topic Re: OnTAP Custom Role Not Working in ONTAP Discussions

OnTAP Custom Role Not Working

TMADOCTHOMAS — Wed, 04 Jun 2025 10:37:14 GMT

Hello,

I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource". Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?

Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs

Re: OnTAP Custom Role Not Working

paul_stejskal — Thu, 28 Jan 2021 15:20:11 GMT

What is the security login show output? And did you set up a security login show?

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Thu, 28 Jan 2021 15:30:47 GMT

The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.

Re: OnTAP Custom Role Not Working

paul_stejskal — Thu, 28 Jan 2021 16:23:34 GMT

It's probably security login role command. I think you've got the right idea it's in the "options" output.

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Thu, 28 Jan 2021 16:26:54 GMT

That's a possibility. I guess it has to read the role to know what it's rights are :). I'll try that and update the thread with the results.

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Thu, 28 Jan 2021 16:41:24 GMT

Defining custom roles:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-910E18E9-B83C-41BF-8A68-C1806FEB6177.html

cluster1::> security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

cluster1::> security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application console -authentication-method password -role script -vserver cluster1

I logged in as jocolon user with script role assigned
cluster1::> vserver options -vserver cluster1 -option-name
encryption.data_at_rest_encryption.disable_by_default
replication.create_data_protection_rels.enable
replication.dst_snapshot_op_ems.enable
replication.feature1.enable
replication.ls_mirrors_on_data_volumes.enable
replication.mirror_initialize_priority
replication.mirror_update_priority
replication.reservation.dst.high_pri_xfer_pct
replication.reservation.dst.low_pri_xfer_pct
replication.reservation.src.high_pri_xfer_pct
replication.reservation.src.low_pri_xfer_pct
replication.restore_priority
replication.throttle.enable
replication.throttle.incoming.max_kbs
replication.throttle.outgoing.max_kbs
replication.throttle.outgoing.max_kbs_objstore
replication.vault_initialize_priority
replication.vault_update_priority
snmp.enable
volmove.throttle.enable

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs -option-value 45

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs

cluster1
replication.throttle.outgoing.max_kbs
45 -

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.incoming.max_kbs -option-value 2

Error: command failed: not authorized for that command

cluster1::> ?
exit Quit the CLI session
history Show the history of commands for this CLI session
man Display the on-line manual pages
redo Execute a previous command
rows Show/Set the rows for this CLI session
top Go to the top-level directory
up Go up one directory
vserver> Manage Vservers

cluster1::>

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Thu, 28 Jan 2021 16:56:29 GMT

@paul_stejskal unfortunately that command didn't do the trick. I may experiment with some other security login commands.

@jcolonfzenpr thank you for showing me your testing of my issue! Do you have a suggestion for how to get the desired results?

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Thu, 28 Jan 2021 17:04:52 GMT

can you share the powershell script?

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Fri, 29 Jan 2021 21:05:29 GMT

Yes, here it is:

# Import the OnTAP module and create the cluster connection variable
Clear-Host
Import-Module DataONTAP
$CLUSTER = Connect-NcController -Name <cluster_name>

# Throttle snapmirror transfers
Invoke-NaSsh -Name $CLUSTER -Command "options -option-name replication.throttle.outgoing.max_kbs 3125"

That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Fri, 29 Jan 2021 21:15:19 GMT

It's getting hung up here:

$CLUSTER = Connect-NcController -Name albflnacl01p

Error says :

Connect-NcController : Insufficient privileges: user '<username>' does not have read access to this resource

Here is the role. As you can see I tried setting the command/directory to "security login" but that didn't work either.

----------------------------------------------------------------------------------

Vserver: <vserver>
Role Name: script
Command / Directory: DEFAULT
Access Level: none
Query:

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

Vserver: <vserver>
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
----------------------------------------------------------------------------------

Any ideas or suggestions?

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Fri, 29 Jan 2021 21:41:44 GMT

can you add one extra role setting like this?

Vserver: <vserver>
Role Name: script
Command / Directory: vserver
Access Level: readonly
Query:

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Fri, 29 Jan 2021 21:44:09 GMT

FYI I found the following which answers my question for 7-mode. Anyone know a cdot equivalent?

https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/Determining-Ontap-privileges-needed-for-powershell-script/td-p/16210

@jcolonfzenpr I will try that and see if it works.

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Fri, 29 Jan 2021 21:46:59 GMT

i think this is not needed!

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Sat, 30 Jan 2021 15:59:11 GMT

I do the testing and it work by adding a role setting to the DEFAULT as readonly.

Security role creation:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

Create and apply role to a user:

security login create -user-or-group-name jocolon -application ontapi -authentication-method password -role script -vserver cluster1
security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

Create the powershell credential object:

PS C:\Users\Administrator.DEMO> $cred = (Get-Credential)

Display powershell credential object:
PS C:\Users\Administrator.DEMO> $cred

UserName Password
-------- --------
jocolon System.Security.SecureString

I changed your script a litter bit:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs 3125"

NcController : cluster1
Value :

Last login time: 1/30/2021 15:24:50

1 entry was modified.

Display the modified option:

PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs"

NcController : cluster1
Value :

Last login time: 1/30/2021 15:25:06

cluster1
replication.throttle.outgoing.max_kbs 3125 -

I learn something new today! Thanks

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Mon, 01 Feb 2021 15:38:55 GMT

Thanks @jcolonfzenpr . It actually works with just the following two lines:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Mon, 01 Feb 2021 15:54:01 GMT

I test it also with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

but you have to change a litter bit your scripts.

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Mon, 01 Feb 2021 16:10:32 GMT

Thanks @jcolonfzenpr . I reset DEFAULT back to none and added vserver in as readonly, but that didn't work either. I do realize I had one error in the script I showed earlier. Invoke-NaSsh should read Invoke-NcSsh.

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Tue, 02 Feb 2021 16:28:17 GMT

@jcolonfzenpr , for the record I decided to go ahead and modify the role to make DEFAULT readonly, as this is at least an improvement on how it works now. It does lock it down a good bit from being a full admin to having limited rights. I have a case open with NetApp and still want to narrow this down even further to give it read only rights only to the commands needed to log in.

Re: OnTAP Custom Role Not Working

jcolonfzenpr — Wed, 03 Feb 2021 13:29:08 GMT

If support provides a solution please share it here so other user with similar need can benefit.

also i forgot to metion you can ask for help on the slack channel of netapp.io

https://join.slack.com/t/netapppub/shared_invite/zt-ki0sse86-6ihXPApFepvu0Nx~YibCtA

Re: OnTAP Custom Role Not Working

TMADOCTHOMAS — Wed, 03 Feb 2021 13:47:12 GMT

@jcolonfzenpr I definitely will! Thanks for the tip on slack, I will check that out.

On a related note, I've been testing things out on the script I posted earlier in this thread. The "DEFAULT"/readonly setting + additional rule works great for this script. I've now checked out the other PowerShell scripts I want to give permission to, and forgot that I'm using native PowerShell commands for those scripts, such as Get-NcCifsShare and Get-NcCifsShareAcl for example. At the moment it works fine since all commands are set to readonly, but if I'm able to lock "DEFAULT" down further I will need to know which NetApp commands correspond to the PowerShell commands. Do you know of a PDF that details which native NetApp commands correspond to PowerShell toolkit commands?