topic Re: Custom role required with access to only few SVMs in ONTAP Discussions

Custom role required with access to only few SVMs

ppadmgeo1 — Wed, 04 Jun 2025 10:11:56 GMT

I need to create a custom role that allows a group of administrators from AD_domain_A to manage all bar one PCI DSS SVM. That last PCI DSS SVM is joined to another domain (AD_domain_B) and will be managed via SSH directly to the SVM admin lif as I understand that ONTAP System Manager is only available on cluster level.

I tried creating a custom role AD_Admin as attached on cluster level which grants access to the group of administrators from AD_domain_A, I then added that same AD group to vsadmin role within the non-PCI SVMs but the resulting access is not AD_Admin + vsadmin. I think I possibly incorrectly assumed that the permissions will be additive and ad admins can't resize volumes etc.

What is the best way to setup this role? Do I need to add, as part of the AD_Admin role definition, something like this but that would mean listing all commands and repeating this for all SVMs?

security login role create -role AD_Admin -cmddirname "volume modify" -access all -query "-vserver svm1"

Re: Custom role required with access to only few SVMs

hmoubara — Fri, 08 Oct 2021 01:56:23 GMT

Hello,

Check the below kb:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A__Custom_roles_for_administration_of_ONTAP

Hope it helps answer your question.

Thanks

Re: Custom role required with access to only few SVMs

ppadmgeo1 — Fri, 08 Oct 2021 08:04:17 GMT

Thanks hmoubara,

I've seen this FAQ but it does not cover what I need - the crux of the question is how a cluster custom role can grant selective permissions in only selected SVMs as above...