https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16902#M3979 <HTML><HEAD></HEAD><BODY><P>Hi Chris,</P><P></P><P>There is no easy way to create a role with privilage to access all read-only APIs. If you create a privilage with api-* then it provides access to all the APIs. You have to explicitly list out read only APIs like api-system-*, api-qtree-list-* .</P><P></P><P>Thanks,</P><P>Rashmi.</P></BODY></HTML> Wed, 04 Mar 2009 10:16:23 GMT rashmid 2009-03-04T10:16:23Z https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16897#M3978 <HTML><HEAD></HEAD><BODY><P>I'd like to be able to secure an API user that would have read-only access to the filer. Going through RBAC, this seems possible, but there are too many options to successfully create a role based on this. The command errors as it's too long, and if I load it into a text file and run it using source, it reports the command is too long. I won't post the full list of "api-" RBAC roles I want to give the user as it's a bit big!</P><P></P><P>Is there an easy way of creating a read-only api-* user?</P></BODY></HTML> Thu, 05 Jun 2025 07:30:14 GMT https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16897#M3978 chriskranz 2025-06-05T07:30:14Z https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16902#M3979 <HTML><HEAD></HEAD><BODY><P>Hi Chris,</P><P></P><P>There is no easy way to create a role with privilage to access all read-only APIs. If you create a privilage with api-* then it provides access to all the APIs. You have to explicitly list out read only APIs like api-system-*, api-qtree-list-* .</P><P></P><P>Thanks,</P><P>Rashmi.</P></BODY></HTML> Wed, 04 Mar 2009 10:16:23 GMT https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16902#M3979 rashmid 2009-03-04T10:16:23Z https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16905#M3980 <HTML><HEAD></HEAD><BODY><P>Thanks for the reply. However that's the problem I have. I've been through all the api- roles and highlighted the read-only ones, But the command line input buffer isn't long enough to accept this into a single role. If there was a way that I could add additional settings to an existing role, then I could build this up, but there doesn't seem to be, it just overwrites the existing settings.</P></BODY></HTML> Wed, 04 Mar 2009 10:20:16 GMT https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16905#M3980 chriskranz 2009-03-04T10:20:16Z https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16910#M3981 <HTML><HEAD></HEAD><BODY><P>You can use useradmin category APIs to overcome the limitations of CLI.</P><P></P><P>Thanks,</P><P>Rashmi.</P></BODY></HTML> Wed, 04 Mar 2009 10:24:01 GMT https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16910#M3981 rashmid 2009-03-04T10:24:01Z https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16915#M3982 <HTML><HEAD></HEAD><BODY><P>Maybe you can break the api-* list to multiple roles, each one having different apis as capabilities. Then add these roles to a group, then assign a read only user to this group.</P><P></P><P>For example, create the roles you need.</P><P></P><P>Name: testrole</P><P>Info:</P><P>Allowed Capabilities: api-*</P><P></P><P>Name: login</P><P>Info:</P><P>Allowed Capabilities: cli-*,login-ssh,login-telnet</P><P></P><P></P><P>Create a group for these roles:</P><P>Name: testgrp</P><P>Info:</P><P>Rid: 131085</P><P>Roles: testrole,login</P><P></P><P></P><P>Assign user to this role.</P><P>Name: testuser</P><P>Info:</P><P>Rid: 131092</P><P>Groups: testgrp</P><P></P><P>Let me know if this works!</P></BODY></HTML> Wed, 04 Mar 2009 10:29:31 GMT https://community.netapp.com/t5/ONTAP-Discussions/Read-Only-User/m-p/16915#M3982 nagendrk 2009-03-04T10:29:31Z