https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433571#M40356 <P>Have you checked this:<BR /><A title="FAQ: Custom roles for administration of ONTAP" href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A__Custom_roles_for_administration_of_ONTAP" target="_blank" rel="noopener">FAQ: Custom roles for administration of ONTAP</A>&nbsp;</P><P>Also did you verify that you logged in with the user that doesn't have permission? How did you manage to set the role for that user?</P> Fri, 01 Apr 2022 05:14:58 GMT tahmad 2022-04-01T05:14:58Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433531#M40349 <P>We would like to have a custom admin role which is allowed for everything except of deleting snapshots. We could successfully create a custom role and assigned a testuser to this role.</P><P>The permissions seems to work, when connected via SSH to the CLI, the testuser can not delete snapshots. But when using the System Manager, the testuser is still allowed to delete snapshots.</P><P>&nbsp;</P><P>the custom admin role looks like that:<BR />Role Command/ Access Vserver Name Directory Query Level<BR />---------- ------------- --------- ----------------------------------- --------<BR />vserver admin_custom DEFAULT all</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; volume snapshot delete none</P><P>&nbsp;</P><P>Any idea why the behaviour in GUI and CLI is different? Does the role need different permissions for working correctly in GUI?</P><P>Thank you for any suggestions</P> Wed, 04 Jun 2025 10:02:47 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433531#M40349 esolva 2025-06-04T10:02:47Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433571#M40356 <P>Have you checked this:<BR /><A title="FAQ: Custom roles for administration of ONTAP" href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A__Custom_roles_for_administration_of_ONTAP" target="_blank" rel="noopener">FAQ: Custom roles for administration of ONTAP</A>&nbsp;</P><P>Also did you verify that you logged in with the user that doesn't have permission? How did you manage to set the role for that user?</P> Fri, 01 Apr 2022 05:14:58 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433571#M40356 tahmad 2022-04-01T05:14:58Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433574#M40357 <P>Thank you for your reply, yes I've already checked that FAQ.</P><P>User was created and set to this role with the following command:<BR />security login create -user-or-group-name testuser -application http -authmethod password -role admin_custom -vserver vserver</P><P>&nbsp;</P><P>I did another test setting the volume snapshot permission to read only for that role:<BR />security login role create -role admin_customer -cmddirname "volume snapshot" -access readonly -vserver vserver</P><P>This works like expected, the user is not allowed to delete snapshot but also creating or modifying snapshot is prohibited. We do like that snapshot creation is allowed and only deletion is not allowed.</P><P>&nbsp;</P> Fri, 01 Apr 2022 05:28:35 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433574#M40357 esolva 2022-04-01T05:28:35Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433575#M40358 <P>Actually this KB should do the job:</P><P><A title="How to use RBAC to prevent deletion of snapshots and volumes" href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_use_RBAC_to_prevent_deletion_of_snapshots_and_volumes" target="_blank" rel="noopener">How to use RBAC to prevent deletion of snapshots and volumes</A>&nbsp;</P><P>Kindly let me know if it works</P> Fri, 01 Apr 2022 06:25:20 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433575#M40358 tahmad 2022-04-01T06:25:20Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433596#M40362 <P>this is exactly what I tried first, but unfortunately this works only in CLI.&nbsp; when using GUI still i'm still able to delete snapshots</P> Fri, 01 Apr 2022 14:27:03 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433596#M40362 esolva 2022-04-01T14:27:03Z https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433619#M40363 <P>In the upper right corner of System Manager is two characters "&lt; &gt;" (greater than and less than). Click that and see what kind of API call System Manager is doing. That might provide a clue. Also reference the audit log. If it looks right, you may have to open a case so we can file a bug.</P> Fri, 01 Apr 2022 22:15:44 GMT https://community.netapp.com/t5/ONTAP-Discussions/Custom-Role-with-no-permissions-to-delete-Snapshots-using-System-Manager/m-p/433619#M40363 paul_stejskal 2022-04-01T22:15:44Z