https://community.netapp.com/t5/ONTAP-Discussions/Ontap-gui-login-with-diffent-active-directory-domains/m-p/463079#M45149 <P>I am pretty sure this will not work in your case...Much of the GUI is REST-related and this trick does not work with REST:</P><P>&nbsp;</P><P>when creating RBAC, many forget about the -query option.</P><PRE>security login role create -role corpAAA_admin -cmddirname volume -query "-vserver svm_AAA" -access all</PRE><P>Basically, you have a couple choices:</P><P>1. you can give the admins ability to "login" to their own SVM, but they will be limited to CLI access.</P><P>2. you can give the admins ability t "login" to the main cluster, but you define EVERY command they can run and be very judicious with the "-query" option which will limit the user to only run things in their own SVM</P><P>&nbsp;</P><P>I would love to be proven wrong, but as far as I know there is no way to "limit" GUI access to an SVM.</P><P>It is a catch 22... You can specify "rest-role" but they are targeted to a data svm. the GUI is the admin svm.</P><P>If I provide access to the GUI, I need to find a way to limit (which again, I do not think is possible)</P><P>&nbsp;</P><P>Hopefully this is a bit clearer than mud.</P> Wed, 10 Sep 2025 15:49:33 GMT TMACMD 2025-09-10T15:49:33Z https://community.netapp.com/t5/ONTAP-Discussions/Ontap-gui-login-with-diffent-active-directory-domains/m-p/463078#M45148 <P>Hello to all&nbsp;</P><P>We got a customer with 3 diferent Active Directory&nbsp; domains, for example AAA.corp,BBB.corp and CCC.corp.</P><P>we had created 3 different SVM in ontap 9.16 and created volumes and shares. Everything is fine.</P><P>when i want&nbsp;to let domain admins logon to GUI&nbsp; of&nbsp; netapp (system manager) with domain admin accounts , but not reaching anything else then their own SVM ,&nbsp;</P><P>yet we couldnt do it,</P><P>&nbsp;</P><P>can logon with ActiveDirectory accounts when we let permission with Cluster SVM ,but then can reach everything</P><P>created RBAC role, and assigned role to users ,then we can logon but that time, can reach all SVM systems</P><P>&nbsp;</P><P>what can you advise&nbsp; to do,?</P><P>&nbsp;</P><P>thanks</P> Wed, 10 Sep 2025 15:19:05 GMT https://community.netapp.com/t5/ONTAP-Discussions/Ontap-gui-login-with-diffent-active-directory-domains/m-p/463078#M45148 ORCUN_USTURALI 2025-09-10T15:19:05Z https://community.netapp.com/t5/ONTAP-Discussions/Ontap-gui-login-with-diffent-active-directory-domains/m-p/463079#M45149 <P>I am pretty sure this will not work in your case...Much of the GUI is REST-related and this trick does not work with REST:</P><P>&nbsp;</P><P>when creating RBAC, many forget about the -query option.</P><PRE>security login role create -role corpAAA_admin -cmddirname volume -query "-vserver svm_AAA" -access all</PRE><P>Basically, you have a couple choices:</P><P>1. you can give the admins ability to "login" to their own SVM, but they will be limited to CLI access.</P><P>2. you can give the admins ability t "login" to the main cluster, but you define EVERY command they can run and be very judicious with the "-query" option which will limit the user to only run things in their own SVM</P><P>&nbsp;</P><P>I would love to be proven wrong, but as far as I know there is no way to "limit" GUI access to an SVM.</P><P>It is a catch 22... You can specify "rest-role" but they are targeted to a data svm. the GUI is the admin svm.</P><P>If I provide access to the GUI, I need to find a way to limit (which again, I do not think is possible)</P><P>&nbsp;</P><P>Hopefully this is a bit clearer than mud.</P> Wed, 10 Sep 2025 15:49:33 GMT https://community.netapp.com/t5/ONTAP-Discussions/Ontap-gui-login-with-diffent-active-directory-domains/m-p/463079#M45149 TMACMD 2025-09-10T15:49:33Z