First cmdlet always fails with limited role.

ckeith — Fri, 11 Apr 2025 12:40:05 GMT

I'm trying to abide by the Least Privilege model and create a role that only has the privileges needed to run a PowerShell script I plan to run that has these cmdlets:

Connect-NcController
Get-NcFile
new-ncsymlink
add-nccifssymlink
Remove-NcCifsSymlink
Remove-NcFile

I have figured out that the Connect-NcController runs a few APIs before it returns so it needs exact privileges. Here is what I have in my role so far:

> security login rest-role show -vserver prod1 -role createlink
            Role                              Access
Vserver     Name          API                 Level
----------  ------------- ------------------- ------
prod1       createlink     /api/cluster       readonly
                           /api/protocols/cifs/unix-symlink-mapping
                                              all
                           /api/storage/volumes
                                              readonly
                           "/api/storage/volumes/*/files"
                                              all
                           /api/svms          readonly

When I run Connect-NcController, pointing to a vserver, with the credentials of the account that is assigned the limited role, it seems to connect just fine. However, no matter which cmdlet I run afterward, I get the following error:

The remote server returned an error: (403) Forbidden.

After that one failed cmdlet, the rest of them run just fine. If I authenticate with an account that has more privileges (e.g. vsadmin-volume) it doesn't have this issue. So, I assume it is a privilege problem, but I have no way of knowing which one. As far as I can tell 'security audit log show' doesn't show API calls that were declined for lack of permission so I can't figure it out that way. I already added the /api/clusters and /api/svms to get as far as I have.

One oddity that I did see from 'security audit log show' was when I run with the limited role, I see this API get called, but never finish (i.e. I only see the "Pending" and not "Sucess" or "Error")

GET /api/private/cli/system/node/virtual-machine/instance/show-settings?fields=consumer :: Pending

When I run with an account with more privileges, that API call finishes. I tried giving permissions to that API path to my limited role, but it didn't seem to help, in that the problem is still there, and that API never seems to generate any results.

If anyone has any ideas how to resolve this problem, I would be greatly appreciative. Is there a way to get the cmdlets to show the APIs it is making?

And if you can't help with that, can you help me totally suppress the error message? I tried adding -ErrorAction SilentlyContintue but I still see an error.

Here is the script I am running:

$controller = "198.19.255.116" # Vserver Management port
#
# This is the path to where you want the symbolic link to reside using
# a full path starting with /vol/volume_name/
$fileToCreate = "/vol/app1/testlink"
#
# This is where you want the link to point to. It should NOT start with
# /vol/volume_name/ and MUST end with a '/'. For a UNIX client, it will
# be redirected to this path.
$whereToPointTo = "/test-destination/subdir/"
#
# For a CIFS client, with a CIFS Symbolic link, they don't follow the
# path the UNIX link points to, it is more of a pattern match
# and is replaced with what $cifsPath is set to.
$cifsPath = "/cifspath/"
#
# If using a "wide" CIFS Symbolic link, the client can be redirected to
# another CIFS share as well as the path. But, in this case, we are
# using a "local" CIFS Symbolic Link, so the client will be redirected
# to the same share where the link resides.
$shareName = "app1"
#
# Create credentials based on the username and password above.
$connection = Connect-NcController -Name $controller -Credential(Get-Credential)
if ($connection -ne $null) {
  Write-Host "Connected to $controller as $username."
  #
  # Since for some strings reason the first call always fails, so just do one and ignore it.
  # Unfortunately, this command generates an error message no matter what I set the ErrorAction
  # to. There might be another command that will honor it.
  Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
} else {
  Write-Host "Failed to connect to $controller!"
  exit
}
#
# Check to see if the file already exists. If it does, remove it.
$fileProperties = Get-NcFile -Path $fileToCreate -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
if ($fileProperties -ne $null ) {
  write-host "Removing cifssymlink $whereToPointTo"
  Remove-NcCifsSymlink -UnixPath $whereToPointTo -Confirm:$false
  Write-Host "Removing UNIX link $fileToCreate"
  Remove-NcFile -Path $fileToCreate -Confirm:$false
}

write-host "Creating new UNIX symlink $fileToCreate to $whereToPointTo"
new-ncsymlink –target $whereToPointTo –linkname $fileToCreate
write-host "Creating new cifs symlink for $whereToPointTo should redirect to $sharename$whereToPointTo$cifsPath"
add-nccifssymlink –unixpath $whereToPointTo -cifspath $cifsPath -locality local –sharename $shareName

Re: First cmdlet always fails with limited role.

SAP-Basis — Tue, 27 Jan 2026 08:02:46 GMT

Hi,

we do have exactly the same problem using REST. We are using custom roles and with ONTAPI calls everything is working. Now we try to get everything running with REST but each time the first call of a cmdlet after the connection is established fails. We tried using RBAC roles and with REST roles, but the behaviour is the same. The second call (just using arrow up) executes successfully.

Did you find a solution for that?

Re: First cmdlet always fails with limited role.

ckeith — Tue, 27 Jan 2026 13:32:51 GMT

Nope. In my script I just always do some command that I know will fail so I just ignore it and move on. It's not pretty, but it works.

Re: First cmdlet always fails with limited role.

SAP-Basis — Wed, 28 Jan 2026 16:25:21 GMT

Okay, thanks. That was my first intention, but it felt so "wrong".
But sometimes problems just don't want to be solved 😉

Re: First cmdlet always fails with limited role.

Sean2 — Wed, 15 Apr 2026 17:29:06 GMT

It tries to get the cluster version, try adding readonly access to the "/api/cluster" api endpoint

Re: First cmdlet always fails with limited role.

ckeith — Wed, 15 Apr 2026 22:49:34 GMT

Thanks Sean2, but if you look at the first line of the output from the `security login rest-role show -vserver prod1 -role createlink` command that I listed above you will see that I already had that.

Re: First cmdlet always fails with limited role.

mbeattie — Thu, 16 Apr 2026 05:17:44 GMT

Hi Keith,

Have you tried using "security login role create" instead of "security login rest-role create"? I seem to recall there were issues with rest role delegations. I posted an example here:

https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/RBAC-over-RestRoles/m-p/164281

Hope that helps

/Matt

topic Re: First cmdlet always fails with limited role. in Microsoft Virtualization Discussions

First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.

Re: First cmdlet always fails with limited role.