topic Re: Netapp Harvest Read Only Role Access in Active IQ Unified Manager Discussions

Netapp Harvest Read Only Role Access

abhilashchinthalapudi — Wed, 04 Jun 2025 11:10:23 GMT

Hello

I am new to netapp harvest and trying to set up the metrics collection.I followed the documentation in setting up netapp-harvest role but when I grant cluster identity show permissions I would see permissions added to modify and create after running the command, is there a way to restrict netapp harvest to use on show commands instead of modify and create?

For example I see

security login role create -role netapp-harvest-role -cmddirname "network interface show"

Warning: This operation will also affect the following commands:
"network interface create"
"network interface delete"
"network interface modify"

The above happens on all the listed commands in the document and I end up having below permissions after installation

netapp-harvest-role DEFAULT none
cluster identity modify readonly
cluster identity show readonly
cluster modify readonly
cluster show readonly
lun create readonly
lun modify readonly
lun show readonly
network interface create readonly
network interface delete readonly
network interface modify readonly
network interface show readonly
qos workload delete readonly
qos workload modify readonly
qos workload show readonly
statistics readonly
system node modify readonly
system node show readonly
version readonly

Could someone assist me if we can restrict the role only to show commands as given in the installation or the above is by design

Thank you

Re: Netapp Harvest Read Only Role Access

bkamil — Wed, 13 May 2020 12:00:06 GMT

No worries, that is still effectively a read-only access.

As you can see, even the "create" subcommand is marked with "readonly", which basically means it cannot create anything :). You can verify that, if you want, by logging in into that account and trying to create or modify things.

As a side note, I personally use the built-in "readonly" role for Harvest. It allows to read anything, but not to modify or create.
Recent versions of Harvest add additional capabilities, which won't work if you follow the old guide and only add those listed commands to the custom role. Using the "readonly" role should always work, even when Harvest gets new features. Obviously, if you want to limit even the read access to only specific sections, you need to use the purpose-built role.

Re: Netapp Harvest Read Only Role Access

abhilashchinthalapudi — Fri, 15 May 2020 23:48:59 GMT

Understood thank you for the response