https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40770#M8344 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you want to do is possible, but impossibly documented.&nbsp; There is a TR on RBAC&nbsp; (<A href="http://media.netapp.com/documents/tr-3358.pdf" target="_blank">http://media.netapp.com/documents/tr-3358.pdf</A>) and info in the System Administration Guide but drilling down to the subcategories is no easy task.&nbsp; The best overview I've found is to use DFM/OM where you get an expandable list of role capabilites. </P><P></P><P>To add your domain user/group simple use: useradmin domainuser add DOMAIN\administrators_group -g administrators (or some other group that you create with the desired roles).</P><P></P><P>There is a capability (or there are a number of volume capabilites) that you can assign to a role, then the role to your new filer group, then to your AD administrators group via the above command (or with 'modify' if it exists) . </P><P></P><P>You will need something like 'useradmin role create vol_admin -c "Role for volume admin" -a login-*,cli-df,cli-vol*,cli-qtree* '&nbsp; which will still go a bit farther than just resizing volumes.&nbsp; If you use FilerView, then you need a bunch of the 'api-*' roles as well.&nbsp; Finding a place where all of these are defined is probably the biggest problem if you don't have DFM.&nbsp; Assign the role to a group 'useradmin group add</P><P></P><P>Good luck.</P></BODY></HTML> Tue, 05 Apr 2011 08:29:13 GMT shaunjurr 2011-04-05T08:29:13Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40766#M8343 <HTML><HEAD></HEAD><BODY><P>hi Guys,</P><P></P><P>We are working with several Netapp filers (Ontap ver. 7.3.x) which conneted to windows 2003 domain through cifs setup.</P><P>Till now, we have been using mainly root user for login to administer the machines and perform monitoring and automation tasks.</P><P>Now, we want to integrate our Active Directory users, to be able login to machines with their peronal user name.</P><P>In regard to the above, I have two questions:</P><P>1. Is there an options to add Active Directory global group to Netapp local group? for example:</P><P>useradmin group add Administrators DomainName\storage_admins</P><P>2. Is there a defined role which gives a user permission to resize a volume / lun but not to change any global storage settings?</P><P></P><P>thanks,</P><P>Igal</P></BODY></HTML> Thu, 05 Jun 2025 06:57:09 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40766#M8343 igalkatzir 2025-06-05T06:57:09Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40770#M8344 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you want to do is possible, but impossibly documented.&nbsp; There is a TR on RBAC&nbsp; (<A href="http://media.netapp.com/documents/tr-3358.pdf" target="_blank">http://media.netapp.com/documents/tr-3358.pdf</A>) and info in the System Administration Guide but drilling down to the subcategories is no easy task.&nbsp; The best overview I've found is to use DFM/OM where you get an expandable list of role capabilites. </P><P></P><P>To add your domain user/group simple use: useradmin domainuser add DOMAIN\administrators_group -g administrators (or some other group that you create with the desired roles).</P><P></P><P>There is a capability (or there are a number of volume capabilites) that you can assign to a role, then the role to your new filer group, then to your AD administrators group via the above command (or with 'modify' if it exists) . </P><P></P><P>You will need something like 'useradmin role create vol_admin -c "Role for volume admin" -a login-*,cli-df,cli-vol*,cli-qtree* '&nbsp; which will still go a bit farther than just resizing volumes.&nbsp; If you use FilerView, then you need a bunch of the 'api-*' roles as well.&nbsp; Finding a place where all of these are defined is probably the biggest problem if you don't have DFM.&nbsp; Assign the role to a group 'useradmin group add</P><P></P><P>Good luck.</P></BODY></HTML> Tue, 05 Apr 2011 08:29:13 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40770#M8344 shaunjurr 2011-04-05T08:29:13Z https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40779#M8347 <HTML><HEAD></HEAD><BODY><P>There is a more recent RBAC TR - 4062</P></BODY></HTML> Wed, 25 Apr 2012 15:25:31 GMT https://community.netapp.com/t5/Active-IQ-Unified-Manager-Discussions/ldap-intergration-amp-role-base-access/m-p/40779#M8347 igalkatzir 2012-04-25T15:25:31Z