https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136583#M2516 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/62248">@treydock</a>,</P><P>&nbsp;</P><P>Just a couple of things before using the system-cli API...please remember that it is an unsupported, "private", API, so we do actively discourage it's use.&nbsp; It also has some quirks, noteably it has a buffer in the return output that, when it overflows, may incorrectly report that the call fails.</P><P>&nbsp;</P><P>That being said, system-cli is the CLI equivalent of "system node run", so the user executing the command must have permission to that set of commands via ONTAPI.</P><P>&nbsp;</P><P>Hope that helps.</P><P>&nbsp;</P><P>Andrew</P> Thu, 07 Dec 2017 17:43:15 GMT asulliva 2017-12-07T17:43:15Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136582#M2515 <P>I am attempting to run "system-cli" calls that show some statistics.&nbsp; I am using a user called "monitor" that has role "readonly" [1] .&nbsp; This is on ONTAP 9.2.&nbsp; I keep getting "</P><P class="p1"><SPAN class="s1">Insufficient privileges: user \'monitor\' does not have write access to this resource" when I use the "system-cli" API [2] call but the exact same command works just fine via SSH [3].</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">What am I missing in the readonly role that would prevent access only when running the command via system-cli?</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">Thanks,</SPAN></P><P class="p1"><SPAN class="s1">- Trey</SPAN></P><P class="p1">&nbsp;</P><P class="p1"><SPAN class="s1">[1]:</SPAN></P><P class="p1">&nbsp;</P><PRE>netapp-home::&gt; security login show -user-or-group-name monitor Vserver: netapp-home Authentication Acct Is-Nsswitch User/Group Name Application Method Role Name Locked Group ---------------- ----------- --------- ---------------- ------ ----------- monitor console password readonly no no monitor http password readonly no no monitor ontapi password readonly no no monitor ssh password readonly no no monitor ssh publickey readonly - no 5 entries were displayed. netapp-home::&gt; security login role show -role readonly Role Command/ Access Vserver Name Directory Query Level ---------- ------------- --------- ----------------------------------- -------- netapp-home readonly DEFAULT readonly security none security login password all security login role show-user-capability all set all 5 entries were displayed.</PRE><P>&nbsp;</P><P class="p1"><SPAN class="s1">[2]:</SPAN></P><P class="p1">&nbsp;</P><PRE>&gt;&gt;&gt; from NetApp.NaServer import * &gt;&gt;&gt; s = NaServer('netapp-home', 1, 31) &gt;&gt;&gt; s.set_style('LOGIN') &gt;&gt;&gt; s.set_admin_user('monitor', 'OMIT') &gt;&gt;&gt; s.set_transport_type('HTTPS') &gt;&gt;&gt; import shlex &gt;&gt;&gt; cmd = shlex.split('statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01') &gt;&gt;&gt; args = NaElement('args') &gt;&gt;&gt; for arg in cmd: ... args.child_add(NaElement('arg', arg)) ... &gt;&gt;&gt; cli = NaElement('system-cli') &gt;&gt;&gt; cli.child_add(args) &gt;&gt;&gt; cli.child_add(NaElement('priv', 'diagnostic')) &gt;&gt;&gt; out = s.invoke_elem(cli) &gt;&gt;&gt; out.sprintf() u'&lt;results status="failed" errno="13003" reason="Insufficient privileges: user \'monitor\' does not have write access to this resource"&gt;&lt;/results&gt;\n' &gt;&gt;&gt; s.set_admin_user('admin', 'OMIT') &gt;&gt;&gt; out = s.invoke_elem(cli) &gt;&gt;&gt; out.sprintf() u'&lt;results status="passed"&gt;\n\t&lt;cli-output&gt;\n\nObject: nfsv4_diag\nInstance: nfs4_diag\nStart-time: 12/7/2017 11:11:00\nEnd-time: 12/7/2017 11:11:00\nScope: netapp-home01\n\n Counter Value\n -------------------------------- --------------------------------\n storePool_ByteLockAlloc 11\n storePool_ByteLockMax 1024005\n storePool_ClientAlloc 1305\n storePool_ClientMax 102402\n storePool_CopyStateAlloc 0\n storePool_CopyStateMax 10241\n storePool_DelegAlloc 32298\n storePool_DelegMax 1024002\n storePool_DelegStateAlloc 32298\n storePool_DelegStateMax 1024010\n storePool_LayoutAlloc 0\n storePool_LayoutMax 1024005\n storePool_LayoutStateAlloc 0\n storePool_LayoutStateMax 1024010\n storePool_LockStateAlloc 11\n storePool_LockStateMax 1024002\n storePool_OpenAlloc 204365\n storePool_OpenMax 1024002\n storePool_OpenStateAlloc 204365\n storePool_OpenStateMax 1024010\n storePool_OwnerAlloc 129643\n storePool_OwnerMax 1024002\n storePool_StateRefHistoryAlloc 0\n storePool_StateRefHistoryMax 9216008\n storePool_StringAlloc 130910\n storePool_StringMax 1024002\n26 entries were displayed.\n\n&lt;/cli-output&gt;\n\t&lt;cli-result-value&gt;1&lt;/cli-result-value&gt;\n&lt;/results&gt;\n' &gt;&gt;&gt; </PRE><P>&nbsp;</P><P class="p1"><SPAN class="s1">[3]:</SPAN></P><PRE>$ ssh -l monitor netapp-home "set diag; statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01" Password: Object: nfsv4_diag Instance: nfs4_diag Start-time: 12/7/2017 11:07:05 End-time: 12/7/2017 11:07:05 Scope: netapp-home01 Counter Value -------------------------------- -------------------------------- storePool_ByteLockAlloc 11 storePool_ByteLockMax 1024005 storePool_ClientAlloc 1303 storePool_ClientMax 102402 storePool_CopyStateAlloc 0 storePool_CopyStateMax 10241 storePool_DelegAlloc 32145 storePool_DelegMax 1024002 storePool_DelegStateAlloc 32145 storePool_DelegStateMax 1024010 storePool_LayoutAlloc 0 storePool_LayoutMax 1024005 storePool_LayoutStateAlloc 0 storePool_LayoutStateMax 1024010 storePool_LockStateAlloc 11 storePool_LockStateMax 1024002 storePool_OpenAlloc 204158 storePool_OpenMax 1024002 storePool_OpenStateAlloc 204158 storePool_OpenStateMax 1024010 storePool_OwnerAlloc 129557 storePool_OwnerMax 1024002 storePool_StateRefHistoryAlloc 0 storePool_StateRefHistoryMax 9216008 storePool_StringAlloc 130822 storePool_StringMax 1024002 26 entries were displayed.</PRE> Wed, 04 Jun 2025 14:16:14 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136582#M2515 treydock 2025-06-04T14:16:14Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136583#M2516 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/62248">@treydock</a>,</P><P>&nbsp;</P><P>Just a couple of things before using the system-cli API...please remember that it is an unsupported, "private", API, so we do actively discourage it's use.&nbsp; It also has some quirks, noteably it has a buffer in the return output that, when it overflows, may incorrectly report that the call fails.</P><P>&nbsp;</P><P>That being said, system-cli is the CLI equivalent of "system node run", so the user executing the command must have permission to that set of commands via ONTAPI.</P><P>&nbsp;</P><P>Hope that helps.</P><P>&nbsp;</P><P>Andrew</P> Thu, 07 Dec 2017 17:43:15 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136583#M2516 asulliva 2017-12-07T17:43:15Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136585#M2518 <P><a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/8479">@asulliva</a>&nbsp;Thanks.</P><P>&nbsp;</P><P>In case others come across this I had to modify a non-builtin role and use that role to make the necessary changes:</P><P>&nbsp;</P><PRE>netapp-home::&gt; security login role create -vserver netapp-home -role monitor -access all -cmddirname "system node run" -query "-command statistics *"</PRE> Thu, 07 Dec 2017 18:31:29 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/136585#M2518 treydock 2017-12-07T18:31:29Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/145727#M2813 <P>What is the equvalent call through the API for this command?</P> <P>&nbsp;</P> <PRE>statistics show -object nfsv4_diag -instance nfs4_diag -counter storePool_* -raw -node netapp-home01"</PRE> <P>&nbsp;Thank you for the heads up.</P> Fri, 04 Jan 2019 21:57:40 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/Role-privileges-necessary-to-run-system-cli-API-calls/m-p/145727#M2813 beszan 2019-01-04T21:57:40Z