topic Re: read-only access for powershell toolkit in SolidFire and HCI

read-only access for powershell toolkit

EamonnH — Wed, 04 Jun 2025 12:48:05 GMT

Hi,

Does anyone have a definitive list of the APIs that need to be granted to allow read-only access from powershell? We're trying to automate reporting, but we need to ensure there is no possibility of the script changing anything.

Any and all advice gratefully received.

Regards,

Eamonn

Re: read-only access for powershell toolkit

elementx — Tue, 26 Feb 2019 15:38:43 GMT

You don't grant access to APIs, you grant access to cluster admins.

PS /home/sean> get-help New-SFClusterAdmin -examples

NAME
New-SFClusterAdmin

SYNOPSIS
[Cluster] Adds a new cluster admin.

-------------------------- EXAMPLE 1 --------------------------

PS C:\>New-SFClusterAdmin -Username AdminUser -Password NewPass -Access "nodes","drives"

Adds a cluster admin user with full access to the "nodes" and "drives" groups of API methods.

The most common access levels are:

"administrator" - Full access to all API methods
"reporting" - Access to only readonly API methods with some limitations

Add one of these reporting accounts. Whatever this guy does, the only thing he can do is Get-*.

PS /home/sean> New-SFClusterAdmin -Username DirkD -Password B00GInites -AcceptEula:$true -Access reporting

AuthMethod : Cluster
Access : {administrator}
ClusterAdminID : 1
Username : admin
Attributes :

AuthMethod : Cluster
Access : {read, reporting, volumes}
ClusterAdminID : 6
Username : sean
Attributes : {}

AuthMethod : Cluster
Access : {read, reporting}
ClusterAdminID : 7
Username : DirkD
Attributes : {}

Now this account can Get-* all sorts of info including this below.

PS /home/sean> Connect-SFCluster 192.168.1.30 -Username DirkD -Password B00GInites

PS /home/sean> Get-SFAccount -AccountID 1

AccountID : 1
Username : vcenter
Status : active
Volumes : {5, 6}
InitiatorSecret : WOWWOWWOW
TargetSecret : 0dD':6n9T4$:.UB3

But at least some things are off limits.

PS /home/sean> Get-SFClusterAdmin
Get-SFClusterAdmin : xPermissionDenied: xPermissionDenied
At line:1 char:1
+ Get-SFClusterAdmin
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidResult: (SolidFire.Cluster.Get.GetSFClusterAdmin:GetSFClusterAdmin) [Get-SFClusterAdmin], Exception
+ FullyQualifiedErrorId : 0,SolidFire.Cluster.Get.GetSFClusterAdmin
StorageContainerID : 00000000-0000-0000-0000-000000000000
Attributes : {}

If you want to prevent read-access to iSCSI accounts and passwords, you could set up one PS script to run as User A, and save output to a folder owned by User B, that way you can control what info is accesseed through User A, and User B could be normal staff without access to sensitive data.

Re: read-only access for powershell toolkit

mbeattie — Tue, 26 Feb 2019 22:31:01 GMT

Hi Eamonn,

The first response to your question appears to be based on NetApp Solidfire? Could you please specify what systems you are trying to automate reporting for? If you want to automate reporting for Clustered DATA ONTAP then it would make more sense create a read-only database user in OCUM used for querying to the information that OCUM has already discovered about the clusters in your environment rather than invoke API's to query the clusters directly.

If you want to automate reporting for Clustered Data ONTAP systems then the following may be of interest to you:

https://blog.netapp.com/more-ways-to-extract-the-data-you-need-from-oncommand-unified-manager/

https://www.netapp.com/us/media/tr-4565.pdf

/Matt

Re: read-only access for powershell toolkit

elementx — Wed, 27 Feb 2019 00:34:22 GMT

> The first response to your question appears to be based on NetApp Solidfire?

Well, the question has been posted under https://community.netapp.com/t5/SolidFire-PowerShell-Discussions/.

If it's ment for another section perhaps it could be re-posted (with additional detail) to the right area of the forums to lessen the confusion.

Re: read-only access for powershell toolkit

mbeattie — Wed, 27 Feb 2019 00:38:56 GMT

Didn't notice that when i replied. A fair and valid point

/Matt

Re: read-only access for powershell toolkit

mbeattie — Wed, 27 Feb 2019 01:08:32 GMT

Hi,

One option to consider (that actually relates to solidfire ) and assuming you have WFA in your environment would be to add the solidfire system (or systems) to WFA using this pack from the automation store:

https://automationstore.netapp.com/pack-detail.shtml?packUuid=cac25243-4e66-4630-a58d-ee16c7d93217&packVersion=1.0.0

Once the solidfire system\systems are aquired by the WFA datasource the configuration of your systems will reside in the "solidfire" database on the WFA server which you could query as a read only user. This way you wouldn't need to provide any API access directly to the solidfire systems directly for reporting purposes although the solidfire credentials to acquire the datasource would need to be configured within WFA.

/Matt