Active IQ Unified Manager Discussions

NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

CAPATEL_NET1984
9,577 Views

I want to give access of a user to create/delete snapshot for the group of volumes.

can I create something like a resourcegroup where I can add all the volumes and give access of those to particular user for snahsot command dir?

OR is there a way to give access by volume names?

 

I see someone mentioned that I can use -query "-volume <vol_name>" but what if there are multiple volumes?

 

 

1 ACCEPTED SOLUTION

colsen
9,555 Views

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris

View solution in original post

4 REPLIES 4

colsen
9,556 Views

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris

Kamran_Alam
9,017 Views

Security roles have been successfully created but unable to login on OCSM when granted that roles to any of the users created manually.

 

Kindly suggest a solution if possible


@colsen_lanl_gov wrote:

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris



@colsen_lanl_gov wrote:

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris


 

colsen
8,991 Views

Hmmm - that first command in the list is the only thing you need to grant access via OCSM:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

 

Did you grant them all the appropriate "user login methods"?  They'll need 'http' for OCSM to work.  You can verify the allowed methods via the OCSM GUI (it's just the role creation you need to do via CLI).

 

Hope that helps,

 

Chris

adestiscompany
7,582 Views

Hello Chris,

 

your solution seems not to work with OCSM at least on version 9.4.

Access via SSH is possible but OCSM refuses access.

 

But instead such a user sees a lot more than just his/her vserver.

My test showed that via SSH the user was also able to view the volumes of all vservers.

And this might also be true for other things. Maybe the DEFAULT access allows to much.

 

Regards

Markus

Public