
Netapp Harvest Read Only Role Access




I am new to NetApp Harvest and am trying to set up metrics collection. I followed the documentation for setting up the netapp-harvest role, but when I grant cluster identity show permissions, I see permissions added for modify and create after running the command. Is there a way to restrict NetApp Harvest to use only show commands instead of modify and create?


For example, I see:

security login role create -role netapp-harvest-role -cmddirname "network interface show"

Warning: This operation will also affect the following commands:
    "network interface create"
    "network interface delete"
    "network interface modify"

The above happens on all the listed commands in the document, and I end up having the below permissions after installation:

netapp-harvest-role DEFAULT                                 none
                               cluster identity modify                 readonly
                               cluster identity show                   readonly
                               cluster modify                          readonly
                               cluster show                            readonly
                               lun create                              readonly
                               lun modify                              readonly
                               lun show                                readonly
                               network interface create                readonly
                               network interface delete                readonly
                               network interface modify                readonly
                               network interface show                  readonly
                               qos workload delete                     readonly
                               qos workload modify                     readonly
                               qos workload show                       readonly
                               statistics                              readonly
                               system node modify                      readonly
                               system node show                        readonly
                               version                                 readonly


Could someone assist me with whether we can restrict the role to only show commands, as given in the installation, or is the above by design?


Thank you 



No worries, that is still effectively a read-only access.

As you can see, even the "create" subcommand is marked with "readonly", which basically means it cannot create anything :). You can verify that, if you want, by logging in to that account and trying to create or modify things.

As a side note, I personally use the built-in "readonly" role for Harvest. It allows reading anything, but not modifying or creating.
Recent versions of Harvest add additional capabilities, which won't work if you follow the old guide and only add those listed commands to the custom role. Using the "readonly" role should always work, even when Harvest gets new features. Obviously, if you want to limit even the read access to only specific sections, you need to use the purpose-built role.
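
The reply above turns on the access-level column, not the verb in the command name. As an added example (not part of the original thread and not NetApp or Harvest code), this Python sketch audits a role listing in the trimmed layout the question shows and reports only entries that grant write access; the sample text and the function names are constructed for illustration.

```python
# Access levels accepted by "security login role create -access".
ACCESS_LEVELS = {"none", "readonly", "all"}

# Constructed sample: a subset of the role listing from the question, plus one
# deliberately mis-set entry ("qos workload modify ... all") to show a finding.
SAMPLE = """\
netapp-harvest-role DEFAULT                                 none
                               cluster identity modify                 readonly
                               cluster identity show                   readonly
                               network interface create                readonly
                               network interface show                  readonly
                               qos workload modify                     all
                               statistics                              readonly
                               version                                 readonly
"""


def parse_role_entries(text, role):
    """Return (command_directory, access_level) pairs from a role listing.

    Assumes the trimmed layout shown in the thread: the role name appears on
    the first row only, and the access level is the last column.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == role:
            tokens = tokens[1:]          # drop the role-name column
        if len(tokens) < 2 or tokens[-1] not in ACCESS_LEVELS:
            continue                     # blank line, header or separator
        entries.append((" ".join(tokens[:-1]), tokens[-1]))
    return entries


def audit_role(text, role):
    """Flag what actually grants write access: the access level, not the verb."""
    entries = parse_role_entries(text, role)
    return {
        "entries": len(entries),
        # Of the three levels, only "all" permits create/modify/delete.
        "writable": [cmd for cmd, access in entries if access == "all"],
        # DEFAULT must stay "none", or unlisted commands become reachable.
        "default_denied": ("DEFAULT", "none") in entries,
    }


if __name__ == "__main__":
    print(audit_role(SAMPLE, "netapp-harvest-role"))
```

Rows such as "network interface create ... readonly" are not reported; only the constructed "all" entry is.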


Understood, thank you for the response.