Active IQ Unified Manager Discussions

OnCommand Core 5.1 - Local user rights for DFM

SEANTRACY

I am looking for advice on what to set up for rights on a local account that DFM will use to log into the filers and run basic functions. I am working with a customer who wants the minimal rights for DFM. They are using SnapDrive for Windows. Currently they are using a regular user account with full root capabilities.

Thanks


adaikkap

Sean,

We don't have a certified user with the required capabilities enabled to do the ONTAP side work. What I have seen in my experience is that many users create local users on the filer that belong to the admin group, like dfmuser (essentially with root capabilities), to log in to ONTAP via DFM.

Regards

adai

SEANTRACY

Thank you for responding. I was thinking the same thing. Use a local account on the filers that has admin rights that the DFM server can talk to. The customer is not keen on having the local DFM account have admin rights, but it seems to be best practice, as a number of things may not work well if it has fewer rights? Do you agree?

Thanks

Sean

adaikkap

Hi Sean,

You are correct, and I agree. If you go with limited capabilities, you will encounter problems with Performance Advisor or Protection Manager functionality. Also, OCUM uses SSH for some cases where there is a lack of API or SNMP.

BTW, if you wish, you can start by creating a role with all read capabilities and, based on trial and error, keep adding capabilities until you don't get any errors. But the next version of ONTAP may change some of these, and you will have to redo this exercise again just in case there are ONTAP changes.

Regards

adai

SEANTRACY

Hi, I do have another question. The customer I am working with wants to know if the local accounts on the filers need to have CLI login capabilities. It seems it needs SSH and CLI to work. They are asking: would the API capabilities not work for login?

My question is the minimal rights a local account needs for dfm to come in?

I have looked through a few docs and they don’t mention what the filer account has to be set to in order to function.

Thanks

adaikkap

Hi Sean,

As I said earlier, whenever there is a deficiency in the API, we use the CLI to collect some monitoring data. In order to do that, we need SSH capability to log in to the controller and CLI capability to execute this command.

A long time back, during DOT 7G, a colleague and I worked on this for a large NetApp customer. At that time we created KB1011412.

Though we titled it as ReadOnly, strictly speaking it's not read-only, as it has system-cli capabilities.

Regards

adai
