Thank you for responding. I was thinking the same thing. Use a local account on the filers that has admin rights that dfm server can talk to. The customer is not keen on having the local dfm account have admin rights but it seems to be best practices as a number of things may not work well if it has less rights? You agree?

Thanks

Sean

Hi Sean,

     You are correct.And I agree. If you go with limited capabilities, you will encounter problems with performance advisor, or protection manager functionality. Also OCUM uses ssh for some cases where there is lack of API or SNMP.

BTW if you wish you can start creating a role with all read-capabilities and based on trial and error keep adding them untill you don't get any error. But the next version of ONTAP may change some of these and you will have to redo this exercise again just incase there are ONTAP changes.

Regards

adai

Hi, I do have another question. The customer I am working with wants to know if the local accounts on the filers need to have cli login capabilities. It seems in needs ssh and cli to work. They are asking would the api capabilities not work for log in?

My question is the minimal rights a local account needs for dfm to come in?

I have looked through a few docs and they don’t mention what the filer account has to be set to in order to function.

Thanks

Hi Sean,

     As I said earlier, whenever there is a deficiency in the api, we use the cli to collect some monitoring data. In order to do that we need ssh capability to login to the controller and cli capability to execute this command.

Long time back during DOT 7G a colleague and I worked on this for a large NetApp customer. At that time we created a KB1011412. 

Though we titled it as ReadOnly strictly speaking its not readonly as it has system-cli capabilities.

Regards

adai