I am looking for advice on what to set up for rights on a local account that DFM will use to log into the filers and run basic functions. I am working with a customer who wants the minimal rights for DFM. They are using SnapDrive for Windows. Currently they are using a regular user account with full root capabilities.
We don't have a certified user with the required capabilities enabled to do the ONTAP-side work. What I have seen in my experience is that many users create local users on the filer that belong to the admin group, like dfmuser (essentially with root capabilities), to log in to ONTAP via DFM.
Hi, I do have another question. The customer I am working with wants to know if the local accounts on the filers need to have CLI login capabilities. It seems it needs SSH and CLI to work. They are asking whether the API capabilities would not work for login.
My question is: what are the minimal rights a local account needs for DFM to come in?
I have looked through a few docs and they don’t mention what the filer account has to be set to in order to function.
As I said earlier, whenever there is a deficiency in the API, we use the CLI to collect some monitoring data. In order to do that we need the SSH capability to log in to the controller and the CLI capability to execute the command.
A long time back, during DOT 7G, a colleague and I worked on this for a large NetApp customer. At that time we created KB1011412.
Though we titled it ReadOnly, strictly speaking it's not read-only, as it has system-cli capabilities.
Thank you for responding. I was thinking the same thing: use a local account on the filers that has admin rights that the DFM server can talk to. The customer is not keen on having the local DFM account have admin rights, but it seems to be best practice, as a number of things may not work well if it has fewer rights. Do you agree?
You are correct, and I agree. If you go with limited capabilities, you will encounter problems with Performance Advisor or Protection Manager functionality. Also, OCUM uses SSH in some cases where there is a lack of API or SNMP.
BTW, if you wish, you can start by creating a role with all read capabilities and, based on trial and error, keep adding them until you don't get any error. But the next version of ONTAP may change some of these and you will have to redo this exercise, just in case there are ONTAP changes.
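The role-building approach described in this reply, written out as an added example in Data ONTAP 7-Mode `useradmin` syntax. It is illustrative and not taken from the thread or from KB1011412; the names `dfm_ro`, `dfm_ro_grp` and `dfmuser` and the starting capability list are assumptions, and the list is only a starting point to extend by trial and error as the reply suggests.

```text
# Added example (not from the thread). Names and the starting
# capability list are assumed. Per the thread, DFM/OCUM needs
# login-ssh plus cli capabilities for the commands it falls back
# to when the API is deficient, so a pure read-only role is not
# expected to be sufficient on its own.

# 1. Role with login capabilities and a few read-type API calls.
filer> useradmin role add dfm_ro -a login-ssh,login-http-admin,api-system-get-info,api-volume-list-info,api-aggr-list-info,api-snapshot-list-info

# 2. Group that carries the role, and the local account DFM uses.
filer> useradmin group add dfm_ro_grp -r dfm_ro
filer> useradmin user add dfmuser -g dfm_ro_grp
filer> useradmin user list dfmuser

# 3. Test DFM against the filer. When an operation fails with a
#    capability error, add that capability and re-test. -a replaces
#    the whole list, so the earlier capabilities are given again.
filer> useradmin role modify dfm_ro -a login-ssh,login-http-admin,api-system-get-info,api-volume-list-info,api-aggr-list-info,api-snapshot-list-info,cli-df,cli-snap*

# 4. The alternative the thread ends up recommending: full admin
#    rights via the built-in Administrators group.
filer> useradmin user add dfmuser -g Administrators
```

Whichever variant is chosen, keep the role definition and the DFM version it was tested against together, since the reply notes the required capabilities may change between ONTAP releases.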