Active IQ Unified Manager Discussions

LDAP integration & role based access

igalkatzir

hi Guys,

We are working with several NetApp filers (ONTAP ver. 7.3.x) which are connected to a Windows 2003 domain through CIFS setup.

Till now, we have been using mainly the root user to log in to administer the machines and perform monitoring and automation tasks.

Now, we want to integrate our Active Directory users, to be able to log in to the machines with their personal user names.

In regard to the above, I have two questions:

1. Is there an option to add an Active Directory global group to a NetApp local group? For example:

useradmin group add Administrators DomainName\storage_admins

2. Is there a defined role which gives a user permission to resize a volume / LUN but not to change any global storage settings?

thanks,

Igal

1 ACCEPTED SOLUTION

shaunjurr

Hi,

What you want to do is possible, but impossibly documented. There is a TR on RBAC (http://media.netapp.com/documents/tr-3358.pdf) and info in the System Administration Guide, but drilling down to the subcategories is no easy task. The best overview I've found is to use DFM/OM, where you get an expandable list of role capabilities.

To add your domain user/group, simply use: useradmin domainuser add DOMAIN\administrators_group -g administrators (or some other group that you create with the desired roles).

There is a capability (or there are a number of volume capabilities) that you can assign to a role, then the role to your new filer group, then to your AD administrators group via the above command (or with 'modify' if it exists).

You will need something like 'useradmin role create vol_admin -c "Role for volume admin" -a login-*,cli-df,cli-vol*,cli-qtree*', which will still go a bit farther than just resizing volumes. If you use FilerView, then you need a bunch of the 'api-*' roles as well. Finding a place where all of these are defined is probably the biggest problem if you don't have DFM. Assign the role to a group 'useradmin group add

Good luck.

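As an added example (not part of the answer above), the full role, group and domain-group chain the answer describes, typed at a 7-mode console. The prompt `filer>`, the filer group name `vol_admins` and the AD group `DOMAIN\storage_admins` (the questioner's name) are assumed; the capability list is the one from the answer.

```console
# 1. Create a scoped role. Note that cli-vol* covers every vol subcommand
#    (offline, destroy, ...), so this is broader than resizing alone.
filer> useradmin role create vol_admin -c "Role for volume admin" -a login-*,cli-df,cli-vol*,cli-qtree*

# 2. Create a dedicated filer group carrying only that role,
#    instead of mapping the AD group into the built-in Administrators group.
filer> useradmin group add vol_admins -c "AD storage admins, volume scope" -r vol_admin

# 3. Map the AD global group onto the filer group (the filer must already be
#    joined to the domain via cifs setup, as in the question).
filer> useradmin domainuser add DOMAIN\storage_admins -g vol_admins

# 4. Verify each link before handing out access.
filer> useradmin role list vol_admin
filer> useradmin group list vol_admins
filer> useradmin domainuser list -g vol_admins
```

Audit with the same `list` commands periodically: any role other than `vol_admin` appearing on `vol_admins`, or any extra domain group mapped to it, widens the AD group's reach beyond what was intended.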

igalkatzir

There is a more recent RBAC TR: TR-4062.
