
Active IQ Unified Manager Discussions

"Read only" cli- user



I would like to configure, on our NetApp storage systems, a user who will be allowed to connect via ssh and who will only be allowed to run non-modifying commands.

For example, I would like to allow him commands like these:

vol status <volname>

aggr status -r (or -s / -f)

rdfile <filepath>

snap list

lun show -m -g <igroup_name>

But not allow him commands like these:

vol size <volname> +Xg

aggr add <aggr_name> <ndisks> / aggr offline <aggr_name>

wrfile <filepath>

snap delete

lun offline <lunpath>

Does someone know if such a role with the corresponding capabilities exists (or already has one)?

If not, where can I find an exhaustive list of all existing capabilities so that I can build such a role?

Best Regards,




Where can I find info for 8.x?



As you mentioned, the "Role-Based Access Controls in Data ONTAP™: Granular Administration of Capabilities" doc is a great one.

It explains (with examples) how to implement RBAC.

At the end of the document (page 9), there's a list of all cli- capabilities.

The problem is that this document is now 4+ years old.

I'm sure that, since then, new capabilities have been implemented in DOT.

I was not able to find any up-to-date list of implemented capabilities for DOT 7.2.4 7.2.5 7.2.6 or 7.3.

I would be really interested in a per release exhaustive list of implemented capabilities.

Moreover, with such year-2004 capabilities, when for example cli-aggr-* is granted to a role, a user with that role assigned will not only be able to perform "aggr status -r/-s/-f" but also aggr offline/destroy commands.

I want to be more granular than that.

I hope that this is possible with the new capabilities that were probably introduced in DOT since then.

It will be really great if someone already implemented such a role that is limited to "read-only" cli- capabilities.
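An added example (not from this thread, NetApp, or any NetApp tool) of the over-grant check the post above describes: it models a role as a set of capability patterns, maps the thread's own allow/deny command lists onto assumed capability names of the form cli-<command>-<subcommand> (extrapolated from the "cli-aggr-*" notation used here; the real names must be confirmed against the sysadmin guide for your release), and reports which denied commands a wildcard role would let through. The useradmin_role_add helper and the role names are assumptions too.

```python
import fnmatch

# Constructed from the thread's own examples: what the read-only ssh user
# should be able to run, and what it must not.
ALLOW = ["vol status", "aggr status", "rdfile", "snap list", "lun show"]
DENY = ["vol size", "aggr add", "aggr offline", "wrfile", "snap delete", "lun offline"]


def capability_for(command):
    """Map a CLI command to the capability name it would need.

    Assumed naming: 'cli-<command>-<subcommand>', extrapolated from the
    'cli-aggr-*' notation used in the thread. Verify the exact names
    against the sysadmin guide for your Data ONTAP release.
    """
    return "cli-" + "-".join(command.split())


def is_granted(role_caps, command):
    """True if any capability pattern in the role covers the command."""
    cap = capability_for(command)
    return any(fnmatch.fnmatchcase(cap, pattern) for pattern in role_caps)


def audit_role(role_caps, allow=ALLOW, deny=DENY):
    """Return (missing, overgranted): allowed commands the role cannot
    run, and denied commands it unintentionally can."""
    missing = [c for c in allow if not is_granted(role_caps, c)]
    overgranted = [c for c in deny if is_granted(role_caps, c)]
    return missing, overgranted


def useradmin_role_add(role_name, role_caps):
    """Build a 7-mode 'useradmin role add' line for a capability set
    (assumed syntax; confirm it against your release before use)."""
    return f"useradmin role add {role_name} -a {','.join(role_caps)}"


# Coarse wildcard role versus one capability per read-only subcommand.
COARSE_ROLE = ["cli-vol-*", "cli-aggr-*", "cli-rdfile", "cli-snap-*", "cli-lun-*"]
FINE_ROLE = ["cli-vol-status", "cli-aggr-status", "cli-rdfile",
             "cli-snap-list", "cli-lun-show"]

if __name__ == "__main__":
    for name, caps in (("coarse", COARSE_ROLE), ("fine", FINE_ROLE)):
        missing, over = audit_role(caps)
        print(f"{name}: missing={missing} overgranted={over}")
        print("  " + useradmin_role_add("ro_cli", caps))
```

Running it shows the coarse role granting every denied aggr/vol/snap/lun subcommand while the per-subcommand role grants exactly the allowed set; whether the per-subcommand names are accepted by a given release is what the thread is trying to establish.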



The ONTAP sysadmin guide seems to be a good place to start for any changes to this capability.

I'm looking in the 7.3 sysadmin guide http://now.netapp.com/NOW/knowledge/docs/ontap/rel73/pdfs/ontap/sysadmin.pdf

There is a filerview-readonly option - GUI only, of course.

On page 109:

"Grants the specified role read-only access to FilerView. This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.

There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group."



A colleague already informed me about this filerview-readonly capability that was introduced in DOT 7.3.

At page 107 from the "Data ONTAP® 7.3 System Administration Guide", there is a short list of capabilities present in DOT 7.3.

Does anybody know if I can find an exhaustive per-release capability list?

Some of our systems are still running DOT 7.2, and anyway my goal is to define a read-only role for cli- commands.

It will be great if I can add a bunch of cli- capabilities into a role so that it would behave like the filerview-readonly role, but on the cli side.

I already tried with cli-readonly, also on DOT 7.3, but there's no such capability defined yet.

To be granular I need to know all capabilities that exist. I really searched for this, and I was not able to find such a list yet.



You can check the capabilities of a NetApp via API (or just via the ZExplore tool).

The API call to consider would be: system -> system-api-list

In the XML output (see attachment), you could grep for "<name>" and then for things like "read" and "list"... those should be your "safe APIs".

Have fun



It would be nice to find that exhaustive list that you are requesting. Funny that no one from NetApp seems to have one. Seems to be the case on a few matters that have come up. Like things are only partially thought through.
