Been looking at the SC (3.4.0) framework for a week or so. I am wondering if it is considered to be a useful platform for delegating control of filer operations (snapshots, clones, snapmirror and snapvault updates). Right now I have a handful of users that have to run such operations and as such they have accounts on various filers with the minimum privileges needed to perform such operations. However, the filer RBAC controls are far too wide and I can't limit these operations to particular volumes, for example. I like the idea of using our DFM server to set up a proxy by which all commands go through but I have to provide a simple interface so that snapshots and clones (et cetera) may be run from shell scripts.
From my research it would appear that a SC server would be required for each platform that needs to initiate such operations. Am I correct in this?
It also appears that you cannot configure DFM proxy via the GUI because it insists on a filer's credentials being entered. I have not tried CLI configuration as yet.
Has anyone else used this mechanism to delegate control in this manner or am I really trying to use the wrong tool here?
Yes SC can initiate all APIs through DFM proxy which means users would need access to the scServer or run their own scServer. This is limitted however to things Snap Creator does which I think was clear by your statment. So you cant just send any API or CLI command to DFM server through Snap Creator.
As for support in GUI, you are correct in 3.4 it is only supported through CLI. In 3.5 which releases on Jan 12 2012 it will also be fully supported in GUI. We also added RBAC capabilities in SC itself for those who want to control things more granular so that combo + DFM proxy makes an interesting use case
Re: Snapcreator as a mechanism for delegating data protection operations