When trying to create a "read only" user within OCUM 5.1 we have enabled the following:
User has the GlobalRead role
User has the GlobalReport role
User has a custom role, which inherits from GlobalRead with the capability dfm.database.read enabled for the Global group.
I am still getting:
[a45wdzz@nasnom02 ~]$ dfm user list
Error: To use the list command, you must have Global DFM Database Read capability.
[a45wdzz@nasnom02 ~]$ dfm controller list
There are no controllers.
There are several pieces of documentation that reference the "global database read" capability, but that is not a listed role and I don't see any other references inside the GUI to this capability, other than on that global group.
Granting the "GlobalRead" role to a user account is the same as "global database read". It grants the user account read-only access to the entire DB and allows them to view anything within DFM (a.k.a. OnCommand Unified Manager) in a read-only fashion. You should not need to grant the GlobalReport role if a user has GlobalRead, as they'll already be able to run reports.
Unless you have a need to nail down a role's visibility to only a particular resource group, or a particular storage object, I wouldn't bother with a custom role in this situation. The built-in "GlobalRead" role should get you exactly what you're looking for. That would be the only role I'd assign to the account.
Re: Enabling the "Global Database Read" capability
This user account should definitely not require root or sudo access. DFM relies on the hosting operating system's authentication system. So, so long as the user is known to the Linux server, you should be able to add it to DFM as an administrative user with the GlobalRead role.
Is this Linux server using an LDAP server for users? If so, you may need to configure LDAP within the DFM server.