Data Infrastructure Management Software Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Data Infrastructure Management Software Discussions

Start a New Post

NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

CAPATEL_NET1984
‎2017-08-21 09:01 AM

I want to give access of a user to create/delete snapshot for the group of volumes.

can I create something like a resourcegroup where I can add all the volumes and give access of those to particular user for snahsot command dir?

OR is there a way to give access by volume names?

 

I see someone mentioned that I can use -query "-volume <vol_name>" but what if there are multiple volumes?

 

 

0 Likes
View By:
4 Replies
Reply
4 REPLIES 4

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

colsen
NetApp A-Team
‎2017-08-21 12:21 PM

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris

View solution in original post

0 Likes
4 Replies
Reply

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

Kamran_Alam
‎2017-12-14 06:45 AM

Security roles have been successfully created but unable to login on OCSM when granted that roles to any of the users created manually.

 

Kindly suggest a solution if possible

@colsen_lanl_gov wrote:

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris

@colsen_lanl_gov wrote:

Hello,

 

You'll have to run a lot of this from the CLI as when I've created role rules from OCSM it's not formatting the commands quite right (especially when you put wildcards in the query argument).  Anyway, here is the list of commands that we used to allow sysadmins access to all of the things they needed to do inside the SVMs they're reponsible for:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

(Grants them read-only at the top level so they can use System Manager - otherwise they'll have to SSH directly into the SVM)

 

security login role create -role sys_admin_role -cmddirname "volume qtree" -query "-vserver oracle*" -access all

(Grants them the ability to manage qtrees in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "vserver export-policy" -query "-vserver oracle*" -access all

(Grants them the ability to manage export policy in any SVM named "oracle*")

 

security login role create -role sys_admin_role -cmddirname "volume snapshot" -query "-vserver oracle*" -access all

(Grants them the ability to manage snapshots in any SVM named "oracle*")

 

Then you can create cluster-level accounts and grant that role to those users.  Anyway, you'll need to organize things by SVM or name all your volumes with the same prefix, then you can scope the role rules to a list of objects/containers that match the pattern you specify.  If all the volumes in question are within a single SVM, then you can scope the role (or even the user account) to just that SVM.

 

ONTAP9 reference for security login role stuff:  http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-920%2FTOC__security__login.html

 

Hope that helps,

 

Chris

 

0 Likes
4 Replies
Reply

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

colsen
NetApp A-Team
‎2017-12-14 11:02 AM

Hmmm - that first command in the list is the only thing you need to grant access via OCSM:

 

security login role create -role sys_admin_role -cmddirname DEFAULT -access readonly

 

Did you grant them all the appropriate "user login methods"?  They'll need 'http' for OCSM to work.  You can verify the allowed methods via the OCSM GUI (it's just the role creation you need to do via CLI).

 

Hope that helps,

 

Chris

0 Likes
4 Replies
Reply

Re: NetApp C-Mode access: how to give access of only particular volumes to a user for snapshots

adestiscompany
‎2018-09-20 04:40 AM

Hello Chris,

 

your solution seems not to work with OCSM at least on version 9.4.

Access via SSH is possible but OCSM refuses access.

 

But instead such a user sees a lot more than just his/her vserver.

My test showed that via SSH the user was also able to view the volumes of all vservers.

And this might also be true for other things. Maybe the DEFAULT access allows to much.

 

Regards

Markus

0 Likes
4 Replies
Reply
Cloud Volumes ONTAP
Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public