Active IQ Unified Manager Discussions

how to create separate, least privileged role for OCUM Service Account user?

IMHOTEPSON
16,169 Views

We have OCUM 7.1 with integrated (linked with cert) OCPM, by policy it is not allowed to use the default admin role for the service account which will gather the Filers.

So we need to create a separate role with the required permissions and add the user to this role.

 

Does anyone know if there is a howto? (I found one for DFM 7-Mode but not for OCUM cDOT) or can advise how to do this?

 

regards imho

 

https://en.wikipedia.org/wiki/Principle_of_least_privilege

1 ACCEPTED SOLUTION

joele
15,807 Views

Upfront warning - this user setup below is not approved by NetApp support and they won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc.  I don't expect any issues with this configuration but wanted to be as clear on this as possible.

 

I've had success using a limited role with OCUM/OPM 7.1 using the commands below:

 

security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster show" -access all
vserver services web access create -vserver <cluster_vserver> -name spi -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application ontapi -authmethod password -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application http -authmethod password -role ocum_readonly_role

 

Here's the rationale for the commands above.  

 

- A limited role is set up with access to the 'cluster application-record' command tree. This is where ONTAP tracks what OCUM/OPM/WFA instances are managing the cluster.

- OCUM also demands access to the 'metrocluster' command tree and polling fails without this access.
- A SPI role is created to allow OCUM/OPM to pull performance files.
- A login is created with http/ontapi access. All connectivity should be through API calls for most metrics, or HTTP calls to the SPI interface to pull performance data.

View solution in original post
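As an added example (not from this thread and not NetApp's own tooling): a Python pre-flight check that parses a set of `security login role create` commands like the ones in the accepted answer and flags anything that exceeds the read-only baseline beyond the three command directories the answer says OCUM needs. The command text, the vserver name `cluster1` and the allowlist are constructed for the example.

```python
"""Pre-flight least-privilege check for an ONTAP custom role definition."""
import shlex
from collections import defaultdict

# Constructed input: the role commands from the answer above, with the
# <cluster_vserver> placeholder replaced by a made-up name.
ROLE_COMMANDS = """
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver cluster1 -role ocum_readonly_role -cmddirname "metrocluster show" -access all
vserver services web access create -vserver cluster1 -name spi -role ocum_readonly_role
"""

# Command directories the answer says OCUM needs above readonly; any other
# directory granted 'all' is treated as a least-privilege violation.
ALLOWED_ALL = {"cluster application-record", "metrocluster modify", "metrocluster show"}


def parse_role_commands(text):
    """Return {role: {cmddirname: access}} from 'security login role create' lines."""
    roles = defaultdict(dict)
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # quoted names like "metrocluster show" stay one token
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue  # skip non-role lines such as 'vserver services web access create'
        opts = dict(zip(tokens[4::2], tokens[5::2]))  # '-flag value' pairs
        roles[opts["-role"]][opts["-cmddirname"]] = opts["-access"]
    return dict(roles)


def least_privilege_findings(roles, allowed_all=ALLOWED_ALL):
    """Flag DEFAULT above readonly and 'all' on directories outside the allowlist."""
    findings = []
    for role, dirs in roles.items():
        default = dirs.get("DEFAULT", "none")
        if default not in ("none", "readonly"):
            findings.append(f"{role}: DEFAULT access is '{default}', expected readonly")
        for cmddir, access in dirs.items():
            if cmddir != "DEFAULT" and access == "all" and cmddir not in allowed_all:
                findings.append(f"{role}: '{cmddir}' granted all but is not on the allowlist")
    return findings


if __name__ == "__main__":
    problems = least_privilege_findings(parse_role_commands(ROLE_COMMANDS))
    print("\n".join(problems) if problems else "role matches the least-privilege baseline")
```

Run it against the command set before applying it to a cluster; a role that accidentally grants `DEFAULT -access all` (the admin-equivalent the policy forbids) is reported as a finding.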

23 REPLIES

IMHOTEPSON
7,325 Views

Sure, you are right, the compliance tool will have a separate user and will run from another system, so it is not addressed to OCUM itself.

colsen
7,306 Views

Hello,

 

Okay - so I get the honorary "follow the rules dummy" award.  Anyway, I looked at your role list and saw the "metrocluster modify/show" and said "oh, we don't run metrocluster" so I didn't add those.  My colleague said, "well maybe if it gets a deny on any call it says discover failed".  We added those two permissions and voila - it works.

 

We'll let it run against our COOP cluster and make sure things look good and then apply it to the other clusters.

 

Thanks so much for the list - wish I had just followed it correctly in the first place!

 

Chris

joele
7,304 Views

@colsen

 

Happens to all of us at one point or another!  I'm glad that OCUM is no longer complaining about failed polling.  I haven't had a chance to test out 7.2 with this custom role yet - let me know if you see any issues.
