Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2017-09-12
01:31 AM
We use a separate role for compliance scripts ... (custom)
added the
-cmddirname "system node run" -access all
-cmddirname "set" -access all
for testing; this will be reduced to the dedicated commands. Thanks for the "keep in mind" thoughts.
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2017-09-12
06:41 AM
Is OCUM running those compliance scripts as well? Adding the 'system node run' tree with 'all' access opens up the roles capabilities by quite a bit, just a quick thought.
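The concern raised above, that granting `all` on a tree such as `system node run` widens a polling role far past read-only, can be checked mechanically. The script below is an added example, not code from this thread or from NetApp: it parses the tabular output of `security login role show -role <role>` and reports entries that break least privilege for a monitoring account. ROLE_SHOW_SAMPLE is a constructed sample (the cluster and role names are placeholders), and the set of escape-hatch directories is this example's own judgement.

```python
"""Flag over-broad command directories in an ONTAP custom role.

Added example, not code from this thread or from NetApp. It parses the
tabular output of `security login role show -role <role>` and reports
entries that widen a monitoring role past read-only. ROLE_SHOW_SAMPLE is a
constructed sample (cluster and role names are placeholders), and the list
of escape-hatch directories is this example's own judgement.
"""
import re
from typing import List, NamedTuple


class RoleEntry(NamedTuple):
    vserver: str
    role: str
    cmddir: str   # command directory, e.g. "system node run"
    query: str    # optional query restricting the directory, "" if none
    access: str   # "all", "readonly" or "none"


# One data row: vserver, role name, directory (may contain spaces) plus an
# optional query, then the access level as the last token.
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(all|readonly|none)$")

# Directories that hand out far more than a poller needs, even at readonly:
# the nodeshell, the systemshell, and the catch-all default entry.
ESCAPE_HATCHES = {"DEFAULT", "system node run", "system node systemshell"}


def parse_role_show(output: str) -> List[RoleEntry]:
    """Parse `security login role show` output into RoleEntry tuples."""
    entries = []
    for raw in output.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue  # headers, separators, "N entries were displayed."
        vserver, role, middle, access = m.groups()
        # A query, if present, starts with the first "-option" token.
        cmddir, _, query = middle.partition(" -")
        query = ("-" + query) if query else ""
        entries.append(RoleEntry(vserver, role, cmddir.strip(), query, access))
    return entries


def audit_role(entries: List[RoleEntry]) -> List[str]:
    """Return one finding per entry that breaks least privilege for a poller."""
    findings = []
    for e in entries:
        if e.cmddir in ESCAPE_HATCHES and e.access != "none":
            findings.append(
                f"{e.role}: '{e.cmddir}' granted {e.access}; this directory "
                f"is an escape hatch and should stay at none")
        elif e.access == "all":
            findings.append(
                f"{e.role}: '{e.cmddir}' granted all; a monitoring account "
                f"only needs readonly")
    return findings


ROLE_SHOW_SAMPLE = """\
           Role          Command/                                   Access
Vserver    Name          Directory                          Query   Level
---------- ------------- ---------------------------------- ------- --------
cluster1   ocum_readonly DEFAULT                                    none
cluster1   ocum_readonly metrocluster show                          readonly
cluster1   ocum_readonly set                                        all
cluster1   ocum_readonly system node run                            all
cluster1   ocum_readonly volume show                                readonly
5 entries were displayed.
"""

if __name__ == "__main__":
    for finding in audit_role(parse_role_show(ROLE_SHOW_SAMPLE)):
        print(finding)
```

Run it against the saved output of `security login role show -role <role>` on the cluster; anything it prints is a grant to justify or tighten before the role goes into production.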
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2017-09-12
08:09 AM
Sure, you are right. The compliance tool will have a separate user and will run from another system, so it is not addressed to OCUM itself.
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2017-09-12
11:11 AM
Hello,
Okay - so I get the honorary "follow the rules dummy" award. Anyway, I looked at your role list and saw the "metrocluster modify/show" and said "oh, we don't run metrocluster" so I didn't add those. My colleague said, "well maybe if it gets a deny on any call it says discover failed". We added those two permissions and voila - it works.
We'll let it run against our COOP cluster and make sure things look good and then apply it to the other clusters.
Thanks so much for the list - wish I had just followed it correctly in the first place!
Chris
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2017-09-12
11:34 AM
Happens to all of us at one point or another! I'm glad that OCUM is no longer complaining about failed polling. I haven't had a chance to test out 7.2 with this custom role yet - let me know if you see any issues.
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2018-02-26
11:15 AM
On ONTAP 9.3, the cluster vserver already has a service called "spi" in the admin role (and type admin). Wouldn't this conflict with the commands you've listed?
(cluster)::> vserver services web access show
Vserver        Type     Service Name     Role
-------------- -------- ---------------- ----------------
(cluster)      admin    spi              admin
-Ed
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2018-03-01
07:21 AM
It's quite likely it would, yes. I'm curious to see how a 9.1/9.2 cluster with that previous set of commands run is impacted after upgrading to 9.3. I'll add this to the list of things to check on.
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2018-04-12
09:00 AM
To close this one out -
I spun up a new 9.1 simulator, upgraded it to 9.3, and was able to run the previous command set without any issues or collisions. I'm adding it to an OCUM 7.3 instance now to see how things look.
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2018-07-23
06:30 AM
Hi,
I followed your instructions and created the ocum_readonly user on ONTAP 9.1P9 with your read-only role.
OCUM 9.4 doesn't add the new cluster, with the following error message:
"Mon Jul 23 13:15:26 2018 scxxxxx [kern_audit:info:1865] 8503e8000082515d :: scxxxxx:ontapi :: 10.xxx.xxx.xx:42836 :: scxxxxx:ocum_readonly :: Insufficient privileges: user 'ocum_readonly' does not have write access to this resource :: ONTAPI :: Error"
Is it possible to have a detailed read-only role for ONTAPI requests?
Thanks, bjoern
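The kern_audit line quoted in the post above is what ONTAP writes for every call the role refuses, so tailing that log while OCUM discovers a cluster is the practical way to find out which permission is still missing. The script below is an added example, not code from this thread or from NetApp: it parses such lines and groups denials by user, application and client address. The field order is taken from the single line quoted above (header, node:application, client ip:port, node:user, message fields, status); the sample lines are constructed, and the node name, addresses, session IDs and the shape of the Success lines are assumptions.

```python
"""Pull privilege denials for a service account out of ONTAP kern_audit lines.

Added example, not code from this thread or from NetApp. The field order is
taken from the single audit line quoted in the thread: header, node:application,
client ip:port, node:user, then message fields ending with a status. The
sample lines below are constructed (node name, addresses, session ids and the
shape of the Success lines are assumptions), so they can be parsed offline.
"""
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple


class AuditEvent(NamedTuple):
    timestamp: str
    node: str
    session: str
    application: str  # e.g. "ontapi", "ssh"
    client: str       # source address without the port
    user: str
    detail: str       # message fields between the user and the status
    status: str       # last field, e.g. "Error" or "Success"


# Header part: "Mon Jul 23 13:15:26 2018 <node> [kern_audit:info:<pid>] <session>"
_HEAD = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<node>\S+) "
    r"\[kern_audit:\w+:\d+\] (?P<session>[0-9a-f]+)$"
)


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent, or None for lines that are not kern_audit records."""
    fields = [f.strip() for f in line.strip().split(" :: ")]
    if len(fields) < 5:
        return None
    head = _HEAD.match(fields[0])
    if not head:
        return None
    # application and user carry a "<node>:" prefix in the log; drop it.
    application = fields[1].split(":", 1)[-1]
    client = fields[2].rsplit(":", 1)[0]
    user = fields[3].split(":", 1)[-1]
    return AuditEvent(
        timestamp=head["ts"], node=head["node"], session=head["session"],
        application=application, client=client, user=user,
        detail=" :: ".join(fields[4:-1]), status=fields[-1],
    )


def is_privilege_denial(ev: AuditEvent) -> bool:
    """True when ONTAP rejected the call because the role lacks a permission."""
    return ev.status == "Error" and "Insufficient privileges" in ev.detail


def summarise_denials(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count denials per (user, application, client), skipping unparsable lines."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev is not None and is_privilege_denial(ev):
            counts[(ev.user, ev.application, ev.client)] += 1
    return dict(counts)


# Constructed sample: two denials from OCUM's poller, one call that succeeded,
# an unrelated admin SSH command, and a line that is not an audit record.
SAMPLE_LINES = [
    "Mon Jul 23 13:15:26 2018 cluster1 [kern_audit:info:1865] 8503e8000082515d"
    " :: cluster1:ontapi :: 10.0.0.5:42836 :: cluster1:ocum_readonly"
    " :: Insufficient privileges: user 'ocum_readonly' does not have write"
    " access to this resource :: ONTAPI :: Error",
    "Mon Jul 23 13:15:26 2018 cluster1 [kern_audit:info:1865] 8503e8000082515e"
    " :: cluster1:ontapi :: 10.0.0.5:42840 :: cluster1:ocum_readonly"
    " :: Insufficient privileges: user 'ocum_readonly' does not have write"
    " access to this resource :: ONTAPI :: Error",
    "Mon Jul 23 13:15:27 2018 cluster1 [kern_audit:info:1865] 8503e8000082515f"
    " :: cluster1:ontapi :: 10.0.0.5:42841 :: cluster1:ocum_readonly"
    " :: ONTAPI :: Success",
    "Mon Jul 23 13:16:00 2018 cluster1 [kern_audit:info:1865] 8503e80000825160"
    " :: cluster1:ssh :: 10.0.0.9:51000 :: cluster1:admin"
    " :: volume show :: Success",
    "Mon Jul 23 13:16:01 2018 cluster1 [kern_audit:info:1865] not an audit record",
]

if __name__ == "__main__":
    for (user, app, client), n in summarise_denials(SAMPLE_LINES).items():
        print(f"{n} denial(s) for {user} via {app} from {client}")
```

The denial message in the thread does not name the command directory that was refused, so the summary tells you when and from where the role is being rejected, not which entry to add; that still has to come from the ONTAPI calls the poller makes during discovery.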
Re: how to create a separate, least-privileged role for the OCUM Service Account user?
2018-07-23
08:12 AM
Hi bjoern,
I haven't tested this role with OCUM 9.4 yet unfortunately, but will take a look when I have some free time.