ONTAP Discussions

Question about security and management of aggregate

pylanglois
2,617 Views

Hi!

I work for an organization that has multiple departments. That organization has bought a new SAN managed by NetApp. That SAN is intended to be shared by all departments. Is it possible to manage the access to NetApp in order to control the scope of what each user (IT guy from each department) can do?

For instance, is it possible for techGuyOne to manage the aggregate1 without seeing/modifying/deleting the aggregate2 that belongs to techGuyTwo?

Thanks for your help!

boristetsis
Hi

No, it is not possible for a tech guy to manage aggregate1 without seeing/modifying/deleting the aggregate2 that belongs to techGuyTwo. Whoever has the access rights to manage aggregate 1 can also manage aggregate 2.

There is an alternative: instead of using aggregates, you move one level up and use volumes. You use MultiStore to create vFilers (virtual filers). You assign each vFiler a volume as its root volume. Each vFiler has its own hostname and IP address. Each vFiler has its own root account and password. For each vFiler you can assign separate access rights and passwords. Each vFiler can be a member of a Windows domain.

Regards

Boris

pylanglois
Thanks for your answer, it is really appreciated.

vFiler seems to be an interesting alternative... What sort of management can be done from a vFiler SSH session?

As I understand it, the system storage manager creates one or more FlexVols and then assigns them to a vFiler. Does this mean that resizing a FlexVol and prioritizing FlexVols between them with FlexShare can only be done by the system storage manager?

Does vFiler add a lot of management for the system storage manager?

Thank you!

scottgelb
vFilers do not support FCP at this time, so if Fibre Channel SAN, it isn't an option...but if NFS, iSCSI, CIFS it is an option.

vFiler management is done either through the main vfiler0 login or you can use non-interactive ssh into the vFiler itself. So, the owner of a vFiler cannot get an interactive shell but can enter "ssh -l root vfilername command" and get command output. There is no GUI for vFilers at this time (although some actions can be done via Windows MMC for share creation management for CIFS and also Provisioning Manager for resources).

The resizing commands need to be done from vFiler0, so the vfiler admin could not modify that setting for example.

pylanglois
Thanks Scott Gelb and boristetsis, your help was very useful for me.
