ONTAP Discussions

Read Only User

chriskranz

I'd like to be able to secure an API user that would have read-only access to the filer. Going through RBAC, this seems possible, but there are too many options to successfully create a role based on this. The command errors as it's too long, and if I load it into a text file and run it using source, it reports the command is too long. I won't post the full list of "api-" RBAC roles I want to give the user as it's a bit big!

Is there an easy way of creating a read-only api-* user?


rashmid

Hi Chris,

There is no easy way to create a role with privilege to access all read-only APIs. If you create a privilege with api-* then it provides access to all the APIs. You have to explicitly list out read-only APIs like api-system-*, api-qtree-list-*.

Thanks,

Rashmi.

chriskranz

Thanks for the reply. However, that's the problem I have. I've been through all the api- roles and highlighted the read-only ones, but the command line input buffer isn't long enough to accept this into a single role. If there was a way that I could add additional settings to an existing role, then I could build this up, but there doesn't seem to be; it just overwrites the existing settings.

rashmid

You can use useradmin category APIs to overcome the limitations of CLI.

Thanks,

Rashmi.

nagendrk

Maybe you can break the api-* list into multiple roles, each one having different APIs as capabilities. Then add these roles to a group, then assign a read-only user to this group.

For example, create the roles you need.

Name: testrole
Info:
Allowed Capabilities: api-*

Name: login
Info:
Allowed Capabilities: cli-*,login-ssh,login-telnet

Create a group for these roles:

Name: testgrp
Info:
Rid: 131085
Roles: testrole,login

Assign user to this role.

Name: testuser
Info:
Rid: 131092
Groups: testgrp

Let me know if this works!
