2015-05-28 02:35 PM
I have a CDOT cluster on 8.3. My manager wants individual business units to manage their own vserver via System Manager.
It is my understanding that it is not currently possible for System Manager to manage an individual vserver on a cDOT array.
Is this true?
If it is true, are there any plans to provide this capability in the future?
2015-05-29 12:03 AM
My name is Chriz Ott, I'm working with NetApp as a Principal Architect.
Thank you very much for your question. Your use case is one of the use cases cDOT was designed for - Secure Multi Tenancy.
Unfortunately you are correct, currently it is not possible to manage individual SVMs using the System Manager.
There are definitely plans to bring this functionality into System Manager, however in the past they have been deferred for the benefit of other features.
A workaround could be using WFA (Workflow Automation) to provide certain "operational tasks" that application owners would usually require and have WFA take care of RBAC (including integration into an existing LDAP).
Another way would be to use our SnapManager products for individual applications such as SQL, Exchange, SharePoint etc. to connect to the SVM and manage their storage.
I hope this answer is useful for you, please don't hesitate to come back to me in case you have more questions.
P.S. if you feel this answer is useful, please KUDO or "correct answer" so other people may find it faster.
2015-07-03 03:57 AM
I would like to ask you about this topic.
I would like to let individual business units manage their own vserver via System Manager, too.
The OnCommand System Manager 8.3 is included with Data ONTAP as a web service.
It seems that cDOT 8.3 has a "vserver services web access" command.
Can we manage an individual vserver on a cDOT array to a certain degree?
2017-09-21 06:35 AM
I am running 9.1 now, and there is still no possibility to give individual SVM GUI access.
It would be a nice feature.
"/sysmgr/SysMgr.html " svm
The requested URL /sysmgr/SysMgr.html was not found on this server.
2017-09-21 08:34 AM
Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM). We have done this with the system administrators for our Oracle E-Business Suite systems and they're able to do almost everything they need to do. The process looks something like this:
security login role create -role <ROLE NAME> -cmddirname DEFAULT -access readonly
security login role create -role <ROLE NAME> -cmddirname "volume qtree" -query "-vserver <SVM NAME>" -access all
security login role create -role <ROLE NAME> -cmddirname "vserver export-policy" -query "-vserver <SVM NAME>" -access all
vserver services web access create -vserver <CLUSTER SVM> -name sysmgr -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application http -authentication-method password -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application ontap -authentication-method password -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application ssh -authentication-method password -role <ROLE NAME>
This is actually preferable to an SVM-by-SVM user account for us in that these sysadmins have multiple SVMs and would need accounts on each one. We overcome this by applying a wildcard to the query object of the role - since our SVMs follow a standard naming convention we just grant them access to any SVM named "oracle-*". Also, we wanted to limit some of what they could do inside the SVM and being an SVMadmin would have been too permissive for our use case.
Hope that helps,
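An added example, not part of the post above and not NetApp tooling: a small Python check that reads `security login role create` lines in the form shown in that post and reports entries that are broader than the intended SVM naming pattern. The role name `ora_admin`, the `hr-*` pattern and the sample lines are constructed for illustration.

```python
import shlex

# Constructed sample: the post's role commands with hypothetical names filled
# in (ora_admin, oracle-*), plus two deliberately over-broad entries.
SAMPLE = '''
security login role create -role ora_admin -cmddirname DEFAULT -access readonly
security login role create -role ora_admin -cmddirname "volume qtree" -query "-vserver oracle-*" -access all
security login role create -role ora_admin -cmddirname "vserver export-policy" -query "-vserver oracle-*|hr-*" -access all
security login role create -role ora_admin -cmddirname "volume snapshot" -access all
'''

def parse(line):
    """Split one 'security login role create' line into {flag: value}."""
    tokens = shlex.split(line)
    if tokens[:4] != ["security", "login", "role", "create"]:
        return None
    args = tokens[4:]
    return {args[i].lstrip("-"): args[i + 1] for i in range(0, len(args) - 1, 2)}

def query_vserver(query):
    """Return the -vserver pattern inside a -query string, or None."""
    parts = shlex.split(query or "")
    if "-vserver" in parts[:-1]:
        return parts[parts.index("-vserver") + 1]
    return None

def audit(text, prefix):
    """List (cmddirname, reason) for entries broader than SVMs named prefix*."""
    findings = []
    for line in text.splitlines():
        entry = parse(line) if line.strip() else None
        if entry is None:
            continue
        cmd, access = entry.get("cmddirname"), entry.get("access")
        scope = query_vserver(entry.get("query"))
        if cmd == "DEFAULT":
            if access not in ("readonly", "none"):
                findings.append((cmd, "DEFAULT grants write access"))
        elif access == "all" and scope is None:
            findings.append((cmd, "no -vserver query"))
        # '|' is the OR operator in ONTAP queries: check every alternative.
        elif scope and not all(s.startswith(prefix) for s in scope.split("|")):
            findings.append((cmd, "query reaches SVMs outside " + prefix + "*"))
    return findings

if __name__ == "__main__":
    for cmd, reason in audit(SAMPLE, "oracle-"):
        print(f"{cmd}: {reason}")
```

The prefix test is a string heuristic on the query text; it does not evaluate which SVMs actually exist on the cluster.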
2018-02-23 06:55 AM
@colsen_lanl_gov, I am trying your recommended alternative. I assume this works with domain groups, right (where auth method is domain and not password)? I'm having difficulty with applying this to two SVMs. In the query I entered:
-query "-vserver <svm1> <svm2>"
There was no error, but the user wasn't able to log on to the cluster via System Manager. I tried again with just one SVM and they still couldn't log on. Any ideas?