Microsoft Virtualization Discussions

Connecting to cluster generates a "Insufficient privileges" when using the default readonly role

cc2
4,421 Views

Hi,

Does anyone have an idea about what minimum permissions is required to connect to ontap? 

I am using the default readonly role and every read command that I have tried works.
However in the auditlogs I keep getting an Insufficient privileges.

The Connect-NcController tries to write to a file  /etc/powershell.

The audit log shows the following :

 

<netapp version='1.0' xmlns='http://www.netapp.com/filer/admin'><system-cli>^M <args>^M <arg>node</arg>^M <arg>run</arg>^M <arg>controller-a</arg>^M <arg>-command</arg>^M <arg>wrfile</arg>^M <arg>/etc/powershell</arg>^M <arg>;</arg>^M <arg>node</arg>^M <arg>run</arg>^M <arg>controller-a</arg>^M <arg>-command</arg>^M <arg>wrfile</arg>^M <arg>-a</arg>^M <arg>/etc/powershell</arg>^M <arg>// File generated by the Data ONTAP PowerShell Toolkit: powershell.usagelog.version=1: powershell.usagelog.lastupdated=1644250226: powershell.cmdlet.CONNECTNCCONTROLLER.count=1: powershell.cmdlet.GETNCVOL.count=1: powershell.usagelog.timestamp=1644250226: </arg>^M </args>^M <priv>advanced</priv>^M </system-cli></netapp>^M :: Pending:

1 ACCEPTED SOLUTION

cc2
4,220 Views

For anyone else that has this issue, I found a workaround by setting the variable "$DataONTAP_SkipEmsReport = $true"

View solution in original post

7 REPLIES 7

NetApp_SR
4,336 Views

Others have had the same question. Please see if the below link helps to answer your question.

 

https://community.netapp.com/t5/ONTAP-Discussions/PowerShell-user-ReadOnly-does-not-have-write-access-to-this-resource/td-p/429950

 

cc2
4,312 Views

Hi and thank you for your replay.

I have read those suggestions and unfortunatly they do not help.
I am using the readonly role and it has the default command with permission readonly as mentioned in one of those posts.

 

Here is the permissions from the readonly role if that helps.

Command/ Access
Directory Query Level
--------- ----------------------------------- --------

DEFAULT readonly
security readonly
security login password all
security login publickey all
security login role show-user-capability all
set all

cc2
4,221 Views

For anyone else that has this issue, I found a workaround by setting the variable "$DataONTAP_SkipEmsReport = $true"

rjefferis
3,227 Views

Hi cc2, sorry could you confirm how/where you are setting that variable please. I am getting the same problem. Thanks

 

cc2
3,223 Views

Hi, rjefferis.

You can just add it in the beginning of your scrip. As long as the variable is set before you connect it should be fine.

$DataONTAP_SkipEmsReport = $true
Connect-NcController -Name "ontapcluster1"

 

 

rjefferis
3,222 Views

ah ha, sorry! Thanks for the quick reply!! Have a great christmas

cc2
3,216 Views

No problem, 
Happy Christmas

Public