Microsoft Virtualization Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Virtualization Discussions

Ask a Question

Permissions required for PowerShell Cmdlets

NETAPP_USER_NAME
‎2013-08-12 08:27 AM
5,983 Views

Does anyone know if there is a document that specifies which permissions are
required to run each of the PowerShell cmdlets?  For example, a simple script to
modify volume quotas and run reports requires the user to have access to the
following commands:

  • >version  (Runs after the Connect-NcController cmdlet)
  • >volume quota *    (Required to query or modify quotas)
  • >jobs show    (Required when running Start-NcQuotaResize)

Once I figured this out, things went as planned but it took a bit of
troubleshooting to figure out the correct permissions.  If this was documented
somewhere it would make the scripting much easier.

0 Kudos
View By:
4 REPLIES 4

vinith
NetApp Alumni
‎2013-08-13 02:17 AM
5,983 Views

Hello Pitt,

The User account which you use to connect to the controller should have the appropriate permission on the filer so that it can invoke cmdlets on the controller.

Thanks,

Vinith

bsti
‎2013-08-14 07:20 AM
5,983 Views

I don't think they are centrally documented anywhere, but one thing that will help you is to examine the help for the cmdlets in question.  Under the Notes section (usually), it will detail the apis that get used by the cmdlet.  I think most if not all cmdlets map to an API on the back-end.  Use the list of APIs used to determine which api-* permissions you need to assign to your roles.

For example, Get-NaVol uses these APIs according to the help:

API: volume-list-info-iter-start, volume-list-info-iter-next, volume-list-info-iter-end, volume-list-info

So create a new role with the following capability:  api-volume-*

New-NaRole -Role test -Capabilities api-volume-*

0 Kudos

cknight
NetApp
‎2013-08-14 11:10 AM
5,983 Views

You can use Get-NaHelp or Get-NcHelp to see which APIs are used:

PS C:\> Get-NaHelp -Category aggr | select name, api | ft -AutoSize

Name                   Api

----                   ---

Add-NaAggr             {aggr-add}

Confirm-NaAggrSpareLow {aggr-check-spare-low}

Get-NaAggr             {aggr-list-info}

Get-NaAggrFilerInfo    {aggr-get-filer-info}

Get-NaAggrMediaScrub   {aggr-mediascrub-list-info}

Get-NaAggrOption       {aggr-options-list-info}

Get-NaAggrScrub        {aggr-scrub-list-info}

Get-NaAggrSpace        {aggr-space-list-info}

Get-NaAggrVerify       {aggr-verify-list-info}

New-NaAggr             {aggr-create}

New-NaAggrMirror       {aggr-mirror}

Remove-NaAggr          {aggr-destroy}

Rename-NaAggr          {aggr-rename}

Resume-NaAggrScrub     {aggr-scrub-resume}

Resume-NaAggrVerify    {aggr-verify-resume}

Set-NaAggr             {aggr-online, aggr-offline, aggr-restrict}

Set-NaAggrOption       {aggr-set-option}

Set-NaAggrRaidType     {aggr-modify-raid-type}

Split-NaAggrMirror     {aggr-split}

Start-NaAggrScrub      {aggr-scrub-start}

Start-NaAggrVerify     {aggr-verify-start}

Stop-NaAggrScrub       {aggr-scrub-stop}

Stop-NaAggrVerify      {aggr-verify-stop}

Suspend-NaAggrScrub    {aggr-scrub-suspend}

Suspend-NaAggrVerify   {aggr-verify-suspend}

NETAPP_USER_NAME
‎2013-08-14 11:54 AM
In response to cknight
5,983 Views

Thanks for all the posts.  The Get-NaHelp cmdlet that you mentioned will be extremely helpful.  I'm trying to control access with custom roles so this will allow me to restrict access to only the API commands necessary.

Thanks,

Bill

0 Kudos
All Community Forums
Public