Microsoft Virtualization Discussions

Permissions required for PowerShell Cmdlets

NETAPP_USER_NAME
7,287 Views

Does anyone know if there is a document that specifies which permissions are
required to run each of the PowerShell cmdlets?  For example, a simple script to
modify volume quotas and run reports requires the user to have access to the
following commands:

  • >version  (Runs after the Connect-NcController cmdlet)
  • >volume quota *    (Required to query or modify quotas)
  • >jobs show    (Required when running Start-NcQuotaResize)

Once I figured this out, things went as planned but it took a bit of
troubleshooting to figure out the correct permissions.  If this was documented
somewhere it would make the scripting much easier.

4 REPLIES 4

vinith
7,287 Views

Hello Pitt,

The User account which you use to connect to the controller should have the appropriate permission on the filer so that it can invoke cmdlets on the controller.

Thanks,

Vinith

bsti
7,287 Views

I don't think they are centrally documented anywhere, but one thing that will help you is to examine the help for the cmdlets in question.  Under the Notes section (usually), it will detail the apis that get used by the cmdlet.  I think most if not all cmdlets map to an API on the back-end.  Use the list of APIs used to determine which api-* permissions you need to assign to your roles.

For example, Get-NaVol uses these APIs according to the help:

API: volume-list-info-iter-start, volume-list-info-iter-next, volume-list-info-iter-end, volume-list-info

So create a new role with the following capability:  api-volume-*

New-NaRole -Role test -Capabilities api-volume-*

cknight
7,287 Views

You can use Get-NaHelp or Get-NcHelp to see which APIs are used:

PS C:\> Get-NaHelp -Category aggr | select name, api | ft -AutoSize

Name                   Api

----                   ---

Add-NaAggr             {aggr-add}

Confirm-NaAggrSpareLow {aggr-check-spare-low}

Get-NaAggr             {aggr-list-info}

Get-NaAggrFilerInfo    {aggr-get-filer-info}

Get-NaAggrMediaScrub   {aggr-mediascrub-list-info}

Get-NaAggrOption       {aggr-options-list-info}

Get-NaAggrScrub        {aggr-scrub-list-info}

Get-NaAggrSpace        {aggr-space-list-info}

Get-NaAggrVerify       {aggr-verify-list-info}

New-NaAggr             {aggr-create}

New-NaAggrMirror       {aggr-mirror}

Remove-NaAggr          {aggr-destroy}

Rename-NaAggr          {aggr-rename}

Resume-NaAggrScrub     {aggr-scrub-resume}

Resume-NaAggrVerify    {aggr-verify-resume}

Set-NaAggr             {aggr-online, aggr-offline, aggr-restrict}

Set-NaAggrOption       {aggr-set-option}

Set-NaAggrRaidType     {aggr-modify-raid-type}

Split-NaAggrMirror     {aggr-split}

Start-NaAggrScrub      {aggr-scrub-start}

Start-NaAggrVerify     {aggr-verify-start}

Stop-NaAggrScrub       {aggr-scrub-stop}

Stop-NaAggrVerify      {aggr-verify-stop}

Suspend-NaAggrScrub    {aggr-scrub-suspend}

Suspend-NaAggrVerify   {aggr-verify-suspend}

NETAPP_USER_NAME
7,287 Views

Thanks for all the posts.  The Get-NaHelp cmdlet that you mentioned will be extremely helpful.  I'm trying to control access with custom roles so this will allow me to restrict access to only the API commands necessary.

Thanks,

Bill

Public