
useradmin role and group will not work

richard_mackerras

Hi,

Our Service Desk want access to the filer to close open files. This seems to be a problem at shift changes where a file remains locked which another user needs to edit. The preferred access tool is "Computer Management" (or alternatively Hyena).

If I put a Service desk user, or the AD group created for the purpose, into "Power Users", they can do what they need to do.

If I put a Service desk user, or the AD group created for the purpose, into a group I defined, using a role I defined, they get access denied.

toaster> useradmin domainuser list  -g  "Power users"

List of SIDS in Power users

S-1-5-...

toaster> useradmin domainuser list  -g  isservicedesk

List of SIDS in isservicedesk

S-1-5-...

toaster> cifs lookup S-1-5-...

name = AD\System - NetApp Operators

I have not changed the "Power Users" group

toaster> useradmin group list "Power Users"

Name: Power Users

Info: Members that can share directories

Rid: 547

Roles: power

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

toaster> useradmin role list power

Name:    power

Info:    Default role for power user privileges.

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

I have attempted to duplicate it twice, firstly with no NFS related access.

toaster> useradmin group list Service_Desk_Team

Name: Service_Desk_Team

Info: HEAT 01062308 - Oracle Ent Mananger

Rid: 131083

Roles: op_api_cifs

Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*

toaster> useradmin role list op_api_cifs

Name:    op_api_cifs

Info:    Service Desk Mananger - HEAT 01062308

Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*

That didn't work, so I added back in the NFS access, then I made an exact copy of "Power Users" with all new names.

toaster> useradmin group list isservicedesk

Name: isservicedesk

Info: TS Service Desk

Rid: 131084

Roles: issdrole

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

toaster> useradmin role list issdrole

Name:    issdrole

Info:    CustServDesk

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*

Why then is it that the Power Users group lets them do their work, but the groups I defined don't?

I have other groups to create for other people but there is no point proceeding if I can't understand this.

I practiced this on an old FAS270 DOT 7.3.3P5, I need it to work on an IBM N-6240 (FAS3240) running Data ONTAP Release 8.1.2P4. It has not worked on either.

What am I missing?

Thanks,

Richard Mackerras

1 ACCEPTED SOLUTION

LMEIRELES

Hi Richard,

I have the same problem.

Check this response from Netapp engineering:

Members of the custom users group don't have access to session management through MMC

http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=748112

TITLE:

Members of the custom users group don't have access to session management through MMC

DESCRIPTION:

The users can manage the sessions through MMC only if they belong to the Administrators or "Power Users" group. The other custom group members can't manage this, even though the group they belong to has the roles of "admin" and/or "power". This occurs because the access check for session management through MMC is based on the RID that is assigned to the group and not the roles of the group.

WORKAROUND:

No workaround exists; this feature is by design.

Thanks,

Luis Meireles
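The RID-versus-roles distinction in that bug description is easy to check against your own `useradmin group list` output. The following is an added audit helper, not code from the thread or from NetApp: it parses the group listing pasted above (kept here as a constructed sample, Info lines omitted), models the RID-based MMC check, and reports that isservicedesk is denied despite having capabilities identical to Power Users. The Administrators RID 544 is the well-known BUILTIN value and is assumed here.

```python
import re

# RIDs the MMC session-management check accepts per the bug description:
# 547 (Power Users, shown in the thread) and 544 (Administrators, assumed).
MMC_SESSION_RIDS = {544: "Administrators", 547: "Power Users"}

# Constructed sample built from the `useradmin group list` output in the thread.
SAMPLE_OUTPUT = """\
Name: Power Users
Rid: 547
Roles: power
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
Name: Service_Desk_Team
Rid: 131083
Roles: op_api_cifs
Allowed Capabilities: cli-cifs*,cli-useradmin*,api-cifs-*,login-*,api-system-api-*
Name: isservicedesk
Rid: 131084
Roles: issdrole
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*
"""

FIELD = re.compile(r"^\s*(Name|Rid|Roles|Allowed Capabilities):\s*(.*?)\s*$")

def parse_groups(text):
    """Parse `useradmin group list` output into a list of group dicts."""
    groups, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # Info lines and blanks are not needed for the audit
        key, value = m.groups()
        if key == "Name":
            current = {"name": value, "rid": None, "roles": set(), "caps": set()}
            groups.append(current)
        elif key == "Rid":
            current["rid"] = int(value)
        elif key == "Roles":
            current["roles"] = {r.strip() for r in value.split(",") if r.strip()}
        else:
            current["caps"] = {c.strip() for c in value.split(",") if c.strip()}
    return groups

def audit_mmc_session_access(groups):
    """Map group name -> (mmc_allowed by RID, capabilities equal to Power Users)."""
    power_caps = next(g["caps"] for g in groups if g["rid"] == 547)
    return {g["name"]: (g["rid"] in MMC_SESSION_RIDS, g["caps"] == power_caps)
            for g in groups}
```

A (False, True) verdict is the situation in this thread: the custom group mirrors Power Users exactly, yet MMC session management is still denied because the RID is not 544 or 547.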

richard_mackerras

Hi Luis,

Thank you for the reply. I thought I must have been missing something really obvious because it didn't make sense and nobody else would engage with the question.

I have added the bug to my watch list.

Thank you for taking the time to post.

Richard
