ONTAP Discussions

Create custom Role for Veeam backup integration

TroyPayne

I want to back up my SMB/CIFS share on my FAS2750.

Need to add the filer as a storage object in Veeam 11.

Authentication fails when adding the filer into Veeam using a local user assigned the built-in NetApp role called "backup".

I can successfully add the filer into Veeam if I specify the filer admin account. I don't want to use the admin account.

 

I opened a support case with Veeam and they said I need to specify additional permissions per this guide.

https://helpcenter.veeam.com/archive/backup/110/vsphere/required_permissions.html#netapp-data-ontap-lenovo-thinksystem-dm-permissions

 

In the section titled CDOT (NAS Backup Integration), the specified permissions are not found in ONTAP 9.12.1.

For example, need to grant DEFAULT the "readonly" permission.

[Screenshot: TroyPayne_0-1679947200995.png]

 

DEFAULT is not available. Merely a long list of /api/blahblahblah

[Screenshot: TroyPayne_1-1679947287451.png]

 

Yet there it is. Plain as day on the admin role.

[Screenshot: TroyPayne_2-1679947381430.png]

 

What am I missing?

1 ACCEPTED SOLUTION

Ontapforrum

I guess by default, a pre-defined (built-in) role such as "backup" is set to NONE for the DEFAULT command/directory and cannot be modified. However, you can create a custom role and assign it to the user as necessary.

 

For example, according to the section titled "CDOT (NAS Backup Integration)" for Veeam that you shared, it requires the following capabilities.

 

Create a custom role:
::> security login role create -role backup_veeam -cmddirname DEFAULT -access readonly -query ""
::> security login role create -role backup_veeam -cmddirname security -access readonly -query ""
::> security login role create -role backup_veeam -cmddirname "security login" -access readonly -query ""
::> security login role create -role backup_veeam -cmddirname "volume snapshot" -access all -query ""
::> security login role create -role backup_veeam -cmddirname vserver -access all -query ""
::> security login role create -role backup_veeam -cmddirname "vserver nfs" -access all -query ""

 


You can verify the added capabilities:
::> security login role show -role backup_veeam

 

 

Create a user or assign the existing user the above role:
::> security login create -user-or-group-name netapp_veeam -application ontapi -role backup_veeam -authmethod <password/domain>

 

I don't know if this will help resolve it, but give it a try.

 

Definitions:

Command directory = Refers to a directory in the CLI.
Role = Refers to a collection of capabilities or privileges.
Access control = The capability is specified as an ‘access control’ on a ‘command directory’ or a ‘command’.

 

 

Related:
What is this DEFAULT rule and why is it getting created?
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A__Custom_roles_for_administration_of_ONTAP#What_is_this_DEFAULT_...

 

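A least-privilege review of the custom role from the accepted answer, as an added example that is not part of the original posts and is not NetApp or Veeam code. It parses the six `security login role create` lines and reports which access level the role gives for a few sample commands. It assumes a simplified model in which the most specific matching command-directory entry applies, DEFAULT is the fallback, and `-query` filters are ignored.

```python
import shlex

# Constructed input: the role-creation commands quoted in the answer above.
ROLE_COMMANDS = '''
security login role create -role backup_veeam -cmddirname DEFAULT -access readonly -query ""
security login role create -role backup_veeam -cmddirname security -access readonly -query ""
security login role create -role backup_veeam -cmddirname "security login" -access readonly -query ""
security login role create -role backup_veeam -cmddirname "volume snapshot" -access all -query ""
security login role create -role backup_veeam -cmddirname vserver -access all -query ""
security login role create -role backup_veeam -cmddirname "vserver nfs" -access all -query ""
'''

def parse_role(text):
    """Return {cmddirname: access} from 'security login role create' lines."""
    rules = {}
    for line in text.strip().splitlines():
        # Tolerate a pasted "::>" prompt in front of the command.
        tokens = shlex.split(line.replace("::>", "").strip())
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue
        opts = dict(zip(tokens[4::2], tokens[5::2]))  # -flag value pairs
        rules[opts["-cmddirname"]] = opts["-access"]
    return rules

def effective_access(rules, command):
    """Longest-prefix match on command directories; DEFAULT is the fallback.
    Simplified model (assumption): -query filters are not evaluated."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in rules:
            return rules[prefix]
    return rules.get("DEFAULT", "none")

def writable_dirs(rules):
    """Command directories where the role has more than read-only access."""
    return sorted(d for d, access in rules.items() if access == "all")

if __name__ == "__main__":
    rules = parse_role(ROLE_COMMANDS)
    print("full access on:", writable_dirs(rules))
    # Sample commands chosen for the review (hypothetical selection).
    for cmd in ("volume delete", "volume snapshot create",
                "vserver cifs share delete", "security login create"):
        print(f"{cmd:28} -> {effective_access(rules, cmd)}")
```

Under this model the role can read everything and has full access to the whole `vserver` tree, so the `vserver` entry is the one to review if a narrower scope is wanted.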

2 REPLIES 2


TroyPayne

Amazing!

Thank you very much Ontapforrum.

Your explanation makes perfect sense.

The commands provided worked like a charm.

 

So refreshing to get a straight, accurate answer.
