I need to create a user for Config Advisor. Config Advisor is going to be run by someone who is not a member of the storage team, infact they are an external partner engaged by a different team. I want to restrict privileges as much as possible.

I tried basing a user on the "READONLY" role but it will not get past the "Test Login" button. It seems to require the use of the command "system node run" which is a bit of a problem.

This is what I came up with:

security login role 
 create -role confadvisor -cmddirname "DEFAULT" -access readonly
 create -role confadvisor -cmddirname "security" -access none
 create -role confadvisor -cmddirname "security login password" -access all
 create -role confadvisor -cmddirname "set" -access all
 create -role confadvisor -cmddirname "system node run" -access all
 config show -role confadvisor -instance
 show -role confadvisor

security login
 create -username thirdp -role confadvisor -application ssh -authmethod password
 create -username thirdp -role confadvisor -application http -authmethod password
 create -username thirdp -role confadvisor -application ontapi -authmethod password
 create -username thirdp -role confadvisor -application console -authmethod password
 create -username thirdp -role confadvisor -application service-processor -authmethod password
 show -username thirdp

I am really not happy with allowing "system node run" since there is enough priviledge there to destroy a system.

• Can I do better than the above?
• Should I just insist on being present to enter the password?

Thanks for your help.