We would like to have a custom admin role which is allowed for everything except of deleting snapshots. We could successfully create a custom role and assigned a testuser to this role.
The permissions seems to work, when connected via SSH to the CLI, the testuser can not delete snapshots. But when using the System Manager, the testuser is still allowed to delete snapshots.
the custom admin role looks like that: Role Command/ Access Vserver Name Directory Query Level ---------- ------------- --------- ----------------------------------- -------- vserver admin_custom DEFAULT all
volume snapshot delete none
Any idea why the behaviour in GUI and CLI is different? Does the role need different permissions for working correctly in GUI?
Thank you for your reply, yes I've already checked that FAQ.
User was created and set to this role with the following command: security login create -user-or-group-name testuser -application http -authmethod password -role admin_custom -vserver vserver
I did another test setting the volume snapshot permission to read only for that role: security login role create -role admin_customer -cmddirname "volume snapshot" -access readonly -vserver vserver
This works like expected, the user is not allowed to delete snapshot but also creating or modifying snapshot is prohibited. We do like that snapshot creation is allowed and only deletion is not allowed.
In the upper right corner of System Manager is two characters "< >" (greater than and less than). Click that and see what kind of API call System Manager is doing. That might provide a clue. Also reference the audit log. If it looks right, you may have to open a case so we can file a bug.