ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

Custom Role with no permissions to delete Snapshots using System Manager

esolva
‎2022-03-31 12:47 AM
1,186 Views

We would like to have a custom admin role which is allowed for everything except of deleting snapshots. We could successfully create a custom role and assigned a testuser to this role.

The permissions seems to work, when connected via SSH to the CLI, the testuser can not delete snapshots. But when using the System Manager, the testuser is still allowed to delete snapshots.

 

the custom admin role looks like that:
Role Command/ Access Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
vserver admin_custom DEFAULT all

                                                 volume snapshot delete none

 

Any idea why the behaviour in GUI and CLI is different? Does the role need different permissions for working correctly in GUI?

Thank you for any suggestions

5 REPLIES 5

tahmad
NetApp
‎2022-03-31 10:14 PM
1,112 Views

Have you checked this:
FAQ: Custom roles for administration of ONTAP 

Also did you verify that you logged in with the user that doesn't have permission? How did you manage to set the role for that user?

esolva
‎2022-03-31 10:28 PM
In response to tahmad
1,109 Views

Thank you for your reply, yes I've already checked that FAQ.

User was created and set to this role with the following command:
security login create -user-or-group-name testuser -application http -authmethod password -role admin_custom -vserver vserver

 

I did another test setting the volume snapshot permission to read only for that role:
security login role create -role admin_customer -cmddirname "volume snapshot" -access readonly -vserver vserver

This works like expected, the user is not allowed to delete snapshot but also creating or modifying snapshot is prohibited. We do like that snapshot creation is allowed and only deletion is not allowed.

 

0 Kudos

tahmad
NetApp
‎2022-03-31 11:25 PM
In response to esolva
1,102 Views

Actually this KB should do the job:

How to use RBAC to prevent deletion of snapshots and volumes 

Kindly let me know if it works

esolva
‎2022-04-01 07:27 AM
In response to tahmad
1,076 Views

this is exactly what I tried first, but unfortunately this works only in CLI.  when using GUI still i'm still able to delete snapshots

0 Kudos

paul_stejskal
NetApp
‎2022-04-01 03:15 PM
In response to esolva
1,049 Views

In the upper right corner of System Manager is two characters "< >" (greater than and less than). Click that and see what kind of API call System Manager is doing. That might provide a clue. Also reference the audit log. If it looks right, you may have to open a case so we can file a bug.

0 Kudos
All Community Forums
Public