Custom Role with no permissions to delete Snapshots using System Manager
2022-03-31 12:47 AM
We would like to have a custom admin role which is allowed to do everything except delete snapshots. We successfully created a custom role and assigned a testuser to this role.
The permissions seem to work when connected via SSH to the CLI: the testuser cannot delete snapshots. But when using the System Manager, the testuser is still allowed to delete snapshots.
The custom admin role looks like this:
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
vserver    admin_custom  DEFAULT                                       all
                         volume snapshot delete                        none
Any idea why the behaviour in GUI and CLI is different? Does the role need different permissions for working correctly in GUI?
Thank you for any suggestions
5 REPLIES

Have you checked this:
FAQ: Custom roles for administration of ONTAP
Also did you verify that you logged in with the user that doesn't have permission? How did you manage to set the role for that user?
Thank you for your reply, yes I've already checked that FAQ.
User was created and set to this role with the following command:
security login create -user-or-group-name testuser -application http -authmethod password -role admin_custom -vserver vserver
I did another test setting the volume snapshot permission to read only for that role:
security login role create -role admin_customer -cmddirname "volume snapshot" -access readonly -vserver vserver
This works as expected: the user is not allowed to delete snapshots, but creating or modifying snapshots is also prohibited. We would like snapshot creation to be allowed and only deletion to be disallowed.
Actually this KB should do the job:
How to use RBAC to prevent deletion of snapshots and volumes
Kindly let me know if it works
This is exactly what I tried first, but unfortunately this works only in the CLI. When using the GUI I'm still able to delete snapshots.
In the upper right corner of System Manager are two characters "< >" (greater than and less than). Click that and see what kind of API call System Manager is doing. That might provide a clue. Also reference the audit log. If it looks right, you may have to open a case so we can file a bug.
