ONTAP Discussions

Custom Role with no permissions to delete Snapshots using System Manager


We would like to have a custom admin role which is allowed for everything except of deleting snapshots. We could successfully create a custom role and assigned a testuser to this role.

The permissions seems to work, when connected via SSH to the CLI, the testuser can not delete snapshots. But when using the System Manager, the testuser is still allowed to delete snapshots.


the custom admin role looks like that:
Role Command/ Access Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
vserver admin_custom DEFAULT all

                                                 volume snapshot delete none


Any idea why the behaviour in GUI and CLI is different? Does the role need different permissions for working correctly in GUI?

Thank you for any suggestions



Have you checked this:
FAQ: Custom roles for administration of ONTAP 

Also did you verify that you logged in with the user that doesn't have permission? How did you manage to set the role for that user?


Thank you for your reply, yes I've already checked that FAQ.

User was created and set to this role with the following command:
security login create -user-or-group-name testuser -application http -authmethod password -role admin_custom -vserver vserver


I did another test setting the volume snapshot permission to read only for that role:
security login role create -role admin_customer -cmddirname "volume snapshot" -access readonly -vserver vserver

This works like expected, the user is not allowed to delete snapshot but also creating or modifying snapshot is prohibited. We do like that snapshot creation is allowed and only deletion is not allowed.



Actually this KB should do the job:

How to use RBAC to prevent deletion of snapshots and volumes 

Kindly let me know if it works


this is exactly what I tried first, but unfortunately this works only in CLI.  when using GUI still i'm still able to delete snapshots


In the upper right corner of System Manager is two characters "< >" (greater than and less than). Click that and see what kind of API call System Manager is doing. That might provide a clue. Also reference the audit log. If it looks right, you may have to open a case so we can file a bug.