I need to create a custom role that allows a group of administrators from AD_domain_A to manage all bar one PCI DSS SVM. That last PCI DSS SVM is joined to another domain (AD_domain_B) and will be managed via SSH directly to the SVM admin LIF, as I understand that ONTAP System Manager is only available on cluster level.
I tried creating a custom role AD_Admin (as attached) on cluster level, which grants access to the group of administrators from AD_domain_A. I then added that same AD group to the vsadmin role within the non-PCI SVMs, but the resulting access is not AD_Admin + vsadmin. I think I possibly incorrectly assumed that the permissions would be additive, and AD admins can't resize volumes etc.
What is the best way to set up this role? Do I need to add, as part of the AD_Admin role definition, something like this? But that would mean listing all commands and repeating this for all SVMs.
security login role create -role AD_Admin -cmddirname "volume modify" -access all -query "-vserver svm1"