ONTAP Discussions

Custom role required with access to only few SVMs


I need to create a custom role that allows a group of administrators from AD_domain_A to manage all bar one PCI DSS SVM. That last PCI DSS SVM is joined to another domain (AD_domain_B) and will be managed via SSH directly to the SVM admin lif as I understand that ONTAP System Manager is only available on cluster level.


I tried creating a custom role AD_Admin as attached on cluster level which grants access to the group of administrators from AD_domain_A, I then added that same AD group to vsadmin role within the non-PCI SVMs but the resulting access is not AD_Admin + vsadmin. I think I possibly incorrectly assumed that the permissions will be additive and ad admins can't resize volumes etc.


What is the best way to setup this role? Do I need to add, as part of the AD_Admin role definition, something like this but that would mean listing all commands and repeating this for all SVMs?

security login role create -role AD_Admin -cmddirname "volume modify" -access all -query "-vserver svm1"





Thanks hmoubara,

I've seen this FAQ but it does not cover what I need - the crux of the question is how a cluster custom role can grant selective permissions in only selected SVMs  as above...