ONTAP Discussions

How do I create a role for (HTTPS) access to a specific SVM?

Michael_K

Dear Community,

We would like to set up a separate role for our trainees on our cluster. This role should

- Enable read-only access to the entire cluster

- Complete access to a dedicated Test_SVM that is available for training purposes

It is often said that this is not possible for a specific SVM, but there is even a KB article that can serve as a basis for this ("How to set up and configure RBAC in ONTAP to limit administrator access to specific volumes or SVMs" From <https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_to_set_up_and_configure_RBAC_in_ONTAP_to_limit_administrator_access_to_specific_volumes_or_SVM...>)

The problem with this, however, is that when creating the role for '-cmddirname DEFAULT -access readonly' for the special Test_SVM, "readonly" is not possible, but "none" is always suggested:

FASxxxxx::> security login role create role -role Restricted_Azubi_Role -cmddirname DEFAULT -access readonly -query '' -vserver SVM_TESTxxxxx

Error: command failed: The only valid value for access is 'none' for a Vserver role when the specified command directory is 'DEFAULT'

FAS27501::>

What am I doing wrong? Any ideas?

Many thanks and best regards

Michael

2 REPLIES

TMACMD

Right. You always start off with the default read only and then build from there. There is an option called query where you can specify things like "vserver Test_svm" to limit the full access.

Play and test with that.

I worked with a customer to build a role that specifically gave them access to work on snapmirror relationships between two specific SVMs and it worked like a charm.

TMACMD

Additionally, here is a bit I sent a customer:

Look: the "query" part is the important part that limits the scope of the command. If you do (from the CLI) "man snapmirror release", look at the supported arguments. There is no "-vserver" argument. There are "-source-vserver" and "-destination-vserver". So the command would look something like this:

security login role create -role Rolex -cmddirname "snapmirror release" -access all -query "-source-vserver srcsvm"

Look at the MAN pages. Review them. Check out the arguments. The -query, if you use it, must contain one or more of those supported arguments.
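Putting the two replies together with the error from the original question, here is an added example (not from this thread or the KB article) of building the trainee role as a cluster-scoped role, where DEFAULT may be readonly, and then granting full access on selected command directories only where -query matches the training SVM. The cluster admin SVM name cluster1, the SVM name SVM_TEST and the user name trainee1 are placeholders; the command directories shown are only a starting set.

```text
# Role owned by the cluster admin SVM, so DEFAULT may be "readonly".
# (A role owned by a data SVM forces DEFAULT to "none", which is the error above.)
cluster1::> security login role create -vserver cluster1 -role Restricted_Azubi_Role -cmddirname DEFAULT -access readonly

# Full access to selected directories, limited to objects where "-vserver SVM_TEST" matches.
# Every command in the directory must support "-vserver"; check with "man volume create" etc.
cluster1::> security login role create -vserver cluster1 -role Restricted_Azubi_Role -cmddirname volume -access all -query "-vserver SVM_TEST"
cluster1::> security login role create -vserver cluster1 -role Restricted_Azubi_Role -cmddirname "volume snapshot" -access all -query "-vserver SVM_TEST"
cluster1::> security login role create -vserver cluster1 -role Restricted_Azubi_Role -cmddirname lun -access all -query "-vserver SVM_TEST"

# Assign the role to the trainee login for SSH and for HTTP(S) (System Manager / REST).
cluster1::> security login create -vserver cluster1 -user-or-group-name trainee1 -application ssh -authentication-method password -role Restricted_Azubi_Role
cluster1::> security login create -vserver cluster1 -user-or-group-name trainee1 -application http -authentication-method password -role Restricted_Azubi_Role

# Verify the resulting entries before handing the account over.
cluster1::> security login role show -vserver cluster1 -role Restricted_Azubi_Role
```

A query only constrains commands that actually carry the queried argument, so review the man page of each directory you add, as the reply above advises, and test the role with a trainee login against both SVM_TEST and another SVM before relying on it.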
