ONTAP Discussions
Dear Community,
We would like to set up a separate role for our trainees on our cluster. This role should
- Enable read-only access to the entire cluster
- Complete access to a dedicated Test_SVM that is available for training purposes
It is often said that this is not possible for a specific SVM, but there is even a KB article that can serve as a basis for this ("How to set up and configure RBAC in ONTAP to limit administrator access to specific volumes or SVMs", from <https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_to_set_up_and_configure_RBAC_in_ONTAP_to_limit_administrator_access_to_specific_volumes_or_SVM...>).
The problem with this, however, is that when creating the role with '-cmddirname DEFAULT -access readonly' for the special Test_SVM, "readonly" is not possible and "none" is always suggested instead:
FASxxxxx::> security login role create role -role Restricted_Azubi_Role -cmddirname DEFAULT -access readonly -query "" -vserver SVM_TESTxxxxx
Error: command failed: The only valid value for access is ‘none’ for a Vserver role when the specified command directory is ‘DEFAULT’
FAS27501::>
What am I doing wrong? Any ideas?
Many thanks and best regards
Michael
Right. You always start off with the default read only and then build from there. There is an option called query where you can specify things like "vserver Test_svm" to limit the full access.
Play and test with that.
I worked with a customer to build a role that specifically gave them access to work on SnapMirror relationships between two specific SVMs, and it worked like a charm.
Additionally here is a bit I sent a customer
Look: the "query" part is the important part that limits the scope of the command. If you do (from the CLI) "man snapmirror release", look at the supported arguments. There is no "-vserver" argument. There are "-source-vserver" and "-destination-vserver". So the command would look something like this:
security login role create -role Rolex -cmddirname "snapmirror release" -access all -query "-source-vserver srcsvm"
Look at the MAN pages. Review them. Check out the arguments. The -query, if you use it, must contain one or more of those supported arguments.
Hello,
Thank you for your reply.
The problem already exists with the "DEFAULT read only"!
If I execute the command as in the KB article mentioned above, the error occurs that "readonly" cannot be used for a vserver with DEFAULT:
FAS27501::> security login role create -role Restricted_Azubi_Role -cmddirname DEFAULT -access readonly -query "" -vserver SVM_TEST
Error: command failed: The only valid value for access is ‘none’ for a Vserver role when the specified command directory is ‘DEFAULT’
FAS27501::>
In the KB example '-vserver SVM_TEST' is also not set in quotation marks (""); these all come after the term 'query' (-query "").
Otherwise I get the following error:
FAS27501::> security login role create -role Restricted_Azubi_Role -cmddirname DEFAULT -access readonly -query "-vserver SVM_TEST"
Error: The DEFAULT entry cannot have a query
command failed: failed to set field "query" to "-vserver SVM_TEST"
FAS27501::>
I can create other roles, but not DEFAULT readonly for the vserver.
Best regards
Michael
Sorry, I didn't realize you were actually trying to add to DEFAULT. The thing is, DEFAULT is a catch-all. You can't add anything extra. You specify DEFAULT with access of none to disallow everything, then you specifically add the exact commands you want to use and, if needed, specify extra info using the query argument.
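The approach from the reply above, written out as an added example (not from the original thread or from the NetApp KB article): a vserver-scoped role that starts from DEFAULT/none, then grants only the command directories the trainees need, scoped further with a query. The role name, the SVM name SVM_TEST, the directories chosen and the volume naming pattern "train_*" are assumptions for illustration; the cluster-wide read-only part of the original question is a separate role and is not covered here.

```text
# 1. Catch-all first: deny everything on the SVM. A vserver role only accepts
#    "none" here, so no -query is given (the DEFAULT entry cannot have one).
FAS27501::> security login role create -role Trainee_SVM_Role -vserver SVM_TEST \
              -cmddirname DEFAULT -access none

# 2. Grant exactly the directories the trainees should use. Each entry is its
#    own "security login role create" with the same role name.
FAS27501::> security login role create -role Trainee_SVM_Role -vserver SVM_TEST \
              -cmddirname "volume" -access all -query "-volume train_*"
FAS27501::> security login role create -role Trainee_SVM_Role -vserver SVM_TEST \
              -cmddirname "volume snapshot" -access all -query "-volume train_*"
FAS27501::> security login role create -role Trainee_SVM_Role -vserver SVM_TEST \
              -cmddirname "lun" -access readonly

# 3. Review the effective entries before handing the role to a login. Anything
#    not listed falls back to DEFAULT and is therefore denied.
FAS27501::> security login role show -vserver SVM_TEST -role Trainee_SVM_Role

# 4. Bind the role to a trainee login on the SVM (password authentication,
#    ssh application) and confirm with a test command from that account.
FAS27501::> security login create -vserver SVM_TEST -user-or-group-name azubi01 \
              -application ssh -authentication-method password -role Trainee_SVM_Role
```

The "-query" value must use arguments that the directory's commands actually support (check them with "man volume create" on the CLI, as suggested above); "-volume" is valid for the volume directory, whereas "-vserver" is not needed because the role itself is already scoped to SVM_TEST.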