I have a customer who is interested in locking down some users to be able to access specific volumes and perform a limited set of operations on those volumes.

Sounds like a perfect scenario to use a custom role.  I've done some lab on demand testing to sound out the requirements.

The requirements for the role are to have the following commands avaialble.

vol snapshot create

vol snapshot delete

vol snapshot show

vol snapshot restore

set -confirmations off

So far so good.  The second requirement is that of each user should only be able to perform the above options on a specific set of volumes.  To make it easy lets call them

produser - accessing volumes prod*

testuser - accessing volumes test*

devuser - accessing volumes dev*

The issue I've hit is with the snap restore command set.

I can create a role with the following

sec login role create -role prodrole -cmddirname volume -query "-volume prod*" -access all

But this doesn't include the volume snapshot restore commands  So we add the follow

sec login role create -role prodrole -cmddirname volume snapshot -query "-volume prod*" -access all

again this doesn't include the volume snapshot restore commands.

So when we attempt to add this final extentionto the allowed commands

sec login role create -role prodrole -cmddirname volume snapshot restore  -query "-volume prod*" -access all 

"which includes the snapshot promote command"

The wildcard on the query is rejected.  So we can only add a single volume here, with multiple volumes required.  Is there way to list a set of volumes we can allow the user to perform restores for?  Pipe and command seperation doen't seem to apply.  I can't see anything in the documentation that hints at adding mulitple valid queries.

The prod, test and dev volumes are on the same vserver so to get the granularity we require if possible we'ed need to lock down the command