ONTAP Discussions
Hello,
I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource". Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
What is the security login show output? And did you set up a security login show?
The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.
That's a possibility. I guess it has to read the role to know what it's rights are :). I'll try that and update the thread with the results.
Defining custom roles:
cluster1::> security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
cluster1::> security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1
cluster1::> security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1
cluster1::> security login create -user-or-group-name jocolon -application console -authentication-method password -role script -vserver cluster1
I logged in as jocolon user with script role assigned
cluster1::> vserver options -vserver cluster1 -option-name
encryption.data_at_rest_encryption.disable_by_default
replication.create_data_protection_rels.enable
replication.dst_snapshot_op_ems.enable
replication.feature1.enable
replication.ls_mirrors_on_data_volumes.enable
replication.mirror_initialize_priority
replication.mirror_update_priority
replication.reservation.dst.high_pri_xfer_pct
replication.reservation.dst.low_pri_xfer_pct
replication.reservation.src.high_pri_xfer_pct
replication.reservation.src.low_pri_xfer_pct
replication.restore_priority
replication.throttle.enable
replication.throttle.incoming.max_kbs
replication.throttle.outgoing.max_kbs
replication.throttle.outgoing.max_kbs_objstore
replication.vault_initialize_priority
replication.vault_update_priority
snmp.enable
volmove.throttle.enable
cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs -option-value 45
cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs
cluster1
replication.throttle.outgoing.max_kbs
45 -
cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.incoming.max_kbs -option-value 2
Error: command failed: not authorized for that command
cluster1::> ?
exit Quit the CLI session
history Show the history of commands for this CLI session
man Display the on-line manual pages
redo Execute a previous command
rows Show/Set the rows for this CLI session
top Go to the top-level directory
up Go up one directory
vserver> Manage Vservers
cluster1::>
@paul_stejskal unfortunately that command didn't do the trick. I may experiment with some other security login commands.
@jcolonfzenpr thank you for showing me your testing of my issue! Do you have a suggestion for how to get the desired results?
Yes, here it is:
# Import the OnTAP module and create the cluster connection variable
Clear-Host
Import-Module DataONTAP
$CLUSTER = Connect-NcController -Name <cluster_name>
# Throttle snapmirror transfers
Invoke-NaSsh -Name $CLUSTER -Command "options -option-name replication.throttle.outgoing.max_kbs 3125"
That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.
It's getting hung up here:
$CLUSTER = Connect-NcController -Name albflnacl01p
Error says :
Connect-NcController : Insufficient privileges: user '<username>' does not have read access to this resource
Here is the role. As you can see I tried setting the command/directory to "security login" but that didn't work either.
----------------------------------------------------------------------------------
Vserver: <vserver>
Role Name: script
Command / Directory: DEFAULT
Access Level: none
Query:
Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:
Vserver: <vserver>
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
----------------------------------------------------------------------------------
Any ideas or suggestions?
FYI I found the following which answers my question for 7-mode. Anyone know a cdot equivalent?
@jcolonfzenpr I will try that and see if it works.
I did the testing and it works by adding a role setting for DEFAULT as readonly.
Security role creation:
security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1
Create and apply role to a user:
security login create -user-or-group-name jocolon -application ontapi -authentication-method password -role script -vserver cluster1
security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1
Create the powershell credential object:
PS C:\Users\Administrator.DEMO> $cred = (Get-Credential)
Display powershell credential object:
PS C:\Users\Administrator.DEMO> $cred
UserName Password
-------- --------
jocolon System.Security.SecureString
I changed your script a little bit:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs 3125"
NcController : cluster1
Value :
Last login time: 1/30/2021 15:24:50
1 entry was modified.
Display the modified option:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs"
NcController : cluster1
Value :
Last login time: 1/30/2021 15:25:06
cluster1
replication.throttle.outgoing.max_kbs 3125 -
I learned something new today! Thanks
Thanks @jcolonfzenpr . It actually works with just the following two lines:
security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1
Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.
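An added verification script, not part of the thread: it drives the settled-on "script" role from the service account's side and checks both directions of the least-privilege claim, that the one option named in the -query clause is writable and that a sibling option in the same "vserver options" directory is refused. Assumed (not in the original): the cluster is "cluster1", the role and ssh login entry already exist as shown in the thread, and the DataONTAP PowerShell Toolkit is installed; the credential is prompted for rather than stored.

```powershell
# Added example, not from the thread. Exercises the "script" role from the service
# account's side: the allowed option must be writable, a sibling option in the same
# "vserver options" directory must be refused. Assumed (not in the original):
# cluster name "cluster1", role and ssh login entry already created as in the thread,
# and the DataONTAP PowerShell Toolkit installed. Only the ssh login entry is used.
Import-Module DataONTAP

$Cluster = 'cluster1'
$Allowed = 'replication.throttle.outgoing.max_kbs'     # the one option -query permits
$Denied  = 'replication.throttle.incoming.max_kbs'     # same directory, not in the query
$cred    = Get-Credential -Message "Service account for $Cluster"

function Invoke-OptionCmd {
    param([string]$Name, [string]$Value)
    # Reads the option when $Value is empty, otherwise sets it. ONTAP answers an RBAC
    # refusal with "not authorized for that command"; the toolkit may surface that in
    # the returned .Value text or as an exception (assumption), so both paths are
    # folded into the returned string.
    $cmd = "vserver options -vserver $Cluster -option-name $Name"
    if ($Value) { $cmd += " -option-value $Value" }
    try {
        return [string](Invoke-NcSsh -Name $Cluster -Credential $cred -Command $cmd).Value
    } catch {
        return $_.Exception.Message
    }
}

# Positive case: throttle, read back, then unthrottle again.
Invoke-OptionCmd -Name $Allowed -Value 3125 | Out-Null
$readBack = Invoke-OptionCmd -Name $Allowed
if ($readBack -notmatch '\b3125\b') {
    throw "throttle not applied; cluster said: $readBack"
}
Invoke-OptionCmd -Name $Allowed -Value unlimited | Out-Null

# Negative case: the role must refuse a write to any option outside the query.
$refused = Invoke-OptionCmd -Name $Denied -Value 2
if ($refused -notmatch 'not authorized') {
    throw "role is broader than intended; cluster said: $refused"
}

"Role check passed: $Allowed writable, $Denied refused."
```

The negative case is the one worth keeping in a scheduled check: a role with "vserver options" at access level all and no -query would pass the first half and silently let the second write through, so a passing run proves the query clause, not just the login, is doing the scoping.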
I test it also with:
security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1
but you have to change your scripts a little bit.
Thanks @jcolonfzenpr . I reset DEFAULT back to none and added vserver in as readonly, but that didn't work either. I do realize I had one error in the script I showed earlier. Invoke-NaSsh should read Invoke-NcSsh.
@jcolonfzenpr , for the record I decided to go ahead and modify the role to make DEFAULT readonly, as this is at least an improvement on how it works now. It does lock it down a good bit from being a full admin to having limited rights. I have a case open with NetApp and still want to narrow this down even further to give it read only rights only to the commands needed to log in.
If support provides a solution, please share it here so other users with similar needs can benefit.
Also, I forgot to mention you can ask for help on the Slack channel of netapp.io:
https://join.slack.com/t/netapppub/shared_invite/zt-ki0sse86-6ihXPApFepvu0Nx~YibCtA
@jcolonfzenpr I definitely will! Thanks for the tip on slack, I will check that out.
On a related note, I've been testing things out on the script I posted earlier in this thread. The "DEFAULT"/readonly setting + additional rule works great for this script. I've now checked out the other PowerShell scripts I want to give permission to, and forgot that I'm using native PowerShell commands for those scripts, such as Get-NcCifsShare and Get-NcCifsShareAcl for example. At the moment it works fine since all commands are set to readonly, but if I'm able to lock "DEFAULT" down further I will need to know which NetApp commands correspond to the PowerShell commands. Do you know of a PDF that details which native NetApp commands correspond to PowerShell toolkit commands?