ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Ask a Question

OnTAP Custom Role Not Working

TMADOCTHOMAS
‎2021-01-27 12:38 PM
12,928 Views

Hello,

I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource".  Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?

 

Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs

0 Kudos
View By:
Tags (1)
1 ACCEPTED SOLUTION

jcolonfzenpr
‎2021-02-01 07:54 AM
In response to TMADOCTHOMAS
12,507 Views

I test it also with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

 

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

 

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

but you have to change a litter bit your scripts. 

 

 

Jonathan Colón | Blog | Linkedin

View solution in original post

0 Kudos
25 REPLIES 25

TMADOCTHOMAS
‎2021-02-03 06:38 AM
In response to jcolonfzenpr
1,837 Views

Thank you @jcolonfzenpr ! As useful as that tool is, unfortunately it doesn't provide equivalent OnTAP commands for the cmdlets.

0 Kudos

TMADOCTHOMAS
‎2021-09-24 06:38 AM
In response to jcolonfzenpr
1,331 Views

Nice @dbytes , and no I didn't go any further than DEFAULT = readonly

 

@jcolonfzenpr thanks for the tip!

0 Kudos

dbytes
‎2021-09-22 10:01 AM
In response to TMADOCTHOMAS
2,889 Views

Not sure if you ever figured this out.  I have set DEFAULT to readonly, set each dircmd to none, and then only the dircmds needed to all.  This works great.  I've attached a screenshot of the role I created.

Upon mentioning this to my network team, they mentioned the same behavior is on some CISCO switches.  You have to enable default so an account can login, then restrict from there.

For your question on the CIFS Share commands, I would suspect "vserver cifs share" could be set to readonly.

Preview file
29 KB
0 Kudos

asoroka
NetApp
‎2023-01-29 01:09 AM
1,054 Views

You're probably missing "version" command:

cluster1::*> security login role show -role script
Role Command/ Access
Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
cluster1 script DEFAULT none
version readonly
vserver cifs session file readonly
vserver cifs session file close all
vserver cifs session file show -hosting-volume cifs_vol readonly
5 entries were displayed.

0 Kudos

TMADOCTHOMAS
‎2023-01-30 06:06 AM
1,043 Views

Thanks @asoroka ! I will have to give this a shot and see if that resolves the issue. Thank you!

0 Kudos
All Community Forums
Public