ONTAP Discussions

OnTAP Custom Role Not Working

TMADOCTHOMAS
16,020 Views

Hello,

I am trying to create a custom role to limit the rights of a domain-based service account we use exclusively to run PowerShell scripts. The role resides in the main cluster SVM and I've only given it rights to change the replication throttle setting as shown below. I assigned the role to the service account with the applications ssh and ontapi. When testing, it immediately generated this error: "Insufficient privileges: user '<username>' does not have read access to this resource".  Apparently I need to give at least read only access to a certain command to allow it to log on in the first place. Does anyone know what that would be?

 

Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs

1 ACCEPTED SOLUTION

jcolonfzenpr
15,599 Views

I test it also with:

security login role create -role script -cmddirname "DEFAULT" -access none -vserver cluster1

 

security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

 

security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

 

but you have to change a litter bit your scripts. 

 

 

Jonathan Colón | Blog | Linkedin

View solution in original post

25 REPLIES 25

TMADOCTHOMAS
2,315 Views

Thank you @jcolonfzenpr ! As useful as that tool is, unfortunately it doesn't provide equivalent OnTAP commands for the cmdlets.

TMADOCTHOMAS
1,809 Views

Nice @dbytes , and no I didn't go any further than DEFAULT = readonly

 

@jcolonfzenpr thanks for the tip!

dbytes
3,367 Views

Not sure if you ever figured this out.  I have set DEFAULT to readonly, set each dircmd to none, and then only the dircmds needed to all.  This works great.  I've attached a screenshot of the role I created.

Upon mentioning this to my network team, they mentioned the same behavior is on some CISCO switches.  You have to enable default so an account can login, then restrict from there.

For your question on the CIFS Share commands, I would suspect "vserver cifs share" could be set to readonly.

asoroka
1,532 Views

You're probably missing "version" command:

cluster1::*> security login role show -role script
Role Command/ Access
Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
cluster1 script DEFAULT none
version readonly
vserver cifs session file readonly
vserver cifs session file close all
vserver cifs session file show -hosting-volume cifs_vol readonly
5 entries were displayed.

TMADOCTHOMAS
1,521 Views

Thanks @asoroka ! I will have to give this a shot and see if that resolves the issue. Thank you!

Public