What is the security login show output? And did you set up a security login show?

The service account has two entries, one for the ontapi application and one for the ssh application. Previously the role was set at admin, and I just changed the role to the new 'script' role with limited rights to see if it would work. I manually ran the script both before and after the change. While set to admin it worked fine of course, but when I switched it to the new role, it generated the error I mentioned. I think there's a command path I need to give read only access to but don't know what that would be.

That's a possibility. I guess it has to read the role to know what it's rights are :). I'll try that and update the thread with the results.

Defining custom roles:

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.pow-adm-auth-rbac%2FGUID-910E18E9-B83C-41BF-8A68-C1806FEB6177.html

cluster1::> security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1

cluster1::> security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

cluster1::> security login create -user-or-group-name jocolon -application console -authentication-method password -role script -vserver cluster1

I logged in as jocolon user with script role assigned 
cluster1::> vserver options -vserver cluster1 -option-name
encryption.data_at_rest_encryption.disable_by_default
replication.create_data_protection_rels.enable
replication.dst_snapshot_op_ems.enable
replication.feature1.enable
replication.ls_mirrors_on_data_volumes.enable
replication.mirror_initialize_priority
replication.mirror_update_priority
replication.reservation.dst.high_pri_xfer_pct
replication.reservation.dst.low_pri_xfer_pct
replication.reservation.src.high_pri_xfer_pct
replication.reservation.src.low_pri_xfer_pct
replication.restore_priority
replication.throttle.enable
replication.throttle.incoming.max_kbs
replication.throttle.outgoing.max_kbs
replication.throttle.outgoing.max_kbs_objstore
replication.vault_initialize_priority
replication.vault_update_priority
snmp.enable
volmove.throttle.enable

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs -option-value 45

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.outgoing.max_kbs

cluster1
replication.throttle.outgoing.max_kbs
45 -

cluster1::> vserver options -vserver cluster1 -option-name replication.throttle.incoming.max_kbs -option-value 2

Error: command failed: not authorized for that command

cluster1::> ?
exit Quit the CLI session
history Show the history of commands for this CLI session
man Display the on-line manual pages
redo Execute a previous command
rows Show/Set the rows for this CLI session
top Go to the top-level directory
up Go up one directory
vserver> Manage Vservers

cluster1::>

@paul_stejskal unfortunately that command didn't do the trick. I may experiment with some other security login commands.

@jcolonfzenpr thank you for showing me your testing of my issue! Do you have a suggestion for how to get the desired results?

can you share the powershell script?

Yes, here it is:

# Import the OnTAP module and create the cluster connection variable
Clear-Host
Import-Module DataONTAP
$CLUSTER = Connect-NcController -Name <cluster_name>

# Throttle snapmirror transfers
Invoke-NaSsh -Name $CLUSTER -Command "options -option-name replication.throttle.outgoing.max_kbs 3125"

That's the one for throttling. The one for unthrottle is the same except "unlimited" at the end instead of 3125. This is used on multiple remote offices and works fine as long as the account has full admin rights. I'm trying to reduce the service account rights down to just the ones it needs to perform the task.

It's getting hung up here:

$CLUSTER = Connect-NcController -Name albflnacl01p

Error says : 

Connect-NcController : Insufficient privileges: user '<username>' does not have read access to this resource

Here is the role. As you can see I tried setting the command/directory to "security login" but that didn't work either.

----------------------------------------------------------------------------------

Vserver: <vserver>
Role Name: script
Command / Directory: DEFAULT
Access Level: none
Query:

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

Vserver: <vserver>
Role Name: script
Command / Directory: vserver options
Access Level: all
Query: -option-name replication.throttle.outgoing.max_kbs
----------------------------------------------------------------------------------

Any ideas or suggestions?

can you add one extra role setting like this?

Vserver: <vserver>
Role Name: script
Command / Directory: vserver
Access Level: readonly
Query:

FYI I found the following which answers my question for 7-mode. Anyone know a cdot equivalent?

https://community.netapp.com/t5/Microsoft-Virtualization-Discussions/Determining-Ontap-privileges-needed-for-powershell-script/td-p/16210

@jcolonfzenpr I will try that and see if it works.

i think this is not needed!

Vserver: <vserver>
Role Name: script
Command / Directory: security login
Access Level: readonly
Query:

I do the testing and it work by adding a role setting to the DEFAULT as readonly.

Security role creation:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

Create and apply role to a user:

security login create -user-or-group-name jocolon -application ontapi -authentication-method password -role script -vserver cluster1
security login create -user-or-group-name jocolon -application ssh -authentication-method password -role script -vserver cluster1

Create the powershell credential object:

PS C:\Users\Administrator.DEMO> $cred = (Get-Credential)

Display powershell credential object:
PS C:\Users\Administrator.DEMO> $cred

UserName Password
-------- --------
jocolon System.Security.SecureString

I changed your script a litter bit:
PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs 3125"

NcController : cluster1
Value :

Last login time: 1/30/2021 15:24:50

1 entry was modified.

Display the modified option:

PS C:\Users\Administrator.DEMO> Invoke-NcSsh -Name cluster1 -Credential $cred -Command "vserver options -option-name replication.throttle.outgoing.max_kbs"

NcController : cluster1
Value :

Last login time: 1/30/2021 15:25:06

cluster1
replication.throttle.outgoing.max_kbs 3125 -

I learn something new today! Thanks

Thanks @jcolonfzenpr . It actually works with just the following two lines:

security login role create -role script -cmddirname "DEFAULT" -access readonly -vserver cluster1
security login role create -role script -cmddirname "vserver options" -access all -query "-option-name replication.throttle.outgoing.max_kbs" -vserver cluster1

Having said that, I don't want to give even read only rights to EVERYTHING. My goal is to give only the minimal rights required, which means read only rights just to the command or command directory required to be able to log in.