I am pretty sure this will not work in your case... Much of the GUI is REST-related and this trick does not work with REST:
When creating RBAC, many forget about the -query option.
security login role create -role corpAAA_admin -cmddirname volume -query "-vserver svm_AAA" -access all
Basically, you have a couple choices:
1. You can give the admins the ability to "login" to their own SVM, but they will be limited to CLI access.
2. You can give the admins the ability to "login" to the main cluster, but you define EVERY command they can run and be very judicious with the "-query" option, which will limit the user to only run things in their own SVM.
I would love to be proven wrong, but as far as I know there is no way to "limit" GUI access to an SVM.
It is a catch-22... You can specify "rest-role" but they are targeted to a data SVM. The GUI is the admin SVM.
If I provide access to the GUI, I need to find a way to limit (which again, I do not think is possible).
Hopefully this is a bit clearer than mud.