ONTAP Discussions
I'd like to be able to secure an API user that would have read-only access to the filer. Going through RBAC, this seems possible, but there are too many options to successfully create a role based on this. The command errors as it's too long, and if I load it into a text file and run it using source, it reports the command is too long. I won't post the full list of "api-" RBAC roles I want to give the user as it's a bit big!
Is there an easy way of creating a read-only api-* user?
Hi Chris,
There is no easy way to create a role with privilege to access all read-only APIs. If you create a privilege with api-* then it provides access to all the APIs. You have to explicitly list out read-only APIs like api-system-*, api-qtree-list-*.
Thanks,
Rashmi.
Thanks for the reply. However, that's the problem I have. I've been through all the api- roles and highlighted the read-only ones, but the command line input buffer isn't long enough to accept this into a single role. If there was a way that I could add additional settings to an existing role, then I could build this up, but there doesn't seem to be; it just overwrites the existing settings.
You can use useradmin category APIs to overcome the limitations of CLI.
Thanks,
Rashmi.
Maybe you can break the api-* list into multiple roles, each one having different APIs as capabilities. Then add these roles to a group, then assign a read-only user to this group.
For example, create the roles you need.
Name: testrole
Info:
Allowed Capabilities: api-*
Name: login
Info:
Allowed Capabilities: cli-*,login-ssh,login-telnet
Create a group for these roles:
Name: testgrp
Info:
Rid: 131085
Roles: testrole,login
Assign user to this role.
Name: testuser
Info:
Rid: 131092
Groups: testgrp
Let me know if this works!
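Added example (not code from the thread or from NetApp): a small Python generator that applies the split-into-roles approach above, emitting 7-Mode `useradmin` commands short enough for the CLI input buffer. The capability list, the user/group/role names and the length limit are constructed assumptions, and the login role grants only `login-http-admin` so the API account gets no CLI access.

```python
"""Split a long list of read-only ONTAPI capabilities across several 7-Mode
roles so that each `useradmin` command stays below the CLI input limit.
Added example for this thread; names, capabilities and the length limit are
constructed assumptions, not values taken from the posts."""

# Constructed sample of read-only capabilities (the wildcard forms are the
# ones mentioned in the thread; the rest are illustrative).
READ_ONLY_CAPS = [
    "api-system-*", "api-qtree-list-*", "api-volume-list-info",
    "api-aggr-list-info", "api-snapshot-list-info", "api-lun-list-info",
    "api-disk-list-info", "api-quota-list-entries", "api-vfiler-list-info",
    "api-net-config-get-active", "api-options-list-info", "api-perf-object-list-info",
]
# An API-only account needs HTTP admin login, not cli-*/login-ssh/login-telnet.
LOGIN_CAPS = ["login-http-admin"]

def chunk_by_length(items, max_len, prefix_len):
    """Greedily pack items so prefix + comma-joined chunk never exceeds max_len."""
    chunks, current = [], []
    for item in items:
        if prefix_len + len(item) > max_len:
            raise ValueError(f"capability too long for one command: {item}")
        if current and prefix_len + len(",".join(current + [item])) > max_len:
            chunks.append(current)
            current = []
        current.append(item)
    if current:
        chunks.append(current)
    return chunks

def build_useradmin_commands(caps, user, group, role_prefix="ro_api", max_len=120):
    """Return the ordered useradmin commands: capability roles, login role, group, user."""
    prefix_len = len(f"useradmin role add {role_prefix}_99 -a ")  # worst case: 2-digit suffix
    chunks = chunk_by_length(caps, max_len, prefix_len)
    if len(chunks) > 99:
        raise ValueError("too many roles for a 2-digit suffix; raise max_len")
    cmds, roles = [], []
    for n, chunk in enumerate(chunks, start=1):
        role = f"{role_prefix}_{n}"
        roles.append(role)
        cmds.append(f"useradmin role add {role} -a {','.join(chunk)}")
    login_role = f"{role_prefix}_login"
    cmds.append(f"useradmin role add {login_role} -a {','.join(LOGIN_CAPS)}")
    cmds.append(f"useradmin group add {group} -r {','.join(roles + [login_role])}")
    cmds.append(f"useradmin user add {user} -g {group}")  # 7-Mode prompts for the password
    return cmds

if __name__ == "__main__":
    print("\n".join(build_useradmin_commands(READ_ONLY_CAPS, "apireader", "ro_api_grp")))
```

Lower `max_len` until every emitted `useradmin role add` line is accepted by the filer; the group and user commands stay short because they carry only role and group names.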