We are required to manage devices using AD credentials and normally this is how it is setup(domain-tunnel + we grant access on cluster level)
vserver active-directory create -vserver SVM1 -account-name SVM1 -domain Domain_A -ou CN=Computers
security login domain-tunnel create -vserver SVM1
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application http -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ontapi -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ssh -authmethod domain -role admin

What I need to do now is segregate a newly created SVM9 so that:
- main "admin" account should be able to manage SVM9 as well as all others SVMs - this is already in place and inherited
- Domain_B\NetApp_AD_Admin_Group should be able to manage SVM9 - I've already joined it to the domain and it looks like I need to create an admin role on SVM level but it would not let me do something like DEFAULT and all - what's the simplest way to create all access admin role on SVM level?
- Domain_A\NetApp_AD_Admin_Group should have no access - finally, can I grant none permissions to this group?

Is that possible?