ONTAP Discussions

Restricting permissions to SVMs

We are required to manage devices using AD credentials, and normally this is how it is set up (domain-tunnel + we grant access at the cluster level):
vserver active-directory create -vserver SVM1 -account-name SVM1 -domain Domain_A -ou CN=Computers
security login domain-tunnel create -vserver SVM1
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application http -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ontapi -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ssh -authmethod domain -role admin

What I need to do now is segregate a newly created SVM9 so that:
- main "admin" account should be able to manage SVM9 as well as all other SVMs - this is already in place and inherited
- Domain_B\NetApp_AD_Admin_Group should be able to manage SVM9 - I've already joined it to the domain and it looks like I need to create an admin role on SVM level but it would not let me do something like DEFAULT and all - what's the simplest way to create all access admin role on SVM level?
- Domain_A\NetApp_AD_Admin_Group should have no access - finally, can I grant no permissions to this group?

Is that possible?

Re: Restricting permissions to SVMs

Hi,

A cluster admin has access to manage all the SVMs and cannot be denied to some of them.

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

Re: Restricting permissions to SVMs

Thanks,

I can revoke the cluster level access if that's the case - what's the simplest way to create all access admin role on SVM level?

G

Re: Restricting permissions to SVMs

Hello,

You should be able to create a role and assign that role to the user when creating it on that specific SVM9.

A command like below:

security login role create -role <rolename> -vserver SVM9 -access all -cmddirname Default

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fsecurity__login__role__create.html

Then you use the created role to assign to the user once you create it (security login create).

Thanks
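The full sequence the answer describes, assembled as an added example that is not from the original post or from NetApp documentation. It assumes SVM9 is already joined to Domain_B (as the question states), that the role name svm9_admin is a placeholder, and that the three applications mirror the ones granted at cluster level in the question.

```text
# 1. SVM-scoped role: DEFAULT command directory with full access, created on SVM9
#    (so it cannot be assigned to logins on the cluster SVM or any other SVM)
security login role create -vserver SVM9 -role svm9_admin -cmddirname DEFAULT -access all

# 2. AD group from Domain_B gets that role on SVM9 only, one entry per application
security login create -vserver SVM9 -user-or-group-name Domain_B\NetApp_AD_Admin_Group -application ssh    -authmethod domain -role svm9_admin
security login create -vserver SVM9 -user-or-group-name Domain_B\NetApp_AD_Admin_Group -application ontapi -authmethod domain -role svm9_admin
security login create -vserver SVM9 -user-or-group-name Domain_B\NetApp_AD_Admin_Group -application http   -authmethod domain -role svm9_admin

# 3. Check what was created: the role's command entries and the SVM9 login entries
security login role show -vserver SVM9 -role svm9_admin
security login show -vserver SVM9

# 4. Domain_A must not reach SVM9. As the first reply notes, a cluster-level admin
#    login cannot be excluded from a single SVM, so the only way to enforce this is
#    to delete the cluster-level entries and re-grant Domain_A per SVM where wanted.
#    [cluster] is the admin SVM name used in the question.
security login delete -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ssh
security login delete -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ontapi
security login delete -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application http
```

Domain_B admins then log in through SVM9's own management LIF rather than the cluster management LIF, since an SVM-scoped login is not valid on the cluster SVM.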
