ONTAP Discussions

Restricting permissions to SVMs

ppadmgeo1

We are required to manage devices using AD credentials and normally this is how it is setup(domain-tunnel + we grant access on cluster level)
vserver active-directory create -vserver SVM1 -account-name SVM1 -domain Domain_A -ou CN=Computers
security login domain-tunnel create -vserver SVM1
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application http -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ontapi -authmethod domain -role admin
security login create -vserver [cluster] -user-or-group-name Domain_A\NetApp_AD_Admin_Group -application ssh -authmethod domain -role admin

 

What I need to do now is segregate a newly created SVM9 so that:
- main "admin" account should be able to manage SVM9 as well as all others SVMs - this is already in place and inherited
- Domain_B\NetApp_AD_Admin_Group should be able to manage SVM9 - I've already joined it to the domain and it looks like I need to create an admin role on SVM level but it would not let me do something like DEFAULT and all - what's the simplest way to create all access admin role on SVM level?
- Domain_A\NetApp_AD_Admin_Group should have no access - finally, can I grant none permissions to this group?

Is that possible?

1 ACCEPTED SOLUTION

hmoubara

Hello,

 

You should be able to create a role and assigned that role to the user when creating it on that specific SVM9.

A command like below:

 

security login role create -role <rolename> -vserver SVM9 -access all -cmddirname Default

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fsecurity__login__role__create.html

Then you use the role created to assign to the user once you created (security login create)

 

Thanks

 

View solution in original post

3 REPLIES 3

GidonMarcus

Hi,

 

A cluster admin has access to manage all the SVMs and cannot be denied to some of them.

 

Gidi

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

ppadmgeo1

Thanks,

I can revoke the cluster level access if that's the case - what's the simplest way to create all access admin role on SVM level?

G

hmoubara

Hello,

 

You should be able to create a role and assigned that role to the user when creating it on that specific SVM9.

A command like below:

 

security login role create -role <rolename> -vserver SVM9 -access all -cmddirname Default

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fsecurity__login__role__create.html

Then you use the role created to assign to the user once you created (security login create)

 

Thanks

 

Public