ONTAP Discussions

Restricting volume operations in svm


Other than creating a bespoke role, is there anyway to prevent a Vserver/SVM user/administrator from being able to modify the size of a volume in their SVM?


I'd like to prevent volumes from multiple SVMs in the same aggregate from being able to consume beyond their allocated amount, but it looks like the SVM admins have control to make changes from within the SVM.


I understand I can restrict the ability to create new volumes, by not assigning any aggregates to the SVM aggregate allowed list, but this does not seem to prevent changes being made to already provisioned volumes.


I've tested this under the simulator (version 8.3.2RC1) and so far haven't found a way.


Thanks in advance




Hi Rob,


You can get this done via role creation on vserver level.


I created a testrole with the following abilities.



cmemile01::vserver security> security login role show -vserver data_svm -role testrole
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
data_svm   testrole      DEFAULT                                       none
data_svm   testrole      network                                       all
data_svm   testrole      snapmirror                                    all
data_svm   testrole      volume                                        readonly


When I go to vserver context and login with my user which was assigned the "testrole" the "volume size" command is not available.


cmemile01::vserver security> vserver context -username emile -vserver data_svm

Info: Use 'exit' command to return.

data_svm::> volume ?
  clone>                      Manage FlexClones
  efficiency>                 Manage volume efficiency
  file>                       File related commands
  qtree>                      Manage qtrees
  quota>                      Manage Quotas, Policies, Rules and Reports
  show                        Display a list of volumes
  show-footprint              Display a list of volumes and their data and metadata footprints in their associated aggregate.
  show-space                  Display space usage for volume(s)
  snapshot>                   Manage snapshots

data_svm::> volume size

Error: "size" is not a recognized command

Is this what you are trying to achieve?






Many thanks for the response. 


I was hoping to restrict this in another way other than by defining new roles, as that opens up other administration issues/burdens in a multitenant environment, hence my original question.


The ideal would to be able to restrict it at the cluster level for the SVM, a bit like under 7 mode where the volume changes that didn't affect the aggregate utilisation could be controlled from within the Vfiler, but anything that would affect the aggregate (vol size/autosize for instance) had to be completed at the vfiler0 level.


If roles are the only way, we'll have to get some automation in palce for it to ensure a consitent deployment model for each SVM stood up.