Other than creating a bespoke role, is there anyway to prevent a Vserver/SVM user/administrator from being able to modify the size of a volume in their SVM?
I'd like to prevent volumes from multiple SVMs in the same aggregate from being able to consume beyond their allocated amount, but it looks like the SVM admins have control to make changes from within the SVM.
I understand I can restrict the ability to create new volumes, by not assigning any aggregates to the SVM aggregate allowed list, but this does not seem to prevent changes being made to already provisioned volumes.
I've tested this under the simulator (version 8.3.2RC1) and so far haven't found a way.
You can get this done via role creation on vserver level.
I created a testrole with the following abilities.
cmemile01::vserver security> security login role show -vserver data_svm -role testrole
Role Command/ Access
Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
data_svm testrole DEFAULT none
data_svm testrole network all
data_svm testrole snapmirror all
data_svm testrole volume readonly
When I go to vserver context and login with my user which was assigned the "testrole" the "volume size" command is not available.
cmemile01::vserver security> vserver context -username emile -vserver data_svm
Info: Use 'exit' command to return.
data_svm::> volume ?
clone> Manage FlexClones
efficiency> Manage volume efficiency
file> File related commands
qtree> Manage qtrees
quota> Manage Quotas, Policies, Rules and Reports
show Display a list of volumes
show-footprint Display a list of volumes and their data and metadata footprints in their associated aggregate.
show-space Display space usage for volume(s)
snapshot> Manage snapshots
data_svm::> volume size
Error: "size" is not a recognized command
I was hoping to restrict this in another way other than by defining new roles, as that opens up other administration issues/burdens in a multitenant environment, hence my original question.
The ideal would to be able to restrict it at the cluster level for the SVM, a bit like under 7 mode where the volume changes that didn't affect the aggregate utilisation could be controlled from within the Vfiler, but anything that would affect the aggregate (vol size/autosize for instance) had to be completed at the vfiler0 level.
If roles are the only way, we'll have to get some automation in palce for it to ensure a consitent deployment model for each SVM stood up.