ONTAP Discussions
Hi,
I have a CDOT cluster on 8.3. My manager wants individual business units to manage their own vserver via System Manager.
It is my understanding that it is not currently possible for System Manager to manage an individual vserver on a cDOT array.
Is this true?
If it is true, are there any plans to provide this capability in the future?
Thanks,
Hi,
my name is Chriz Ott, I'm working with NetApp as a Principal Architect.
Thank you very much for your question, your use case is one of the use cases cDOT was designed for - Secure Multi Tenancy.
Unfortunately you are correct, currently it is not possible to manage individual SVMs using the System Manager.
There are definitely plans to bring this functionality into System Manager, however in the past they have been deferred for the benefit of other features.
A workaround could be using WFA (Workflow Automation) to provide certain "operational tasks" that application owners would usually require and have WFA take care of RBAC (including integration into an existing LDAP).
Another way would be to use our SnapManager products for individual applications such as SQL, Exchange, Sharepoint etc. to connect to the SVM and manage their storage.
I hope this answer is useful for you, please don't hesitate to come back to me in case you have more questions.
Cheers chriz
P.S. if you feel this answer is useful, please KUDO or "correct answer" so other people may find it faster.
I would like to ask you about this topic.
I would like to allow individual business units to manage their own vserver via System Manager, too.
The OnCommand System Manager 8.3 is included with Data ONTAP as a web service.
It seems that cDOT 8.3 has the "vserver services web access" command.
https://library.netapp.com/ecmdocs/ECMP12452955/html/vserver/services/web/modify.html
Can we manage an individual vserver on a cdot array to a certain degree ?
Best regards,
Mikky
It looks like you can only enable ontapi access on the vserver level using this, and not the "portal" and "compat" services.
Fred
Hi. Any news regarding possibility to manage SVM by vsadmin via System Manager?
Hi,
I am running 9.1 now, and still no possibility to give individual SVM GUI access.
it would be a nice feature
"/sysmgr/SysMgr.html " svm
Not Found
The requested URL /sysmgr/SysMgr.html was not found on this server.
Hello,
Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM). We have done this with the system administrators for our Oracle E-Business Suite systems and they're able to do almost everything they need to do. The process looks something like this:
security login role create -role <ROLE NAME> -cmddirname DEFAULT -access readonly
security login role create -role <ROLE NAME> -cmddirname "volume qtree" -query "-vserver <SVM NAME>" -access all
security login role create -role <ROLE NAME> -cmddirname "vserver export-policy" -query "-vserver <SVM NAME>" -access all
vserver services web access create -vserver <CLUSTER SVM> -name sysmgr -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application http -authentication-method password -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application ontap -authentication-method password -role <ROLE NAME>
security login create -user-or-group-name <USERNAME> -application ssh -authentication-method password -role <ROLE NAME>
This is actually preferable to an SVM-by-SVM user account for us in that these sysadmins have multiple SVMs and would need accounts on each one. We overcome this by applying a wildcard to the query object of the role - since our SVMs follow a standard naming convention we just grant them access to any SVM named "oracle-*". Also, we wanted to limit some of what they could do inside the SVM and being an SVMadmin would have been too permissive for our use case.
Hope that helps,
Chris
@colsen, I am trying your recommended alternative. I assume this works with domain groups, right (where auth method is domain and not password)? I'm having difficulty with applying this to two SVMs. In the query I entered:
-query "-vserver <svm1> <svm2>"
There was no error, but the user wasn't able to log on to the cluster via System Manager. I tried again with just one SVM and they still couldn't log on. Any ideas?
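Added example, not part of this thread: a small Python audit script for the role pattern Chris describes above (DEFAULT at readonly, a few command directories at "all" scoped by a -vserver query), which also shows why a query written as two space-separated SVM names, as in the follow-up question, ends up granting nothing. It parses a constructed table laid out like the columns of `security login role show` (real output has a two-line header; only the dash separator line is used to locate the columns, so the header text does not matter), then checks each role for the usual over-grant mistakes: no DEFAULT or DEFAULT at "all", an "all" entry without a -vserver query, or a query that also reaches the cluster SVM. The query matcher models only the `*` wildcard and `|` alternation of the ONTAP query language; that simplification, the role names, the SVM inventory and the cluster SVM name "cluster1" are all assumptions of the example.

```python
"""Audit ONTAP login roles built as: DEFAULT readonly, selected command
directories at 'all' restricted by a -vserver query.
Added example; parses a constructed table, not live cluster output."""
import fnmatch
from dataclasses import dataclass


@dataclass
class RoleEntry:
    vserver: str   # SVM the role is defined on (the cluster SVM here)
    role: str
    cmddir: str    # command directory, e.g. "volume qtree" or DEFAULT
    query: str     # e.g. "-vserver oracle-*"; empty means unscoped
    access: str    # none | readonly | all


# Constructed sample in the column layout of `security login role show`.
# Role and SVM names are made up for the example.
SAMPLE = """\
Vserver    Role Name     Command/Directory        Query                   Access Level
---------- ------------- ------------------------ ----------------------- ------------
cluster1   oracle-admin  DEFAULT                                          readonly
cluster1   oracle-admin  volume qtree             -vserver oracle-*       all
cluster1   oracle-admin  vserver export-policy    -vserver oracle-*       all
cluster1   sloppy-admin  DEFAULT                                          readonly
cluster1   sloppy-admin  volume                                           all
cluster1   sloppy-admin  vserver export-policy    -vserver svm1 svm2      all
cluster1   two-svm-admin DEFAULT                                          readonly
cluster1   two-svm-admin volume qtree             -vserver svm1|svm2      all
"""

# Assumed SVM inventory of the cluster, including the cluster admin SVM.
KNOWN_SVMS = ["cluster1", "oracle-prod", "oracle-dev", "svm1", "svm2"]


def column_starts(dash_line):
    """Column start offsets, one per run of dashes in the separator line."""
    return [i for i, ch in enumerate(dash_line)
            if ch == "-" and (i == 0 or dash_line[i - 1] != "-")]


def parse_role_show(text):
    """Slice fixed-width rows into RoleEntry records using the separator line."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("---"))
    starts = column_starts(lines[sep])
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[sep + 1:]:
        if line.strip():
            rows.append(RoleEntry(*(line[s:e].strip() for s, e in bounds)))
    return rows


def query_matches(query, svm):
    """Does a '-vserver <pattern>' query select this SVM?
    Models only '*' wildcards and '|' alternation (assumption: other ONTAP
    query operators are not handled). No query, or a query on a field other
    than -vserver, is treated as reaching every SVM."""
    if not query:
        return True
    field, _, pattern = query.partition(" ")
    if field != "-vserver":
        return True
    return any(fnmatch.fnmatchcase(svm, alt) for alt in pattern.split("|"))


def audit_role(entries, role, known_svms, cluster_svm):
    """Return findings for one role; an empty list means it passed."""
    findings = []
    mine = [e for e in entries if e.role == role]
    default = [e for e in mine if e.cmddir == "DEFAULT"]
    if not default or default[0].access == "all":
        findings.append("DEFAULT missing or 'all': everything not listed is allowed")
    for e in mine:
        if e.cmddir == "DEFAULT" or e.access != "all":
            continue
        reach = [s for s in known_svms if query_matches(e.query, s)]
        if not e.query:
            findings.append(f"{e.cmddir}: 'all' with no -vserver query (cluster-wide)")
        elif cluster_svm in reach:
            findings.append(f"{e.cmddir}: query {e.query!r} also reaches {cluster_svm}")
        elif not reach:
            findings.append(f"{e.cmddir}: query {e.query!r} matches no known SVM "
                            "(space-separated names form one literal pattern)")
    return findings


if __name__ == "__main__":
    entries = parse_role_show(SAMPLE)
    for role in sorted({e.role for e in entries}):
        print(role, audit_role(entries, role, KNOWN_SVMS, "cluster1") or ["ok"])
```

Run as-is it reports "oracle-admin" and "two-svm-admin" as clean and flags the unscoped "volume" entry and the "svm1 svm2" query of "sloppy-admin". To use it against a real cluster, paste the output of `security login role show` into SAMPLE (or read it from a file) and fill KNOWN_SVMS from `vserver show`; if the role entries also use other query operators, extend query_matches before trusting its verdict.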
@colsen wrote:
Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM).
But this wouldn't work in a multidomain environment, where all SVMs have different VLANs and different IP nets.
With this setup, we would have to open the FW for each user who would like to manage their SVMs.
If SVM-by-SVM were enabled, they could just access the same address via web browser if we changed the LIF's firewall policy to mgmt.
Anybody know if this feature has been added in 9.2 (which we are currently on) or 9.3?
Have NetApp corrected this in 9.2 and above ?
Not as of yet.