My name is Chriz Ott; I'm working with NetApp as a Principal Architect.
Thank you very much for your question. Your use case is one of the use cases cDOT was designed for: Secure Multi Tenancy.
Unfortunately you are correct, currently it is not possible to manage individual SVMs using the System Manager.
There are definitely plans to bring this functionality into System Manager; however, in the past they have been deferred for the benefit of other features.
A workaround could be using WFA (Workflow Automation) to provide certain "operational tasks" that application owners would usually require and have WFA take care of RBAC (including integration into an existing LDAP).
Another way would be to use our SnapManager products for individual applications such as SQL, Exchange, SharePoint etc. to connect to the SVM and manage their storage.
I hope this answer is useful for you; please don't hesitate to come back to me in case you have more questions.
P.S. if you feel this answer is useful, please KUDO or "correct answer" so other people may find it faster.
P.S. if you feel this post is useful, please KUDO or "accept as a solution" so other people may find it faster.
Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM). We have done this with the system administrators for our Oracle E-Business Suite systems and they're able to do almost everything they need to do. The process looks something like this:
This is actually preferable to an SVM-by-SVM user account for us in that these sysadmins have multiple SVMs and would need accounts on each one. We overcome this by applying a wildcard to the query object of the role - since our SVMs follow a standard naming convention we just grant them access to any SVM named "oracle-*". Also, we wanted to limit some of what they could do inside the SVM and being an SVMadmin would have been too permissive for our use case.
@colsen, I am trying your recommended alternative. I assume this works with domain groups, right (where auth method is domain and not password)? I'm having difficulty with applying this to two SVMs. In the query I entered:
-query "-vserver <svm1> <svm2>"
There was no error, but the user wasn't able to log on to the cluster via System Manager. I tried again with just one SVM and they still couldn't log on. Any ideas?
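An added illustration of the pattern colsen describes (a cluster-level login whose role is restricted by a `-query` on the SVM name), written as ONTAP CLI commands. It is not from any post in this thread; the cluster name `cluster1`, role name `oracle-svm-ops`, the `oracle-*` prefix, the CIFS SVM `cifs-svm` and the domain group `CORP\oracle-dbas` are assumed placeholders. Lines starting with `#` are annotations, not CLI input.

```text
# Role: deny everything by default, then grant only what the app owners need,
# every grant scoped to SVMs matching the naming convention via -query.
cluster1::> security login role create -vserver cluster1 -role oracle-svm-ops -cmddirname DEFAULT -access none
cluster1::> security login role create -vserver cluster1 -role oracle-svm-ops -cmddirname "vserver" -access readonly -query "-vserver oracle-*"
cluster1::> security login role create -vserver cluster1 -role oracle-svm-ops -cmddirname "volume" -access all -query "-vserver oracle-*"
cluster1::> security login role create -vserver cluster1 -role oracle-svm-ops -cmddirname "volume snapshot" -access all -query "-vserver oracle-*"

# Two explicitly named SVMs instead of a wildcard: the ONTAP query OR operator is "|",
# a space-separated list is not parsed as two values.
cluster1::> security login role create -vserver cluster1 -role oracle-svm-ops -cmddirname "volume" -access all -query "-vserver oracle-prod|oracle-dev"

# Domain-authenticated logins need a domain tunnel through an SVM that runs a CIFS server.
cluster1::> security login domain-tunnel create -vserver cifs-svm

# Cluster-level login for the AD group. System Manager talks ONTAPI, so "ontapi" is the
# application that matters for OCSM access; add ssh only if CLI access is also wanted.
# (ONTAP 9 parameter names shown; cDOT 8.x uses -username and -authmethod.)
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\oracle-dbas" -application ontapi -authentication-method domain -role oracle-svm-ops
cluster1::> security login create -vserver cluster1 -user-or-group-name "CORP\oracle-dbas" -application ssh -authentication-method domain -role oracle-svm-ops

# Verify the effective scope before handing the account over.
cluster1::> security login role show -vserver cluster1 -role oracle-svm-ops
cluster1::> security login show -vserver cluster1 -user-or-group-name "CORP\oracle-dbas"
```

Note that the restriction applies only within the granted command directories; `DEFAULT none` is what keeps the account from seeing other tenants' objects and cluster-wide settings.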
Although OCSM access can't be enabled at an SVM-by-SVM level, you can create your SVM administrators a top-level cluster account and then grant their role individualized permissions to their SVM (thus granting them access via OCSM).
But this wouldn't work in a multidomain environment, where all SVMs have different VLANs and different IP nets.
With this setup, we would have to open the FW for each user who would like to manage their SVMs.
If SVM-by-SVM were enabled, they could just access the same address via web browser if we changed the LIF's firewall policy to mgmt.