We have an app that is using the OnTap REST api to create snapshots of specific volumes.
We would like to create a service account that ONLY has the rights to create snapshots on specified volumes.
Using the CLI we can create a "rest-role" that has all access to all volumes:
modify -vserver dc1-netsim -role SmartBackupRest -api /api/storage/volumes -access all
But when we try to lock this down to a specific operation:
create -vserver dc1-netsim -role SmartBackupRest -api /api/storage/volumes/snapshots -access all
we get "URI does not exist"
and if we try to use the actual URI called by the app (including the volume ID):
create -vserver dc1-netsim -role SmartBackupRest -api /api/storage/volumes/d9616397-
a06b-4da4-931d-ee22f7bffeec/ snapshots -access all
we get "Invalid character detected in URI."
How are we meant to lock the role down effectively?