Active IQ Unified Manager Discussions

Managing 2 separate groups

amir_soroka

Hello,

My environment is like this:

OnCommand 5

2 NetApps:

na1 - 2 aggregates (aggrA, aggrB)

na2 - 1 aggregate (aggrC)

I have created 2 groups in OnCommand (Operations Manager):

Group-COMPANY1 - can manage aggrA, aggrC

Group-COMPANY2 - can manage aggrB

My requirement is to let Company1 administrators manage only their aggregates (aggregates A & C) and let Company2 manage their aggregate (B).

I've created a role in the Operations Manager that allows each user to access only its aggregates.

But the question is how I can actually let each administrator manage his own group (like creating qtrees, resizing volumes, creating shares).

I know I have the Provisioning Manager option, but I'm looking for something more trivial (like the System Manager concept).

Any idea how I can do this?

Thanks,

Amir

2 REPLIES

smoot

Using the OnCommand suite, you'd have to go through Provisioning Manager and Protection Manager for all the active management tasks (i.e. creating volumes). For reporting and read-only purposes, OnCommand groups would be fine.

System Manager doesn't have any concept of access control so that won't help you. Once SysMgr has the filer credentials, it'll allow you to do anything.

ONTAP itself has an RBAC system but I believe it allows or restricts specific commands, but it's all or nothing. The user either has access to the "vol" command or not and once he does, he can run "vol size" on any volume. At least, that's my understanding but it's been a while since I've looked into it.

You could look into creating vFiler units and only giving your customers access to the vFilers but not the hosting filer.

I'm not that familiar with what a vFiler admin can do and what they can't. I think they can resize volumes and create shares but I don't know if they can create new volumes.

adaikkap

Some response to Pete's

> ONTAP itself has an RBAC system but I believe it allows or restricts specific commands, but it's all or nothing. The user either has access to the "vol" command or not and once he does, he can run "vol size" on any volume. At least, that's my understanding but it's been a while since I've looked into it.

You are absolutely right, no change yet.

> I'm not that familiar with what a vFiler admin can do and what they can't. I think they can resize volumes and create shares but I don't know if they can create new volumes.

True, create snapshots, delete them, but can't create volumes.

Regards

adai
