2008-12-16 06:57 AM
Has anybody ever used the OM as a RBAC proxy?
The aim of the game is to allow certain users only access to "their" storage objects.
It seems as if volume & lun creation and modification can be triggered through the OM but somehow I don't find a way to
create snapshots for those created volumes.
Any ideas where I might look?
2008-12-16 08:08 AM
Greetings. Please find below, my response to your queries.
You can create user-defined roles in OM, & you can give access only to those objects (such as Storage Systems, Volumes, Qtrees...).
Later you can assign these roles to OM users, so that they get access only to a restricted set of objects.
Refer to section 'Controlling Administrative User Access' in the OM Admin guide for more details.
"creation of snapshots:"
You cannot use OM to create snapshots or even Volumes. Check with "Provisioning Manager" product for more details.
You can create LUN only on Windows, by using Host Agent & SnapDrive for Windows product.
Let me know if you need more details on the same.
2008-12-16 10:21 PM
Ravindra Kumar reminded me of "dfm run cmd".
You can do most of the filer operations from OM, if you are familiar with ONTAP CLI.
Steps to run a command from OM, on one or more Storage System(s)
for single Storage System:
1. Go to 'Appliance Details' for a Storage system
2. On the left hand side, look for 'Appliance Tools', and click on 'Run a Command'
3. It takes you to 'Run Command' page, where you can enter ONTAP command 'Appliance Command'
4. This will create a 'run job' & the result will be available under a link in the same 'Run Command' page
Note: If you have created any object say volume or qtree, using 'Run Command',
you need to either refresh the monitoring samples manually or wait for it to run automatically according to the monitoring interval set value
2009-01-09 06:08 PM
SnapDrive for Unix also supports the use of RBAC permissions where the capabilities of that user can be defined within Operations Manager (essentially SDU uses Operations Manager as its RBAC authority).
This is described in much more detail here:
2009-01-11 05:08 PM
You can also define command aliases using "dfm run alias import". Command aliases allow you to define permissions needed to execute the command. I haven't used that command in years, so I don't remember the exact details of what you can allow or deny.
2009-01-13 02:52 AM
Thank you very much ... that is a good hint
Grüsse / Greetings
On 10.01.2009 at 03:08, rich fenton wrote:
A new message was posted in the thread "Using the OM as a RBAC
proxy? / creation of snapshots through OM?":
Author : rich fenton
2009-01-25 09:11 AM
Another of our customers was able to use OM as an RBAC proxy by using the DFM server APIs.
For a description of how this was done check out my blog.
The key idea is that you use resource groups to configure the objects, assign permissions to those objects and then have wrapper scripts to perform the operations you want to do.
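The wrapper-script idea from the last post, sketched as an added example that comes neither from this thread nor from the blog it mentions: the wrapper denies by default, checks that the target volume sits in a resource group the caller holds a grant for, and validates every name before it reaches the privileged `dfm run cmd` call. The policy dicts are constructed stand-ins for OM resource groups and roles, the operation names are hypothetical, and the argument order given to `dfm run cmd` is an assumption.

```python
import re

# Constructed sample policy. In the setup described above this data lives in
# Operations Manager (resource groups, roles); these dicts are stand-ins.
RESOURCE_GROUPS = {  # group -> {(storage_system, volume)}
    "team-a": {("filer1", "vol_a1"), ("filer1", "vol_a2")},
    "team-b": {("filer2", "vol_b1")},
}
ROLE_GRANTS = {  # user -> {(group, operation)}
    "alice": {("team-a", "snap_create"), ("team-a", "snap_list")},
    "bob": {("team-b", "snap_list")},
}
# Hypothetical wrapper operations mapped to ONTAP command templates.
OPERATIONS = {
    "snap_create": ["snap", "create", "{volume}", "{snapshot}"],
    "snap_list": ["snap", "list", "{volume}"],
}
# The first character may not be '-', so a name can never be read as an option.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


class Denied(Exception):
    """Raised for every request that is not explicitly allowed."""


def build_command(user, operation, system, volume, snapshot=None):
    """Return the argv for 'dfm run cmd', or raise Denied."""
    template = OPERATIONS.get(operation)
    if template is None:
        raise Denied(f"unknown operation {operation!r}")
    names = [system, volume]
    if "{snapshot}" in template:
        names.append(snapshot)
    for value in names:
        if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
            raise Denied(f"illegal name {value!r}")
    # Groups containing the target object, then a grant for one of them.
    groups = {g for g, members in RESOURCE_GROUPS.items()
              if (system, volume) in members}
    grants = ROLE_GRANTS.get(user, set())
    if not any((g, operation) in grants for g in groups):
        raise Denied(f"{user} may not {operation} on {system}:{volume}")
    ontap = [p.format(volume=volume, snapshot=snapshot) for p in template]
    # A list argv (no shell) keeps user-supplied names out of shell parsing.
    return ["dfm", "run", "cmd", system] + ontap
```

The returned list is meant to be handed to `subprocess.run` without `shell=True`, from a service account that is the only identity allowed to call `dfm`.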