Upfront warning - this user setup below is not approved by NetApp support and they won't take any responsibility for failed polling, missing data, alarms not triggering/catching issues, etc. I don't expect any issues with this configuration but wanted to be as clear on this as possible.
I've had success using a limited role with OCUM/OPM 7.1 using the commands below:
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname DEFAULT -access readonly
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "cluster application-record" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster modify" -access all
security login role create -vserver <cluster_vserver> -role ocum_readonly_role -cmddirname "metrocluster show" -access all
vserver services web access create -vserver <cluster_vserver> -name spi -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application ontapi -authmethod password -role ocum_readonly_role
security login create -vserver <cluster_vserver> -user ocum_readonly -application http -authmethod password -role ocum_readonly_role
Here's the rationale for the commands above.
- A limited role is set up with access to the 'cluster application-record' command tree. This is where ONTAP tracks which OCUM/OPM/WFA instances are managing the cluster.
- OCUM also demands access to the 'metrocluster' command tree and polling fails without this access.
- An SPI web access entry is created for the role to allow OCUM/OPM to pull performance files.
- A login is created with http/ontapi access. All connectivity should be through API calls for most metrics, or HTTP calls to the SPI interface to pull performance data.
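As an added example (not part of the original post), here is a small Python audit that checks a role's grants against the least-privilege shape above: DEFAULT must be readonly, and 'all' may appear only on the three command directories listed. The sample output is constructed to resemble `security login role show -role ocum_readonly_role -fields cmddirname,access`; the column layout is an assumption, so confirm it against your own cluster before relying on the parser.

```python
import re

# Command directories the post grants "all" access to. Any other directory
# with non-readonly access, or a DEFAULT that is not readonly, is privilege drift.
ALLOWED_ALL = {
    "cluster application-record",
    "metrocluster modify",
    "metrocluster show",
}

# Constructed sample, shaped like
#   security login role show -role ocum_readonly_role -fields cmddirname,access
# (layout assumed; the extra "volume" grant is planted to show a finding)
SAMPLE_OUTPUT = """\
vserver  role               cmddirname                   access
-------- ------------------ ---------------------------- --------
cluster1 ocum_readonly_role DEFAULT                      readonly
cluster1 ocum_readonly_role "cluster application-record" all
cluster1 ocum_readonly_role "metrocluster modify"        all
cluster1 ocum_readonly_role "metrocluster show"          all
cluster1 ocum_readonly_role "volume"                     all
5 entries were displayed.
"""

# vserver, role, quoted-or-bare cmddirname, access level
ROW = re.compile(r'^(\S+)\s+(\S+)\s+("[^"]*"|\S+)\s+(\S+)\s*$')


def parse_role_rows(text, role):
    """Return {cmddirname: access} for rows belonging to the given role."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(2) != role:   # skips header, ruler and footer lines
            continue
        rows[m.group(3).strip('"')] = m.group(4)
    return rows


def audit_role(text, role="ocum_readonly_role", allowed_all=ALLOWED_ALL):
    """Return a list of findings; an empty list means the role matches the intent."""
    findings = []
    rows = parse_role_rows(text, role)
    if rows.get("DEFAULT") != "readonly":
        findings.append("DEFAULT is %r, expected readonly" % rows.get("DEFAULT"))
    for cmddir, access in rows.items():
        if cmddir != "DEFAULT" and access != "readonly" and cmddir not in allowed_all:
            findings.append("unexpected %s access on %r" % (access, cmddir))
    for cmddir in sorted(allowed_all):
        if rows.get(cmddir) != "all":
            findings.append("missing 'all' grant on %r (polling may fail)" % cmddir)
    return findings
```

Run it against real output captured from the cluster rather than the sample to spot grants added after the role was created.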