I have solved.......... and I think that the CLI example below can help some folks, anyway there is second big issue that I must understand!
It is NOT clear what are the real benefit to use a filter added via "Query"..............
In fact I have tried with a lot of test to create/modify some "role" (via CLI, it is most simple) to add some type of "query" but apparently the filters not running with a logics and apparently it is not possible to add a query for some the "cmddirname".
See the example below:
>security login role modify -vserver ITVARNAPPXX -role snap_role -access all -cmddirname "volume" -query "-aggr ITVARNAPPXXA_aggr1"
>security login role modify -vserver ITVARNAPPXX -role snap_role -access all -cmddirname "volume clone" -query "-vserver svm_share_XX"
ITVARNAPPXX::> security login role show -role snap_role
Role Command/ Access
Vserver Name Directory Query Level
---------- ------------- --------- ----------------------------------- --------
snap_role DEFAULT none
volume -aggr ITVARNAPPXXA_aggr1 all
volume clone -vserver svm_share_XX all
volume clone create all
volume clone show all
volume create all
volume delete all
volume modify all
volume offline all
volume show all
volume snapshot create all
volume snapshot delete all
volume snapshot modify all
volume snapshot show all
14 entries were displayed.
Above all it is not at all clear (for me.......) the mechanism into the "cmddirname" because, for a logics, there is a "father" and under the "sons" that they depend of his otherwise.........
In fact into my example, you can see the "role" where the specific userid is able to operate (by query) the "volume" command and - in theory - onto the indicated aggregate only but it is not true.
The second one command "volume clone" and here also the "role" should be able to operate into the indicated SVM only but it is not true.
Thanks to explain me how to create a "tree" of commands for the role with a permission to execute the commands only but for the specific filter (query) only otherwise the userid can create/remove the volumes/clone/snapshot into other SVM and so on!