I have a problem with the "GUI" (ONTAP 9 Cluster mode) concerning the "Query" on Role -> Role Attribute.
In fact the NetApp documentation (that I have found) is incomplete, because the syntax is not listed. The only example is "-aggr <aggrname>", but the question is: what is the syntax to add other queries?
Thanks in advance for the help and attention (:-))
Hi, I have solved it, and I think that the CLI example below can help some folks; anyway, there is a second big issue that I must understand!
It is NOT clear what the real benefit is of using a filter added via "Query".
In fact I have run a lot of tests creating/modifying some "role" (via CLI, it is simpler) to add some type of "query", but apparently the filters do not work with any logic, and apparently it is not possible to add a query for some of the "cmddirname".
See the example below:
>security login role modify -vserver ITVARNAPPXX -role snap_role -access all -cmddirname "volume" -query "-aggr ITVARNAPPXXA_aggr1"
>security login role modify -vserver ITVARNAPPXX -role snap_role -access all -cmddirname "volume clone" -query "-vserver svm_share_XX"
ITVARNAPPXX::> security login role show -role snap_role
            Role          Command/                                            Access
Vserver     Name          Directory               Query                       Level
----------- ------------- ----------------------- --------------------------- --------
ITVARNAPPXX snap_role     DEFAULT                                             none
                          volume                  -aggr ITVARNAPPXXA_aggr1    all
                          volume clone            -vserver svm_share_XX       all
                          volume clone create                                 all
                          volume clone show                                   all
                          volume create                                       all
                          volume delete                                       all
                          volume modify                                       all
                          volume offline                                      all
                          volume show                                         all
                          volume snapshot create                              all
                          volume snapshot delete                              all
                          volume snapshot modify                              all
                          volume snapshot show                                all
14 entries were displayed.
Above all, the mechanism of the "cmddirname" is not at all clear (to me), because, logically, there is a "father" and under it the "sons" that depend on it, otherwise...
In fact, in my example you can see the "role" where the specific userid is able to run (by query) the "volume" command and - in theory - on the indicated aggregate only, but it is not true.
The second command is "volume clone", and here too the "role" should be able to operate in the indicated SVM only, but it is not true.
Thanks for explaining to me how to create a "tree" of commands for the role with permission to execute the commands only for the specific filter (query); otherwise the userid can create/remove the volumes/clones/snapshots in other SVMs and so on!
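
An added audit sketch, not part of the original post and not NetApp code: it models the 14 role entries shown above and lists every child entry that grants access with an empty query beneath a parent that carries one. It assumes that the most specific matching cmddirname entry governs a command and that a parent's query is not inherited by a child entry; that rule and the function names are assumptions, so verify them against your ONTAP release.

```python
# Role entries as (cmddirname, query, access level), transcribed from the
# `security login role show -role snap_role` output quoted in the post.
ENTRIES = [
    ("DEFAULT", "", "none"),
    ("volume", "-aggr ITVARNAPPXXA_aggr1", "all"),
    ("volume clone", "-vserver svm_share_XX", "all"),
] + [(name, "", "all") for name in (
    "volume clone create", "volume clone show", "volume create",
    "volume delete", "volume modify", "volume offline", "volume show",
    "volume snapshot create", "volume snapshot delete",
    "volume snapshot modify", "volume snapshot show",
)]


def effective_entry(command, entries=ENTRIES):
    """Return the entry that governs `command`.

    ASSUMPTION (not stated in the post): the entry with the longest matching
    cmddirname applies, and only that entry's own query is enforced.
    """
    words = command.split()
    best, best_len = None, -1
    for entry in entries:
        parts = [] if entry[0] == "DEFAULT" else entry[0].split()
        if words[:len(parts)] == parts and len(parts) > best_len:
            best, best_len = entry, len(parts)
    return best


def unfiltered_children(entries=ENTRIES):
    """Find entries that grant access with no query under a queried parent."""
    queries = {name: query for name, query, _ in entries}
    findings = []
    for name, query, access in entries:
        if name == "DEFAULT" or query or access == "none":
            continue
        parts = name.split()
        # Walk up from the nearest parent to the top-level directory.
        for depth in range(len(parts) - 1, 0, -1):
            parent = " ".join(parts[:depth])
            if queries.get(parent):
                findings.append((name, parent, queries[parent]))
                break
    return findings


if __name__ == "__main__":
    for child, parent, query in unfiltered_children():
        print(f"{child!r} has no query; parent {parent!r} is limited by {query!r}")
```

Under that assumption, each flagged entry would need its own query (or to be removed so the parent entry applies) for the restriction to hold.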