Take a look at this link

https://library.netapp.com/ecmdocs/ECMP1196890/html/man1/na_useradmin.1.html

You can use useradmin to control user access.  You can probably create an account with certain capabilities and fine tune it to your use.

I have to laugh at NetApp. they make creating a read only account mission impossible. If anyone disagrees, please provide your complete commands to do this.

===========================

A sixth capability, filerview-readonly, is unused and ignored. - what does this mean? can this used or not?

See this for more info on that capability

http://hd.kvsconsulting.us/netappdoc/733docs/html/ontap/rnote/rel_notes/concept/c_oc_rn_feat73-admin-filerview-readonly-capability.html

I dont think it's impossible, it's just a matter of knowing what capabilities you need to give granularity to a role.

I think you need to determine what you need from this account and what are you trying to do exactly.

What does your API script do?

You have 2 different issues I believe.  You would need to invoke a RBAC users on the filer to insure that some CLI commands could not be run nor login to the filer.  However with PowerShell (PS) depending on what APIs you are calling or invoking if you can access .Net framework and issue commands the user restrictions no longer apply at that point.  You can issue any public API that the system would allow and that you are aware to call upon in the .Net framework

That's just wrong. With RBAC, you can restrict a user to certain API calls (anything that begins with "api-") just as you can limit the CLI commands that user can exceute.

For example, for one of my applications I have the following user that only has read-only API access to the system info, aggregate, volume and snapshot information. The user does not have CLI access at all, and attempts to access other API calls will be logged and rejected:

useradmin role add myrole -a login-http-admin,api-system-get-info,api-aggr-list-info,api-volume-list-info,api-snapshot-list-info

useradmin group add mygroup -r myrole

useradmin user add myuser -g mygroup

It's not impossible. In fact it's quite easy as long as we're talking about the HTTP API here (and I assume we do, since we're in the NMSDK API area of the forum).

However, I would agree that creating a read-only CLI user is not possible, since there are some corner cases (like the vfiler commands, if I remember correctly) where destructive and read-only commands are not separated well enough.

Here's an example for a read-only API user, though:

useradmin role add myrole -a login-http-admin,api-system-get-info,api-aggr-list-info,api-volume-list-info,api-snapshot-list-info

useradmin group add mygroup -r myrole

useradmin user add myuser -g mygroup

I am not sure I follow you Oliver.  You called out what I said was wrong.  Was that about the RBAC or the PS?  You then restated my comment about the RBAC and gave a CLI example about the creation of a RBAC user.  Did you mean what I stated about the Powershell was wrong?

I stated , "You would need to invoke a RBAC users on the filer to insure that some CLI commands could not be run nor login to the filer." and you said

"With RBAC, you can restrict a user to certain API calls (anything that begins with "api-") just as you can limit the CLI commands that user can exceute."

The statement that prompted my reply was "However with PowerShell (PS) depending on what APIs you are calling or invoking if you can access .Net framework and issue commands the user restrictions no longer apply at that point."

That's wrong because of course you can restrict which APIs are available to PowerShell users. But maybe I just misunderstood what you wrote somewhere.

The point that I was trying to get across is that CLI access and API access have different sets of capabilities that pertain to them, and if you want to properly restrict a user that has access to both CLI and API, you need to consider both when setting up RBAC.

What if I need to just create a read-only account with all the show commands or commands which cannot change filer configuration? Are we able to create such read-only account in 7-mode?