Virtualization Articles and Resources

How to use the RBAC User Creator for Data ONTAP

Introduction:

 

The RBAC User Creator forData ONTAP®  tool is a C# application that assists you in creating RBAC usernames within Data ONTAP.This application is used to create usernames in both 7-mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances with the NetApp products using them.

 

The lists of privileges being created are stored in XML (ontapPrivs.xml). This was done for two primary reasons: 

     1. You can clearly see the privileges so there is complete transparency with regards to the new user RBAC User Creator is creating

     2. Additional privileges and products can be added later without the need to recompile the application.

NOTE: An important feature of version 2.0 is the ability to add products without needing to recomplie the application

 

You can think of RBAC User Creator being a framework of sorts.  All the products and privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information in the XML file.

 

RBAC User Creator has native support for the following products out of the box

 

  • Virtual Storage Console for VMware vSphere
  • OnCommand Balance
  • Snap Creator Framework
  • SnapDrive for Windows
  • VASA Provider for VMware vCenter
  • Storage Replication Adapter for VMware Site Recovery Manager
  • Virtual Storage Console for Citrix XenServer   
  • Virtual Storage Console for RHEV 
  • NetApp Recovery Manager for Citrix Sharefile 
  • OnCommand Unified Manager (DFM) 5.1
  • VMTurbo Operations Manager

Step 1: Install Tool

Install the tool by selecting "Run as Administrator".    Standard Installshield rules apply.  If you don't "Run as Administrator", the log file will not be created.

 

Step 2: Set Up Usernames and Privileges

In just a few short clicks you can create ONTAP usernames with all the required privileges needed by VSC. In order to guide you along, the non-relevant sections are greyed out.

 

  • Simply enter the root or admin username and IP of the storage system you want to create the user on. 
  • Click the LOGIN button, and it will login and determine the controller type. 
  • If the storage system is running Clustered Data ONTAP, the list of Vservers will be displayed. 
  • RBAC User Creator supports creating users on the Cluster-Admin Vserver as well as on Data Vservers. Simply select the Vserver from the pull-down list.

NOTE: RBAC User Creator requires root/admin storage credentials for creating new usernames.

 

For more details, please read the User Guide (attached below)

 

 

 

 

Step 3: Add Roles for Users

 

RBAC User Creator handles all the differences between 7-mode and Clustered Data ONTAP

 

  • Simply select your VSC version you're using, and the roles you want the new user to have
  • Choose the product and product version
  • RBAC User Creator will merge all the privileges from the selected roles and combine them in a sorted list
  • Since there is an ONTAP limit in the number to privileges in a role, RBAC User Creator will create iterated roles names in the form of <rolename>.X.
  • In the case of Clustered Data ONTAP, it handles both the read-only and all-access privileges

If you are unsure on what privileges the new user will have, click on the PREVIEW button to preview the list. It will show you the sorted list of all the privileges to be added. If the storage system is running 7-mode, it will create an EMS log detailing the creation of this new username. Hopefully, this funcationalit will be added for Clustered Data ONTAP soon.

 

Step 4: Add Storage Systems

 

  • Login into your application
  • add the storage system using the new username

Resources:

 

  • Download RBAC User Creator for Data ONTAP
  • Comment below by @mentioning dbkelly (For any issues: include the ONTAPUserCreator.log file in your comment)

 

 

 

Warning!

This NetApp Community is public and open website that is indexed by search engines such as Google. Participation in the NetApp Community is voluntary. All content posted on the NetApp Community is publicly viewable and available. This includes the rich text editor which is not encrypted for https.

In accordance to our Code of Conduct and Community Terms of Use DO NOT post or attach the following:

  • Software files (compressed or uncompressed)
  • Files that require an End User License Agreement (EULA)
  • Confidential information
  • Personal data you do not want publicly available
  • Another’s personally identifiable information
  • Copyrighted materials without the permission of the copyright owner

Files and content that do not abide by the Community Terms of Use or Code of Conduct will be removed. Continued non-compliance may result in NetApp Community account restrictions or termination.

Replies

That is a great idea Scott.   One of the things the RUC tool does today is query the controller to determine what roles/groups are already present.    I would need to change some things to make this work.  I will look into it.  Thanks

Thanks for the link back to the source for DFM requirements tderek. Currently I only added the OCUM/DFM v5 7-mode details to the xml file. Feel free to have a go at updating the xml file with other DFM versions and DOT versions. Pass it back to dbkelly when you think have it working.

Many hand make light work

Thanks Chris and tderek.    All the privileges are externalized in XML so users like yourself can add support for any product and/or for your own nefarious needs.    I'll add anything posted here in the next revision of the product.

Cheers,

-David

Hello David,

For some reason this app is unable to connect to a 3210 i have in the lab.  Here a snap from the log file. please advise ,thanks

13-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : 10.240.11.141
2013-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER
2013-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS
2013-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443
2013-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]:
2013-09-17 20:09:51,310 DEBUG [ZapiUtils.getNaServer]:
2013-09-17 20:09:51,326 DEBUG [ZapiUtils.getSystemVersion]: <system-get-version/>

2013-09-17 20:10:14,961 ERROR [ZapiUtils.getSystemVersion]: Could not connect to 10.240.11.141
2013-09-17 20:10:25,928 DEBUG [UserCreator.ValidateTextbox]: Clearing Validation field
2013-09-17 20:10:25,928 DEBUG [UserCreator.storageHostname_Validating]: Storage System : 10.240.11.142
2013-09-17 20:10:25,928 DEBUG [UserCreator.enableLoginButtonIfValid]: Entered ...)
2013-09-17 20:10:25,928 DEBUG [UserCreator.enableLoginButtonIfValid]: Enabling LOGIN button
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node All
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Discovery
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Create Clones
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Create Storage
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Modify Storage
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Destroy Storage
2013-09-17 20:10:26,583 DEBUG [UserCreator.vscOntapRoleTreeView_AfterCheck]: UN-checking node Backup-Recovery
2013-09-17 20:10:26,598 DEBUG [UserCreator.processLoginRequest]: Storage System : 10.240.11.142
2013-09-17 20:10:26,598 DEBUG [UserCreator.processLoginRequest]: Storage Username :  root
2013-09-17 20:10:26,598 DEBUG [UserCreator.processLoginRequest]: Storage Password : *HIDDEN*
2013-09-17 20:10:26,598 DEBUG [UserCreator.processLoginRequest]: Storage Port : 443
2013-09-17 20:10:26,598 DEBUG [UserCreator.processLoginRequest]: Storage useSSL : True
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : 10.240.11.142
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]:
2013-09-17 20:10:26,614 DEBUG [ZapiUtils.getNaServer]:

Release version 2.4.    This update adds support for VSC 4.2.1 and VSC 5.0 Beta, and a few minor bug fixes for missing privs in VSC and in OnCommand Balance.

I am still puzzled by the issue several folks have reported where system-get-version fails.    There appears to be some security setting on the controller that is prevent the RUC tool from logging in. 

Also, @tderek, I'm still working on adding the XML for the read-only access privileges for DFM.   Would you be interested in doing some testing for this?   I can send you an XML file with all the read-only roles listed.

brauntvr2swiss

First, Thank you for this good tool..

FYI:

In my vsc4.2.1 environment, I have to add following privilege after running RBAC2.4:

api-vfiler-get-*

Otherwise my Backups or add Backup Jobs doesn't work anymore after the upgrade from 4.2. to 4.2.1.

regards

Thomas

Thomas, thanks for the feedback.   I have forwarded your comment to the appropriate group responsible for the B&R functionality in VSC. 

In the meantime, you can simply open the ontapPrivs.xml file and add that privilege at the appropriate place in the file.   This should tied you over until I can get a fix out.    I'm working on a few other enhancements to the tool, so it may be a week or so until I get the next version out.

Cheers,

-David

bigtruckguy

Can this be set to allow quota management?

@bigtruckguy - Can you explain what you mean by 'quota management'?    If there is a missing API privilege, you can edit the ontapPrivs.xml file and add it yourself.

Handy tool!  Is it possible to work with domain users?  I tried but it didn't seem to understand them (in 7-mode at least).  As a workaround, having the ability to create a role (and not a user with a role) would allow us to use the tool to create the role, and then manually assign a domain user to it.  Or, if the user list could work with existing domain users we could create the domain user first manually and then have the tool create and apply the role to it.

Thanks,

Chris Madden

Storage Architect, NetApp EMEA

Chris,   Glad you like the tool.

I'm working on adding domain user support in the next version.   The user will need to already be an authorized user in your AD.

In the meantime, as a workaround you can create a temp local user with the RUC tool, then using the ONTAP CLI assign the role to the domain user as a second (manual) step.

Dear dbkelly,

Is it possible to integrate the oncommand 4.1.1.1 user creation ?

I've looked up https://kb.netapp.com/support/index?page=content&id=3012802 but I don't know if there are errors in the article since it's talking about adding a few extra lines.

Look at the spaces all over the place.

useradmin role modify balance_user -a nfs-exportfs-list-rules-2,api-nfs- api-volume-list-info-iter-start,api-volume-list-info-iter-next,api- volume-list-info-iter-end

Thanks for your time,

Niels


NVDWANSEM,

Wow.   I can't explain the spaces either.   Its definitely not valid syntax.   I have added your feedback to the KB article.

In the mean time, you can add the additional privileges to the ontapPrivs.xml file yourself.   Add the following 3 lines to the '<balance id="balance4014" label="OnCommand Balance 4.0.1.4">' node in the XML file.  The 'nfs-exportfs-list-rules-2' privilege is already included in the existing role.

            <api>api-volume-list-info-iter-start</api>

            <api>api-volume-list-info-iter-next</api>

            <api>api-volume-list-info-iter-end</api>


Hi David,

Thanks for your reply I will add those 3 lines in the xml.

Also used your tool to create a VSC 4.2.1 account and the messages file is showing me the following :

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-aggr-scrub-start' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-cifs-share-add' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-diagnosis-delete-alert' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-diagnosis-subscriptions-get' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-disk-sanown-filer-list-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fc-config-list-iter-end' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fcp-adapter-nameserver-list-iter-start' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fcp-ping' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fcp-ping-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fcp-set-cfmode' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-file-create-symlink' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fpolicy-get-secondary-servers-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fpolicy-server-list-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-fpolicy-volume-list-set' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-iscsi-isns-start' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-iscsi-target-alias-get-alias' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-lun-clone-split-start' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-lun-config-check-wwpn-conflicts-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-lun-get-comment' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-lun-lba-hole-range-query' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-net-config-get-active' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-nfs-exportfs-delete-rules' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-nfs-exportfs-fence-disable' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-perf-object-instance-list-info-iter-next' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-radius-server-add' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-reallocate-quiesce' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-snapdiff-iter-next' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-snapmirror-list-schedule' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-snapvault-get-all-softlocked-snapshots' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-snmp-trap-reset' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-storage-adapter-get-adapter-list' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-storage-array-update' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-storage-initiator-balance' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-system-get-vendor-info' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-test-schema-validator' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-volume-split' 

Wed Jan 22 06:13:15 CET [FILERNAME:useradmin.unauthorized.user:warning]: User 'u_vsc' denied access - missing required capability: 'api-volume-wafl-info'

Any suggestion on where to put those ?

We are running NetApp Release 8.1.3P2 7-Mode: Fri Aug 23 20:16:59 PDT 2013

Do you have DFM in your environment?   Check out BURTs 310141 and 501345.   Those ONTAP BURTs deal with VERY similar issues and are supposedly resolved in ONTAP 8.0.5, 8.1.2, and 8.2x.

Hi David,

I don't really understand your reply, yes we have DFM running but it seems it's missing those api's does it not ?

So I want to add these in your xml but was wondering where since you made some destingquisment  in the xml for VSC.

All, it's been a while since I have published updates to the tool.    Don't fret; development is still on-going, but due to trade compliance concerns, I have not been able to release it publicly.   With that said, Version 2.7 should be release shortly.   Lots of new products added!  

In the meantime, I have posted the latest version of the ontapPrivs.xml file.     "Upgrade" is easy.   Simply replace the one in the installation directory with this one and restart the RUC tool.

Dear dbkelly,

can you please share the link to download this tool "RBAC User Creator for DataOntap"

I would like the link to download this also.  I don't see it in the original post.  Am I missing something?

All, the download link was removed due to trade compliance concerns.   I can no longer publicly distribute the RUC tool via the NetApp Communities.   I have requested that the tool be moved to the NetApp Toolchest as it requires user authentication to verify the country of origin.       I am hoping new download link will be available within a week or so, but no telling.   

Kelly -

do you have an ETA on when the tool might make it to the tool chest?

The wait is finally over, the latest version of the RBAC User Creator tool tool (version 2.7.5171.15605) is once again available. Please follow the toolchest link to download

http://support.netapp.com/NOW/download/tools/rbac/

Awesome!  Thank you!

Running the new RBAC user creator tool, ONTAP 8.1.2P4 7-mode. Trying to create a VSC user (all privileges). After filling out all necessary fields, the tool generates the roles numbered as "vsc.2, vsc.3 and vsc.4". But an error is thrown "Error modifying <vsc_group>. Invalid role name". I noticed in the manual, the roles were numbered as ".0, .1 and .2". Could the tool be trying to assign a non-existent role, such as "vsc.1"?

jbartlett, can you take a screenshot of the RUC GUI and email me the log file.    If there is no log file, restart the RUC tool by selecting "Run as Administrator" and rerun the commands.

Hi Kelly,

For some reason, I cannot create rbac user for on command unified manager and balance. The drop down to select appropriate version is empty. Your help is appreciated.

Thanks

Where is the SDW 7.x XML file for the security access for this AWESOME tool?

Needed for cDOT 8.2 Support

Capture.PNG

to be precise: the loging with HTTP/HTTPS on SDW transport protocol settings is not working... the user VSADMIN is able to do so. I assume, there is a parameter missing...

question is: which one?

CHBROWN

I set up privileges for VSC 5 on CDOT 8.2.1 and it looks like "snapmirror list-destinations" is missing in order to update snapmirror / snapvault relationships with the tool.

2014-05-07 11:09:36,629 [backup:2e2b45b2c6056148f8de9f059fd8f396:] DEBUG - Executing ZAPI request snapmirror-get-destination-iter to CLUSTERIP:

<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE netapp SYSTEM 'file:/etc/netapp_filer.dtd'><netapp xmlns="http://www.netapp.com/filer/admin" version="1.0"><snapmirror-get-destination-iter><query><snapmirror-destination-info><source-volume>VOLUMENAME</source-volume></snapmirror-destination-info></query></snapmirror-get-destination-iter></netapp>

2014-05-07 11:09:36,629 [backup:2e2b45b2c6056148f8de9f059fd8f396:] DEBUG - Received ZAPI response for snapmirror-get-destination-iter from CLUSTERIP:

<?xml version='1.0' encoding='UTF-8' ?>

<!DOCTYPE netapp SYSTEM 'file:/etc/netapp_gx.dtd'>

<netapp version='1.21' xmlns='http://www.netapp.com/filer/admin'>

<results reason="Insufficient privileges: user &apos;VSCNAME&apos; does not have read access to this resource" status="failed" errno="13003"/></netapp>

2014-05-07 11:09:36,629 [backup:2e2b45b2c6056148f8de9f059fd8f396:] DEBUG - NaSnapMirrorUpdateAction->getSnapMirrorListDestinationsForVolume:Failed to retrieve intercluster or intracluster snapmirror relationship information : Insufficient privileges: user ‘VSCNAME does not have read access to this resource

is it maybe possible, to add a role for the remote support agent in cDot. Since we dont want the default admin role. I tried readonly roles, but then always the rsa test wasn't successful.

daehnrich.bsh,

You can create a new role yourself, simply follow the syntax of the existing products/roles in the XML file.   I would suggest you follow-up with the "Remote Support Agent" folks for the exact list of privileges required.

-David

i know and i tried to follow the permission rsa got in the past in our roles, but this wasn't successful.

Testing version RBAC-UC 2.7.5176.32418 (just checked, it's still the newest available one) on VSC 5, I get loads of "missing priviledges" (VSCadmin created with "All" capabilities for VSC5, also see at the end of the post for the list of roles/capabilities):

Sun Jul 27 04:00:54 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) discovery: Storage discovery task found this controller to 

be connected to an ESX host managed by vCenter or manually entered.

Sun Jul 27 04:00:55 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) VmDiscovery: vc.netapp.local[99393FE9-55D6-4F4-B056-

85CE97441FC5] (Total VMs=2):debian6Guest=1,winNetEnterpriseGuest=1

Sun Jul 27 04:00:57 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) HostDiscovery: vc.netapp.local[99393FE9-55D6-F24-B056-

85CE97441FC5] (Total Hosts=2):5.5.0=2

Sun Jul 27 04:00:59 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) PluginVersions: vc.netapp.local[99393FE9-55D64F24-B056-

85CE97441FC5] version=5.5.0 OS=Windows Server 2008 R2:cim-

ui=5.5,com.vmware.vim.eam=5.5,com.vmware.vim.inventoryservice=5.5,com.vmware.vim.ls=5.5,cm.vmware.vim.sms=5.5,com.vmware.vim.sps=5.0

Sun Jul 27 04:01:01 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) PluginVersions: vc.netapp.local

(5.5.0):com.vmare.vim.stats.report=1.0.0,com.vmware.vim.vsm=5.5,health-

ui=5.5,hostdiag=1.0,VirtualCenter=1.0,com.netapp.nvpf=5.0,com.netapp.nvpf.webclient=2014.04.01.11473

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-add'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-check-spare-low'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-create'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-destroy'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-get-filer-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-get-root-name'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-mediascrub-list-inf'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-mirror'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-modify-raid-type'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-offline'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-online'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-options-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-rename'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-restrict'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-scrub-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-scrub-resume'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-scrub-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-scrub-stop'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-scrub-suspend'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-set-option'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-space-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-split'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-verify-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-verify-resume'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-verify-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-verify-stop'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-verify-suspend'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-wafliron-commit'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-wafliron-reject'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-wafliron-review'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-wafliron-stop'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-force-takeover'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-giveback'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-hwassist-stats'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-hwassist-status'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-negotiated-failover-dsable'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-negotiated-failover-satus'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-service-disable'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-service-enable'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-takeover'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cg-commit'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cg-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-branchcache-hash-stt'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-branchcache-set-key

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-homedir-paths-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-list-config'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-nbalias-names-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-nbalias-names-set'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-session-list-iter-nxt'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-create-group-ile'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-create-passwdfile'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-site-list-ite-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-verify-passwdand-group'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-ace-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-ace-set'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-acl-list-iterend'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-acl-list-iterstart'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-change'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-list-iter-nex'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-list-iter-stat'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-start-on-target'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-stop-on-target'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-clock-get-timezone'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-clock-set-clock'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-copyoffload-copy-abort'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-copyoffload-copy-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-copyoffload-copy-status'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-copyoffload-modify'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-core-segment-config-modiy'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-core-segment-destroy'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-core-segment-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-core-segment-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-core-segment-status-get-ter'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-dfm-set-server-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-alert-definitin-get-iter'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-alert-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-alert-modify'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-config-get-ite'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-policy-definiton-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-subscriptions-et'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-subscriptions-et-iter'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-subsystem-confg-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-subsystem-confg-get-iter'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-disk-maint-list'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-disk-sanown-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-disk-sanown-remove-ownerhip'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-disk-swap'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-disk-unswap'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fc-config-adapter-disabl'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fc-config-list-iter-next

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-config-down'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-nameserver-lst-iter-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-reset-stats'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-set-partner'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-topology-lis-iter-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-zone-list-itr-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-node-set-name'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-service-stop'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcport-send-lip'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-get-snaplock-retenton-time-list-info-max'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-inode-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-read-symlink'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-rename-directory'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-set-space-reservatin-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-file-usage-result-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-flash-get-thresholds'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fpolicy-extensions'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fpolicy-get-policy-optios'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fpolicy-operations-list-et'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ic-config-show'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ic-reset-nic-auto-on'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-igroup-lookup-lun'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-adapter-reset-stat'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-auth-generate-chappassword'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-initiator-get-defalt-auth'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-interface-list-inf'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-isns-get-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-stats-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-target-alias-clearalias'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-target-alias-get-aias'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-license-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-license-v2-add'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-clear-persistent-resrvation-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-config-check-alua-coflicts-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-create-vld-metadir-etry'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-get-maxsize'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-get-space-reservatio-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-get-target-device-id

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-has-scsi-reservation'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-id-swap'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-initiator-logged-in'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-set-device-id'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-set-read-only'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ndmp-backup-abort'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-net-config-set-persisten'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-net-ipspace-assign'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-net-resolve'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-net-vlan-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-nfs-exportfs-check-permision'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-nfs-stats-top-clients-lit-iter-end'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-nfs-stats-top-clients-lit-iter-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-options-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-archive-get-headers

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-archive-get-instancs-iter-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-object-counter-listinfo'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-object-get-instance'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-object-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-portset-remove'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-priority-list-info-defaut'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-qtree-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-qtree-rename'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-quota-off'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-quota-report-iter-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-radius-service-stop'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-reallocate-on'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-registry-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-sis-set-config'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapdiff-iter-status'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snaplock-get-volume-compiance-clock'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snaplock-privileged-delee-file'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snaplock-set-log-volume'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapmirror-quiesce'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapmirror-set-sync-scheule'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapshot-get-schedule'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapshot-partial-restorefile-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapshot-restore-file-ino'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapshot-volume-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-primary-destintions-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-primary-get-reationship-status'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-primary-snapsht-schedule-status-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-remove-softloc'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-secondary-relaionship-status-list-iter-end'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-secondary-relaionship-status-list-iter-next'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-secondary-resyc-relationship'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snmp-trap-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-software-async-update'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-software-extract-metadat'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-storage-adapter-get-adaper-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-storage-adapter-get-adaper-list'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-storage-shelf-environmen-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-storage-shelf-list-info'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-test-iter-start'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-useradmin-role-add'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-useradmin-role-delete'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-useradmin-user-add'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-collect-command-lgs'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-dr-resync'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-get-allowed-protools'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-get-disallowed-prtocols'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-migrate-delete-qtee'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-migrate-running'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-migrate-state'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-performance-monitr-get-status'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vmservices-vsphere-credetial-get'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-get-language'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-rename'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-scrub-resume'

Sun Jul 27 04:01:02 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-set-total-files'

=============================================================================================================================

When creating an iSCSI datastore, the following error messages appeared:

Thu Jul 31 10:21:25 GMT [SC1:snmp.link.up:info]: Interface 4 is up

Thu Jul 31 10:21:25 GMT [SC1:netif.linkUp:info]: Ethernet e0d: Link up.

Thu Jul 31 10:21:40 GMT [SC1:snmp.link.up:info]: Interface 2 is up

Thu Jul 31 10:21:40 GMT [SC1:netif.linkUp:info]: Ethernet e0b: Link up.

Thu Jul 31 10:33:01 GMT [SC1:iscsi.service.startup:info]: iSCSI service startup

Thu Jul 31 10:34:51 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) discovery: Storage discovery task found this ontroller to

be connected to an ESX host managed by vCenter or manually entered.

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-add'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-aggr-get-filer-info'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cf-takeover'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-site-list-ite-end'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-share-list-iter-nex'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-stop-on-target'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-alert-get'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-policy-modify'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-diagnosis-subscriptions-reate'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-adapter-nameserver-lst-iter-start'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fcp-wwpnalias-get-alias-nfo'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-fpolicy-destroy-policy'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ipspace-list-info'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-adapter-stats-listinfo'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-initiator-add-auth

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-initiator-modify-cap-params'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-interface-disable'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-iscsi-isns-stop'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-license-v2-delete'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-create-vld-metadir-etry'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-lun-get-comment'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ndmp-backup-abort'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-ndmp-backup-shutdown-ndmd'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-archive-get-instancs-iter-next'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-perf-object-counter-listinfo'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-reallocate-off'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-sis-set-config'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snapvault-primary-snapsht-schedule-status-list-info'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-snmp-enable'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-storage-initiator-disk-pth-list-info'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-useradmin-user-modify-pasword'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-collect-command-lgs'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-vfiler-dr-delete'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-get-root-name'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-move-start'

Thu Jul 31 10:35:10 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-volume-scrub-stop'

Thu Jul 31 10:49:05 GMT [SC1:app.log.info:info]: vcenter: Provisioning and Cloning Capability 5.0: (0)  : Provisioning and Cloning Capability v5.0 createDatatore:

vcUserId: NETAPP\Administrator VMware Version:5.5.0 Build: 1623101 API: 5.5 datastoreName: DS_ISCSI1 datastoreSizeInMB: 10240 autoGrow: false growIncreent: null

maxGrowSize: null containerName: aggr_data volumeName: DS_ISCSI1 thinProvision: true protocol: ISCSI datastore cluster: null lun prefix: null

Thu Jul 31 10:49:07 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx02-687fc8d8 at IP addr 172.16.11.42

Thu Jul 31 10:49:07 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.11.41

Thu Jul 31 10:49:07 GMT [SC1:iscsi.warning:warning]: ISCSI: New session request from initiator iqn.1998-01.com.vmware:esx01-25cd3422, a session from this iniiator already

exists.

Thu Jul 31 10:49:07 GMT [SC1:iscsi.warning:warning]: ISCSI: New session request from initiator iqn.1998-01.com.vmware:esx02-687fc8d8, a session from this iniiator already

exists.

Thu Jul 31 10:49:08 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.11.41

Thu Jul 31 10:49:08 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx02-687fc8d8 at IP addr 172.16.11.42

Thu Jul 31 10:49:25 GMT [SC1:wafl.spacemgmnt.policyChg:info]: The space management policy for volume DS_ISCSI1 has changed: autosize volume growth increment 98720KB,

autosize volume maximum size 31981568KB, autosize state enabled.

Thu Jul 31 10:49:28 GMT [SC1:lun.map:info]: LUN /vol/DS_ISCSI1/DS_ISCSI1 was mapped to initiator group rcu_generated=0

Thu Jul 31 10:49:28 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.11.41

Thu Jul 31 10:49:28 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx02-687fc8d8 at IP addr 172.16.11.42

Thu Jul 31 10:49:28 GMT [SC1:iscsi.warning:warning]: ISCSI: New session request from initiator iqn.1998-01.com.vmware:esx01-25cd3422, a session from this iniiator already

exists.

Thu Jul 31 10:49:28 GMT [SC1:iscsi.warning:warning]: ISCSI: New session request from initiator iqn.1998-01.com.vmware:esx02-687fc8d8, a session from this iniiator already

exists.

Thu Jul 31 10:49:30 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.11.41

Thu Jul 31 10:49:30 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx02-687fc8d8 at IP addr 172.16.11.42

Thu Jul 31 10:49:36 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.11.41

Thu Jul 31 10:49:36 GMT [SC1:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1998-01.com.vmware:esx01-25cd3422 at IP addr 172.16.12.41

Thu Jul 31 10:51:56 GMT [SC1:app.log.info:info]: vcenter: Monitoring and Host Configuration sub-plugin 5.0: (0) discovery: Storage discovery task found this ontroller to

be connected to an ESX host managed by vCenter or manually entered.

Thu Jul 31 10:52:15 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-ou-list-iter-ext'

Thu Jul 31 10:52:15 GMT [SC1:useradmin.unauthorized.user:warning]: User 'VSCadmin' denied access - missing required capability: 'api-cifs-setup-verify-name'

SC1> Thu Jul 31 11:00:03 GMT [SC1:kern.uptime.filer:info]:  11:00am up  8 days,  7:58 0 NFS ops, 0 CIFS ops, 0 HTTP ops, 0 FCP ops, 2644 iSCSI ops

SC1> useradmin role list

Name:    VSCadminRole.1

Info:    This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

Allowed Capabilities: api-file-delete-file,api-file-get-file-info,api-file-read-file,api-file-write-file,api-iscsi-connection-list-info,api-iscsi-session-list-info,api-

lun-get-geometry,api-useradmin-domainuser-list,api-useradmin-group-list,cli-cifs,cli-df,cli-ifconfig,cli-mv,cli-ndmpcopy,cli-ndmpd,api-igroup-add,api-igroup-create,api-

igroup-set-attribute,api-lun-create-by-size,api-lun-create-from-file,api-lun-initiator-list-map-info,api-lun-map,api-lun-move,api-lun-online,api-lun-set-comment,api-lun-

unmap,api-nfs-exportfs-append-rules-2,api-nfs-exportfs-load-exports,api-nfs-exportfs-modify-rule-2,api-sis-enable,api-sis-start,api-sis-stop,api-snapmirror-break,api-

snapmirror-delete-schedule,api-snapmirror-get-status,api-snapmirror-initialize,api-snapmirror-off,api-snapmirror-on,api-snapmirror-release,api-snapmirror-resync,api-

snapmirror-set-schedule,api-snapmirror-update,api-snapshot-create,api-snapshot-set-reserve,api-vfiler-add-storage,api-volume-autosize-set,api-volume-clone-create,api-

volume-create,api-volume-restrict,api-volume-set-option

Name:    VSCadminRole.2

Info:    This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

Allowed Capabilities: cli-iscsi,cli-lun,cli-qtree,cli-vfiler,api-lun-resize,api-sis-disable,api-volume-size,api-file-punch-hole,api-lun-destroy,api-lun-offline,api-

volume-destroy,api-volume-offline,api-file-list-directory-iter-end,api-file-list-directory-iter-next,api-file-list-directory-iter-start,api-igroup-destroy,api-iscsi-

initiator-list-info,api-iscsi-node-get-name,api-lun-create-from-snapshot,api-lun-get-serial-number,api-lun-restore-status,api-nfs-exportfs-storage-path,api-snapmirror-

list-destinations,api-snapshot-delete,api-snapshot-rename,api-snapshot-restore-file,api-snapshot-restore-volume,api-vfiler-create,cli-snap,cli-system

Name:    VSCadminRole

Info:    This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

Allowed Capabilities: api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-initiators-list-info,api-fcp-

adapter-list-info,api-fcp-get-cfmode,api-fcp-node-get-name,api-fcp-service-status,api-igroup-list-info,api-iscsi-adapter-initiators-list-info,api-iscsi-adapter-list-

info,api-iscsi-portal-list-info,api-iscsi-service-status,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-net-ifconfig-get,api-nfs-exportfs-list-

rules-2,api-nfs-exportfs-list-rules,api-nfs-status,api-qtree-list,api-quota-report,api-snapmirror-get-volume-status,api-snapshot-list-info,api-snmp-get-next,api-snmp-

get,api-system-api-list,api-system-cli,api-system-get-info,api-system-get-ontapi-version,api-system-get-version,api-useradmin-user-list,api-vfiler-get-status,api-vfiler-

list-info,api-volume-autosize-get,api-volume-list-info-iter-end,api-volume-list-info-iter-next,api-volume-list-info-iter-start,api-volume-options-list-info,login-http-

admin,security-api-vfiler,security-priv-diagnostic,api-copyoffload-show,api-license-v2-list-info,api-feature-status-list-info,api-clone-*,api-fcp-port-name-list-

info,api-file-create-directory,api-file-delete-directory

Name:    admin

Info:

Allowed Capabilities: login-*,cli-*,api-*,security-*

Name:    audit

Info:

Allowed Capabilities: api-snmp-get,api-snmp-get-next

Name:    backup

Info:    Default role for NDMP privileges.

Allowed Capabilities: login-ndmp

Name:    compliance

Info:    Default role for compliance privileges.

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh,api-system-api-*,cli-

snaplock*,api-snaplock-*,api-file-*,compliance-*

Name:    none

Info:

Allowed Capabilities:

Name:    power

Info:

Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh

Name:    root

Info:

Allowed Capabilities: *

SC1> useradmin user list VSCadmin

Name: VSCadmin

Info: This is an auto-generated username created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

Rid: 131074

Groups: VSCadminGrp

Full Name:

Allowed Capabilities: api-aggr-list-info,api-cf-get-partner,api-cf-status,api-disk-list-info,api-ems-autosupport-log,api-fcp-adapter-initiators-list-info,api-fcp-

adapter-list-info,api-fcp-get-cfmode,api-fcp-node-get-name,api-fcp-service-status,api-igroup-list-info,api-iscsi-adapter-initiators-list-info,api-iscsi-adapter-list-

info,api-iscsi-portal-list-info,api-iscsi-service-status,api-lun-get-vdisk-attributes,api-lun-list-info,api-lun-map-list-info,api-net-ifconfig-get,api-nfs-exportfs-list-

rules-2,api-nfs-exportfs-list-rules,api-nfs-status,api-qtree-list,api-quota-report,api-snapmirror-get-volume-status,api-snapshot-list-info,api-snmp-get-next,api-snmp-

get,api-system-api-list,api-system-cli,api-system-get-info,api-system-get-ontapi-version,api-system-get-version,api-useradmin-user-list,api-vfiler-get-status,api-vfiler-

list-info,api-volume-autosize-get,api-volume-list-info-iter-end,api-volume-list-info-iter-next,api-volume-list-info-iter-start,api-volume-options-list-info,login-http-

admin,security-api-vfiler,security-priv-diagnostic,api-copyoffload-show,api-license-v2-list-info,api-feature-status-list-info,api-clone-*,api-fcp-port-name-list-

info,api-file-create-directory,api-file-delete-directory,api-file-delete-file,api-file-get-file-info,api-file-read-file,api-file-write-file,api-iscsi-connection-list-

info,api-iscsi-session-list-info,api-lun-get-geometry,api-useradmin-domainuser-list,api-useradmin-group-list,cli-cifs,cli-df,cli-ifconfig,cli-mv,cli-ndmpcopy,cli-

ndmpd,api-igroup-add,api-igroup-create,api-igroup-set-attribute,api-lun-create-by-size,api-lun-create-from-file,api-lun-initiator-list-map-info,api-lun-map,api-lun-

move,api-lun-online,api-lun-set-comment,api-lun-unmap,api-nfs-exportfs-append-rules-2,api-nfs-exportfs-load-exports,api-nfs-exportfs-modify-rule-2,api-sis-enable,api-

sis-start,api-sis-stop,api-snapmirror-break,api-snapmirror-delete-schedule,api-snapmirror-get-status,api-snapmirror-initialize,api-snapmirror-off,api-snapmirror-on,api-

snapmirror-release,api-snapmirror-resync,api-snapmirror-set-schedule,api-snapmirror-update,api-snapshot-create,api-snapshot-set-reserve,api-vfiler-add-storage,api-

volume-autosize-set,api-volume-clone-create,api-volume-create,api-volume-restrict,api-volume-set-option,cli-iscsi,cli-lun,cli-qtree,cli-vfiler,api-lun-resize,api-sis-

disable,api-volume-size,api-file-punch-hole,api-lun-destroy,api-lun-offline,api-volume-destroy,api-volume-offline,api-file-list-directory-iter-end,api-file-list-

directory-iter-next,api-file-list-directory-iter-start,api-igroup-destroy,api-iscsi-initiator-list-info,api-iscsi-node-get-name,api-lun-create-from-snapshot,api-lun-get-

serial-number,api-lun-restore-status,api-nfs-exportfs-storage-path,api-snapmirror-list-destinations,api-snapshot-delete,api-snapshot-rename,api-snapshot-restore-

file,api-snapshot-restore-volume,api-vfiler-create,cli-snap,cli-system

Password min/max age in days: 0/4294967295

Status: enabled

SC1> useradmin group list

Name: Administrators

Info: Members can fully administer the filer

Rid: 544

Roles: admin

Name: Backup Operators

Info: Members can bypass file security to backup files

Rid: 551

Roles: backup,none

Name: Compliance Administrators

Info: Members can perform compliance operations

Rid: 131072

Roles: compliance

Name: Guests

Info: Users granted Guest Access

Rid: 546

Roles: none

Name: Power Users

Info: Members that can share directories

Rid: 547

Roles: power

Name: Replicators

Info: not supported

Rid: 552

Roles: none

Name: Users

Info: Ordinary Users

Rid: 545

Roles: audit

Name: VSCadminGrp

Info: This is an auto-generated group created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

Rid: 131073

Roles: VSCadminRole,VSCadminRole.1,VSCadminRole.2

SC1>

So in conclusion: Either VSC 5 is trying to do a whole lof of 'unnecessary' stuff, or RBAC-UC is missing a whole lot of priviledges...

-Sebastian

Would it be possible to add an option to create a user for SnapProtect?

Thanks!

Dan

Hello,
 
we are using VSC5.0 with cDOT 8.2.2.
For the snapmirror/snapvault functionality, there is a missing credential, the smvi-server log says: "Executing ZAPI request snapmirror-get-destination-iter".
Which Fails with "NaSnapMirrorUpdateAction->getSnapMirrorListDestinationsForVolume:Failed to retrieve intercluster or intracluster snapmirror relationship information : Insufficient privileges: user 'vscadmin' does not have read access to this resource"
 
So I have added the appropiate credential, called "snapmirror list-destinations to the vscadmin role. With that changes, the SM/SV Updates are working fine...
 
regards
Piero

Hi,

 

     I'm new to RBAC with VMware.  My customer has VM admin priviledges and root on the 7-mode controllers.  He would like all other VM admins to view, while he can perform full NetApp administration via VSC.  Is this something your tool does?  Could you please explain high-level that process?  Thanks!

Thank you for the document. I am having an issue with resizing a datastore. I can successfully create, view and destroy the datastore, but I get this error when I try to reisze the DS. Any ideas?

 

the call failed on server, please see log for details

A new updated ontapPrivs.xml file has been added to the first post.     Please note the file will need to be renamed ontapPrivs-xml.txt --> ontapPrivs.xml.    

 

Steps

1) Download the ontapPrivs-xml.txt file from the first post

2) Change the name ontapPrivs-xml.txt --> ontapPrivs.xml

3) Copy it to the RUC tool installation directory.   (overwriting the existing file)

 

 

What's new?

- The new ontapPrivs.xml file adds support for VSC 4.2.2 (VMware)

Great tool, would like to review the source material but the link for VSC for VMware vSphere - NetApp KB#1010575 - Does not seem to work.

 

WINZ,  could you clarify your statement?    What doesn't work?    The privs in the KB article, the RUC tool, what?

I assume you were referring to the KB article link... try this one, the KB# changed.

NetApp KB#1013941

I found RBACCreator to be a great productivity saving tool as the documentation on RBAC requirements for SnapCreator is several pages long in a PDF file and would have taken a very long time to cut/paste or assemble a script to do this.

 

I do have a couple of suggestions for improvement:

It would be great if RBACCreator could use credentials other than root or admin (obviously a capabilties check on the logged in account would be needed) as the use of root/admin accounts is strongly discouraged.

 

An additional entry needed for use with SnapCreator (currently using 4.1.1)  and CDOT 8.2 (8.2.2P1).  Snapcreator fails with its default settings for ASUPs because "event generate-autosupport-log"  is needed. 

Support for VSC/VP 6.0 has been added.

 

 

Update Instructions

A new updated ontapPrivs.xml file has been added to the first post.     Please note the file will need to be renamed ontapPrivs-xml.txt --> ontapPrivs.xml.    

 

Steps

1) Download the ontapPrivs-xml.txt file from the first post

2) Change the name ontapPrivs-xml.txt --> ontapPrivs.xml

3) Copy it to the RUC tool installation directory.   (overwriting the existing file)

 

 

What's new?

- Added support for VSC/VP 6.0 (VMware)

- Added the missing privilege (event generate-autosupport-log) to SnapCreator 

Hello,

Nice tool. Would it be possible to inlcude user creation for SnapProtect/CommVault Simpana Intellisnap?

Regards,

JC

 

Edit: Didn't see that there was a second page of comment. This was already requested.

Hello

 Slick application.

 Is there a timeframe to update 8.3 roles with VSC 6.0? If there is no immediate timeline are you aware of a lis tof required roles, I could run with that. 

 

**Update, found the post regarding the replacement of the ontapPrivs.xml. Once I replaced it the role creation worked. -RO

 

Great tool, can you please include snapdrv version 7.XX  in the xml file, using 6.4.2 does not allow to mount to the iscsi lun

thank you

-Bk

Hi,

 

I wanted to use your role creator for Snapdrive 7.0.3 and Ontap 7-mode 8.2.3.

I used the XML-File from this post and got the error:

API FAILED: Could not add role <snapdrive>. Error: Invalid capability

 

I would like to repeat babukish11's request to include snapdrive 7.x.

 

Regards

 

 

Here is XML snippet for a user for the Oracle Enterprice Manager plugin.

I'm running DoT 8.2.1 7mode so that is what it’s been tested against.

 

<product id="oracleem" label="Oracle EM Cloud Control" description="Oracle Enterprise Manager Cloud Control">
    <oracleem id="oracleem12c" label="Oracle EM 12c">
        <seven-mode>
            <roles>
                <role id="oracleemRole" label="Oracle EM Role" description="This role allows Oracle EM to monitor NetApp storage (Read Only).">
                    <api>login-http-admin</api>
                    <api>api-system-get*</api>
                    <api>api-volume-list*</api>
                    <api>api-aggr-list*</api>
                    <api>api-snapmirror-get-status*</api>
                    <api>api-snapshot-reserve-list*</api>
                    <api>api-disk-list*</api>
                    <api>api-qtree-list*</api>
                    <api>api-license-list*</api>
                    <api>api-license-v2-list*</api>
                    <api>api-perf-object*</api>
                    <api>api-snapshot-list-info*</api>
                    <api>api-nfs-status</api>
                    <api>api-cifs-status*</api>
                    <api>api-net-ifconfig-get*</api>
                    <api>api-quota-report*</api>
                    <api>api-snmp-get</api>
                    <api>api-cf-status</api>
                    <api>api-ems-autosupport-log*</api>
                    <api>api-snapshot-list*</api>
                    <api>login-snmp</api>
                    <api>login-ssh</api>
                </role>
            </roles>
        </seven-mode>
    </oracleem>
  </product>

 

-Chris

Forums