Virtualization Articles and Resources

How to use the RBAC User Creator for Data ONTAP

Introduction:

The RBAC User Creator for Data ONTAP® tool is a C# application that assists you in creating RBAC usernames within Data ONTAP. This application creates usernames in both 7-mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances among the NetApp products using them.

 

The lists of privileges being created are stored in XML (ontapPrivs.xml). This was done for two primary reasons:

     1. You can clearly see the privileges, so there is complete transparency regarding the new user that RBAC User Creator is creating.

     2. Additional privileges and products can be added later without the need to recompile the application.

NOTE: An important feature of version 2.0 is the ability to add products without needing to recompile the application.

 

You can think of RBAC User Creator being a framework of sorts.  All the products and privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information in the XML file.

 

RBAC User Creator has native support for the following products out of the box:

 

  • Virtual Storage Console for VMware vSphere
  • OnCommand Balance
  • Snap Creator Framework
  • SnapDrive for Windows
  • VASA Provider for VMware vCenter
  • Storage Replication Adapter for VMware Site Recovery Manager
  • Virtual Storage Console for Citrix XenServer   
  • Virtual Storage Console for RHEV 
  • NetApp Recovery Manager for Citrix Sharefile 
  • OnCommand Unified Manager (DFM) 5.1
  • VMTurbo Operations Manager

Step 1: Install Tool

Install the tool by selecting "Run as Administrator". Standard InstallShield rules apply. If you don't "Run as Administrator", the log file will not be created.

 

Step 2: Set Up Usernames and Privileges

In just a few short clicks you can create ONTAP usernames with all the required privileges needed by VSC. In order to guide you along, the non-relevant sections are greyed out.

 

  • Simply enter the root or admin username and the IP of the storage system you want to create the user on.
  • Click the LOGIN button; the tool logs in and determines the controller type.
  • If the storage system is running Clustered Data ONTAP, the list of Vservers will be displayed.
  • RBAC User Creator supports creating users on the Cluster-Admin Vserver as well as on Data Vservers. Simply select the Vserver from the pull-down list.

NOTE: RBAC User Creator requires root/admin storage credentials for creating new usernames.

 

For more details, please read the User Guide (attached below)

Step 3: Add Roles for Users

 

RBAC User Creator handles all the differences between 7-mode and Clustered Data ONTAP.

 

  • Select the VSC version you're using and the roles you want the new user to have
  • Choose the product and product version
  • RBAC User Creator merges all the privileges from the selected roles and combines them into a single sorted list
  • Since ONTAP limits the number of privileges in a role, RBAC User Creator creates iterated role names in the form <rolename>.X
  • In the case of Clustered Data ONTAP, it handles both the read-only and all-access privileges

If you are unsure what privileges the new user will have, click the PREVIEW button to preview the list. It shows the sorted list of all the privileges to be added. If the storage system is running 7-mode, the tool also creates an EMS log entry detailing the creation of the new username. Hopefully this functionality will be added for Clustered Data ONTAP soon.
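The merge-sort-chunk step described above is easy to reproduce outside the tool. The following is an added example (my own Python, not the C# code of RBAC User Creator) that reads a privilege file in the `<product>/<seven-mode>/<roles>/<role>/<api>` layout used by ontapPrivs.xml, unions the privileges of the selected roles, sorts them, and splits the result into `<rolename>.X` groups when the per-role limit forces it. The XML below is a constructed, trimmed sample, and the limit is a parameter because the page does not state the actual ONTAP value.

```python
"""Merge, sort and chunk 7-mode privileges from an ontapPrivs.xml-style file.

Added example, not the RBAC User Creator's own code. The XML layout follows the
<product>/<seven-mode>/<roles>/<role>/<api> structure shown in this thread; the
per-role privilege limit is a parameter (the real ONTAP limit is not given here).
"""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of ontapPrivs.xml (trimmed; not the real file).
SAMPLE_XML = """\
<products>
  <balance id="balance4200" label="OnCommand Balance 4.2.0.0">
    <seven-mode>
      <roles>
        <role id="discovery" label="Discovery" description="Discover storage">
          <api>api-system-get-info</api>
          <api>api-volume-list-info</api>
          <api>login-http-admin</api>
          <api>api-aggr-list-info</api>
        </role>
        <role id="backup" label="Backup" description="Snapshot operations">
          <api>api-snapshot-create</api>
          <api>api-volume-list-info</api>
          <api>login-http-admin</api>
        </role>
      </roles>
    </seven-mode>
  </balance>
</products>
"""


def load_roles(xml_text, product_id, mode="seven-mode"):
    """Return {role_id: [privilege, ...]} for one product and one ONTAP mode."""
    root = ET.fromstring(xml_text)
    product = root.find(f".//*[@id='{product_id}']")
    if product is None:
        raise KeyError(f"product {product_id!r} not in XML")
    roles = {}
    for role in product.findall(f"./{mode}/roles/role"):
        roles[role.get("id")] = [api.text.strip() for api in role.findall("api")]
    return roles


def merge_privileges(roles, selected):
    """Union of the privileges of the selected roles, de-duplicated and sorted."""
    merged = set()
    for role_id in selected:
        merged.update(roles[role_id])
    return sorted(merged)


def chunk_roles(rolename, privileges, limit):
    """Split a sorted privilege list into <rolename>.X groups of at most `limit`.

    A list that fits the limit keeps the plain role name; only when a split is
    forced do the iterated names appear, mirroring what the text describes.
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    if len(privileges) <= limit:
        return {rolename: list(privileges)}
    return {
        f"{rolename}.{i + 1}": privileges[start:start + limit]
        for i, start in enumerate(range(0, len(privileges), limit))
    }


if __name__ == "__main__":
    roles = load_roles(SAMPLE_XML, "balance4200")
    privs = merge_privileges(roles, ["discovery", "backup"])
    # Deliberately tiny limit so the <rolename>.X split is visible.
    for name, group in chunk_roles("balance_role", privs, limit=2).items():
        print(name, group)
```

Because the merged list is sorted before chunking, the preview the tool shows and the groups it creates are deterministic; two runs with the same selection always produce the same `<rolename>.X` membership, which is what lets you audit a created role against the XML.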

 

Step 4: Add Storage Systems

 

  • Log in to your application
  • Add the storage system using the new username

Resources:

 

  • Download RBAC User Creator for Data ONTAP
  • Comment below by @mentioning dbkelly (For any issues: include the ONTAPUserCreator.log file in your comment)


Replies
We have a new FAS8040 with cDOT 8.3. We now want to set the permissions so that our VMware colleagues can manage LUNs on this new system. The RBAC tool shows the error message: Command failed: Invalid Operation. We have selected the same privileges as in 7-Mode. The selected role has been created on the SVM (by the RBAC tool), however, not the Admin. Our colleagues get the message 'Insufficient privileges' when they want to log in with the admin user.
Does anyone have an idea?

sanadmin_do, please email the RUC tool log file and I will take a look. A screenshot is useful as well.

 

 

-David

 

I am one step further. Once I use the RBAC commands entered via the console, for some I get the message: 'command failed: failed to set field "cmddirname" to "name_of_the_command"'. Example: "vserver services UNIX usershow" or "lun igroup new" with access "all" or "read only".

Here is another update:

 

OnCommand Balance 4.2.0.0 for 7-mode

    <balance id="balance4200" label="OnCommand Balance 4.2.0.0">
      <seven-mode>
        <roles>
          <role id="balanceRole" label="Balance Role" description="This role allows for the discovery of all the connected storage controllers.">
            <api>api-aggr-list-info</api>
            <api>api-cf-status</api>
            <api>api-cifs-share-list-*</api>
            <api>api-cifs-status</api>
            <api>api-clock-get-timezone</api>
            <api>api-disk-list-info</api>
            <api>api-fcp-adapter-list-info</api>
            <api>api-license-list-info</api>
            <api>api-license-v2-list-info</api>
            <api>api-lun-get-geometry</api>
            <api>api-lun-get-serial-number</api>
            <api>api-lun-list-info</api>
            <api>api-lun-map-list-info</api>
            <api>api-lun-stats-list-info</api>
            <api>api-nfs-exportfs-list-*</api>
            <api>api-nfs-status</api>
            <api>api-perf-object-counter-list-info</api>
            <api>api-perf-object-get-*</api>
            <api>api-perf-object-instance-list-info</api>
            <api>api-perf-object-list-info</api>
            <api>api-qtree-list</api>
            <api>api-snapshot-delete</api>
            <api>api-system-cli</api>
            <api>api-system-get-info</api>
            <api>api-system-get-version</api>
            <api>api-useradmin-group-list</api>
            <api>api-useradmin-role-list</api>
            <api>api-useradmin-user-list</api>
            <api>api-vfiler-list-info</api>
            <api>api-volume-get-root-name</api>
            <api>api-volume-list-info-iter-start</api>
            <api>api-volume-list-info-iter-next</api>
            <api>api-volume-list-info-iter-end</api>
            <api>api-volume-size</api>
            <api>cli-fcp</api>
            <api>cli-ifconfig</api>
            <api>cli-options</api>
            <api>cli-rdfile</api>
            <api>cli-vfiler</api>
            <api>login-http-admin</api>
            <api>security-api-vfiler</api>
          </role>
        </roles>
      </seven-mode>
    </balance>

Enjoy!

Hello,

 

Is there any plan to add support for SnapProtect sometimes soon?

 

Thanks and regards,

 

Uwe

This is a great tool! Can you please include OnCommand Insight user creation too? Customers sometimes find it frustrating to create all of the capabilities per command line, controller by controller. This would streamline the installation prep work.

 

These are the capabilities required (as of OCI version 7.x):

For ONTAP 7mode 8.1 or earlier the following capabilities are required:

login-http-admin,api-system-get-info,api-system-get-*,api-license-list-info,api-fcp-adapter-list-info,cli-fcp,api-cf-status,api-disk-list-info,api-aggr-list-info,api-volume-list-*,api-volume-get-root-name,api-lun-list-info,api-lun-get-*,api-lun-map-list-info,api-qtree-list,api-lun-stats-list-info,api-system-cli,cli-rdfile,cli-ifconfig,api-vfiler-list-info,security-api-vfiler,api-nfs-status,api-nfs-exportfs-list-*,api-cifs-status,api-cifs-share-list-*,api-perf-object-list-info,api-perf-object-counter-list-info,api-perf-object-get-*,api-useradmin-group-list,api-useradmin-role-list,api-snapmirror-get-status,api-snapmirror-list-*,api-storage-disk-get-iter,cli-options,api-net-ifconfig-get,api-aggr-space-list-info,cli-df,api-snapshot-reserve-list-info,api-flash-device-list-info,cli-date,cli-snap,api-iscsi-service-status,api-quota-report,api-iscsi-node-get-name,api-iscsi-tpgroup-list-info,api-iscsi-portal-list-info,api-iscsi-session-list-info,api-iscsi-initiator-auth-list-info,api-perf-object-instance-list-info,api-fcp-service-status,api-volume-clone-split-estimate

 

For ONTAP 7mode 8.2+ the following capabilities are required:

login-http-admin,api-system-get-info,api-system-get-*,api-license-list-info,api-fcp-adapter-list-info,cli-fcp,api-cf-status,api-disk-list-info,api-aggr-list-info,api-volume-list-*,api-volume-get-root-name,api-lun-list-info,api-lun-get-*,api-lun-map-list-info,api-qtree-list,api-lun-stats-list-info,api-system-cli,cli-rdfile,cli-ifconfig,api-vfiler-list-info,security-api-vfiler,api-nfs-status,api-nfs-exportfs-list-*,api-cifs-status,api-cifs-share-list-*,api-perf-object-list-info,api-perf-object-counter-list-info,api-perf-object-get-*,api-useradmin-group-list,api-useradmin-role-list,api-snapmirror-get-status,api-snapmirror-list-*,api-storage-disk-get-iter,api-license-v2-list-info,cli-options,api-net-ifconfig-get,api-aggr-space-list-info,cli-df,api-snapshot-reserve-list-info,api-flash-device-list-info,cli-date,cli-snap,api-iscsi-service-status,api-quota-report,api-iscsi-node-get-name,api-iscsi-tpgroup-list-info,api-iscsi-portal-list-info,api-iscsi-session-list-info,api-iscsi-initiator-auth-list-info,api-perf-object-instance-list-info,api-fcp-service-status,api-volume-clone-split-estimate

 

For Clustered Data ONTAP, these are the steps to create a read-only user account:

  • Log into the NetApp storage system by using an SSH client and run the following commands (case sensitive):
  • security login role create -role test -cmddirname DEFAULT -access readonly
  • security login create -username useraccount -application ontap -authmethod password -role test -vserver storagename


Hope that can be done to simplify user creation for our management tools.

Best regards

Oliver 

hi guys,

 

great tool but it doesn't work in 8.3P2 in combination with VSC 6.

although in the changelog I see: Added support for VSC/VP 6.0 (VMware) - I cannot choose VSC6 in the dialog box - I always used VSC5 instead and generated the commands offline and inserted them into the CLI -

the bad thing - it seems that some commands for the role don't exist in 8.3 anymore - e.g. "vserver services unix-user create" > cmddirname not found :-(

 

perhaps you can fix this - really love to use RBAC tool.

 

thanks AJ

hi guys,

 

since no one answered I created the file on my own for VSC with RBAC settings for a directly connected SVM - I attached the commands below so perhaps it helps someone else - it was really a mess to get the commands into a file - it's only for 8.3 since some of the commands changed between 8.2.x and 8.3 -

 

for detailed information check the RBAC guide for VSC6: https://library.netapp.com/ecm/ecm_download_file/ECMP12405921

 

best AJ

-------------
works only with cDOT 8.3 - only tested with VSC6 direct SVM connected
-------------
Instructions
-------------
1. use "replace" of your editor to change [VSERVER] to the name of your vserver
2. you can copy/paste the command to CLI 
--- Important ---
- start with GLOBAL section, then ALL "-access all" - after that copy the "-access readonly" otherwise you have wrong permissions!
- then create the login at the end
-------------------


GLOBAL: 
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "DEFAULT" -access none

discovery for SVM:

security login role create -vserver [VSERVER] -role smvi_role -cmddirname "security login role show-user-capability" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency stat" -access all

security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun geometry" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota report" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp initiator show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp interface show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access readonly


clone for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface lif-weights show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface dns-lb-stats show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file clone" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file reservation" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-filehandle" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access all

security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun geometry" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota report" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access readonly


create storage for SVM:

security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun comment" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun move" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun online" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror abort" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror break" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror check" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror get-volume-status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror initialize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror list-destinations" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy add-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy remove-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror quiesce" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror release" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror restore" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resume" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resync" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror update" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume autosize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume clone create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency on" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency start" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency stop" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume restrict" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume unmount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule setindex" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi interface accesslist add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver services name-service unix-group" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver services name-service unix-user" -access all

security login role create -vserver [VSERVER] -role smvi_role -cmddirname "job show-completed" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp initiator show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi connection show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi interface show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi session show" -access readonly


modify storage for SVM
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun resize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency off" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume size" -access all


destroy storage for SVM
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun offline" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume destroy" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume offline" -access all


backup and restore for SVM
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "job history show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun online" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun serial" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "security login role show-ontapi" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror abort" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror break" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror check" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror get-volume-status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror initialize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror list-destinations" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy add-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy remove-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror quiesce" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror release" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror restore" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resume" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resync" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror update" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume clone create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume destroy" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file clone" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file reservation" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-filehandle" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume mount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume offline" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot rename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot restore-file" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume unmount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp nodename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi nodename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver peer show" -access all



CREATE USER
security login create -vserver [VSERVER] -username smvi_user -role smvi_role -application ontapi -authmethod password 


AJ, FYI, the attached ontapPrivs.xml.txt (463 KB) file at the top of the post contains all the privileges needed for Direct SVM access on VSC 6.0.

-David

thanks david,

I didn't get that - I think it would be great having a direct link to the latest XML file on the support download page and a notice that the latest XML is ONLY available on community sites - I downloaded the RBAC tool and thought it would contain the latest for sure - it's annoying jumping around websites just to get all the stuff together just for using a great tool like RBAC -

it's a pain in the a... having spent hours to get all cmds together and now seeing everything is already there... also there was no reply on my first post - yeah, could have read the user guide - that's what I missed - but a direct link and notice on the download page for the tool would also make sense.

thanks at all

AJ

Hi,

Are there plans to create roles for OPM 2.0 and OCUM 6.3 for cDOT 8.2.x and 8.3?

We are interested in creating roles that are just read-only, or users with the minimal necessary rights.

Best wishes,

Markus.

Just a comment:

VSC 6: If you choose "All", it's still missing the whole "Policy Based Management" capabilities for cDOT. Maybe someone could add them?

VASA: There's only version 1 available, and it's unusable (no capabilities?). Version 2 is completely missing.

Anyway: Love the tool, keep up the good work!

One quirk: Similar to Scott's comment, I'd appreciate it if the boxes wouldn't all revert when you connect to a new controller.

If they'd just stay the way they are, it would be easier to set up multiple controllers...

My 2c

Sebastian

Tried using this with cDOT 8.2.2 but it failed. Everything in the RBACUserCreator.log is either DEBUG or INFO except for the 4 entries I've included below. Any tips on what to look for to get this working? We're wanting to use this specifically for VSC 5.0 with vSphere 5.5.

Thanks.

2015-09-21 17:35:25,378 WARN  [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Modify Storage']/read-only/command not found
2015-09-21 17:35:25,378 WARN  [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Destroy Storage']/read-only/command not found
2015-09-21 17:35:25,393 WARN  [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Backup-Recovery']/read-only/command not found
2015-09-21 17:35:25,503 ERROR [ZapiUtils.createCModeLoginRole]: API FAILED: invalid operation

Sorry, but I can't use it, because only admin/root is allowed to log on to the system.

In the context where I would operate, the admin credentials are secret and there is another account, with the same permissions as admin, that is a Windows domain user. So I log on to System Manager using, e.g., domain\user. After all, we're speaking about RBAC, and it could be normal to avoid the use of admin.

The same with this tool seems not to be permitted, and a white exclamation mark in a red circle appears.

It seems to be logged in and I can browse the SVMs, but no action can be performed.

Is there some enhancement planned?

gmilazzoitag, In order to create a new RBAC user, the user used to login to the RUC tool has to have at least all the privileges listed in the ontapPrivs.xml file for the selected product and version. There isn't any way to easily guarantee the RUC tool user will have all those privileges so I simply require the user to login as admin/root. This tool is meant to be used by the storage admin to create RBAC users for OFFTAP products, so requiring admin/root privileges is acceptable. No enhancement is planned.

Hi dbkelly.

Maybe I haven't explained it well.

The user I must use is perfectly equivalent to "admin". It has been created to avoid sharing the admin password.

With that I can do everything on the cluster and nodes. I understand that this tool has been created to be used by the storage admins group and people, but there are environments where the admin object must be impersonated by other real users. It's simply a name issue.

Support for VSC 6.1 has been added. Please note, you must download the latest ontapPrivs.xml.txt file (renaming it to *.xml) from the first post, and replace the one installed by the tool.

Hello dbkelly.

I did use the tool for our "special" case, 7-mode with VSC 6.1 and sv-smvi 3.0.3. I discovered that, especially for sv-smvi, there are seven capabilities missing:

api-volume-list-info
api-snapvault-primary-relationship-status-list-iter-start
api-snapvault-primary-relationship-status-list-iter-next
api-snapvault-primary-relationship-status-list-iter-end
api-snapvault-secondary-initiate-incremental-transfer
api-snapvault-secondary-get-relationship-status
api-snapvault-secondary-snapshot-schedule-list-info

It could be a good thing to add these to the config, as a separate SV-SMVI role.

I'm not sure, but I think it also affects version 6.0.

@dbkelly Works great to create a user for cDOT v8.3.1P1 + VSC v6.1

Thank you!

Hi,

In working with the SRA for SRM roles, I found that on 8.3.1P2 clusters "lun mapped show" errors as an invalid command. I changed it to "lun mapping show" and it worked.

Just an FYI.......

When using the RBAC User Creator tool, be sure to use a password for the new user that adheres to the password complexity policy as set in ONTAP. Based on our experience, the RBAC tool will not notify you of an error in the user creation process if the password is weak. When my storage admin was running the tool, he was using a very simple password for the new user (this was just for testing purposes). Even though the tool would report successful user creation, he was unable to find the created user when he connected to the storage system via SSH. When trying to create the user manually (with that same simple password) via command line, ONTAP would return an error regarding the password strength. It was a simple problem, but not very apparent when solely relying on the information returned by the RBAC tool.

Thanks,

Steve

Hi,

One of our customers needs to provide a public cloud service as an IaaS environment, and they are considering using VSC in an NFS-only environment. It is made for a multi-tenant environment. I want to know about the cDOT role for only the Discovery and Backup privileges in an NFS-only environment. We can find the Backup role in RBAC User Creator, but it may contain privileges for an iSCSI environment, like Volume Create/Clone/Delete. We want to remove unnecessary privileges from it. Does anyone know about a role set for NFS datastores only?

*Backup role

<role id="backup-recovery" label="Backup-Recovery"
      description="This role allows for the backup and restore of datastores and virtual machines">
  <all-access>
    <command>job history show</command>
    <!-- <command>lun create</command> -->
    <command>lun delete</command>
    <command>lun igroup add</command>
    <command>lun igroup create</command>
    <command>lun igroup delete</command>
    <!-- <command>lun igroup modify</command> -->
    <command>lun igroup show</command>
    <!-- <command>lun modify</command> -->
    <command>lun online</command>
    <command>lun serial</command>
    <command>lun show</command>
    <command>network interface</command>
    <command>security login role show-ontapi</command>
    <command>version</command>
    <command>volume clone create</command>
    <!-- <command>volume clone show</command> -->
    <command>volume create</command>
    <command>volume destroy</command>
    <command>volume file</command>
    <!-- <command>volume file clone create</command> -->
    <!-- <command>volume file show-disk-usage</command> -->
    <!-- <command>volume modify</command> -->
    <command>volume mount</command>
    <command>volume offline</command>
    <!-- <command>volume qtree create</command> -->
    <command>volume qtree show</command>
    <command>volume show</command>
    <command>volume snapshot create</command>
    <command>volume snapshot delete</command>
    <!-- <command>volume snapshot modify</command> -->
    <command>volume snapshot rename</command>
    <command>volume snapshot restore-file</command>
    <command>volume snapshot show</command>
    <command>volume unmount</command>
    <command>vserver</command>
    <!-- <command>vserver export-policy create</command> -->
    <!-- <command>vserver export-policy delete</command> -->
    <command>vserver export-policy show</command>
    <command>vserver fcp nodename</command>
    <command>vserver fcp status</command>
    <command>vserver iscsi nodename</command>
    <command>vserver iscsi status</command>
    <ontap-dependent value="8.2+">
      <command>snapmirror</command>
      <command>vserver peer show</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.2+">
      <command>event generate-autosupport-log</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.99-">
      <command>lun igroup new</command>
      <command>lun initiatorListMap show</command>
      <command>lun map</command>
      <command>lun mapped show</command>
      <command>lun new</command>
      <command>lun unmap</command>
      <command>volume clone new</command>
      <command>volume new</command>
      <command>volume qtree new</command>
      <command>volume snapshot new</command>
      <command>vserver export-policy new</command>
    </ontap-dependent>
    <ontap-dependent value="8.3+">
      <command>lun create</command>
      <command>lun mapping create</command>
      <command>lun mapping delete</command>
      <command>lun mapping show</command>
      <command>lun mapping show-initiator</command>
      <command>volume qtree create</command>
      <command>vserver export-policy create</command>
    </ontap-dependent>
  </all-access>
</role>
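As an added example (not code from the original post or from the RBAC User Creator tool), the script below reads a role in the ontapPrivs.xml layout quoted above, applies the ontap-dependent version gates, optionally drops the SAN-specific command directories, and renders the result as the same "security login role create" lines listed earlier in the thread. The reading of "8.2+" as ">= 8.2" and "8.2.99-" as "<= 8.2.99", the treatment of lun / vserver fcp / vserver iscsi as the commands an NFS-only role can drop, and the role excerpt itself are my assumptions, not taken from the real file.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the ontapPrivs.xml layout shown in the post (not the real file).
# Commented-out <command> entries, as in the real file, are XML comments and are never parsed.
ROLE_XML = """<role id="backup-recovery" label="Backup-Recovery">
  <all-access>
    <command>volume snapshot create</command>
    <command>vserver iscsi status</command>
    <ontap-dependent value="8.2+"><command>vserver peer show</command></ontap-dependent>
    <ontap-dependent value="8.2.99-"><command>lun mapped show</command></ontap-dependent>
    <ontap-dependent value="8.3+"><command>lun mapping show</command></ontap-dependent>
  </all-access>
</role>"""

ACCESS = {"all-access": "all", "read-only": "readonly"}  # section tag -> -access value
# Assumption: command directories an NFS-only datastore role does not need.
SAN_PREFIXES = ("lun", "vserver fcp", "vserver iscsi")

def parse_version(v):
    return tuple(int(p) for p in v.split("P")[0].split("."))  # '8.3.1P1' -> (8, 3, 1)

def applies(spec, version):
    # Assumption: '8.2+' means >= 8.2, '8.2.99-' means <= 8.2.99, a bare value means exact.
    ver, base = parse_version(version), parse_version(spec.rstrip("+-"))
    if spec.endswith("+"):
        return ver >= base
    return ver <= base if spec.endswith("-") else ver == base

def role_commands(role_xml, version, nfs_only=False):
    """Return (cmddirname, access) pairs the role grants on the given ONTAP version."""
    root, out = ET.fromstring(role_xml), []
    for section_tag, access in ACCESS.items():
        for child in root.iterfind(f"{section_tag}/*"):
            if child.tag == "command":
                nodes = [child]
            else:  # <ontap-dependent value="..."> wraps version-gated commands
                nodes = child.findall("command") if applies(child.get("value"), version) else []
            for node in nodes:
                cmd = node.text.strip()
                if nfs_only and cmd.startswith(SAN_PREFIXES):
                    continue
                out.append((cmd, access))
    return out

def cli_lines(role_xml, version, vserver, role, nfs_only=False):
    # Same shape as the 'security login role create' lines listed earlier in the thread.
    return [f'security login role create -vserver {vserver} -role {role} -cmddirname "{cmd}" -access {access}'
            for cmd, access in role_commands(role_xml, version, nfs_only)]
```

Diffing the output of role_commands() with and without nfs_only for your cluster's version shows exactly which grants an NFS-only role would give up, which is the review you want before trimming a role the vendor shipped.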

Hi,

I just downloaded the latest version (I think - v2.7), and it doesn't have support for VSC 6.2 in it. Is this something that is available somewhere else?

Thanks!

I just downloaded the tool today and tried to launch it per the instructions. The status bar goes about half way and stops. In the log, I see the following:

2016-12-01 15:48:10,195 DEBUG [UserCreator.processLoginRequest]: Storage System : 172.16.2.35
2016-12-01 15:48:10,195 DEBUG [UserCreator.processLoginRequest]: Storage Username : root
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage Password : *HIDDEN*
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage Port : 443
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage useSSL : True
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : 172.16.2.35
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443
2016-12-01 15:48:10,228 DEBUG [ZapiUtils.getNaServer]:
2016-12-01 15:48:10,228 DEBUG [ZapiUtils.getNaServer]:
2016-12-01 15:48:10,244 DEBUG [ZapiUtils.getSystemVersion]: <system-get-version/>

2016-12-01 15:48:10,280 ERROR [ZapiUtils.getSystemVersion]: Failed invoking API

We are running 8.2.3P4 7-Mode. I'm not sure what to try at this point.

Thank you,

Bill

Hi, when can we expect support for SRA 4.0 and ONTAP 9.x?

Thanks

Hi,

Since the XML file is outdated, when can we expect an updated version?

Thanks,

Tino

Hi all,

I am looking for an RBAC User Creator version which supports SnapDrive for Windows version 7.1.x and ONTAP 9.x.

In the first instance, a description of the minimum capabilities needed for SnapDrive 7.1.x and ONTAP 9 would help as well. Unfortunately, the official documentation only advises using vsadmin. Using the vsadmin user or role is not granular enough for my customer's security requirements.

Thank you in advance for any help and hint.

Raphael

I have disabled versions of TLS lower than 1.2 on the cDOT clusters and now cannot connect with RBAC.  Is there a way to fix this without re-enabling insecure versions?
