Virtualization Articles and Resources
Introduction:
The RBAC User Creator for Data ONTAP® tool is a C# application that assists you in creating RBAC usernames within Data ONTAP. This application is used to create usernames in both 7-Mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances among the NetApp products using them.
The lists of privileges being created are stored in XML (ontapPrivs.xml). This was done for two primary reasons:
1. You can clearly see the privileges, so there is complete transparency with regard to the new user RBAC User Creator is creating.
2. Additional privileges and products can be added later without the need to recompile the application.
NOTE: An important feature of version 2.0 is the ability to add products without needing to recompile the application.
You can think of RBAC User Creator as a framework of sorts. All the products and the privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information to the XML file.
RBAC User Creator has native support for the following products out of the box
Step 1: Install Tool
Install the tool by selecting "Run as Administrator". Standard InstallShield rules apply. If you don't "Run as Administrator", the log file will not be created.
Step 2: Set Up Usernames and Privileges
In just a few clicks you can create ONTAP usernames with all the privileges required by VSC. To guide you along, the non-relevant sections are greyed out.
NOTE: RBAC User Creator requires root/admin storage credentials to create new usernames.
For more details, please read the User Guide (attached below)
Step 3: Add Roles for Users
RBAC User Creator handles all the differences between 7-Mode and Clustered Data ONTAP.
If you are unsure what privileges the new user will have, click the PREVIEW button to preview the list. It shows you the sorted list of all the privileges to be added. If the storage system is running 7-Mode, the tool also creates an EMS log entry detailing the creation of the new username. Hopefully this functionality will be added for Clustered Data ONTAP soon.
Step 4: Add Storage Systems
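The flow behind Steps 2 and 3 (pick a product in ontapPrivs.xml, PREVIEW the sorted privilege list, then create role, group and user on 7-Mode or role and login on Clustered Data ONTAP) is easy to reproduce from the XML alone. The following is an added example and not code from RBAC User Creator: it parses a constructed ontapPrivs.xml-style fragment whose 7-Mode layout copies the OnCommand Balance entry posted later in this thread and whose cluster-mode layout follows the XPath the tool prints in its log (/privs/product/vsc[@id=...]/cluster-mode/admin-vserver/role[@label=...]/read-only/command). The <all> sibling of <read-only>, the vsc60 product id, the role labels and every user, group, role and vserver name are assumptions. The useradmin and security login command syntax is the one used elsewhere on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ontapPrivs.xml (not the real file).
# 7-Mode layout: <seven-mode>/<roles>/<role>/<api>, as in the Balance entry.
# Cluster-mode layout: <cluster-mode>/<admin-vserver>/<role>/<read-only>/<command>,
# as in the tool's log; the <all> element is an assumed sibling of <read-only>.
SAMPLE_PRIVS_XML = """<privs>
  <product>
    <balance id="balance4200" label="OnCommand Balance 4.2.0.0">
      <seven-mode>
        <roles>
          <role id="balanceRole" label="Balance Role" description="Discovery of connected controllers.">
            <api>login-http-admin</api>
            <api>api-system-get-version</api>
            <api>api-volume-list-info-iter-start</api>
            <api>api-volume-list-info-iter-next</api>
            <api>api-volume-list-info-iter-end</api>
            <api>api-system-get-version</api>
          </role>
        </roles>
      </seven-mode>
    </balance>
    <vsc id="vsc60" label="VSC 6.0 (assumed id)">
      <cluster-mode>
        <admin-vserver>
          <role label="Discovery">
            <read-only><command>lun igroup show</command><command>lun show</command></read-only>
            <all><command>set</command></all>
          </role>
          <role label="Create Storage">
            <all><command>lun create</command><command>lun igroup show</command></all>
            <read-only><command>lun show</command><command>volume snapshot show</command></read-only>
          </role>
        </admin-vserver>
      </cluster-mode>
    </vsc>
  </product>
</privs>
"""

ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}


def find_product(root, product_id):
    """Locate a product element (any tag) by its id attribute."""
    prod = root.find(f"./product/*[@id='{product_id}']")
    if prod is None:
        raise KeyError(f"no product with id {product_id!r}")
    return prod


def preview_seven_mode(root, product_id):
    """Sorted, de-duplicated capability list: what the PREVIEW button shows."""
    prod = find_product(root, product_id)
    caps = {a.text.strip() for a in prod.iterfind("./seven-mode/roles/role/api") if a.text}
    return sorted(caps)


def seven_mode_commands(root, product_id, user, group):
    """7-Mode: one role per <role>, a group holding the roles, and the user."""
    prod = find_product(root, product_id)
    cmds, role_ids = [], []
    for role in prod.iterfind("./seven-mode/roles/role"):
        rid = role.get("id")
        caps = sorted({a.text.strip() for a in role.iterfind("api") if a.text})
        cmds.append(f"useradmin role add {rid} -a {','.join(caps)}")
        role_ids.append(rid)
    cmds.append(f"useradmin group add {group} -r {','.join(role_ids)}")
    cmds.append(f"useradmin user add {user} -g {group}")
    return cmds


def cluster_mode_access(root, product_id, role_labels=None):
    """Merge the selected roles' command directories; the most permissive level wins."""
    prod = find_product(root, product_id)
    merged = {}
    for role in prod.iterfind("./cluster-mode/admin-vserver/role"):
        if role_labels and role.get("label") not in role_labels:
            continue
        for tag, level in (("all", "all"), ("read-only", "readonly")):
            for c in role.iterfind(f"./{tag}/command"):
                name = c.text.strip()
                if ACCESS_RANK[level] > ACCESS_RANK.get(merged.get(name), -1):
                    merged[name] = level
    return merged


def cluster_mode_commands(root, product_id, vserver, user, role, role_labels=None):
    """Clustered Data ONTAP: DEFAULT none first, then all, then readonly, then the login."""
    merged = cluster_mode_access(root, product_id, role_labels)

    def line(name, level):
        return (f"security login role create -vserver {vserver} -role {role} "
                f'-cmddirname "{name}" -access {level}')

    cmds = [line("DEFAULT", "none")]
    for level in ("all", "readonly"):
        cmds += [line(n, level) for n in sorted(n for n, l in merged.items() if l == level)]
    cmds.append(f"security login create -vserver {vserver} -username {user} -role {role} "
                f"-application ontapi -authmethod password")
    return cmds


ROOT = ET.fromstring(SAMPLE_PRIVS_XML)

if __name__ == "__main__":
    print("\n".join(preview_seven_mode(ROOT, "balance4200")))
    print("\n".join(seven_mode_commands(ROOT, "balance4200", "balance_user", "balance_grp")))
    print("\n".join(cluster_mode_commands(ROOT, "vsc60", "svm1", "vsc_user", "vsc_role")))
```

Passing a set of role labels to cluster_mode_access mirrors ticking individual role boxes in the tool; a command directory listed as readonly in one role and all in another is emitted once, at the higher level, so the same role/cmddirname pair is never created twice.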
Resources:
sanadmin_do, please email the RUC tool log file and I will take a look. A screenshot is useful as well.
-David
I am one step further. Once I use the RBAC commands entered via the console, for some I get the message: 'command failed: failed to set field "cmddirname" to "name_of_the_command"'. Example: "vserver servies UNIX usershow" or "lun igroup new" with access "all" or "read only".
Here is another update:
OnCommand Balance 4.2.0.0 for 7-mode
<balance id="balance4200" label="OnCommand Balance 4.2.0.0">
  <seven-mode>
    <roles>
      <role id="balanceRole" label="Balance Role" description="This role allows for the discovery all the connected storage controllers.">
        <api>api-aggr-list-info</api>
        <api>api-cf-status</api>
        <api>api-cifs-share-list-*</api>
        <api>api-cifs-status</api>
        <api>api-clock-get-timezone</api>
        <api>api-disk-list-info</api>
        <api>api-fcp-adapter-list-info</api>
        <api>api-license-list-info</api>
        <api>api-license-v2-list-info</api>
        <api>api-lun-get-geometry</api>
        <api>api-lun-get-serial-number</api>
        <api>api-lun-list-info</api>
        <api>api-lun-map-list-info</api>
        <api>api-lun-stats-list-info</api>
        <api>api-nfs-exportfs-list-*</api>
        <api>api-nfs-status</api>
        <api>api-perf-object-counter-list-info</api>
        <api>api-perf-object-get-*</api>
        <api>api-perf-object-instance-list-info</api>
        <api>api-perf-object-list-info</api>
        <api>api-qtree-list</api>
        <api>api-snapshot-delete</api>
        <api>api-system-cli</api>
        <api>api-system-get-info</api>
        <api>api-system-get-version</api>
        <api>api-useradmin-group-list</api>
        <api>api-useradmin-role-list</api>
        <api>api-useradmin-user-list</api>
        <api>api-vfiler-list-info</api>
        <api>api-volume-get-root-name</api>
        <api>api-volume-list-info-iter-start</api>
        <api>api-volume-list-info-iter-next</api>
        <api>api-volume-list-info-iter-end</api>
        <api>api-volume-size</api>
        <api>cli-fcp</api>
        <api>cli-ifconfig</api>
        <api>cli-options</api>
        <api>cli-rdfile</api>
        <api>cli-vfiler</api>
        <api>login-http-admin</api>
        <api>security-api-vfiler</api>
      </role>
    </roles>
  </seven-mode>
</balance>
Enjoy!
Hello,
Is there any plan to add support for SnapProtect sometime soon?
Thanks and regards,
Uwe
This is a great tool! Can you please include OnCommand Insight user creation too? Customers sometimes find it frustrating to create all of the capabilities via the command line, controller by controller. This would streamline the installation prep work.
These are the capabilities required (as of OCI version 7.x):
For ONTAP 7mode 8.1 or earlier the following capabilities are required:
login-http-admin,api-system-get-info,api-system-get-*,api-license-list-info,api-fcp-adapter-list-info,cli-fcp,api-cf-status,api-disk-list-info,api-aggr-list-info,api-volume-list-*,api-volume-get-root-name,api-lun-list-info,api-lun-get-*,api-lun-map-list-info,api-qtree-list,api-lun-stats-list-info,api-system-cli,cli-rdfile,cli-ifconfig,api-vfiler-list-info,security-api-vfiler,api-nfs-status,api-nfs-exportfs-list-*,api-cifs-status,api-cifs-share-list-*,api-perf-object-list-info,api-perf-object-counter-list-info,api-perf-object-get-*,api-useradmin-group-list,api-useradmin-role-list,api-snapmirror-get-status,api-snapmirror-list-*,api-storage-disk-get-iter,cli-options,api-net-ifconfig-get,api-aggr-space-list-info,cli-df,api-snapshot-reserve-list-info,api-flash-device-list-info,cli-date,cli-snap,api-iscsi-service-status,api-quota-report,api-iscsi-node-get-name,api-iscsi-tpgroup-list-info,api-iscsi-portal-list-info,api-iscsi-session-list-info,api-iscsi-initiator-auth-list-info,api-perf-object-instance-list-info,api-fcp-service-status,api-volume-clone-split-estimate
For ONTAP 7mode 8.2+ the following capabilities are required:
login-http-admin,api-system-get-info,api-system-get-*,api-license-list-info,api-fcp-adapter-list-info,cli-fcp,api-cf-status,api-disk-list-info,api-aggr-list-info,api-volume-list-*,api-volume-get-root-name,api-lun-list-info,api-lun-get-*,api-lun-map-list-info,api-qtree-list,api-lun-stats-list-info,api-system-cli,cli-rdfile,cli-ifconfig,api-vfiler-list-info,security-api-vfiler,api-nfs-status,api-nfs-exportfs-list-*,api-cifs-status,api-cifs-share-list-*,api-perf-object-list-info,api-perf-object-counter-list-info,api-perf-object-get-*,api-useradmin-group-list,api-useradmin-role-list,api-snapmirror-get-status,api-snapmirror-list-*,api-storage-disk-get-iter,api-license-v2-list-info,cli-options,api-net-ifconfig-get,api-aggr-space-list-info,cli-df,api-snapshot-reserve-list-info,api-flash-device-list-info,cli-date,cli-snap,api-iscsi-service-status,api-quota-report,api-iscsi-node-get-name,api-iscsi-tpgroup-list-info,api-iscsi-portal-list-info,api-iscsi-session-list-info,api-iscsi-initiator-auth-list-info,api-perf-object-instance-list-info,api-fcp-service-status,api-volume-clone-split-estimate
For Clustered Data ONTAP, these are the steps to create a read-only user account:
Log into the NetApp storage system by using an SSH client and run the following commands (case sensitive):
security login role create -role test -cmddirname DEFAULT -access readonly
security login create -username useraccount -application ontapi -authmethod password -role test -vserver storagename
Hope that can be done to simplify user creation for our management tools.
Best regards
Oliver
hi guys,
great tool but it doesn't work on 8.3P2 in combination with VSC 6.
although in the changelog I see: Added support for VSC/VP 6.0 (VMware) - I cannot choose VSC6 in the dialog box - I always used VSC5 instead and generated the commands offline and inserted them into the CLI -
the bad thing - it seems that some commands for the role don't exist in 8.3 anymore - e.g. "vserver services unix-user create" > cmddirname not found 😞
perhaps you can fix this - really love to use RBAC tool.
thanks AJ
hi guys,
since no one answered I created the file on my own for VSC with RBAC settings for a directly connected SVM - I attached the commands below so perhaps it helps someone else - it was really a mess to get the commands into a file - it's only for 8.3 since some of the commands changed between 8.2.x and 8.3 -
for detailed information check the RBAC guide for VSC6: https://library.netapp.com/ecm/ecm_download_file/ECMP12405921
best AJ
------------- works only with cDOT 8.3 - only tested with VSC6 direct SVM connected -------------
Instructions
-------------
1. use "replace" in your editor to change [VSERVER] to the name of your vserver
2. you can copy/paste the commands to the CLI
--- Important ---
- start with the GLOBAL section, then ALL "-access all"
- after that copy the "-access readonly", otherwise you have wrong permissions!
- then create the login at the end
-------------------

GLOBAL:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "DEFAULT" -access none

discovery for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "security login role show-user-capability" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency stat" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun geometry" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota report" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp initiator show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp interface show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access readonly

clone for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface lif-weights show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface dns-lb-stats show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file clone" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file reservation" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-filehandle" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun geometry" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota report" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume quota show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs show" -access readonly

create storage for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun comment" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup set" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun move" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun online" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror abort" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror break" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror check" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror get-volume-status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror initialize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror list-destinations" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy add-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy remove-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror quiesce" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror release" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror restore" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resume" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resync" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror update" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume autosize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume clone create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency on" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency start" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency stop" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume restrict" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume unmount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy rule setindex" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi interface accesslist add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver nfs status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver services name-service unix-group" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver services name-service unix-user" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "job show-completed" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp initiator show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi connection show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi interface show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi session show" -access readonly

modify storage for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun resize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume efficiency off" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume size" -access all

destroy storage for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun offline" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume destroy" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume offline" -access all

backup and restore for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "job history show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup add" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun online" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun serial" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "network interface" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "security login role show-ontapi" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror abort" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror break" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror check" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror get-volume-status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror initialize" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror list-destinations" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy add-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy modify-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy remove-rule" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror quiesce" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror release" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror restore" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resume" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror resync" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror update" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror snapshot-owner show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "version" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume clone create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume destroy" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file clone" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file reservation" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-disk-usage" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume file show-filehandle" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume mount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume offline" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume qtree show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot delete" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot rename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot restore-file" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume snapshot show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume unmount" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver export-policy show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp nodename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver fcp status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi nodename" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver iscsi status" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "vserver peer show" -access all

CREATE USER
security login create -vserver [VSERVER] -username smvi_user -role smvi_role -application ontapi -authmethod password
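The ordering rule in the instructions above (DEFAULT first, then every -access all, then -access readonly, the login last) and the overlaps between sections (for instance "lun igroup show" is readonly in the discovery section but all in create storage, and "lun mapping show" appears more than once) are easy to get wrong when pasting by hand. The following is an added example, not AJ's or NetApp's code: it reads a command file in the shape of the list above, keeps one entry per cmddirname at the most permissive level the file asks for, emits the lines in the required order and substitutes the [VSERVER] placeholder. The excerpt it embeds is constructed for the demonstration, and collapsing duplicates to the most permissive level is the example's own choice, made so the same role/cmddirname pair is never created twice.

```python
import shlex

ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}

# Constructed excerpt in the shape of the posted file: section headers,
# cmddirnames repeated across sections at different levels, and the login.
SAMPLE_COMMANDS = """
GLOBAL:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "DEFAULT" -access none
discovery for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "snapmirror show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "volume show" -access readonly
create storage for SVM:
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun create" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun igroup show" -access all
security login role create -vserver [VSERVER] -role smvi_role -cmddirname "lun mapping show" -access readonly
CREATE USER
security login create -vserver [VSERVER] -username smvi_user -role smvi_role -application ontapi -authmethod password
"""


def _options(tokens, start):
    """Turn '-flag value' pairs into a dict; reject odd or flagless token lists."""
    pairs = tokens[start:]
    if len(pairs) % 2 or any(not f.startswith("-") for f in pairs[::2]):
        raise ValueError(f"malformed option list: {' '.join(tokens)}")
    return {f.lstrip("-"): v for f, v in zip(pairs[::2], pairs[1::2])}


def normalize_role_commands(text, vserver):
    """Return (ordered command lines, conflicts) for the single role in the file.

    Conflicts are (cmddirname, earlier level, later level) tuples for entries
    that the file lists at two different access levels; the higher level wins.
    """
    role, entries, conflicts, logins = None, {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("security login"):
            continue  # section headers and blank lines
        toks = shlex.split(line)  # honours the quotes around multi-word cmddirnames
        if toks[:4] == ["security", "login", "role", "create"]:
            opts = _options(toks, 4)
            name, access = opts["cmddirname"], opts["access"]
            if access not in ACCESS_RANK:
                raise ValueError(f"unknown access level {access!r} for {name!r}")
            if role is None:
                role = opts["role"]
            elif opts["role"] != role:
                raise ValueError(f"file mixes roles {role!r} and {opts['role']!r}")
            prev = entries.get(name)
            if prev is not None and prev != access:
                conflicts.append((name, prev, access))
            if prev is None or ACCESS_RANK[access] > ACCESS_RANK[prev]:
                entries[name] = access
        elif toks[:3] == ["security", "login", "create"]:
            opts = _options(toks, 3)
            if opts.get("role") != role:
                raise ValueError("login refers to a role the file did not define")
            logins.append(line.replace("[VSERVER]", vserver))
        else:
            raise ValueError(f"unexpected command: {line}")
    if entries.get("DEFAULT") != "none":
        raise ValueError('role must include -cmddirname "DEFAULT" -access none')

    def fmt(name, access):
        return (f"security login role create -vserver {vserver} -role {role} "
                f'-cmddirname "{name}" -access {access}')

    out = [fmt("DEFAULT", "none")]
    for level in ("all", "readonly"):
        out += [fmt(n, level) for n in sorted(
            n for n, a in entries.items() if a == level and n != "DEFAULT")]
    return out + logins, conflicts


if __name__ == "__main__":
    lines, conflicts = normalize_role_commands(SAMPLE_COMMANDS, "svm1")
    print("\n".join(lines))
    for name, earlier, later in conflicts:
        print(f"# {name!r} listed as {earlier} and {later}; emitted once at the higher level")
```

Feed the whole posted list through it (with the section headers left in, since they are skipped) and review the conflicts it reports before pasting: each one is a command directory the file grants at two levels, which is exactly where a hand-pasted sequence ends up with the wrong permission.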
AJ, FYI, the attached ontapPrivs.xml.txt 463 KB file at the top of the post contains all the privileges needed for Direct SVM access on VSC6.0.
-David
thanks david,
I didn't get that - I think it would be great to have a direct link to the latest xml file on the support download page and a notice that the latest xml is ONLY available on the community site - I downloaded the RBAC tool and thought it would contain the latest for sure - it's annoying jumping around websites just to get all the stuff together just to use a great tool like RBAC -
it's a pain in the a... having spent hours getting all the cmds together and now seeing everything is already there... also there was no reply to my first post - yeah, I could have read the user guide - that's what I missed - but a direct link and notice on the download page for the tool would also make sense.
thanks at all
AJ
Hi,
are there plans to create roles for OPM 2.0 and OCUM 6.3 for cDOT 8.2.x and 8.3?
We are interested in creating roles for just read-only or for users with the minimal necessary rights.
Best wishes,
Markus.
Just a comment:
VSC 6: If you choose "All", it's still missing the whole "Policy Based Management" capabilities for cDOT. Maybe someone could add them?
VASA: There's only version 1 available, and it's unusable (no capabilities?). Version 2 is completely missing.
Anyway: Love the tool, keep up the good work!
One quirk: Similar to Scott's comment, I'd already appreciate, if the boxes wouldn't all revert, when you connect to a new controller.
If they'd just stay the way they are, it would be easier to set up multiple controllers...
My 2c
Sebastian
Tried using this with cDOT 8.2.2 but it failed. Everything in RBACUserCreator.log is either DEBUG or INFO except for the 4 entries I've included below. Any tips on what to look for to get this working? We want to use this specifically for VSC 5.0 with vSphere 5.5.
Thanks.
2015-09-21 17:35:25,378 WARN [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Modify Storage']/read-only/command not found
2015-09-21 17:35:25,378 WARN [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Destroy Storage']/read-only/command not found
2015-09-21 17:35:25,393 WARN [UserCreator.processSubmitRequest]: /privs/product/vsc[@id='vsc50']/cluster-mode/admin-vserver/role[@label='Backup-Recovery']/read-only/command not found
2015-09-21 17:35:25,503 ERROR [ZapiUtils.createCModeLoginRole]: API FAILED: invalid operation
Sorry but I can't use it, because only admin/root is allowed to log on to the system.
In the context where I would operate, the admin credentials are secret and there is another account, with the same permissions as admin, that is a Windows domain user. So I log on to System Manager using e.g. domain\user. After all we're speaking about RBAC, and it could be normal to avoid the use of admin.
The same with this tool seems not to be permitted, and a white exclamation mark in a red circle appears.
It seems to be logged in and I can browse the SVMs, but no action can be performed.
Is there some enhancement planned?
gmilazzoitag, In order to create a new RBAC user, the user used to login to the RUC tool has to have at least all the privileges listed in the ontapPrivs.xml file for the selected product and version. There isn't any way to easily guarantee the RUC tool user will have all those privileges so I simply require the user to login as admin/root. This tool is meant to be used by the storage admin to create RBAC users for OFFTAP products, so requiring admin/root privileges is acceptable. No enhancement is planned.
Hi dbkelly.
Maybe I haven't explained it well.
The user I must use is perfectly equivalent to "admin". It has been created to avoid sharing the admin password.
With that I can do everything on the cluster and nodes. I understand that this tool has been created to be used by the storage admins group and people, but there are environments where the admin object must be impersonated by other real users. It's simply a name issue.
Support for VSC 6.1 has been added. Please note, you must download the latest ontapPrivs.xml.txt file (renaming it to *.xml) from the first post, and replace the one installed by the tool.
Hello dbkelly.
I did use the tool for our "special" case, 7-mode with VSC 6.1 and sv-smvi 3.0.3. I discovered that, especially for sv-smvi, there are seven capabilities missing:
api-volume-list-info
api-snapvault-primary-relationship-status-list-iter-start
api-snapvault-primary-relationship-status-list-iter-next
api-snapvault-primary-relationship-status-list-iter-end
api-snapvault-secondary-initiate-incremental-transfer
api-snapvault-secondary-get-relationship-status
api-snapvault-secondary-snapshot-schedule-list-info
It could be a good thing to add this to the config as a separate SV-SMVI role.
I'm not sure, but I think it affects Version 6.0 as well.
Hi,
In working with the SRA for SRM roles, I found that on 8.3.1P2 clusters "lun mapped show" errors as an invalid command. I changed it to "lun mapping show" and it worked.
Just an FYI.......
When using the RBAC User Creator tool, be sure to use a password for the new user that adheres to the password complexity policy as set in ONTAP. Based on our experience, the RBAC tool will not notify you of an error in the user creation process if the password is weak. When my storage admin was running the tool, he was using a very simple password for the new user (this was just for testing purposes). Even though the tool would report successful user creation, he was unable to find the created user when he connected to the storage system via SSH. When trying to create the user manually (with that same simple password) via the command line, ONTAP would return an error regarding the password strength. It was a simple problem, but not very apparent when solely relying on the information returned by the RBAC tool.
Thanks,
Steve
Hi,
One of our customers needs to provide a public cloud service as an IaaS environment, and they are considering using VSC in an NFS-only environment. It is made for a multi-tenant environment. I want to know about the cDOT role for only the Discovery and Backup privileges in an NFS-only environment. We can find the Backup role in RBAC User Creator, but it may contain privileges for iSCSI environments like Volume Create/Clone/Delete. We want to remove the unnecessary privileges from it. Does anyone know about a role set for NFS datastores only?
*Backup role:
<role id="backup-recovery" label="Backup-Recovery"
      description="This role allows for the backup and restore of datastores and virtual machines">
  <all-access>
    <command>job history show</command>
    <!-- <command>lun create</command> -->
    <command>lun delete</command>
    <command>lun igroup add</command>
    <command>lun igroup create</command>
    <command>lun igroup delete</command>
    <!-- <command>lun igroup modify</command> -->
    <command>lun igroup show</command>
    <!-- <command>lun modify</command> -->
    <command>lun online</command>
    <command>lun serial</command>
    <command>lun show</command>
    <command>network interface</command>
    <command>security login role show-ontapi</command>
    <command>version</command>
    <command>volume clone create</command>
    <!-- <command>volume clone show</command> -->
    <command>volume create</command>
    <command>volume destroy</command>
    <command>volume file</command>
    <!-- <command>volume file clone create</command> -->
    <!-- <command>volume file show-disk-usage</command> -->
    <!-- <command>volume modify</command> -->
    <command>volume mount</command>
    <command>volume offline</command>
    <!-- <command>volume qtree create</command> -->
    <command>volume qtree show</command>
    <command>volume show</command>
    <command>volume snapshot create</command>
    <command>volume snapshot delete</command>
    <!-- <command>volume snapshot modify</command> -->
    <command>volume snapshot rename</command>
    <command>volume snapshot restore-file</command>
    <command>volume snapshot show</command>
    <command>volume unmount</command>
    <command>vserver</command>
    <!-- <command>vserver export-policy create</command> -->
    <!-- <command>vserver export-policy delete</command> -->
    <command>vserver export-policy show</command>
    <command>vserver fcp nodename</command>
    <command>vserver fcp status</command>
    <command>vserver iscsi nodename</command>
    <command>vserver iscsi status</command>
    <ontap-dependent value="8.2+">
      <command>snapmirror</command>
      <command>vserver peer show</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.2+">
      <command>event generate-autosupport-log</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.99-">
      <command>lun igroup new</command>
      <command>lun initiatorListMap show</command>
      <command>lun map</command>
      <command>lun mapped show</command>
      <command>lun new</command>
      <command>lun unmap</command>
      <command>volume clone new</command>
      <command>volume new</command>
      <command>volume qtree new</command>
      <command>volume snapshot new</command>
      <command>vserver export-policy new</command>
    </ontap-dependent>
    <ontap-dependent value="8.3+">
      <command>lun create</command>
      <command>lun mapping create</command>
      <command>lun mapping delete</command>
      <command>lun mapping show</command>
      <command>lun mapping show-initiator</command>
      <command>volume qtree create</command>
      <command>vserver export-policy create</command>
    </ontap-dependent>
  </all-access>
</role>
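The following is an added example, not code from the RBAC User Creator project or from the poster above. It parses a role fragment in the shape quoted above, resolves the ontap-dependent blocks for a given ONTAP version, and then prunes the resulting command list to the entries that do not live under the block-protocol directories, which is the starting point for the NFS-only role the post asks about. The sample XML is a constructed subset of the Backup-Recovery role, the interpretation of the version constraints (a trailing "+" meaning that version or later, a trailing "-" meaning that version or earlier) is an assumption based on the values seen in the fragment, and the BLOCK_PREFIXES list is likewise an assumption about which command directories are block-only.

```python
"""Derive the command set an ontapPrivs.xml-style role grants on a given
ONTAP version, then drop the block-protocol (LUN/FCP/iSCSI) entries."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Backup-Recovery role quoted in the
# thread; it is a trimmed subset, not the project's own ontapPrivs.xml.
ROLE_XML = """
<role id="backup-recovery" label="Backup-Recovery"
      description="Constructed subset of the Backup-Recovery role">
  <all-access>
    <command>job history show</command>
    <command>lun igroup show</command>
    <command>lun show</command>
    <command>version</command>
    <command>volume create</command>
    <command>volume snapshot create</command>
    <command>volume snapshot restore-file</command>
    <command>vserver</command>
    <command>vserver export-policy show</command>
    <command>vserver fcp status</command>
    <command>vserver iscsi status</command>
    <ontap-dependent value="8.2+">
      <command>snapmirror</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.2+">
      <command>event generate-autosupport-log</command>
    </ontap-dependent>
    <ontap-dependent value="8.2.99-">
      <command>lun mapped show</command>
      <command>volume new</command>
    </ontap-dependent>
    <ontap-dependent value="8.3+">
      <command>lun mapping show</command>
      <command>vserver export-policy create</command>
    </ontap-dependent>
  </all-access>
</role>
"""

# Assumption: these command directories are block-protocol only and can be
# dropped from a role meant for NFS datastores.
BLOCK_PREFIXES = ("lun", "vserver fcp", "vserver iscsi")


def parse_version(text):
    """Turn '8.3.1P2' into (8, 3, 1); a patch suffix such as P2 is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised ONTAP version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def constraint_applies(constraint, version):
    """Assumed semantics: '8.2+' is 8.2 or later, '8.2.99-' is 8.2.99 or earlier."""
    base = parse_version(constraint[:-1])
    if constraint.endswith("+"):
        return version >= base
    if constraint.endswith("-"):
        return version <= base
    raise ValueError(f"unrecognised constraint: {constraint!r}")


def commands_for(role_xml, ontap_version):
    """Return the sorted all-access commands the role grants on ontap_version."""
    version = parse_version(ontap_version)
    role = ET.fromstring(role_xml)
    granted = set()
    for section in role.findall("all-access"):
        # Unconditional commands (commented-out entries are skipped by the parser).
        granted.update(c.text.strip() for c in section.findall("command"))
        # Version-gated commands.
        for dep in section.findall("ontap-dependent"):
            if constraint_applies(dep.get("value"), version):
                granted.update(c.text.strip() for c in dep.findall("command"))
    return sorted(granted)


def nfs_only(commands):
    """Drop commands whose path sits under a block-protocol directory."""
    def is_block(cmd):
        return any(cmd == p or cmd.startswith(p + " ") for p in BLOCK_PREFIXES)
    return [c for c in commands if not is_block(c)]


if __name__ == "__main__":
    full = commands_for(ROLE_XML, "8.3.1P2")
    trimmed = nfs_only(full)
    print("granted on 8.3.1:", full)
    print("NFS-only subset: ", trimmed)
    print("removed:         ", sorted(set(full) - set(trimmed)))
```

Two things to check before applying a pruned list: a directory-level entry such as the bare `vserver` or `volume file` grants the whole command subtree, so removing leaf entries under `lun` only narrows the role if no broader directory still covers them; and whether VSC keeps working with the reduced set has to be verified against the product itself, which the thread does not settle.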
Hi,
I just downloaded the latest version (I think - v2.7), and it doesn't have support for VSC 6.2 in it. Is this something that is available somewhere else?
Thanks!
I just downloaded the tool today and tried to launch it per the instructions. The status bar goes about half way and stops. In the log, I see the following:
2016-12-01 15:48:10,195 DEBUG [UserCreator.processLoginRequest]: Storage System : 172.16.2.35
2016-12-01 15:48:10,195 DEBUG [UserCreator.processLoginRequest]: Storage Username : root
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage Password : *HIDDEN*
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage Port : 443
2016-12-01 15:48:10,196 DEBUG [UserCreator.processLoginRequest]: Storage useSSL : True
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : 172.16.2.35
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS
2016-12-01 15:48:10,227 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443
2016-12-01 15:48:10,228 DEBUG [ZapiUtils.getNaServer]:
2016-12-01 15:48:10,228 DEBUG [ZapiUtils.getNaServer]:
2016-12-01 15:48:10,244 DEBUG [ZapiUtils.getSystemVersion]: <system-get-version/>
2016-12-01 15:48:10,280 ERROR [ZapiUtils.getSystemVersion]: Failed invoking API
We are running 8.2.3P4 7-Mode. I'm not sure what to try at this point.
Thank you,
Bill
Hi, When can we expect support for SRA 4.0 and Ontap 9.x?
Thanks
Hi,
since the XML file is outdated, when can we expect an updated version?
Thanks,
Tino
SRA 4.0 Support is available using the OntapPrivs.xml file found in the following link:
Hi all,
I am looking for a RBAC User Creator version which supports SnapDrive for Windows Version 7.1.x and ONTAP 9.x.
In the first instance, a description of the minimum capabilities needed for SnapDrive 7.1.x and ONTAP 9 would help as well. Unfortunately, in the official documentation it is only advised to use vsadmin. Using the vsadmin user or role is not granular enough for my customer's security requirements.
Thank you in advance for any help and hint.
Raphael
I have disabled versions of TLS lower than 1.2 on the cDOT clusters and now cannot connect with RBAC. Is there a way to fix this without re-enabling insecure versions?
Hi,
which specific roles are required for VSC 9.6? Is there a new XML file? The current download of the RBAC User Creator Tools contains only the roles for VSC 7 - or has nothing changed?
Many thanks
Michael
Michael, the existing 7.x roles may be used with 9.6.
Please note that the RBAC User Creator tool (Windows executable) and ONTAP privileges file (XML) are posted on the NetApp Support site in the ToolChest for download:
As @jmcrosa said, the existing 7.X roles work properly with the 9.6 release. I am working to update the XML file to add 9.6 as a named release with no other changes.
The full set of privileges is described in this KB article:
https://kb.netapp.com/app/answers/answer_view/a_id/1001058
We are also working to replace this tool with functionality within ONTAP System Manager. It should be supported by the next Virtual Appliance release together with ONTAP 9.7 or later.
---Karl