There are two methods for configuring Role-Based Access Control (RBAC) within the Rapid Cloning Utility. The first is controller-based: users are configured on the controller with varying permissions for storage-based operations. The second is based on vCenter privileges and allows for the creation of roles that can be assigned to various users.
The controller-based RBAC approach blocks VI client users from accessing storage functionality that may only be allowed by the storage administrator. Depending on the user that was selected when the controller was added to the Rapid Cloning Utility, the corresponding functionality is enabled or disabled in the UI. For example, a controller that was added with a user role of “Create Clones” can only access the “Create rapid clones” wizard. Note that controllers that are on the domain do not need to be added with the domain name specified as part of the username. Only the username must be specified. The graphical representation below shows the 4 controller-based roles supplied by RCU:
The steps below show how to create a user and assign the ‘Create Clones’ Role to the user:
>useradmin role add rcuCreateClonesRole1 -a api-aggr-list-info,api-cf-status,api-clone-*,api-ems-autosupport-log,api-fcp-service-status,
>useradmin role add rcuCreateClonesRole2 -a api-iscsi-session-list-info,api-license-list-info,api-lun-list-info,api-lun-map-list-info,
>useradmin role add rcuCreateClonesRole3 -a cli-df,api-snapmirror-get-volume-status,api-quota-report,api-qtree-list,api-system-api-list,
>useradmin group add rcuCreateClones -r rcuCreateClonesRole1,rcuCreateClonesRole2,rcuCreateClonesRole3
>useradmin user add rcuCreateClonesUser -g rcuCreateClones
To create a user and assign the ‘Create Storage’ Role to the user, you must first create the ‘Create Clones’ Role as described above. The example below shows how to create a user and assign the ‘Create Storage’ Role:
>useradmin role add rcuCreateStorageRole -a api-volume-create,api-volume-set-option,api-volume-autosize-set,api-sis-enable,api-sis-start,
>useradmin group add rcuCreateStorage -r rcuCreateStorageRole
>useradmin user add rcuCreateStorageUser -g rcuCreateClones,rcuCreateStorage
The example below shows how to create a user and assign the ‘Modify Storage’ Role:
>useradmin role add rcuModifyStorageRole -a api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize
>useradmin group add rcuModifyStorage -r rcuModifyStorageRole
>useradmin user add rcuModifyStorageUser -g rcuCreateClones,rcuCreateStorage,rcuModifyStorage
The example below shows how to create a user and assign the ‘Destroy Storage’ Role:
>useradmin role add rcuDestroyStorageRole -a api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy
>useradmin group add rcuDestroyStorage -r rcuDestroyStorageRole
>useradmin user add rcuDestroyStorageUser -g rcuCreateClones,rcuCreateStorage,rcuModifyStorage,rcuDestroyStorage
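Because each role above is layered on the previous ones through group membership, a role or group name that does not resolve changes what a user can actually do. The Python check below is an added example, not part of the original article or of any NetApp tool: it parses useradmin commands in the form shown above, reports references that no command defines, and lists users whose effective capabilities include a destroy API. The input is constructed and adapted from the commands above, with a shortened Create Clones capability list and one role reference deliberately misspelled.

```python
import re

# Constructed sample: Modify/Destroy role lines as in the article; the Create Clones
# role is shortened and its group references a misspelled role on purpose.
COMMANDS = """\
useradmin role add rcuCreateClonesRole1 -a api-clone-*,api-lun-list-info
useradmin role add rcuModifyStorageRole -a api-volume-size,api-sis-disable,api-sis-stop,api-lun-resize
useradmin role add rcuDestroyStorageRole -a api-volume-offline,api-volume-destroy,api-lun-offline,api-lun-destroy
useradmin group add rcuCreateClones -r rcuCreateCloneRole1
useradmin group add rcuModifyStorage -r rcuModifyStorageRole
useradmin group add rcuDestroyStorage -r rcuDestroyStorageRole
useradmin user add rcuModifyStorageUser -g rcuCreateClones,rcuModifyStorage
useradmin user add rcuDestroyStorageUser -g rcuCreateClones,rcuModifyStorage,rcuDestroyStorage
"""

LINE = re.compile(r"^>?\s*useradmin (role|group|user) add (\S+) -[arg] (\S+)$")

def parse(text):
    """Build {'role': {name: caps}, 'group': {name: roles}, 'user': {name: groups}}."""
    model = {"role": {}, "group": {}, "user": {}}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            kind, name, items = m.groups()
            model[kind][name] = [i for i in items.split(",") if i]
    return model

def dangling(model):
    """(holder, missing name) pairs for role/group references that no command defines."""
    bad = [(g, r) for g, rs in model["group"].items() for r in rs if r not in model["role"]]
    bad += [(u, g) for u, gs in model["user"].items() for g in gs if g not in model["group"]]
    return bad

def effective(model, user):
    """Union of the capabilities a user receives through its groups and their roles."""
    caps = set()
    for g in model["user"].get(user, []):
        for r in model["group"].get(g, []):
            caps.update(model["role"].get(r, []))
    return caps

def destructive_users(model):
    """Users whose effective capability set contains any *-destroy API."""
    return sorted(u for u in model["user"]
                  if any(c.endswith("-destroy") for c in effective(model, u)))
```
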
The Rapid Cloning Utility 3.0 has added the privileges shown in the screen capture below to the vCenter privilege list:
This privilege allows users to add/remove storage controllers from RCU as well as configure the properties (aggregates, volumes, and interfaces) that can be used when provisioning new storage or cloning virtual machines. The controller configuration screen is found on the storage controllers tab under the home view of the Rapid Cloning Utility. The ‘Configure’ privilege must be given at the vCenter Server level. Assigning this privilege on any other object within the inventory will have no effect. Please note that these privileges must be granted in addition to the privileges required by vCenter. For example, you need to have rights to create a datastore on a host in addition to the NetApp Rapid Cloning Utility=>Datastore=>Provision privilege.
This privilege allows users to access the rapid clones wizard within the Rapid Cloning Utility. The wizard provides the functionality of creating new virtual machine clones on NetApp storage as well as importing those clones into VMware View and Citrix XenDesktop.
The 'Manage' datastores role provides assigned users with the ability to resize datastores, manage deduplication settings for underlying volumes, as well as destroy datastores on NetApp storage controllers.
The 'Provision' privilege gives the user access to the provision datastores wizard within the Rapid Cloning Utility. The wizard allows the creation of NFS and VMFS (FCP/iSCSI) based datastores on NetApp storage controllers.
This privilege gives users access to the re-deploy functionality found on the re-deploy tab within the home view of the Rapid Cloning Utility. Users are presented with baseline virtual machines and allowed to choose which child clones of each virtual machine can be re-deployed. Please note that in this release, the ‘Re-Deploy clones’ privilege must be given at the vCenter Server level. Assigning this privilege on any other object within the inventory will have no effect.