What are the required capabilities for SnapDrive in ONTAP 7-Mode?
Applies to
- SnapDrive for Windows (SDW)
- SnapDrive for Unix (SDU)
- Data ONTAP 7.x and earlier
- Data ONTAP 8.0 to 8.2.x 7-MODE
Answer
In certain environments, it is not deemed acceptable to add the SnapDrive service account to the local administrators group on the storage controllers.
Complete the following steps to create a storage controller group with the appropriate capabilities for a SnapDrive service account:
-
Create a new role (such as 'sdrole') with the appropriate capabilities on the storage controller:
useradmin role add sdrole -a login-http-admin,api-lun-*,api-snapshot-*,api-iscsi-*,api-volume-*,api-snapmirror-*,
api-snapvault-*,api-ems-*,api-igroup-*,api-qtree-*,api-fcp-adapter-*,api-license-*,api-system-*,api-aggr-*,api-file-* - Create a new local storage controller group (such as 'sdadmin'):
useradmin group add sdadmin - Assign the new role to the newly created group:
useradmin group modify sdadmin -r sdrole -
With SDW with RPC usage:
-
create the SnapDrive Service Account (such as 'snapdrive') in an Active Directory Domain.
-
then add the 'snapdrive' AD user to the 'sdadmin' group:
useradmin domainuser add <DOMAIN>\snapdrive -g sdadmin -
add the 'snapdrive' user to the Windows host local Administrators group (Note: the SDU daemon runs with root already).
-
install or modify SnapDrive to use the 'snapdrive' service account with its services.
-
-
With SDU or SDW with http(s) usage:
-
add the local 'snapdrive' user to ONTAP:
useradmin user add snapdrive -g sdadmin
-
-
Test SnapDrive (example, create/delete snapshot, connect and disconnect snapshot, create/delete a LUN, resize a LUN).
If there are other NetApp applications running on the server (such as SnapManager for Exchange/SQL), test those applications as well.
Additional Information
For Data ONTAP 8 C-Mode and ONTAP 9 see "How to limit the privileges for SnapDrive with a role for an SVM account"