NetApp Knowledgebase

Cluster-Mode vServer Management: How to set up Management Roles

Category: data-ontap-8
Specialty: cifs

Applies to

Clustered Data ONTAP 8.1 

Description

Data ONTAP 8.1 Cluster-Mode adds the ability to restrict users to managing only specific Vservers.

For example, if a storage system admin wants to allow users to log in and view or manage objects for one specific Vserver only, this can be done with Vserver management LIFs and role-based access control (RBAC).

Terminology

Access Levels
Access levels specify what level of access a user can have. The access levels include readonly, all and none.

Command Directories
Command directories are the subset of commands to which a cluster admin allows a user access. These commands can be specified at a very granular level, but each entry must contain the full command directory structure.

Some commands might not be supported for Vserver management. When such a command is specified, the role creation returns a warning or an error, as in the following output:

::> security login role create -role test -cmddirname "job" -access readonly -vserver vsRBAC

Warning: "test" role has no access to the following commands (they are unsupported for Vserver administrators):
job schedule show-jobs

::> security login role create -role test -cmddirname "statistics show" -access readonly -vserver vsRBAC

Error: command failed: invalid operation

Vsadmin
The vsadmin user is locked by default and needs to be unlocked to be usable.

By default, the vsadmin role is allowed the following command directories:

::> security login role show -vserver vsRBAC -role vsadmin
           Role       Command/                                         Access
Vserver    Name       Directory                                  Query Level
---------- ---------- ------------------------------------------ ----- --------
vsRBAC     vsadmin    DEFAULT                                          none
vsRBAC     vsadmin    dashboard health vserver                         readonly
vsRBAC     vsadmin    job                                              all
vsRBAC     vsadmin    job schedule                                     none
vsRBAC     vsadmin    lun                                              all
vsRBAC     vsadmin    network connections                              readonly
vsRBAC     vsadmin    network connections active show-clients          none
vsRBAC     vsadmin    network connections active show-protocols        none
vsRBAC     vsadmin    network connections active show-services         none
vsRBAC     vsadmin    network interface                                readonly
vsRBAC     vsadmin    network interface failover-groups                none
vsRBAC     vsadmin    network routing-groups                           readonly
vsRBAC     vsadmin    security login password                          all
vsRBAC     vsadmin    security login publickey                         all
vsRBAC     vsadmin    security login role show-ontapi                  all
vsRBAC     vsadmin    set                                              all
vsRBAC     vsadmin    version                                          all
vsRBAC     vsadmin    volume                                           all
vsRBAC     vsadmin    volume copy                                      none
vsRBAC     vsadmin    volume efficiency                                none
vsRBAC     vsadmin    volume move                                      none
vsRBAC     vsadmin    vserver                                          readonly
vsRBAC     vsadmin    vserver cifs                                     all
vsRBAC     vsadmin    vserver export-policy                            all
vsRBAC     vsadmin    vserver fcp                                      all
vsRBAC     vsadmin    vserver iscsi                                    all
vsRBAC     vsadmin    vserver locks                                    all
vsRBAC     vsadmin    vserver name-mapping                             all
vsRBAC     vsadmin    vserver nfs                                      all
vsRBAC     vsadmin    vserver services                                 all
vsRBAC     vsadmin    vserver services kerberos-realm                  none
vsRBAC     vsadmin    vserver services ldap client                     readonly
vsRBAC     vsadmin    vserver services web                             none
33 entries were displayed.
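
When reviewing a role for least privilege, it helps to resolve which table entry governs a given command. The following is an added example, not NetApp code or part of the original article: it parses output in the format shown above and assumes that the most specific (longest) matching command directory takes precedence over its parent and over DEFAULT, and that the Query column is empty. `SAMPLE` is a constructed excerpt of the table above; the function names are hypothetical.

```python
# Added example: resolve the effective access a role grants for a command.
# SAMPLE is a constructed excerpt of the vsadmin role table shown above.
SAMPLE = """\
Vserver    Name       Directory             Query Level
vsRBAC     vsadmin    DEFAULT                     none
vsRBAC     vsadmin    job                         all
vsRBAC     vsadmin    job schedule                none
vsRBAC     vsadmin    network interface           readonly
vsRBAC     vsadmin    volume                      all
vsRBAC     vsadmin    volume move                 none
vsRBAC     vsadmin    vserver cifs                all
7 entries were displayed.
"""

ACCESS_LEVELS = {"none", "readonly", "all"}


def parse_role_table(text):
    """Return {(vserver, role): {command_directory_words: access_level}}."""
    roles = {}
    for line in text.splitlines():
        fields = line.split()
        # A data row is: vserver, role, 1+ command words, access level.
        # Headers, separators and the "N entries" footer fail this check.
        if len(fields) < 4 or fields[-1] not in ACCESS_LEVELS:
            continue
        vserver, role, *cmddir, access = fields
        roles.setdefault((vserver, role), {})[tuple(cmddir)] = access
    return roles


def effective_access(rules, command):
    """Return (matching directory, access level) for a full command.

    Assumption: the longest matching command directory wins, and DEFAULT
    applies when no entry matches. A table without DEFAULT fails closed.
    """
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if words[:n] in rules:
            return " ".join(words[:n]), rules[words[:n]]
    return "DEFAULT", rules.get(("DEFAULT",), "none")


if __name__ == "__main__":
    rules = parse_role_table(SAMPLE)[("vsRBAC", "vsadmin")]
    for cmd in ("volume create", "volume move start", "statistics show"):
        print(cmd, "->", effective_access(rules, cmd))
```

Under the stated assumption, a `none` entry on a subdirectory such as `volume move` narrows the broader `all` granted on `volume`, which is the pattern to look for when checking that a custom role does not inherit more than intended.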

 
