Cluster-Mode vServer Management: How to set up Management Roles

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 1,032

Visibility:: Public

Votes:: 0

Category:: clustered-data-ontap-8

Specialty:: nas

Last Updated:

Applies to

Clustered Data ONTAP 8.1

Description

In Data ONTAP 8.1 Cluster-Mode, the ability to have users manage only specific vservers has been added.

For example, if a storage system admin wants to allow users to log in and only be able to view or manage objects for a specific vserver, they could do this through the concept of vServer management LIFs and RBAC.

Terminology

Access Levels
Access levels specify what level of access a user can have. The access levels include readonly, all and none.

Command Directories
Command directories will be the subset of commands that a cluster-admin will allow access to for a user. These commands can be specified at a very granular level but must contain the full command directory structure.

Some specified commands might not be supported for vserver management. If this is the case, the following output will be seen:

::> security login role create -role test -cmddirname "job" -access readonly -vserver vsRBAC

Warning: "test" role has no access to the following commands (they are unsupported for Vserver administrators): job schedule show-jobs ::> security login role create -role test -cmddirname "statistics show" -access readonly -vserver vsRBAC

Error: command failed: invalid operation

Vsadmin
The vsadmin user is locked by default and needs to be unlocked to be usable.

By default, the following roles are allowed to the vsadmin:

::> security login role show -vserver vsRBAC -role vsadmin Role Command/ Access Vserver Name Directory Query Level ------- ------------- -------------------------------- ------------------- vsRBAC vsadmin DEFAULT none vsRBAC vsadmin dashboard health vserver readonly vsRBAC vsadmin job all vsRBAC vsadmin job schedule none vsRBAC vsadmin lun all vsRBAC vsadmin network connections readonly vsRBAC vsadmin network connections active show-clients none vsRBAC vsadmin network connections active show-protocols none vsRBAC vsadmin network connections active show-services none vsRBAC vsadmin network interface readonly vsRBAC vsadmin network interface failover-groups none vsRBAC vsadmin network routing-groups readonly vsRBAC vsadmin security login password all vsRBAC vsadmin security login publickey all vsRBAC vsadmin security login role show-ontapi all vsRBAC vsadmin set all vsRBAC vsadmin version all vsRBAC vsadmin volume all vsRBAC vsadmin volume copy none vsRBAC vsadmin volume efficiency none vsRBAC vsadmin volume move none vsRBAC vsadmin vserver readonly vsRBAC vsadmin vserver cifs all vsRBAC vsadmin vserver export-policy all vsRBAC vsadmin vserver fcp all vsRBAC vsadmin vserver iscsi all vsRBAC vsadmin vserver locks all vsRBAC vsadmin vserver name-mapping all vsRBAC vsadmin vserver nfs all vsRBAC vsadmin vserver services all vsRBAC vsadmin vserver services kerberos-realm none vsRBAC vsadmin vserver services ldap client readonly vsRBAC vsadmin vserver services web none 33 entries were displayed.