Is it possible to configure a user for ActiveIQ Unified Manager for Cluster Mode without using the Admin role?
Applies to
- ActiveIQ Unified Manager (AIQUM) 9.6+
- OnCommand Unified Manager (OCUM) 9.5 and below
- ONTAP 9
Answer
- Per the Adding Clusters section in the AIQUM documentation, AIQUM needs an ONTAP user account with the admin role and Application access set to ontapi, console, ssh and http
- Trying to assign a read-only role to a user for monitoring would break the functionality of AIQUM to execute anything on the cluster.
- Examples are:
  - Data Protection
  - EMS Subscriptions
  - Registering UM with the cluster
  - Performance polling
- Because limiting the scope of the ONTAP account used by AIQUM is known to break functionality between AIQUM and the cluster, configuring a user with a role other than admin is not supported by NetApp Technical Support at this time
- However, up to AIQUM 9.11, a custom read-only user may be used after the cluster has been added and the initial acquisition has completed, provided the functionality listed above (for example performance data collection or EMS subscriptions) is not needed
- As AIQUM registers itself in multiple places during the cluster add process, it is not possible to bypass this requirement until after the cluster has been added and the initial polling has been completed
- From AIQUM 9.12+, it is not possible to use a read-only user from the AIQUM GUI due to the introduction of mTLS functionality
- Error in the GUI:
  user '<user_name>' does not have write access to this resource
- Error in server_acq.log:
  Unable to add EMS filter rule to cluster <cluster_name>: com.netapp.oci.netapp.client.interfaces.data.EmsManagerException: Insufficient privileges: user '<user_name>' does not have write access to this resource (errno=13003)
- In order to use read-only users on AIQUM 9.12+, use the CLI to modify the user after the cluster addition/initial polling
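The following is an added example (not NetApp code and not part of this KB) that covers both points above: a pre-flight check that the ONTAP account AIQUM will use has the admin role and the four required application access types, and a scan of server_acq.log lines for the "does not have write access" message that a non-admin account produces. The account record shape is assumed to follow the ONTAP REST endpoint /api/security/accounts (fields role.name and applications[].application); the account names, cluster name and log lines are constructed sample data.

```python
"""Pre-flight check of the ONTAP account used by AIQUM, plus a scan of
server_acq.log for the privilege error a read-only account produces.

Added example, not NetApp's code. The account record shape follows the
ONTAP REST endpoint /api/security/accounts (assumption: field names
'role.name' and 'applications[].application'); sample data is constructed."""
import re

# Application access the AIQUM documentation requires on the ONTAP account.
REQUIRED_APPLICATIONS = {"ontapi", "console", "ssh", "http"}
REQUIRED_ROLE = "admin"

# Matches the server_acq.log message quoted in the KB (errno=13003).
PRIVILEGE_ERROR = re.compile(
    r"Unable to add EMS filter rule to cluster (?P<cluster>\S+):.*?"
    r"user '(?P<user>[^']+)' does not have write access to this resource"
    r".*?errno=(?P<errno>\d+)"
)


def account_gaps(account):
    """Return a list of human-readable problems with an ONTAP account record,
    empty if the account satisfies the AIQUM requirement."""
    gaps = []
    role = (account.get("role") or {}).get("name")
    if role != REQUIRED_ROLE:
        gaps.append(f"role is '{role}', AIQUM requires '{REQUIRED_ROLE}'")
    granted = {app.get("application") for app in account.get("applications", [])}
    missing = REQUIRED_APPLICATIONS - granted
    if missing:
        gaps.append("missing application access: " + ", ".join(sorted(missing)))
    return gaps


def find_privilege_errors(log_lines):
    """Scan server_acq.log lines and return (cluster, user, errno) tuples for
    each 'does not have write access' failure, the symptom of a non-admin account."""
    hits = []
    for line in log_lines:
        m = PRIVILEGE_ERROR.search(line)
        if m:
            hits.append((m.group("cluster"), m.group("user"), int(m.group("errno"))))
    return hits


# Constructed sample data: one compliant account, one read-only monitoring account.
ADMIN_ACCOUNT = {
    "name": "aiqum_svc",
    "role": {"name": "admin"},
    "applications": [{"application": a} for a in ("ontapi", "console", "ssh", "http")],
}
READONLY_ACCOUNT = {
    "name": "aiqum_ro",
    "role": {"name": "readonly"},
    "applications": [{"application": "ontapi"}, {"application": "http"}],
}
# Constructed server_acq.log excerpt modelled on the message quoted in the KB.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 INFO Starting acquisition for cluster cluster01",
    "2024-01-01 10:00:05 ERROR Unable to add EMS filter rule to cluster cluster01: "
    "com.netapp.oci.netapp.client.interfaces.data.EmsManagerException: "
    "Insufficient privileges: user 'aiqum_ro' does not have write access "
    "to this resource (errno=13003)",
]

if __name__ == "__main__":
    for acct in (ADMIN_ACCOUNT, READONLY_ACCOUNT):
        problems = account_gaps(acct)
        print(acct["name"], "OK" if not problems else "; ".join(problems))
    for cluster, user, errno in find_privilege_errors(SAMPLE_LOG):
        print(f"cluster {cluster}: user {user} lacks write access (errno={errno})")
```

Running the check against the read-only account reports the non-admin role and the missing console and ssh access; running the log scan over the sample lines surfaces the same cluster add failure the KB describes, which is the signal to look for before opening a case.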
Additional Information
See also: ActiveIQ Unified Manager read-only account privileges for clustered Data ONTAP