Is it possible to configure a user for ActiveIQ Unified Manager for Cluster Mode without using the Admin role?
Applies to
- ActiveIQ Unified Manager (AIQ UM)
- OnCommand Unified Manager (OCUM)
- ONTAP 9
Answer
Per the Adding Clusters section in the AIQ UM documentation, the following account information is required:
- ONTAP administrator user name and password
This account must have the admin role with Application access set to ontapi, ssh, and http.
To clarify, the 'admin' account is not required, but the user that is specified does require the admin role for the specified applications.
If you assigned a read-only role to a user for monitoring, AIQ UM would lose the ability to execute anything on the cluster.
Examples are:
- Data Protection
- EMS Subscriptions
- Registering UM with the cluster
Because limiting the scope of the ONTAP account used in AIQ UM is known to break functionality between AIQ UM and the cluster, configuring a user with a role other than admin is not supported by NetApp Technical Support at this time.
If the functionality is not required, a custom read-only user may be used after the cluster has been added to AIQ UM. Because AIQ UM registers itself in multiple places during the cluster add process, it is not possible to bypass this requirement until after the cluster has been added and the initial polling has been completed.
See KB ActiveIQ Unified Manager read-only account privileges for clustered Data ONTAP for more information on creating the read-only user.
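The account requirement above (admin role for ontapi, ssh, and http) can be checked before adding a cluster. The following is an added example, not NetApp code: it audits saved `security login show` output for a given user. The table layout, the sample rows, and the user names `umsvc` and `ummon` are constructed assumptions.

```python
import re

REQUIRED_APPS = {"ontapi", "ssh", "http"}  # applications named in this article
REQUIRED_ROLE = "admin"

# Constructed sample in the assumed layout of `security login show` output.
SAMPLE = """\
Vserver: cluster1
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
admin          console     password      admin            no     none
admin          http        password      admin            no     none
admin          ontapi      password      admin            no     none
admin          ssh         password      admin            no     none
umsvc          http        password      admin            no     none
umsvc          ontapi      password      admin            no     none
umsvc          ssh         password      readonly         no     none
ummon          ontapi      password      readonly         no     none
"""

def parse_logins(text):
    """Yield (user, application, role, locked) for each table row."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("Vserver:"):
            in_table = False              # a new Vserver block starts with headers
        elif re.match(r"^-+( +-+)+\s*$", line):
            in_table = True               # dashed rule ends the header rows
        elif in_table and len(line.split()) >= 5:
            user, app, _method, role, locked = line.split()[:5]
            yield user, app, role, locked

def check_um_account(text, user):
    """Return {application: problem} for `user`; an empty dict means it qualifies."""
    seen = {a: (r, l) for u, a, r, l in parse_logins(text) if u == user}
    problems = {}
    for app in sorted(REQUIRED_APPS):
        if app not in seen:
            problems[app] = "no login entry"
        elif seen[app][0] != REQUIRED_ROLE:
            problems[app] = f"role is {seen[app][0]!r}, not {REQUIRED_ROLE!r}"
        elif seen[app][1] == "yes":
            problems[app] = "account locked"
    return problems
```

An empty result for the chosen user means every required application has an admin-role login entry; any other result names the application that would cause the cluster add to fail the stated requirement.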
Additional Information
A Request For Enhancement (RFE) has been submitted to NetApp Engineering to provide an option to limit the required roles and privileges needed for AIQ UM to monitor the cluster. This request is tracked via Bug 1016366.