Cluster-Mode vServer Management: How to set up Management Roles
Applies to
Clustered Data ONTAP 8.1
Description
Data ONTAP 8.1 Cluster-Mode adds the ability to restrict users to managing only specific Vservers.
For example, if a storage administrator wants certain users to log in and only view or manage objects that belong to one Vserver, this can be achieved by combining Vserver management LIFs with role-based access control (RBAC).
Terminology
Access Levels
Access levels specify how much access a user has to a command directory. The access levels are readonly, all and none.
Command Directories
Command directories are the subset of commands that a cluster administrator allows a user to access. They can be specified at a very granular level, but each entry must contain the full command directory path (for example, "volume move" rather than just "move").
Some commands are not supported for Vserver administrators. If a specified command directory contains such commands, output like the following is seen:
::> security login role create -role test -cmddirname "job" -access readonly -vserver vsRBAC
Warning: "test" role has no access to the following commands (they are unsupported for Vserver administrators):
job schedule show-jobs
::> security login role create -role test -cmddirname "statistics show" -access readonly -vserver vsRBAC
Error: command failed: invalid operation
Vsadmin
The vsadmin user is locked by default and needs to be unlocked to be usable.
By default, the vsadmin role contains the following entries:
::> security login role show -vserver vsRBAC -role vsadmin
        Role          Command/                         Access
Vserver Name          Directory                 Query  Level
------- ------------- -------------------------------- -------------------
vsRBAC  vsadmin       DEFAULT                          none
vsRBAC  vsadmin       dashboard health vserver         readonly
vsRBAC  vsadmin       job                              all
vsRBAC  vsadmin       job schedule                     none
vsRBAC  vsadmin       lun                              all
vsRBAC  vsadmin       network connections              readonly
vsRBAC  vsadmin       network connections active show-clients none
vsRBAC  vsadmin       network connections active show-protocols none
vsRBAC  vsadmin       network connections active show-services none
vsRBAC  vsadmin       network interface                readonly
vsRBAC  vsadmin       network interface failover-groups none
vsRBAC  vsadmin       network routing-groups           readonly
vsRBAC  vsadmin       security login password          all
vsRBAC  vsadmin       security login publickey         all
vsRBAC  vsadmin       security login role show-ontapi  all
vsRBAC  vsadmin       set                              all
vsRBAC  vsadmin       version                          all
vsRBAC  vsadmin       volume                           all
vsRBAC  vsadmin       volume copy                      none
vsRBAC  vsadmin       volume efficiency                none
vsRBAC  vsadmin       volume move                      none
vsRBAC  vsadmin       vserver                          readonly
vsRBAC  vsadmin       vserver cifs                     all
vsRBAC  vsadmin       vserver export-policy            all
vsRBAC  vsadmin       vserver fcp                      all
vsRBAC  vsadmin       vserver iscsi                    all
vsRBAC  vsadmin       vserver locks                    all
vsRBAC  vsadmin       vserver name-mapping             all
vsRBAC  vsadmin       vserver nfs                      all
vsRBAC  vsadmin       vserver services                 all
vsRBAC  vsadmin       vserver services kerberos-realm  none
vsRBAC  vsadmin       vserver services ldap client     readonly
vsRBAC  vsadmin       vserver services web             none
33 entries were displayed.
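The access resolution behind entries like "volume all" and "volume move none", as an added Python example that is not part of this article or of Data ONTAP: it parses the data rows of the output above and returns the access level the role grants for a full command, assuming that the most specific (longest) matching command directory wins and that DEFAULT applies when nothing else matches; ROLE_SHOW_OUTPUT is a constructed subset of the vsadmin entries listed above.

```python
# Added example, not from the KB article: parse the data rows of
# "security login role show" and resolve the access a Vserver-scoped role
# grants for a full command. Assumed rule: the entry with the longest matching
# command directory wins; the DEFAULT entry applies when nothing else matches.
ACCESS_LEVELS = ("none", "readonly", "all")

# Constructed sample: a subset of the vsadmin entries listed in the article.
ROLE_SHOW_OUTPUT = """\
vsRBAC vsadmin DEFAULT none
vsRBAC vsadmin job all
vsRBAC vsadmin job schedule none
vsRBAC vsadmin network interface readonly
vsRBAC vsadmin network interface failover-groups none
vsRBAC vsadmin volume all
vsRBAC vsadmin volume move none
vsRBAC vsadmin vserver readonly
vsRBAC vsadmin vserver services all
vsRBAC vsadmin vserver services ldap client readonly
10 entries were displayed.
"""

def parse_role_show(text):
    """Return (vserver, role, cmddir_words, access) tuples for each data row.

    Header, separator and "N entries were displayed." lines never end in an
    access level, so they are skipped. DEFAULT becomes the empty tuple ().
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[-1] not in ACCESS_LEVELS:
            continue
        words = parts[2:-1]
        cmddir = () if words == ["DEFAULT"] else tuple(words)
        entries.append((parts[0], parts[1], cmddir, parts[-1]))
    return entries

def effective_access(entries, command):
    """Access for a command: the longest matching command directory wins."""
    words = tuple(command.split())
    best = None  # (cmddir, access) of the most specific match so far
    for _vserver, _role, cmddir, access in entries:
        if words[:len(cmddir)] != cmddir:
            continue
        if best is None or len(cmddir) > len(best[0]):
            best = (cmddir, access)
    return best[1] if best else "none"  # no DEFAULT row at all: deny

ENTRIES = parse_role_show(ROLE_SHOW_OUTPUT)
```

Running effective_access(ENTRIES, "volume move start") returns "none" even though "volume" is granted "all", which is why a parent grant must be read together with its more specific child entries before concluding what a Vserver administrator can do.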