
Cluster-Mode vServer Management: How to set up Management Roles

Category: clustered-data-ontap-8
Specialty: NAS

Applies to

Clustered Data ONTAP 8.1 

Description

Data ONTAP 8.1 Cluster-Mode adds the ability to restrict users to managing only specific vservers.

For example, a storage system admin who wants users to log in and view or manage objects for one specific vserver only can do so by combining vserver management LIFs with role-based access control (RBAC).

Terminology

Access Levels
Access levels specify what level of access a user can have. The access levels include readonly, all and none.

Command Directories
Command directories are the subset of commands that a cluster admin allows a user to access. They can be specified at a very granular level, but each entry must contain the full command directory structure.

Some specified commands might not be supported for vserver management. In that case, the CLI returns output like the following:

::> security login role create -role test -cmddirname "job" -access readonly -vserver vsRBAC

Warning: "test" role has no access to the following commands (they are unsupported for Vserver administrators):
job schedule show-jobs

::> security login role create -role test -cmddirname "statistics show" -access readonly -vserver vsRBAC

Error: command failed: invalid operation

Vsadmin
The vsadmin user is locked by default and needs to be unlocked to be usable.

By default, the vsadmin role is granted the following access:

::> security login role show -vserver vsRBAC -role vsadmin
           Role       Command/                                             Access
Vserver    Name       Directory                                  Query     Level
---------- ---------- ------------------------------------------ --------- --------
vsRBAC     vsadmin    DEFAULT                                              none
vsRBAC     vsadmin    dashboard health vserver                             readonly
vsRBAC     vsadmin    job                                                  all
vsRBAC     vsadmin    job schedule                                         none
vsRBAC     vsadmin    lun                                                  all
vsRBAC     vsadmin    network connections                                  readonly
vsRBAC     vsadmin    network connections active show-clients              none
vsRBAC     vsadmin    network connections active show-protocols            none
vsRBAC     vsadmin    network connections active show-services             none
vsRBAC     vsadmin    network interface                                    readonly
vsRBAC     vsadmin    network interface failover-groups                    none
vsRBAC     vsadmin    network routing-groups                               readonly
vsRBAC     vsadmin    security login password                              all
vsRBAC     vsadmin    security login publickey                             all
vsRBAC     vsadmin    security login role show-ontapi                      all
vsRBAC     vsadmin    set                                                  all
vsRBAC     vsadmin    version                                              all
vsRBAC     vsadmin    volume                                               all
vsRBAC     vsadmin    volume copy                                          none
vsRBAC     vsadmin    volume efficiency                                    none
vsRBAC     vsadmin    volume move                                          none
vsRBAC     vsadmin    vserver                                              readonly
vsRBAC     vsadmin    vserver cifs                                         all
vsRBAC     vsadmin    vserver export-policy                                all
vsRBAC     vsadmin    vserver fcp                                          all
vsRBAC     vsadmin    vserver iscsi                                        all
vsRBAC     vsadmin    vserver locks                                        all
vsRBAC     vsadmin    vserver name-mapping                                 all
vsRBAC     vsadmin    vserver nfs                                          all
vsRBAC     vsadmin    vserver services                                     all
vsRBAC     vsadmin    vserver services kerberos-realm                      none
vsRBAC     vsadmin    vserver services ldap client                         readonly
vsRBAC     vsadmin    vserver services web                                 none
33 entries were displayed.
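
The listing above mixes broad grants with narrower overrides (for example, volume is all while volume move is none). The following is an added example, not part of the NetApp article, that parses such rows and resolves the effective access for a given command so that a role can be reviewed for least privilege. It assumes the most specific matching command directory takes precedence, that DEFAULT applies when nothing matches, and that the Query column is empty as in the listing; the function names are hypothetical.

```python
# Added example: audit rows from `security login role show` for one role.
# Assumption (labelled): the most specific matching command directory wins,
# and the DEFAULT entry applies when no directory matches.

# Constructed sample: a subset of the vsadmin rows shown in the article.
SAMPLE = """\
vsRBAC     vsadmin    DEFAULT                                    none
vsRBAC     vsadmin    job                                        all
vsRBAC     vsadmin    job schedule                               none
vsRBAC     vsadmin    network interface                          readonly
vsRBAC     vsadmin    volume                                     all
vsRBAC     vsadmin    volume move                                none
vsRBAC     vsadmin    vserver                                    readonly
vsRBAC     vsadmin    vserver nfs                                all
"""

ACCESS_LEVELS = {"none", "readonly", "all"}


def parse_role_rows(text):
    """Return {command_directory_words: access_level} for each data row."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows: vserver, role, directory words..., access level.
        # Prompt, header, separator and summary lines fail this check.
        if len(fields) < 4 or fields[-1] not in ACCESS_LEVELS:
            continue
        rules[tuple(fields[2:-1])] = fields[-1]
    return rules


def effective_access(rules, command):
    """Longest-prefix match of `command` against the role's directories."""
    words = tuple(command.split())
    for n in range(len(words), 0, -1):
        if words[:n] in rules:
            return rules[words[:n]]
    return rules.get(("DEFAULT",), "none")


def writable_directories(rules):
    """Directories granted `all`: the entries to review for least privilege."""
    return sorted(" ".join(d) for d, level in rules.items() if level == "all")
```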

 
