This article describes working with RBAC when you are using VSC 4.2. It contains the following
information:
• vCenter Server and Data ONTAP RBAC concepts
• Best practices for working with vCenter Server RBAC
• Tips for upgrading roles from a previous release or adding new roles
• Upgrading custom vCenter Server roles to standard roles provided by VSC 4.2
• Adding a new vCenter Server role
• Privileges used in standard, VSC-specific roles
  • VSC Administrator
  • VSC Read-only
  • VSC Provision
  • VSC Clone
  • VSC Scan/Migrate
  • VSC Backup
  • VSC Restore
• Working with Data ONTAP RBAC roles
• (Clustered Data ONTAP) Adding an RBAC role
• (Data ONTAP operating in 7-Mode) Adding an RBAC role
vCenter Server and Data ONTAP RBAC concepts
General concepts for working with vCenter Server RBAC and Data ONTAP RBAC in a
VSC environment are provided in the “Virtual Storage System 4.2 for VMware vSphere
Installation and Administration Guide,” which is available for download from the Virtual
Storage Console for VMware vSphere product library (http://libraryclnt.dmz.netapp.com/documentation/productlibrary/index.html?productID=30048) on
the NetApp Support Site.
You should be familiar with the concepts, such as vCenter Server permissions, that are
presented in the VSC install guide before performing the steps supplied in this article for
setting up RBAC.
Best practices for working with vCenter Server RBAC
To simplify using vCenter Server RBAC, VSC 4.2 includes several standard, VSC-specific
roles. These roles use vCenter Server permissions that contain both the VSC-specific
privileges and the native vCenter Server privileges that you need to perform standard VSC
tasks.
If the standard, VSC-specific roles are too fine-grained for the tasks you want a user to
perform, you can combine the roles to expand the tasks for that user. You do this by cloning
these roles and using the cloned roles to create custom roles for your system. Or you can set
up a group for each task and add the user to both groups.
Keep in mind that, if you create custom roles by cloning standard, VSC-specific roles, you
must maintain your custom roles. VSC does not maintain or update these roles over
upgrades.
A list of the standard, VSC-specific roles and the privileges they contain is available in the
section “Privileges used in standard, VSC-specific roles.”
Note: When you use the standard, VSC-specific roles, you must assign the permission to the
root object and propagate it to the child objects. This is because some native vCenter Server
privileges included in these roles can only be validated by the vCenter Server on the root
object in the inventory. For example, permissions containing the Task Create privilege must
be assigned to the root object.
For more information about:
• Standard VSC roles for vCenter Servers, see the “Virtual Storage System 4.2 for VMware
vSphere Installation and Administration Guide.”
• Creating your own roles, see VMware's vSphere Basic System Administration guide,
Section 18 (Managing Users, Groups, Roles, and Permissions).
Tips for upgrading roles from a previous release or adding new roles
If you are upgrading to VSC 4.2 from an earlier version of VSC where you were using
custom roles you had created, you can easily upgrade those roles to the standard, VSC-specific roles.
You can also create custom roles for VSC 4.2.
Before you add your own vCenter Server roles, you must make the following decisions:
1. Define the task you want a VSC user to be able to perform.
2. Determine which VSC-specific and native vCenter Server privileges are required to
perform that task.
Note: VSC provides a product-level privilege called View. This privilege provides read-only
access to the VSC GUI. You must include this privilege as part of each role you
create. Without it, the user cannot access VSC.
3. Determine the object to which you must assign the vCenter Server permission. The
permission contains all the VSC-specific and native vCenter Server privileges required
for the task. If you assign the permission at the wrong level, the VSC task will not
complete successfully.
Tip: You should always assign privileges to the root object. Both VMware and NetApp
recommend this as a best practice. Setting permissions on the root object normally allows
all the child objects to inherit those permissions, unless you place a restriction on a child
object to exclude it. If your company's security policies require more restrictive
permissions, you can restrict those entities that you do not want to have the permission.
4. Make sure that any time you create a role, you include the VSC-specific View privilege.
For detailed information about vCenter Server native privileges, see VMware's vSphere
Security guide. NetApp follows the VMware recommendations for creating and using
permissions.
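The decisions above can be checked mechanically before a custom role is handed to users. The following Python is an added example, not NetApp or VMware code: it models roles as sets of privilege names (spelled the way the tables in this article spell them), models permissions as (principal, object, role, propagate) records, uses an assumed label "root" for the top-level inventory object, and runs over constructed sample data. It flags a role that lacks the VSC-specific View privilege, a role containing Tasks > Create tasks that is assigned anywhere but the root object or without propagation, and a second permission for the same user or group on one object; effective_privileges shows how one user in several task-specific groups ends up with the union of those groups' roles.

```python
"""Lint vCenter Server roles and permission assignments against the VSC 4.2
rules stated in this article. Added example, not NetApp or VMware code;
ROOT_OBJECT is an assumed label and the sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

VIEW_PRIV = "NetApp Virtual Storage Console > View"   # VSC-specific read-only View privilege
TASK_CREATE_PRIV = "Tasks > Create tasks"             # validated by vCenter only on the root object
ROOT_OBJECT = "root"                                  # assumption: label for the inventory root


@dataclass(frozen=True)
class Permission:
    principal: str   # vCenter user or group
    entity: str      # inventory object the permission is assigned to
    role: str        # role name
    propagate: bool  # "Propagate to Child Objects" checked?


def lint(roles: Dict[str, Set[str]], perms: Iterable[Permission]) -> List[str]:
    """Return one finding per violated rule; an empty list means every check passed."""
    findings: List[str] = []
    # Rule 1: every role used with VSC must include the View privilege.
    for name, privs in roles.items():
        if VIEW_PRIV not in privs:
            findings.append(f"role {name!r} lacks {VIEW_PRIV!r}: users holding it cannot open VSC")
    seen = set()
    for p in perms:
        privs = roles.get(p.role)
        if privs is None:
            findings.append(f"permission for {p.principal!r} names unknown role {p.role!r}")
            continue
        # Rule 2: Task Create is only validated on the root object, so the
        # permission must sit on root and propagate to the child objects.
        if TASK_CREATE_PRIV in privs:
            if p.entity != ROOT_OBJECT:
                findings.append(f"role {p.role!r} contains {TASK_CREATE_PRIV!r} but is assigned "
                                f"to {p.entity!r}, not the root object")
            if not p.propagate:
                findings.append(f"permission for {p.principal!r} on {p.entity!r} is not "
                                f"propagated to child objects")
        # Rule 3: only one permission per user or group on a given object.
        key = (p.principal, p.entity)
        if key in seen:
            findings.append(f"{p.principal!r} already has a permission on {p.entity!r}: "
                            f"vCenter allows only one per user or group")
        seen.add(key)
    return findings


def effective_privileges(user: str, groups: Dict[str, Set[str]],
                         roles: Dict[str, Set[str]], perms: Iterable[Permission]) -> Set[str]:
    """Union of privileges a user gets directly and through group membership:
    the 'one user in several task groups' pattern the article recommends."""
    principals = {user} | groups.get(user, set())
    privs: Set[str] = set()
    for p in perms:
        if p.principal in principals:
            privs |= roles.get(p.role, set())
    return privs


# Constructed sample data: one standard-style role and one defective custom role.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "VSC Clone": {VIEW_PRIV, TASK_CREATE_PRIV,
                  "Virtual Machine > Provisioning > Clone virtual machine"},
    "Custom NoView": {TASK_CREATE_PRIV},          # forgot the View privilege
}
SAMPLE_PERMS = [
    Permission("VSC_PnC", ROOT_OBJECT, "VSC Clone", True),       # correct
    Permission("ops", "Datacenter1", "Custom NoView", True),     # wrong object
    Permission("ops", "Datacenter1", "VSC Clone", False),        # wrong object, no propagate, duplicate
]
SAMPLE_GROUPS = {"alice": {"VSC_PnC"}}   # alice is a member of the VSC_PnC group

if __name__ == "__main__":
    for finding in lint(SAMPLE_ROLES, SAMPLE_PERMS):
        print("FINDING:", finding)
    print("alice gets:", sorted(effective_privileges("alice", SAMPLE_GROUPS, SAMPLE_ROLES, SAMPLE_PERMS)))
```

Run the file directly to see the findings for the sample data; feed it your own role and permission export to audit an existing vCenter configuration against the same rules.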
Upgrading custom vCenter Server roles to standard roles provided by VSC 4.2
If you are upgrading to VSC 4.2 from a previous release where you had set up custom roles,
you can leverage the vCenter Server RBAC features provided in VSC 4.2.
Basically, you just take your current VSC users, unmap them from your custom roles, and
then map them to the standard roles provided in VSC 4.2. The following steps provide details
on how to do this.
1. Begin by verifying that the new roles exist. Under Administration, click Roles.
2. The Roles panel appears and displays the current roles. The new roles are shown at the
bottom of the panel.
3. To modify an existing user/group and upgrade them to a new role, return to the main
view in the vSphere client and highlight the top level tree on the left pane.
Note: When you use the standard, VSC-specific roles, you must assign the permission to
the root object and propagate it to the child objects. This is because some native vCenter
Server privileges included in these roles can only be validated by the vCenter Server on
the root object in the inventory. For example, the Task Create privilege must be assigned
to the root object. Setting permissions on the root object normally allows all the child
objects to inherit those permissions, unless you place a restriction on a child object to
exclude it. If your company's security policies require more restrictive permissions, you
can restrict those entities that you do not want to have the permission.
4. Select the Permissions tab. Doing this displays the current roles and the user/group that
each role is assigned to.
5. Select Change Access Rule and choose the role you want to change.
This example uses PnC_VSC41, which is associated with the user/group VSC_PnC, as
the role that needs to change.
6. Select OK.
7. Now select the new role that you want.
This example uses the standard, VSC-specific role VSC Clone as the new role.
8. Return to the Permissions tab to verify that the change occurred. The user/group
VSC_PnC should now display VSC Clone as the role.
Adding a new vCenter Server role
VSC 4.2 includes several standard, VSC-specific roles that include all the VSC-specific
privileges and the native vCenter Server privileges that you need to perform standard VSC
tasks. For a list of the privileges included in each role, see the section “Privileges used in
standard VSC-specific roles.” NetApp recommends that you use these roles.
Note: When you use the standard, VSC-specific roles, you must assign the permission to the
root object and propagate it to the child objects. This is because some native vCenter Server
privileges included in these roles can only be validated by the vCenter Server on the root
object in the inventory. For example, the Task Create privilege must be assigned to the root
object. Setting permissions on the root object normally allows all the child objects to inherit
those permissions, unless you place a restriction on a child object to exclude it. If your
company's security policies require more restrictive permissions, you can restrict those
entities that you do not want to have the permission.
If you need to create custom roles for your environment and you have already determined the
task you want to perform, the privileges it requires, and the object you need to assign the
permission to, you can complete the following steps to add a role.
1. To create the roles and assign privileges to them, navigate to the Home screen in the
vSphere client and, under Administration, click Roles.
2. Select Add Role.
3. Create a role for each task and assign the required VSC-specific and native vCenter
Server privileges to it.
Remember that you must include the VSC-specific, read-only View privilege. Without
this privilege, the user will not be able to access VSC.
4. Add users and/or groups to the roles you created. In the vCenter Server, highlight the
datacenter level, and then click the Permissions tab.
Note: When you use the standard, VSC-specific roles, you must assign the permission to
the root object and propagate it to the child objects. This is because some native vCenter
Server privileges included in these roles can only be validated by the vCenter Server on
the root object in the inventory. For example, the Task Create privilege must be assigned
to the root object. Setting permissions on the root object normally allows all the child
objects to inherit those permissions, unless you place a restriction on a child object to
exclude it. If your company's security policies require more restrictive permissions, you
can restrict those entities that you do not want to have the permission.
5. Right-click and select Add Permission. When the Assign Permissions dialog box
appears, assign the role to one of the displayed users or groups. You can only assign one
permission to a vCenter Server user or group.
Tip: It is a good practice to set up high-level groups and assign a single user to multiple
groups. Doing that both allows the user to have all the permissions provided by the
different groups and simplifies managing the permissions because you do not need to
repeatedly set up the same permission for each individual user.
6. If you want all the child objects to inherit this permission, check the box: Propagate to
Child Objects.
Privileges used in standard, VSC-specific roles
The standard, VSC-specific roles provide all the privileges necessary to perform the task
associated with that role. The sections that follow show the standard, VSC-specific roles
and the privileges associated with each role.
Note: When you use the standard, VSC-specific roles, you must assign the permission to
the root object and propagate it to the child objects. This is because some native vCenter
Server privileges included in these roles can only be validated by the vCenter Server on
the root object in the inventory. For example, the Task Create privilege must be assigned
to the root object. Setting permissions on the root object normally allows all the child
objects to inherit those permissions, unless you place a restriction on a child object to
exclude it. If your company's security policies require more restrictive permissions, you
can restrict those entities that you do not want to have the permission.
All of these roles include the VSC-specific View privilege. Without this privilege, the
user cannot access the VSC GUI.
VSC Administrator role
Folder, followed by its privileges:
Datastore
• Allocate space
• Browse datastore
• Low level file operations
• Remove file
• Remove datastore
• Rename datastore
• Move a datastore
• Update virtual machine files
Datastore cluster
• Configure a datastore cluster
(vCenter Server 5.1) dvPort group
(Previous releases of vCenter Server called this “Distributed virtual port group”.)
• Modify
(vCenter Server 5.1) Distributed switch
(Previous releases of vCenter Server called this “Distributed virtual switch”.)
• Modify
• Port configuration operation
• Port setting operation
Extension
• Register extension
• Update extension
Global
• Cancel task
• Diagnostics
• Licenses
• Log event
• Manage custom attributes
• Settings
• Set Custom Attributes
Host > Configuration
• Advanced settings
• Security profile and firewall
• Storage partition configuration
• Query patch
• Change Settings
• System resources
Host > Cim
• CimInteraction
Host > Local
• Create virtual machine
• Delete virtual machine
• Reconfig virtual machine
• Relayout snapshots
NetApp Virtual Storage Console > Optimization and Migration
• Configure
• Initiate Scan
• Migrate virtual machines
NetApp Virtual Storage Console > Monitoring and Host Configuration > Manage
• Recommended Settings
• Deploy VAAIPlugin
NetApp Virtual Storage Console > Monitoring and Host Configuration > Configure
• Recommended Settings
• Deploy VAAIPlugin
NetApp Virtual Storage Console > Provisioning and Cloning
• Configure
• Create Rapid Clones
• Datastore
  • Manage Datastores
  • Provision
• Distribute templates
• Re-deploy clones
• Reclaim space
NetApp Virtual Storage Console > Backup and Recover > Backup
• Backup NOW
• Backup Scheduled
• Delete Backup/Job
• Configure
NetApp Virtual Storage Console > Backup and Recover > Recovery
• Mount/UnMount
• Recover Datastore
• Recover VM
• Single-File Recovery
NetApp Virtual Storage Console
• View
Network
• Assign network
Resource
• Assign virtual machine to resource pool
• Apply a DRS vMotion recommendation
• (vCenter Server 4.x) Relocate
• Query vMotion
• Migrate
Tasks
• Create tasks
• Update tasks
Virtual Machine > Configuration
• Add existing disk
• Add new disk
• Add or remove device
• Advanced
• Change CPU count
• Change resource
• Disk change tracking
• Extend virtual disk
• Host USB device
• Memory
• Modify device settings
• Raw device
• Remove disk
• Reload from path
• Rename
• (vCenter Server 5.0) Set annotation
• Settings
• Swapfile placement
• Upgrade virtual hardware
Virtual Machine > Guest Operations
• Guest operation modifications
• Guest Operation Program Execution
• Guest Operation Queries
Virtual Machine > Interaction
• Answer question
• Configure CD media
• Configure floppy media
• Device connection
• Power off
• Power on
Virtual Machine > Inventory
• Create from existing
• Create new
• Remove
• Register
• Unregister
Virtual Machine > (vCenter Server 5.1) Snapshot Management
(Previous vCenter Server versions called this “State”.)
• Create Snapshot copy
• Remove Snapshot copy
• Rename Snapshot copy
• Revert to Snapshot copy
Virtual Machine > Provisioning
• Allow disk access
• Allow read-only disk access
• Allow virtual machine download
• Clone template
• Clone virtual machine
• Create template from virtual machine
• Customize
• Deploy template
• Read customization specifications
VSC Read-only role
Folder, followed by its privileges:
NetApp Virtual Storage Console
• View
Datastore
• Update virtual machine files
Global
• Diagnostics
• Manage custom attributes
• Set Custom Attributes
Host > Config
• Change Settings
Host > Cim
• CimInteraction
Tasks
• Create tasks
• Update tasks
Virtual Machine > Configuration
• Add existing disk
• Add new disk
• Add or remove device
• Raw device
• Remove disk
• (vCenter Server 5.0) Set annotation
Virtual Machine > Interact
• Power off
• Power on
Virtual Machine > Guest Operations
• Guest operation modifications
• Guest Operation Program Execution
• Guest Operation Queries
VSC Provision role
Folder, followed by its privileges:
NetApp Virtual Storage Console > Provisioning and Cloning > Datastore
• Manage datastores
• Provision
Datastore
• Allocate space
• Browse datastore
• Low level file operations
• Remove file
• Rename datastore
• Move a datastore
Datastore cluster
• Configure a datastore cluster
Global
• Licenses
• Log event
• Manage custom attributes
• Settings
• Cancel task
Host > Configuration
• Advanced settings
• Security profile and firewall
• Storage partition configuration
NetApp Virtual Storage Console
• View
Tasks
• Create tasks
• Update tasks
Virtual Machine > Provisioning
• Allow disk access
• Allow Read-only disk access
• Customize
• Read customization specifications
Virtual Machine > Interaction
• Power off
Virtual Machine > Inventory
• Remove
• Unregister
VSC Clone role
Folder, followed by its privileges:
Datastore
• Allocate space
• Browse datastore
• Low level file operations
• Remove file
• Rename datastore
Global
• Log event
• Manage custom attributes
• Settings
• Set Custom Attributes
Host > Configuration
• Advanced settings
• Security profile and firewall
• Storage partition configuration
NetApp Virtual Storage Console > Provisioning and Cloning > Datastore
• Create Rapid Clones
• Re-deploy clones
NetApp Virtual Storage Console
• View
Network
• Assign network
Resource
• Assign virtual machine to resource pool
Tasks
• Create tasks
• Update tasks
Virtual Machine > Configuration
• Add existing disk
• Add new disk
• Add or remove device
• Advanced
• Change CPU count
• Change resource
• Disk change tracking
• Extend virtual disk
• Host USB device
• Memory
• Modify device settings
• Raw device
• Remove disk
• Rename
• (vCenter Server 5.0) Set annotation
• Settings
• Swapfile placement
• Upgrade virtual hardware
Virtual Machine > Interaction
• Answer question
• Power on
• Power off
Virtual Machine > Inventory
• Create from existing
• Create new
• Remove
• Unregister
Virtual Machine > Provisioning
• Clone template
• Clone virtual machine
• Customize
• Deploy template
• Read customization specifications
VSC Scan/Migrate role
Folder, followed by its privileges:
Datastore
• Allocate space
Global
• Cancel task
• Licenses
• Log event
• Manage custom attributes
• Settings
Host > Configuration
• Advanced settings
• Security profile and firewall
• Storage partition configuration
NetApp Virtual Storage Console > Optimization and Migration
• Initiate Scan
• Migrate virtual machines
NetApp Virtual Storage Console
• View
Network
• Assign network
Resource
• Assign virtual machine to resource pool
• Migrate powered off virtual machine
• Migrate powered on virtual machine
Virtual Machine > Inventory
• Move
Virtual Machine > SnapShot management
• Create a snapshot
• Remove a snapshot
Virtual Machine > Provisioning
• Allow virtual machine download
VSC Backup role
Folder, followed by its privileges:
NetApp Virtual Storage Console > Backup and Recover > Backup
• Backup NOW
• Backup Scheduled
• Delete Backup/Job
• Configure
NetApp Virtual Storage Console
• View
Task
• Create tasks
• Update tasks
Datastore
• Browse datastore
Virtual Machine > (vCenter Server 5.1) Snapshot Management
(Previous vCenter Server versions called this “State”.)
• Create Snapshot
• Remove Snapshot
VSC Restore role
Folder, followed by its privileges:
Datastore
• Allocate space
• Browse datastore
• Low level file operations
• Move datastore
• Remove datastore
• Rename datastore
Host > Configuration
• Advanced settings
• Change settings
• Storage partition configuration
• System resources
Host > Local operations
• Create virtual machine
• Delete virtual machine
• Reconfig virtual machine
• Relayout snapshots
NetApp Virtual Storage Console > Backup and Recovery > Backup
• Configure
NetApp Virtual Storage Console > Backup and Recover > Recovery
• Mount/UnMount
• Recover Datastore
• Recover VM
• Single-File Recovery
NetApp Virtual Storage Console
• View
Resource
• Assign virtual machine to resource pool
• Apply recommendation
• Relocate
• Query vMotion
Tasks
• Create tasks
• Update tasks
Virtual Machine > Configuration
• Add existing disk
• Add new disk
• Advanced
• Change resource
• Reload from path
• Remove disk
Virtual Machine > Interaction
• Power off
• Power on
• Answer question
Virtual Machine > Inventory
• Create from existing
• Move
• Register
• Unregister
• Remove
Virtual Machine > (vCenter Server 5.1) Snapshot Management
(Previous vCenter Server versions called this “State”.)
• Remove Snapshot
• Revert to Snapshot
Working with Data ONTAP RBAC roles
To enable VSC to work with storage systems, you need to set up some Data ONTAP RBAC
roles.
NetApp recommends that you use the “RBAC User Creator for Data ONTAP” tool to
configure these roles on storage systems. This tool and detailed screenshots explaining how
to use it are posted on the NetApp Communities Forum at:
https://communities.netapp.com/docs/DOC-19074
If you do not want to use the RBAC User Creator for Data ONTAP tool, you can use one of
the following methods:
• OnCommand System Manager, which can be downloaded for either Windows or Linux
platforms.
• The CLI (command-line interface), using the security login set of commands.
Because the “RBAC User Creator for Data ONTAP” tool is well-explained on the NetApp
Communities site, this article provides steps using OnCommand System Manager simply to
illustrate that there are multiple ways to set up these roles. The roles used in these steps have
the minimum set of privileges required to work with VSC.
More information about setting up Data ONTAP RBAC roles is in the Data ONTAP Cluster-Mode
Systems Administration Guide.
Special note about Provisioning and Cloning roles
When you are working with Provisioning and Cloning, it is important to remember that you
can break the comprehensive Provisioning and Cloning role into sub-roles based on the tasks
a user needs to perform. The graphic below illustrates the key Provisioning and Cloning
roles. As the circle expands out, each role after the center role has both its own privileges and the
privileges associated with the roles inside it.
For example, if you wanted a user to have Modify Storage role privileges as defined below,
you would add that user to the Create Clones, Create Storage, and Modify Storage
roles to ensure that the user had all the required privileges.
(Clustered Data ONTAP) Adding an RBAC role using System Manager
Configuring RBAC for VSC when working with storage systems running clustered Data ONTAP
requires that you:
• Grant privileges to commands and/or command directories. There are two levels of
access for each command/command directory:
  • all-access
  • read-only
• Assign users directly to roles.
• Vary your configuration depending on whether you have VSC connected to the Cluster
Admin IP for the entire cluster or directly to a Vserver within the cluster.
To simplify configuring these roles on storage systems, you can use a tool such as the
“RBAC User Creator for Data ONTAP,” which is posted on the NetApp Communities
Forum at:
https://communities.netapp.com/docs/DOC-19074
The “RBAC User Creator for Data ONTAP” tool automatically handles setting up the Data
ONTAP privileges correctly. For example, you should always add the all-access privileges
before you add the read-only privileges. If you first add the read-only privilege and then add
the all-access privilege, Data ONTAP marks the all-access privilege as a duplicate and
ignores it. The “RBAC User Creator for Data ONTAP” automatically adds the privileges in
the correct order.
The steps that follow provide an example of using OnCommand System Manager to create a
Data ONTAP RBAC role.
Note: For consistency, the VSC documentation refers to the roles as using privileges. The
OnCommand System Manager GUI uses the term “attribute” instead of “privilege.” When
setting up Data ONTAP RBAC roles, both these terms mean the same thing.
1. Log in to the cluster with a user account that has the ability to create roles and manage
users.
2. Go to Configuration > Security > Roles, and click Add.
3. In the Add Role dialog box, enter the role name, and then click Add to add the first role
privilege.
4. Enter the role privilege command and access level as shown below. You can leave the
query field blank. Click OK.
5. Repeat Step 4 for each required command. When you have added all the role privileges,
click Add at the bottom of the Add Role dialog box to add the role. The new role should
now be visible in the main screen.
6. Now create/assign the desired user(s) to the role. Go to Configuration > Security >
Users and then click Add (or Edit if using an existing user).
7. In the Add User window, enter a username and password, and then under 'User login
methods' assign the user the 'ontapi' application and the role that you want the user to
have. Click on OK for each role you assign. A user can have multiple roles.
In this example, the user MHC_user gets the MHC role.
8. Once the list of roles has been added, click Add at the bottom of the dialog box to
create/modify the user. The user should now appear back on the main screen.
Clustered Data ONTAP role privileges
The required privileges for each role are shown below. They are grouped according to the
role and whether they require all-access or read-only access.
When you work with clustered Data ONTAP, you should always add the all-access
privileges first.
The “RBAC User Creator for Data ONTAP” tool adds the privileges in the correct order
automatically.
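The ordering rule (all-access privileges first, then read-only) is easy to get wrong when a role is built by hand or by a home-grown script instead of the tool. The following Python is an added example and is not part of this article, the RBAC User Creator tool, or Data ONTAP: it takes a role's all-access and read-only command lists, emits the all-access entries first, drops a read-only entry that names a command already granted all-access (entering it first would make Data ONTAP ignore the later all-access entry, and entering it second adds nothing), audits an already-entered list for a read-only entry that precedes an all-access one, and renders one "security login role create" line per privilege. The -vserver, -role, -cmddirname and -access parameters are assumed from the clustered Data ONTAP CLI (this article names only the "security login" command set), and the sample role is constructed from the Direct vServer Monitoring and Host Configuration lists above with one deliberate duplicate added.

```python
"""Order clustered Data ONTAP role privileges so every all-access entry is
created before any read-only entry, as this article requires.
Added example, not NetApp's article, tool or product code. The CLI parameter
names are assumed; the sample role is constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

ALL_ACCESS = "all"
READ_ONLY = "readonly"


@dataclass
class OntapRole:
    name: str
    all_access: List[str] = field(default_factory=list)   # commands/directories granted all-access
    read_only: List[str] = field(default_factory=list)    # commands/directories granted read-only


def _norm(cmd: str) -> str:
    """Collapse whitespace so 'security login profiles  set' equals the one-space form."""
    return " ".join(cmd.split())


def order_privileges(role: OntapRole) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (privileges in creation order, read-only entries dropped as duplicates).

    All-access entries keep their given order and come first; a read-only entry
    naming a command that already has all-access is dropped, because all-access
    already includes read and adding it first would shadow the all-access grant."""
    ordered: List[Tuple[str, str]] = []
    seen = set()
    for cmd in role.all_access:
        key = _norm(cmd)
        if key not in seen:
            seen.add(key)
            ordered.append((key, ALL_ACCESS))
    dropped: List[str] = []
    for cmd in role.read_only:
        key = _norm(cmd)
        if key in seen:
            dropped.append(key)
            continue
        seen.add(key)
        ordered.append((key, READ_ONLY))
    return ordered, dropped


def first_misordered(entries: List[Tuple[str, str]]) -> int:
    """Index of the first all-access entry that follows a read-only entry, or -1.
    Use it to audit a privilege list in the order it was (or will be) entered."""
    seen_readonly = False
    for i, (_, access) in enumerate(entries):
        if access == READ_ONLY:
            seen_readonly = True
        elif seen_readonly:
            return i
    return -1


def render_commands(vserver: str, role: OntapRole) -> List[str]:
    """One CLI line per privilege, in creation order.
    Assumed syntax: security login role create -vserver <vs> -role <name>
                    -cmddirname "<command>" -access <all|readonly>"""
    ordered, _ = order_privileges(role)
    return [
        f'security login role create -vserver {vserver} -role {role.name} '
        f'-cmddirname "{cmd}" -access {access}'
        for cmd, access in ordered
    ]


# Constructed sample: the Direct vServer Monitoring and Host Configuration lists,
# with "volume efficiency stat" deliberately repeated under read-only.
SAMPLE_ROLE = OntapRole(
    name="vsc_mhc_direct",
    all_access=["security login profiles set", "system node run", "volume efficiency stat"],
    read_only=["lun igroup show", "lun mapped show", "lun show", "version", "network interface",
               "volume efficiency stat", "volume efficiency show", "volume qtree show",
               "volume show", "vserver export-policy rule show", "vserver fcp interface show",
               "vserver"],
)

if __name__ == "__main__":
    _, dropped = order_privileges(SAMPLE_ROLE)
    for line in render_commands("vs1", SAMPLE_ROLE):
        print(line)
    print("# dropped read-only duplicates:", dropped)
```

The rendered lines can be pasted into the cluster shell in order; if you maintain an existing script instead, pass its (command, access) pairs to first_misordered to find the first entry that would be silently ignored.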
Clustered Data ONTAP role privileges for Monitoring and Host Configuration - Cluster Admin
All Access Commands
network interface migrate
security login profiles set
storage failover show
system node run
volume efficiency stat
Read Only Commands
cluster identity show
cluster peer show
lun igroup show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
system node show
version
volume efficiency show
volume qtree show
volume show
vserver export-policy rule show
vserver fcp interface show
vserver show
Clustered Data ONTAP role privileges for Monitoring and Host Configuration - Direct vServer
All Access Commands
security login profiles set
system node run
volume efficiency stat
Read Only Commands
lun igroup show
lun mapped show
lun show
version
network interface
volume efficiency show
volume qtree show
volume show
vserver export-policy rule show
vserver fcp interface show
vserver
Clustered Data ONTAP role privileges for Provisioning and Cloning - Cluster Admin
Provisioning and Cloning role: Create Clones
All Access Commands
network interface migrate
security login profiles set
storage failover show
system node run
system node show
volume efficiency stat
volume file clone create
volume file reservation
volume file show-disk-usage
vserver export-policy show
vserver nfs show
Read Only Commands
cluster identity show
cluster peer show
lun geometry
lun igroup show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
version
volume efficiency show
volume qtree show
volume quota report
volume show
vserver export-policy rule show
vserver fcp interface show
vserver fcp show
vserver iscsi show
vserver nfs status
vserver show
Provisioning and Cloning role: Create Storage
All Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun igroup show
lun map
lun modify
lun move
lun online
lun unmap
network interface migrate
security login profiles set
snapmirror update-ls-set
storage failover show
system node autosupport invoke
system node run
system node show
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume restrict
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create
Read Only Commands
cluster identity show
cluster peer show
job show-completed
lun geometry
lun initiatorListMap show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
snapmirror show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
version
volume qtree show
volume quota report
volume show
volume snapshot show
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver nfs status
vserver services unix-group show
vserver services unix-user show
vserver show
Provisioning and Cloning role: Modify Storage
All Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun map
lun modify
lun move
lun online
lun resize
lun unmap
network interface migrate
security login profiles set
snapmirror update-ls-set
storage failover show
system node autosupport invoke
system node run
system node show
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency off
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume restrict
volume size
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create
Read Only Commands
cluster identity show
cluster peer show
job show-completed
lun geometry
lun igroup show
lun initiatorListMap show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
snapmirror show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
version
volume qtree show
volume quota report
volume show
volume snapshot show
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver nfs status
vserver services unix-group show
vserver services unix-user show
vserver show
Provisioning and Cloning role: Destroy Storage

All Access Commands
lun comment
lun create
lun delete
lun igroup add
lun igroup create
lun igroup set
lun map
lun modify
lun move
lun online
lun offline
lun resize
lun unmap
network interface migrate
security login profiles
set
snapmirror update-ls-set
storage failover show
system node autosupport invoke
system node run
system node show
volume autosize
volume clone create
volume create
volume destroy
volume efficiency on
volume efficiency off
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume offline
volume restrict
volume size
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create
Read-Only Commands
cluster identity show
cluster peer show
job show-completed
lun geometry
lun igroup show
lun initiatorListMap show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
snapmirror show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
version
volume qtree show
volume quota report
volume show
volume snapshot show
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver nfs status
vserver services unix-group show
vserver services unix-user show
vserver show
Clustered Data ONTAP role privileges for Provisioning and Cloning - Direct Connect vServer
Provisioning and Cloning role: Create Clones

All-Access Commands
network interface
security login profiles
set
system node run
volume efficiency stat
volume file clone create
volume file reservation
volume file show-disk-usage
vserver export-policy show
vserver nfs show

Read-Only Commands
lun geometry
lun igroup show
lun mapped show
lun show
version
volume efficiency show
volume qtree show
volume quota report
volume quota show
volume show
vserver
vserver export-policy rule show
vserver fcp interface show
vserver fcp show
vserver iscsi show
vserver nfs status
Provisioning and Cloning role: Create Storage

All-Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun igroup show
lun map
lun modify
lun move
lun online
lun unmap
network interface
security login profiles
set
*snapmirror
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume restrict
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create

Read-Only Commands
job show-completed
lun geometry
lun initiatorListMap show
lun mapped show
lun show
snapmirror show
version
volume qtree show
volume quota report
volume quota show
volume show
volume snapshot show
vserver
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver services unix-group show
vserver services unix-user show
Provisioning and Cloning role: Modify Storage

All-Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun igroup show
lun map
lun modify
lun move
lun online
lun resize
lun unmap
network interface
security login profiles
set
system node run
*snapmirror
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency off
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume restrict
volume size
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create

Read-Only Commands
job show-completed
lun geometry
lun initiatorListMap show
lun mapped show
lun show
snapmirror show
version
volume qtree show
volume quota report
volume quota show
volume show
volume snapshot show
vserver
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver services unix-group show
vserver services unix-user show
Provisioning and Cloning role: Destroy Storage

All-Access Commands
lun comment
lun create
lun delete
lun igroup add
lun igroup create
lun igroup set
lun igroup show
lun map
lun modify
lun move
lun online
lun offline
lun resize
lun unmap
network interface
security login profiles
set
system node run
*snapmirror
volume autosize
volume clone create
volume create
volume destroy
volume efficiency on
volume efficiency off
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume offline
volume restrict
volume size
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create
Read-Only Commands
job show-completed
lun geometry
lun igroup show
lun initiatorListMap show
lun mapped show
lun show
snapmirror show
version
volume qtree show
volume quota report
volume quota show
volume show
volume snapshot show
vserver
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver services unix-group show
vserver services unix-user show
Clustered Data ONTAP role privileges for Optimization and Migration

All-Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun map
lun modify
lun move
lun online
lun unmap
network interface migrate
security login profiles
set
storage failover show
system node autosupport invoke
system node run
system node show
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file clone create
volume file show-disk-usage
volume modify
volume restrict
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create

Read-Only Commands
cluster identity show
cluster peer show
lun geometry
lun igroup show
lun initiatorListMap show
lun mapped show
lun show
network fcp adapter show
network interface show
network port show
security login role show
security login show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
version
volume qtree show
volume quota report
volume show
volume snapshot show
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi session show
vserver iscsi show
vserver nfs status
vserver services unix-group show
vserver services unix-user show
vserver show
Clustered Data ONTAP role privileges for Optimization and Migration - Direct Connect vServer

All-Access Commands
lun comment
lun create
lun igroup add
lun igroup create
lun igroup set
lun map
lun modify
lun move
lun online
lun unmap
security login profiles
set
volume autosize
volume clone create
volume create
volume efficiency on
volume efficiency show
volume efficiency start
volume efficiency stat
volume efficiency stop
volume file clone create
volume file reservation
volume file show-disk-usage
volume modify
volume restrict
volume snapshot create
volume snapshot delete
volume unmount
vserver export-policy rule create
vserver export-policy rule setindex
vserver export-policy show
vserver iscsi interface accesslist add
vserver nfs show
vserver nfs status
vserver services unix-group adduser
vserver services unix-group create
vserver services unix-user create

Read-Only Commands
job show-completed
lun geometry
lun igroup show
lun initiatorListMap show
lun mapped show
lun show
snapmirror show
version
volume qtree show
volume quota report
volume show
volume snapshot show
vserver export-policy rule show
vserver fcp initiator show
vserver fcp interface show
vserver fcp show
vserver iscsi connection show
vserver iscsi interface show
vserver iscsi session show
vserver iscsi show
vserver nfs status
vserver services unix-group show
vserver services unix-user show
vserver
Clustered Data ONTAP role privileges for Backup and Recovery - Cluster Admin

All-Access Commands
cluster identity show
job history show
lun delete
lun igroup add
lun igroup create
lun igroup delete
lun igroup new
lun igroup show
lun initiatorListMap show
lun map
lun mapped show
lun new
lun online
lun serial
lun show
lun unmap
network interface migrate
network interface new
network interface show
security login profiles
security login role show-ontapi
set
snapmirror (SN.0)
snapmirror get-volume-status
snapmirror new
snapmirror show
snapmirror update
snapmirror update-ls-set
storage failover show
system license show
system node run
system node show
version
volume clone create
volume clone new
volume destroy
volume efficiency stat
volume file clone create
volume file show-disk-usage
volume mount
volume new
volume offline
volume qtree new
volume qtree show
volume show
volume snapshot create
volume snapshot delete
volume snapshot new
volume snapshot rename
volume snapshot restore-file
volume snapshot show
volume unmount
vserver create
vserver export-policy new
vserver export-policy show
vserver fcp nodename
vserver fcp status
vserver iscsi nodename
vserver iscsi status
vserver modify
vserver new
vserver peer show
vserver show

Read-Only Commands
cluster peer show
network fcp adapter show
network interface show
network port show
security login role show
security login show
storage aggregate show
storage disk show
system health alert show
system health status show
system license show
volume efficiency show
volume qtree show
volume show
vserver export-policy rule show
vserver fcp interface show
Clustered Data ONTAP role privileges for Backup and Recovery - Direct Connect vServer

All-Access Commands
job history show
lun delete
lun igroup add
lun igroup create
lun igroup delete
lun igroup new
lun igroup show
lun initiatorListMap show
lun map
lun mapped show
lun new
lun online
lun serial
lun show
lun unmap
network interface
security login profiles
security login role show-ontapi
set
snapmirror get-volume-status
snapmirror new
snapmirror show
snapmirror update
version
volume clone create
volume clone new
volume destroy
volume efficiency stat
volume file clone create
volume file show-disk-usage
volume mount
volume new
volume offline
volume qtree new
volume qtree show
volume show
volume snapshot create
volume snapshot delete
volume snapshot new
volume snapshot rename
volume snapshot restore-file
volume snapshot show
volume unmount
vserver export-policy new
vserver export-policy show
vserver fcp nodename
vserver fcp status
vserver iscsi nodename
vserver iscsi status
vserver peer show
vserver
Read-Only Commands
volume efficiency show
vserver export-policy rule show
vserver fcp interface show
(Data ONTAP operating in 7-Mode) Adding an RBAC role using System Manager
Configuring RBAC for VSC when storage systems are running Data ONTAP operating in 7-Mode requires three major steps:
1. Configure the roles using the useradmin set of commands.
2. Assign permissions for API (application programming interface) functions to these roles.
3. Add the users and/or groups to the roles.
You perform these steps on all the storage systems that host VMFS or NFS datastores.
To simplify configuring these roles on storage systems, you can use a tool such as the
“RBAC User Creator for Data ONTAP,” which is posted on the NetApp Communities
Forum at:
https://communities.netapp.com/docs/DOC-19074
The “RBAC User Creator for Data ONTAP” tool automatically handles setting up the Data
ONTAP privileges correctly.
If you want to manually configure RBAC, the steps that follow provide an example of how to
create a Data ONTAP RBAC role.
1. Enter the following command on the storage system.
You must enter this command as a single line. Use commas to separate the list of Data
ONTAP privileges following the -a option. Do not use spaces to separate the list of
privileges.
useradmin role add role_name -a capability_list
role_name: The name you assign to the role so you can identify that role.
capability_list: The comma-separated list of Data ONTAP privileges. These privileges are listed later in this article.
2. Create a user group with the role you set up by entering the following command:
useradmin group add group_name -r role_name
group_name: The name of the group you are creating.
role_name: The name of the role you created in the previous step.
3. Create a user in the group by entering the following command:
useradmin user add user_name [-p password] -g group_name
user_name: The name of the user you are creating.
password: The password for this user. If you do not specify a password, the system prompts you for one.
group_name: The name of the group you created in the previous step.
4. Verify that the user was created correctly by entering the following command:
useradmin user list user_name
The user and group information is displayed.
Privileges available with Data ONTAP operating in 7-Mode
You can specify Data ONTAP 7-Mode privileges in one of these two ways:
Categories
Individual privileges
Specifying individual privileges limits what the account can do on the storage system.
If you specify the privileges by categories, the account can perform more tasks. Here are the
minimum privileges needed for any VSC operation:
login-*,api-*
If you are using Backup and Recovery or Provisioning and Cloning, you should include the
following privileges to provide the user with access to the storage system:
login-*,api-*,cli-*
If you want to specify individual privileges, the roles for each VSC capability are listed
below.
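As an added example (not part of the original article or of the NetApp tool it mentions), a small Python helper that turns a pasted privilege list in the layout used on this page into the four useradmin commands from the steps above, rejects malformed capability names before they reach a live role, and flags category wildcards such as cli-* that grant far more than the individual privileges do. The role, group and user names and the sample privilege list are made up.

```python
import re

# Capability names on this page start with one of these prefixes (api-, cli-,
# login-, security-) and may use the '*' wildcard for a whole category.
CAP_RE = re.compile(r"^(?:api|cli|login|security)-[A-Za-z0-9*.-]+$")

# Constructed sample list in the layout the page uses, including a version
# qualifier in parentheses, comma-separated items and one duplicate.
SAMPLE_PRIVILEGES = """
login-http-admin
api-system-get-version, api-volume-list-info-iter-start
(Data ONTAP 8.2 and later) api-feature-status-list-info
api-system-get-version
"""


def parse_capabilities(text):
    """Normalise a pasted privilege list into an ordered, de-duplicated list.

    Parenthesised version qualifiers are dropped, commas and whitespace both
    separate items, and any token that is not a well-formed capability name
    raises ValueError so a typo never ends up in a live role.
    """
    cleaned = re.sub(r"\([^)]*\)", " ", text)
    caps = []
    for token in re.split(r"[,\s]+", cleaned):
        if not token:
            continue
        if not CAP_RE.match(token):
            raise ValueError("not a Data ONTAP capability name: %r" % token)
        if token not in caps:
            caps.append(token)
    return caps


def wildcard_capabilities(caps):
    """Return the category-style entries (those containing '*').

    Each one grants every privilege under that prefix, so a reviewer should
    confirm it is intended rather than a list of individual privileges.
    """
    return sorted(c for c in caps if "*" in c)


def build_useradmin_commands(role_name, caps, group_name, user_name):
    """Emit the four 7-Mode useradmin commands from the procedure above.

    The -a list is joined with commas and no spaces, as the command requires.
    No -p is given, so the storage system prompts for the password instead of
    it being stored in a script or a shell history.
    """
    if not caps:
        raise ValueError("a role needs at least one capability")
    return [
        "useradmin role add %s -a %s" % (role_name, ",".join(caps)),
        "useradmin group add %s -r %s" % (group_name, role_name),
        "useradmin user add %s -g %s" % (user_name, group_name),
        "useradmin user list %s" % user_name,
    ]


if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_PRIVILEGES)
    for line in build_useradmin_commands("vsc_monitor", caps, "vsc_monitor_grp", "vsc_monitor_user"):
        print(line)
    print("category wildcards:", wildcard_capabilities(parse_capabilities("login-*,api-*,cli-*")))
```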
Data ONTAP operating in 7-Mode privileges for Monitoring and Host Configuration:
api-aggr-list-info
api-cf-get-partner
api-cf-status
(Data ONTAP 8.0.1 and later) api-copyoffload-show
api-disk-list-info
api-ems-autosupport-log
api-fcp-adapter-list-info
api-fcp-get-cfmode
api-fcp-service-status
(Data ONTAP 8.2 and later) api-feature-status-list-info
api-iscsi-service-status
(Data ONTAP 7.3.4 through Data ONTAP 8.1.2) api-license-list-info or
(Data ONTAP 8.2 and later) api-license-v2-list-info
api-lun-get-vdisk-attributes
api-lun-list-info
api-lun-map-list-info
api-nfs-exportfs-list-rules
api-nfs-exportfs-list-rules-2
api-qtree-list
api-snapmirror-get-volume-status
api-snapshot-list-info
api-snmp-get
api-snmp-get-next
api-system-get-info
api-system-get-ontapi-version
api-system-get-version
api-useradmin-user-list
api-vfiler-list-info
api-volume-autosize-get
api-volume-list-info-iter-end
api-volume-list-info-iter-next
api-volume-list-info-iter-start
api-volume-options-list-info
login-http-admin
Data ONTAP operating in 7-Mode privileges for Provisioning and Cloning
Provisioning and Cloning Data ONTAP role: create clones
This role allows the VSC user to create clones of virtual machines. In addition to the
minimum set of Data ONTAP operating in 7-Mode privileges for VSC that were documented
above, you need the following privileges. Please note, these privileges cannot fit into a
single Data ONTAP role. They must be broken into two roles:
(Data ONTAP 8.0.1 and later) api-clone
api-fcp-adapter-initiators-list-info
api-fcp-port-name-list-info
api-file-create-directory
api-file-delete-directory
api-file-delete-file
api-file-get-file-info
api-file-read-file
api-file-write-file
api-igroup-list-info
api-iscsi-adapter-initiators-list-info
api-iscsi-adapter-list-info
api-iscsi-connection-list-info
api-iscsi-portal-list-info
api-iscsi-session-list-info
api-lun-get-geometry
api-nfs-status
api-quota-report
(Data ONTAP 7.3.4 through Data ONTAP 8.1.2) api-raid-info-listdisk
(Data ONTAP 7.3.4 through Data ONTAP 8.1.2) api-raid-info-listplex
api-system-cli
api-useradmin-domainuser-list
api-useradmin-group-list
cli-cifs
cli-df
cli-ifconfig
cli-mv
cli-ndmpcopy
cli-ndmpd
security-api-vfiler
security-priv-diagnostic
Provisioning and Cloning Data ONTAP role: create storage
This role allows the VSC user to create volumes and logical unit numbers (LUNs). In addition to
the previous role's Data ONTAP operating in 7-Mode privileges, you also need the following
privileges. Please note, these cannot fit in a single Data ONTAP role. They must be broken
into two roles:
api-igroup-add
api-igroup-create
api-igroup-set-attribute
api-lun-create-by-size
api-lun-create-from-file
api-lun-initiator-list-map-info
api-lun-map
api-lun-move
api-lun-online
api-lun-set-comment
api-lun-unmap
api-nfs-exportfs-append-rules-2
api-nfs-exportfs-load-exports
api-nfs-exportfs-modify-rule-2
api-sis-enable
api-sis-start
api-sis-stop
api-snapmirror-break
api-snapmirror-delete-schedule
api-snapmirror-get-status
api-snapmirror-initialize
api-snapmirror-off
api-snapmirror-on
api-snapmirror-release
api-snapmirror-resync
api-snapmirror-set-schedule
api-snapmirror-update
api-snapshot-create
api-snapshot-set-reserve
api-vfiler-add-storage
api-volume-autosize-set
api-volume-clone-create
api-volume-create
api-volume-restrict
api-volume-set-option
cli-iscsi
cli-lun
cli-qtree
cli-vfiler
Provisioning and Cloning Data ONTAP role: modify storage
This role allows the VSC user to resize and deduplicate storage when working with Data
ONTAP operating in 7-Mode. In addition to the privileges provided by the previous roles,
you also need the following privileges:
api-volume-size
api-sis-disable
api-lun-resize
(Data ONTAP 7.3.4 only) api-file-punch-hole
Provisioning and Cloning Data ONTAP role: destroy storage
This role allows the VSC user to destroy volume and LUN storage when working with
Data ONTAP operating in 7-Mode. In addition to the privileges provided by the previous
roles, you also need the following privileges:
api-volume-offline
api-volume-destroy
api-lun-offline
api-lun-destroy
Optimization and Migration
No additional APIs are required for Optimization and Migration.
This plugin uses the same set of privileges as the 'Create Storage' role found in the
Provisioning and Cloning section.
Backup and Recovery
Backup and Recovery requires the following privileges when working with a storage system
running Data ONTAP operating in 7-Mode. Please note, these privileges cannot fit into a
single Data ONTAP role. They must be broken into two roles:
api-fcp-adapter-initiators-list-info
api-fcp-node-get-name
api-file-create-directory
api-file-delete-file
api-file-list-directory-iter-end
api-file-list-directory-iter-next
api-file-list-directory-iter-start
api-igroup-add
api-igroup-create
api-igroup-destroy
api-igroup-list-info
api-igroup-set-attribute
api-iscsi-initiator-list-info
api-iscsi-node-get-name
api-lun-create-from-snapshot
api-lun-destroy
api-lun-get-serial-number
api-lun-initiator-list-map-info
api-lun-map
api-lun-online
api-lun-restore-status
api-lun-unmap
api-net-ifconfig-get
api-nfs-exportfs-append-rules-2
api-nfs-exportfs-modify-rule-2
api-nfs-exportfs-storage-path
api-snapmirror-get-status
api-snapmirror-list-destinations
api-snapmirror-update
api-snapshot-create
api-snapshot-delete
api-snapshot-rename
api-snapshot-restore-file
api-snapshot-restore-volume
api-system-api-list
api-system-cli
api-vfiler-create
api-volume-clone-create
api-volume-destroy
api-volume-offline
cli-ifconfig
cli-snap
cli-system
security-priv-diagnostic