#ONTAP System Manager for SVMs

I know this has been requested already quite often but why not once more. 🙂
For service-providers it would be really great to give your customers not only SSH access to their SVM but also a "smol" System Manager GUI where they can easily create their volumes, configure their shares, check their snapmirrors, etc.
Basically a CVS kind-of usability would be awesome.

I know BlueXP is coming and you can add your on-prem clusters already. But afaik the "easy" CVO-GUI is still not available. Also not sure if you can restrict BlueXP users to a certain SVM (so that they won't see any other resources or SVMs).

Bring that question to next week's ONTAP update livestream with Keith. I'm sure he'd be happy to address it!

It doesn't currently support multi-tenancy. RFE 819163 was raised for this a while back. At best you can set up rbac to limit access to readonly for other objects within the cluster to limit what can be modified.

@prisma grove If you log a case we can add it to that RFE.

The "pass-through" feature to get to Systems Manager has pros and cons. I believe that if you configure the connector to use the admin account to connect to the ontap instance, all of the SM commands being run in BlueXP are also run as admin. This means that all audit controls and protections are gone. We must have RBAC enabled here. If I have multiple admins using the same BlueXP instance, we need to control who does what, and know who did what.
And, of course, we need BlueXP on-prem to authenticate to an external authentication source - AD/LDAP and/or Okta.

Huh... that's interesting. But wouldn't that simply mean that all auditing moves to BlueXP? So it's not visible anymore in the local audit-logs but you would see which user did what with the auditing capabilities from BlueXP?

If not this destroy the whole purpose....

If it's in BlueXP, I haven't seen it. There isn't even a setting to send logs to syslog.

@prisma grove SVM level management for BlueXP is something we are discussing. Can you please share which company you are working for, and the number of SVMs per cluster and how many do you have in total? Is each has its own AD connected to it?

I work at a NetApp partner, I think we have almost/over? 2000 nodes under services. We also have our own private cloud were we sell services like NetApp-Replication-as-a-Service, DR-as-a-Service, and other "aaS". (Also Managed Services of course.) Especially for our services were the customer basically gets a SVM to manage on their own it would be helpful to give them some sort of GUI to easily create new volumes, shares, etc. Many know how to use the CLI or automate it themselves but a GUI is always better for customers who only know System Manager of their on-prem systems but don't touch the CLI very often.

I can't really say how many SVMs there are, we have several clusters in our private cloud. But think full-multitenancy. Each customer gets his own SVM and of course should not see any volumes, shares, LIFs, etc of other customers. If a customer would use CIFS services each SVM would be connected to different ADs.

Thank you that’s very helpful. I think that implementing in in BXP will make more sense. Do you want to allow them to do anything on that SVM? Or do you prefer to limit it to specific action ?