#REST APIs failing with custom roles in 9.10.1 but works with 9.11.1


toxic idol
#

Hi Team, I'm working with one of our customers to limit the permissions of the ONTAP user account used for managing Ansible playbooks. We created a custom role and user, limiting permissions to the needed API endpoints, and tested it in the lab with 9.11.1, where it worked successfully.

cluster2::> security login role show ansible_role
           Role           Command/                                  Access
Vserver    Name           Directory                       Query     Level
---------- -------------- ------------------------------- --------- --------
cluster2   ansible_role   DEFAULT                                   none
                          cluster modify                            readonly
                          cluster show                              readonly
                          snapmirror                                all
                          vserver create                            readonly
                          vserver modify                            readonly
                          vserver show                              readonly
7 entries were displayed.

cluster2::> security login create -user-or-group-name ansible -role ansible_role -application http -authentication-method password

Please enter a password for user 'ansible':
Please enter it again:

cluster2::>

But this is not working with ONTAP 9.10.1 for the customer. We tested it in the lab with 9.10.1 as well and had the same issue.

{"error":{"code":"6691623", "message":"User is not authorized."}}

Could you please help why it's not working with 9.10.1?
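An added example (not from the thread or from NetApp) that evaluates the role definition printed above: it parses the flattened `security login role show` output and answers which CLI commands the role permits, so the least-privilege intent of the role can be verified before troubleshooting the API side. It assumes the usual traditional-role semantics (none denies, readonly permits only show commands in that directory, all permits everything, the most specific command directory wins, DEFAULT is the fallback); the command names and the `is_allowed`/`lookup` helpers are illustrative, not ONTAP APIs.

```python
# Sample input constructed from the seven entries in the post above.
ROLE_SHOW_OUTPUT = """\
cluster2 ansible_role DEFAULT none
cluster modify readonly
cluster show readonly
snapmirror all
vserver create readonly
vserver modify readonly
vserver show readonly
"""


def parse_role(text):
    """Return {command_directory: access_level} from flattened show output."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # The first row also carries the vserver and role name; drop them.
        if len(parts) >= 4 and parts[2] == "DEFAULT":
            parts = parts[2:]
        *directory, level = parts
        entries[" ".join(directory)] = level
    return entries


def lookup(entries, command):
    """Most specific command-directory prefix wins; DEFAULT is the fallback."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in entries:
            return prefix, entries[prefix]
    return "DEFAULT", entries.get("DEFAULT", "none")


def is_allowed(entries, command):
    """Assumed semantics: all -> any command, readonly -> show only, none -> deny."""
    _, level = lookup(entries, command)
    if level == "all":
        return True
    if level == "readonly":
        return "show" in command.split()
    return False


def write_directories(entries):
    """Directories where the role can change state; what a reviewer should scrutinise."""
    return sorted(d for d, level in entries.items() if level == "all")
```

Note that `vserver create readonly` and `cluster modify readonly` grant no create/modify capability under these semantics, which is worth confirming against the playbook's actual needs.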

toxic idol
#

@thin sierra, Could you please help with this?

visual flint
#

Hi Durai! I'm getting the same error code in 9.12 and 9.11, but only when it's a vserver-owned LIF and a vserver-scoped user. Support recommended trying to remove the data-core service from our vserver management LIFs' service-policy.

While that didn't fix our issue, it did allow the cluster admin account to successfully query the vserver mgmt LIF. Before removing it, the admin account only got the error message you are getting.

#

Also, you might want to check "vserver services web access" for your ansible user's role.

toxic idol
#

Hi Matt, thanks for the update. Let me add the "vserver services web access" and check.

toxic idol
#

@visual flint, adding "vserver services web access" didn't resolve the issue. Also, in my case the customer is using a cluster-scoped user.