I have added an SVM's management interface and a vsadmin user as authentication to OTV and it is added OK, yet it is shown as Unknown, with an Unknown type and status unknown...
And I am unable to use it for provisioning...
In the manual it is written a bit cryptically, as if you have to add it from the cluster IP and with a "SVM-scoped" user...
Has anyone tried this and got it working?
We'd rather not expose the cluster management unless we have to... SVM management IP ought to be enough?

Update: the manual states that the vsadmin role in your SVM does not have enough rights to be able to provision a datastore... but of course it's not specified which rights to add, or how to add them to the role of the user... nice... bet that's "easy" to find on the support site 😉
# Adding SVM to ONTAP Tools for vSphere?
Hmm, created a new user using the VSC_ONTAP_User_Privileges.zip file which you can download from the appliance (way too difficult if you ask me)... but managed to create a user with the "correct" rights, but when I try to provision a new datastore, I get the error "Dedupe settings not applied on testlun (root cause: Insufficient privileges: user 'svm01' does not have write access to this resource (errno=13003))". Isn't that just great? 😉
Yeah, in basically every version this file is missing some privileges needed for the user. It's a pity that NetApp keeps forgetting to update it.
I mean, for this very reason they made it like this, so you always get a role with the correct privileges by downloading directly from the appliance which needs it... 🤷‍♂️
Using the vserver instead of the cluster does reduce functionality.
I know the vserver reduces functionality, but apparently it complains about a simple dedupe setting... and even after I have used the .json file provided to create the user, it just doesn't work... seems like someone forgot to test this software? 🙂 I will create yet another support case, since I cannot find anything about this on the support site...
Just as the command to the role.
I've had issues with the roles in the past. But I found a way to get them working. Make sure when creating the role on the CLI, paste all the READ-ONLY rules first. I'd had issues in the past where a read-only on a subset under a command tree seemed to be converting the entire tree to read-only for the role, and the order the RBAC tool was creating had some read-only entries towards the end.
I don't think we're talking about the RBAC tool here. It was great but last updated sometime in 2020 for VSC 9.7. I think this is about the privileges file you can directly download from your OTV appliance and then import in ONTAP while creating a new user.
https://docs.netapp.com/us-en/ontap-tools-vmware-vsphere/configure/task_configure_user_role_and_privileges.html
You don't copy paste any commands here to manually create the correct role because all the privileges for the role are already included in the file.
Agreed, but I find the order they are applied in is not ideal, so I manually extract the commands and create the role myself via the CLI, as the order the commands are created in matters.
That's just my experience from deploying OTV in the field for many customers. The JSON has the same issues in my experience. CLI is the only way I've been able to get the roles working reliably, and by switching up the command order.
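The reordering described above (read-only rules pasted before the rest, per the two posts by the same commenter), as an added example that is not from the thread or from NetApp: a small Python helper that takes role rules extracted from the privileges file, moves every readonly rule ahead of the all/none rules while keeping their relative order, and renders them as `security login role create` commands. The two-column input format, the rule set, the SVM name `svm01` and the role name `otv_role` are all constructed placeholders; the only thing assumed about ONTAP is the `security login role create -vserver ... -role ... -cmddirname ... -access ...` syntax.

```python
"""Order ONTAP role rules so read-only entries are created first.

Added example, not code from the thread or from NetApp. The input format
(one "<command directory> <access>" rule per line) and all sample values
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: the read-only rule for "volume efficiency" sits after
# the "all" rule for the "volume" tree, which is the ordering the commenter
# reports as problematic.
SAMPLE_RULES = """
# command directory           access
volume                        all
volume snapshot               all
volume efficiency             readonly
lun                           all
vserver                       readonly
network interface             readonly
"""

# One rule per line: a command directory (may contain spaces) then an
# access level of all, readonly or none.
RULE_RE = re.compile(r"^\s*(?P<cmddir>.+?)\s+(?P<access>all|readonly|none)\s*$")

ACCESS_ORDER = {"readonly": 0, "none": 1, "all": 2}


@dataclass(frozen=True)
class Rule:
    cmddir: str
    access: str


def parse_rules(text: str) -> list[Rule]:
    """Parse rule lines, skipping blanks and '#' comments; reject bad lines."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE_RE.match(stripped)
        if match is None:
            raise ValueError(f"line {lineno}: cannot parse rule: {line!r}")
        rules.append(Rule(match.group("cmddir"), match.group("access")))
    return rules


def order_rules(rules: list[Rule]) -> list[Rule]:
    """Return rules with readonly first, then none, then all.

    sorted() is stable, so rules with the same access level keep the
    relative order they had in the input.
    """
    return sorted(rules, key=lambda r: ACCESS_ORDER[r.access])


def render_commands(rules: list[Rule], svm: str, role: str) -> list[str]:
    """Render one 'security login role create' command per rule."""
    return [
        f'security login role create -vserver {svm} -role {role} '
        f'-cmddirname "{r.cmddir}" -access {r.access}'
        for r in rules
    ]


if __name__ == "__main__":
    ordered = order_rules(parse_rules(SAMPLE_RULES))
    for cmd in render_commands(ordered, "svm01", "otv_role"):
        print(cmd)
```

After pasting the rendered commands into the cluster shell, `security login role show -vserver svm01 -role otv_role` lists the resulting rules so the access level on each command directory can be compared against the file before any user is bound to the role.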
If only there were some NetApp staff here to whom we could escalate this ongoing issue 😉
Don't know... VSC needs so many permissions for what it is supposed to do that you can just give it admin privileges right away. I mean, sure, you could strip off a few commands here and there, but if it can do volume create/delete and snapshot create/delete it's basically as open as it gets... IMHO it's better to just secure the management network (with firewall rules, VLAN separation etc.) so that only the host where VSC is installed can access the SVM management LIF
Well, as this is running on a hosted setup, we cannot just give each customer cluster admin rights 😂 It makes me wonder if NetApp even wants their storage systems to be used in a hosted setup... there are just so many hurdles that you stumble into... and every time it's like you are the first person who is doing it like this...
I'm not suggesting to use the cluster-wide admin though... just use the vsadmin user. Then they can still wreak havoc in their own SVM but cannot disturb others.
But that's just the thing... even with vsadmin, you do not have enough rights 😂 You need to download the .json file from the OTV SVM and use that to create a new user... sadly, as mentioned before, this is also FUBAR and has to be tinkered with in order for it to work...
Ah, I misunderstood you then; I thought you had edited the role of the SVM admin user to something restricted.