# Install & account setup.


empty ore
#

I've been working through the docs to try and get SnapCenter set up and can't quite work out how you are supposed to set up accounts on vSphere and on the NetApp clusters.

Running vSphere 7 Update 3, ONTAP 9.14P2, and was going to use SnapCenter 5 Update 3.

ONTAP Account:
https://docs.netapp.com/us-en/sc-plugin-vmware-vsphere/scpivs44_minimum_ontap_privileges_required.html#minimum-ontap-privileges-required
It's not clear to me how to actually set up an account with these specific privileges. It looks like you can now use a JSON file when creating accounts, but I don't see a file linked anywhere on that page or any mention of doing so. What are most people doing for the account on the NetApp clusters, permissions/app-wise, for this purpose?

vCenter Account:
https://docs.netapp.com/us-en/sc-plugin-vmware-vsphere/scpivs44_minimum_vcenter_privileges_required.html
I set up a role with most of the privileges listed, but some aren't listed; granted, they seem to be the defaults from looking a bit. The SCV-specific permissions presumably you can't actually grant until SCV is installed, so I have not done that.

When installing the plugin, is the vCenter account it is asking for just an admin account that is used during the actual install and not after that? I.e. could I use my personal account for that purpose, or are you supposed to use the account you set up specifically for SnapCenter to use?

Likely overthinking things here, but just a bit hung up and wanted to get this right vs just trying it out.

empty ore
#

Still need some guidance on how to set up the ONTAP account. If anyone else reads this and was wondering about the vCenter account, this is what I did.

Use a full admin account during install; things should be in good shape after that.
Create the account you want to use long-term for the SnapCenter plugin, and assign privileges as noted in the docs I linked above. I just gave it the SnapCenterAdmin role and then everything else it needed. Under global permissions, assign the roles to the account. Modify the account being used in the SnapCenter main GUI on port 8080.

I haven't added a storage system yet, but the plugin was installed and seems to be in order.

empty ore
#

Very confused on how to set up the ONTAP account. The GUI offers uploading a JSON file from somewhere, but I don't really see where to get this file to set up the proper role/user. There are a lot of references to an RBAC user creation tool on the web, but I don't actually see where to get that anywhere.

If someone could comment on how they set up the ONTAP users it would be appreciated, even if it's just a "we used a local admin account on the system for simplicity".

glass violet
empty ore
#

The idea is really to manually create a role, and add the ~100+ permissions or so?

#

I found the RBAC tool just via downloads on the support site. The doc I was reading said it was on the community forums for some reason. I was hoping I could copy/paste the list into that, and it would spit out a JSON file which I could use. It's not very clear at all as to how that works with this, though.

It seems like there are also 5 different access levels, and it isn't clear which is needed for all the permissions. The few at the bottom note RO, but the others don't really say.

Is there a video or a doc of this being set up? I couldn't find anything but "use the account you set up" during all the videos I was checking for information on this.
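If you do go the manual-role route rather than the RBAC tool, the tedious part is typing one `security login role create` line per command directory. The script below is an added example (not from this thread, the NetApp docs, or the RBAC tool): it takes a plain-text privilege list of the form `command directory|access` (access being `all`, `readonly` or `none`) and emits the matching ONTAP CLI lines, rejecting anything that is not one of those three access levels. The role name `scv_role`, the SVM `svm_data` and the two sample entries are assumed placeholders; the real list of directories and access levels comes from the privileges doc linked earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or NetApp: turn a plain-text privilege
# list (one "command directory|access" line per entry, copied from the NetApp
# privileges doc) into ONTAP "security login role create" commands.
# ROLE, VSERVER and SAMPLE_PRIVS are constructed placeholders, not the real
# required list for SCV.

ROLE="scv_role"
VSERVER="svm_data"

# Constructed sample input: command directory, '|', then access level.
SAMPLE_PRIVS="volume snapshot|all
lun|readonly"

# gen_role_cmds ROLE VSERVER PRIVLIST
# Prints one ONTAP CLI line per input line; blank lines and '#' comments are
# skipped, and an unknown access level aborts with a non-zero status so a
# typo does not silently produce a broken role.
gen_role_cmds() {
  role="$1"; vserver="$2"
  printf '%s\n' "$3" | while IFS='|' read -r cmddir access; do
    case "$cmddir" in ""|\#*) continue ;; esac
    case "$access" in
      all|readonly|none) ;;
      *) echo "bad access level '$access' for '$cmddir'" >&2; exit 1 ;;
    esac
    printf 'security login role create -vserver %s -role %s -cmddirname "%s" -access %s\n' \
      "$vserver" "$role" "$cmddir" "$access"
  done
}

# Usage: review the generated lines, then paste them into the ONTAP CLI.
gen_role_cmds "$ROLE" "$VSERVER" "$SAMPLE_PRIVS"
```

Keep the input file under version control next to the appliance version it was built for; when the appliance is upgraded, diffing the privileges doc against that file is the quickest way to spot a newly required command directory before it shows up as an unexplained backup failure.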

glass violet
empty ore
#

It's useful for sure, but I would still like to understand what other users are actually doing. The option to upload the JSON file seems to be a much cleaner method for this purpose, but I can't find a link to the file for that purpose. It feels like the system was built to make this easy, but then it wasn't actually completed or something like that.

solemn topaz
#

Creating perfectly fitting RBAC roles for these NetApp tools has always been inconsistent, for years. NetApp created that RBAC tool you mentioned, which was great IMO and easy to use. But I think that's deprecated and not really updated anymore.

About that JSON file: You would download the file directly from your installed appliance. The idea is that you get a file which always has the correct privileges for the correct version of the appliance.

But:
This is only available for OTV (ONTAP Tools for VMware): https://docs.netapp.com/us-en/ontap-tools-vmware-vsphere/configure/task_configure_user_role_and_privileges.html

You can't use it for SCV or something else.
I never understood why they took the effort to add an extra option in System Manager and then totally neglect this feature for all the next ONTAP versions.
I remember suggesting to add this at least for SCV, got a "nice idea" back and that's about it. Not sure if that's 1 or 2 years ago.

Another but: even though NetApp created the RBAC tool and the JSON file, those have been missing needed privileges SO MANY TIMES... The OTV guys would release a new version with some new feature which would require allowing some additional cmds in ONTAP. But no one at NetApp would think about updating the RBAC tool. Or even the JSON file...
So in the past, using an RBAC role for these users only led to issues after updating the appliance. You would notice weird issues, and during troubleshooting you would never think about the ONTAP role being the culprit.

To cut things short:
I mostly simply use the admin role for the newly created OTV/SCV user. Or at least only add the SVM which has the datastores, with a vsadmin user.
Use a complicated PW, put it in your PW safe and forget about it.

#

They're changing to certificate-based authentication anyway. Stealing the SCV user's PW should not be possible anymore then, so using admin or an RBAC role would make no real difference. At least as long as the appliance does not get hacked...

empty ore
#

Thanks, much appreciated. I really couldn't figure out why this felt so complicated. At that, I'll just use an admin account.

I was planning on using certs, but am I reading that it isn't currently supported yet? Looks like certs are currently supported.

empty ore
#

For anyone else who wanted to set up cert-based logins, this is a good doc. The one thing that isn't apparent when you create the account and set it to cert login is how the cert is matched to the account. It's the CN on the cert that needs to match the user account you created.

https://kb.netapp.com/data-mgmt/SnapCenter/SC_KBs/How_to_configure_a_self-signed_certificate_for_storage_system_authentication_with_SCV
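Because ONTAP maps a client certificate to a login purely by subject CN, the cheapest mistake to make is generating the cert with the wrong CN and then spending an afternoon on "authentication failed". The script below is an added example (not from the thread or the NetApp KB): it generates a self-signed client certificate whose CN is the ONTAP login name, and provides a check that extracts the CN from the PEM and compares it to the intended account before anything is installed on the cluster. The account name `scv_user`, the SVM `svm_data` and the ONTAP CLI lines in the trailing comment are assumptions for illustration; the KB above is the authoritative procedure.

```shell
#!/bin/sh
# Added example, not from the thread or NetApp: build a self-signed client
# cert whose subject CN equals the ONTAP login name, and verify the CN before
# installing it, since ONTAP matches cert to account by CN only.
# SCV_USER and the SVM name in the comments are constructed placeholders.

SCV_USER="scv_user"                     # assumed ONTAP login name
WORKDIR="${TMPDIR:-/tmp}/scv-cert"      # where the key/cert pair is written

# make_client_cert USER OUTDIR
# Generates a 2048-bit RSA key and a self-signed certificate (SHA-256, 365
# days) with subject "/CN=USER". The private key is what the SCV appliance
# will hold, so it is written with 0600 permissions.
make_client_cert() {
  user="$1"; outdir="$2"
  mkdir -p "$outdir"
  umask 077
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$outdir/$user.key" -out "$outdir/$user.pem" \
    -subj "/CN=$user" 2>/dev/null
}

# cert_cn PEMFILE
# Prints the subject CN of a PEM certificate (RFC 2253 name format so the
# output is stable across OpenSSL versions).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cn_matches PEMFILE USER
# Returns 0 when the cert's CN equals USER, 1 otherwise. Run this before
# pasting the cert into ONTAP; a mismatch here is a guaranteed login failure.
check_cn_matches() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Usage (constructed): generate, then verify the CN matches the account.
make_client_cert "$SCV_USER" "$WORKDIR"
if check_cn_matches "$WORKDIR/$SCV_USER.pem" "$SCV_USER"; then
  echo "CN matches account '$SCV_USER'; safe to install"
else
  echo "CN '$(cert_cn "$WORKDIR/$SCV_USER.pem")' does not match '$SCV_USER'" >&2
fi

# ONTAP side (assumed from the general ONTAP CLI, verify against the KB):
#   security certificate install -vserver svm_data -type client-ca
#     (paste the contents of scv_user.pem)
#   security login create -vserver svm_data -user-or-group-name scv_user \
#     -application ontapi -authentication-method cert -role vsadmin
#   security login create -vserver svm_data -user-or-group-name scv_user \
#     -application http -authentication-method cert -role vsadmin
```

The `-role` in the comment is where the thread's admin-vs-RBAC debate lands; the CN check is orthogonal to it and is worth keeping whichever role you settle on, because a cert that authenticates as the wrong (or no) account fails in the same opaque way as a missing privilege.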