# Custom role problem with ONTAPI after 9.14 upgrade


spice rivet

(Yes, I know ONTAPI is deprecated.)
We have provisioning scripts here that set up user/department volumes. These connect via ONTAPI with an AD account that has a custom role. Most everything works - except that we explicitly do a vol efficiency enable ... with the sis-enable ONTAPI command.

This is logged as:
Error: Insufficient privileges: user DOMAIN\s_arccvserver does not have write access to this resource

However:

```
           Role          Command/                                      Access
Vserver    Name          Directory                               Query Level
---------- ------------- --------- ----------------------------------- --------
arcc       arccauto      DEFAULT                                       none
                         volume create                                 all
                         volume efficiency                             all
                         volume modify                                 all
                         volume qtree create                           all
                         volume qtree delete                           all
                         volume qtree rename                           all
                         volume qtree show                             all
                         volume show                                   all
                         vserver cifs share                            all
10 entries were displayed.
```

As far as I know this worked fine before upgrading to ONTAP 9.14.1P4. Do we need to be more explicit about the command in this role?

And yes, the service account has this role.


```
Vserver: arcc
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
DOMAIN\s_arccvserver
               http        domain        arccauto         -      none
DOMAIN\s_arccvserver
               ontapi      domain        arccauto         -      none
2 entries were displayed.
```

As in, might need:

```
  (security login role show-ontapi)

ONTAPI Name: sis-enable
CLI Command: volume efficiency on

cluster::> role show-ontapi -ontapi sis-set-config
  (security login role show-ontapi)

ONTAPI Name: sis-set-config
CLI Command: volume efficiency modify
```

Oh, hmm. Wonder how this worked to begin with.
Error: command failed: A Vserver admin cannot use command directory "volume efficiency" with access level "all". Use a different access level
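
An added example, not part of the original post and not NetApp code: a pre-flight check that resolves each ONTAPI call a provisioning script makes to its CLI command (using the `show-ontapi` mappings quoted above) and finds the role entry that would govern it. It assumes the most specific command-directory entry wins with `DEFAULT` as the fallback, and that the Query column is empty; the function names are hypothetical.

```python
import re

# Role entries copied from the `security login role show` output in the post.
ROLE_SHOW = """\
arcc       arccauto      DEFAULT                                       none
                         volume create                                 all
                         volume efficiency                             all
                         volume modify                                 all
                         volume qtree create                           all
                         volume qtree delete                           all
                         volume qtree rename                           all
                         volume qtree show                             all
                         volume show                                   all
                         vserver cifs share                            all
"""

# ONTAPI -> CLI mappings as reported by `security login role show-ontapi` in the post.
ONTAPI_TO_CLI = {
    "sis-enable": "volume efficiency on",
    "sis-set-config": "volume efficiency modify",
}

ROW = re.compile(r"^(?:\S+\s+\S+\s+|\s+)(.+?)\s+(none|readonly|all)\s*$")

def parse_role(text):
    """Map each command directory in the table to its access level."""
    rows = (ROW.match(line) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2) for m in rows if m}

def effective_access(entries, cli_command):
    """Assumed semantics: the longest matching directory entry wins, else DEFAULT."""
    words = cli_command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in entries:
            return prefix, entries[prefix]
    return "DEFAULT", entries.get("DEFAULT", "none")

def audit(entries, ontapi_calls):
    """Return (call, CLI command, governing entry, level, write_ok) per ONTAPI call."""
    report = []
    for call in ontapi_calls:
        cli = ONTAPI_TO_CLI.get(call)
        # Unmapped call: resolve it with show-ontapi before trusting the audit.
        entry, level = effective_access(entries, cli) if cli else (None, None)
        report.append((call, cli, entry, level, level == "all"))
    return report

if __name__ == "__main__":
    print(*audit(parse_role(ROLE_SHOW), ["sis-enable", "sis-set-config"]), sep="\n")
```

Under that assumption both calls resolve to the `volume efficiency` entry with access level `all`, while a command with no matching entry, such as `volume delete`, falls through to `DEFAULT` (`none`).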