#custom role for qtree admin

solar sluice
#

I would like to create a role that only allows the ability to create a qtree (read/write).

I have script automation that will run PowerShell to create a qtree. I want to lock it down to just be able to create qtrees on volumes on specific SVMs.

Does anyone know what the minimum permissions required for this are?

feral fern
#

You would create a role. Default none. Then add to it:

security login role create -cmd "vserver qtree create" -query "-vserver xxx"

You will need to verify the command, but I think it’s correct.

The limited admin would then have the ability to SSH in and run

vserver qtree create -vserver xxx <rest of command >

#

Since you said PowerShell though, you may need to find the API role instead.

solar sluice
#

I was able to create the role. The problem I am running into is that when I try to login/Connect-NcCluster, it's failing. I gave the user account http/ontapi access. I can't find anything in the logs that explains why it failed.

feral fern
#

You may need to verify

security login rest-role show -user xxx

If you’re trying to do an API call and it is hitting the REST API, it needs to have permission.

solar sluice
#

Ah, I don't see the role there: "-user is not valid". If I create the role, should the access be all and restrict with -api? And if so, what's the path for the API?

#

FYI, I think PowerShell uses ONTAPI; would this apply if not using REST?