#Latest 9.16.1 ONTAP features

Hello, I'm a new learner on NetApp and currently exploring System Manager (GUI). I've reviewed the related ONTAP documentation but still have a few questions that I’d like to confirm with an expert, rather than rely on my own assumptions.

1. Can I conclude that the creation of a SnapLock volume (either Enterprise or Compliance mode) is different from enabling snapshot locking on a regular volume?
2. When creating a SnapLock volume, it seems that Autonomous Ransomware Protection (ARP) are not supported on this type of volume—is that correct?
3. When using SnapMirror SVM-DR to replicate an entire SVM to a destination cluster, all volumes within the SVM need to be non-SnapLock volumes right? For SnapLock volumes, we only replicate them individually, volume by volume, instead of as part of the whole SVM?
4. I understand we can create a SVM admin, which is limited to storage operations and cannot access cluster-level operations. But is this only possible via CLI? Can we create a custom role where an admin user is restricted to only storage operations in System Manager (GUI) as well? I tested creation of custom role on System Manager, but it didn’t seem to work.

Appreciate the help from community!

Hello there,

1. Snapshot locking is enabled on non-SnapLock volumes, though it still uses some SnapLock features like the compliance clock. Snapshot locking is when you want only the Snapshots on RW volumes to be protected, rather than the files themselves.

2. ARP does not support SnapLock volumes today.

3. SVMDR does not support SnapLock volumes today. Single-volume asynchronous SnapMirror is the supported replication type for SnapLock volumes. Also note the dest volume must be the same SnapLock type as the source when replicating type-RW SnapLock volumes.

4. There is a default data SVM role "vsadmin" and a user of the same name which can be used for individual data SVM-scoped administration. By default this account is locked so you would need to unlock it. Just from poking around myself, I don't see where this can be done from the GUI. The GUI seems to show only the admin SVM users and roles.

Regarding question 4: You have to navigate to "Storage" --> "Storage VMs" --> choose your SVM --> "Settings" --> scroll down until you see "Security"
There you have "Users and roles" to configure SVM users and roles

Hi,
Thanks for the clarification on 1,2,3 and 4.

1. Understood, especially the involvement of the compliance clock. So SnapLock volumes focus on the files themselves being in a WORM state after they are manually or automatically committed. But what about snapshots in a SnapLock volume without enable the Snapshot locking feature? For example, if we have a policy that creates hourly snapshots with a maximum of 3 copies, are those snapshots also in a WORM storage, or these snapshots are independently?

2. In summary, we need to create replication for each SnapLock volume individually. Let's say we have 50 volumes, we'll need to do it 50 times. Using the GUI would be a hassle, so maybe I can try using the CLI instead.

3. Yes, there is "vsadmin" and is locked by default. I believe this SVM-administration only workable on CLI, which mean I can't login this "vsadmin" from System Manager, because cluster administration is not allowed.
   Then I just try to work on cluster administration, but it seems like we are not able to create an admin user with only SVM privileged on GUI.
   https://docs.netapp.com/us-en/ontap/authentication/predefined-roles-cluster-administrators-concept.html

***Currently, I'm playing around GUI, so try to explore fully on the dashboard b4 learning commands on CLI.

Yes, I saw that, and able to access from CLI with restricted privileged, just wonder can we make it on GUI as well

No, officially you need a user which is located in the admin SVM to login into System Manager.

And, configuring a role which would only be able to manage a certain SVM via System Manager is not possible or very difficult to configure. You would need to create a custom role with commands and API paths which include certain vol-UUIDs, SVM-UUIDs, etc. So that the user would get errors when trying to modify objects from other SVMs.

But I'm very positive this is not only not supported but you would constantly run into issues because System Manager in the background would try to access some things which the role does not allow.

It's an known feature-request which many customers requested but has not yet been implemented.

Regarding question 3: Check out snapmirror protect which allows you to create Snapmirror relationships for many volumes via 1x CMD.
https://docs.netapp.com/us-en/ontap-cli/snapmirror-protect.html

Okay, that clears up point 4 for me.

Thanks for your reference, I’m aware of the commands to create multiple volumes, just comparing the limitations between GUI and CLI operations.

"But what about snapshots in a SnapLock volume without enable the Snapshot locking feature? For example, if we have a policy that creates hourly snapshots with a maximum of 3 copies, are those snapshots also in a WORM storage, or these snapshots are independently?"

These Snapshots are normal Snapshots, there is no additional protection for the Snapshots themselves.

There is one exception which is SnapLock for SnapVault (aka "CyberVault"). This is a method to back up regular (non-snaplock) volume Snapshots to a SnapLock destination volume and WORM-lock those destination Snapshots.

This is a different solution since the source, RW volume is a regular non-SnapLock volume, but it is a method to WORM-lock Snapshots for backup archival and it's the basis of our ransomware recovery guarantee program.