NetApp OnTap 9.X Command Template

  1. Create a new role for File Access Manager for the CIFS vserver. For example, fam_netapp_role.

    Replace (v_server) with the name of the CIFS vserver in the cluster.

    Replace (cluster) with the cluster name.

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "volume" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (v_server) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (v_server) -access readonly
  2. Create the same role for File Access Manager at the cluster level (use the cluster name for the -vserver switch).

    security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (cluster)
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (cluster)
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (cluster) -access all
    security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "volume" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (cluster) -access readonly
    security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (cluster) -access readonly
  3. Assign the newly created role to the domain user created for File Access Manager (the username is case-sensitive; upper and lower case must match the account).

    security login create -vserver (cluster) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
    security login create -vserver (v_server) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
  4. The domain user must be a member of the “Backup Operators” group on the vserver. Run the command below for the vserver you intend to on-board.

    vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Backup Operators" -member-names domain\domainAccountFam
  5. The domain user must be a member of the “Power Users” group on the vserver. Run the command below for the vserver you intend to on-board.

    vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Power Users" -member-names domain\domainAccountFam
  6. If no domain tunnel is configured yet, run the following command (run it only once for the cluster, not once per vserver):

    security login domain-tunnel create -vserver (v_server)
  7. CIFS access requirements for the domain user:

    Share Read permission on all shares.

    Ability to enumerate CIFS share-level permissions.

    Ability to enumerate local users and groups.


  8. Domain user must be an administrator (local administrator) on the server running the Activity Monitor service.

  9. Execute the following commands to configure an FPolicy for the CIFS server.

    fpolicy policy event create -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent

    The IP address of the SailPoint Activity Monitor server should be used in place of x.x.x.x.

    fpolicy policy external-engine create -vserver (v_server) -engine-name fam_cifs_engine -primary-servers x.x.x.x -port 12000 -extern-engine-type asynchronous -ssl-option no-auth
    fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events fam_cifs_events -engine fam_cifs_engine -is-mandatory false
  10. Create the policy scope (all volumes on the vserver are included).

    fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *
  11. Enable the policy.

    fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1
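As an added example (not part of the template, and not SailPoint or NetApp code), a small Python helper that fills the template's placeholders before the commands are pasted into the ONTAP CLI and lists the command directories where the role receives more than readonly access. It assumes ONTAP treats an omitted -access as "all"; the sample lines are constructed in the same form as the role commands above.

```python
import ipaddress
import re

# Placeholders used by the template; every one must be substituted before
# the commands are pasted into the ONTAP CLI.
PLACEHOLDERS = ("(v_server)", "(cluster)", "x.x.x.x", "domain\\domainAccountFam")

# Constructed sample: four role lines in the same form as the template. Two of
# them omit -access, which this helper assumes the ONTAP CLI treats as "all".
ROLE_SAMPLE = """\
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
"""

_ROLE_RE = re.compile(
    r'security login role create .*?-cmddirname "(?P<cmddir>[^"]+)"'
    r'.*?-vserver (?P<vserver>\S+)(?:.*?-access (?P<access>\S+))?'
)


def render(template: str, values: dict) -> str:
    """Substitute placeholders; refuse to emit commands that still contain one."""
    if "x.x.x.x" in values:
        ipaddress.ip_address(values["x.x.x.x"])  # raises ValueError on a bad address
    out = template
    for key, val in values.items():
        out = out.replace(key, val)
    left = [p for p in PLACEHOLDERS if p in out]
    if left:
        raise ValueError(f"unfilled placeholders: {left}")
    return out


def parse_role_entries(text: str) -> list:
    """Return (cmddir, vserver, effective access) for each role-create line."""
    entries = []
    for line in text.splitlines():
        m = _ROLE_RE.search(line)
        if m:
            entries.append((m["cmddir"], m["vserver"], m["access"] or "all"))
    return entries


def non_readonly(text: str) -> list:
    """Command directories where the role gets more than readonly: review these first."""
    return [cmddir for cmddir, _, access in parse_role_entries(text) if access != "readonly"]
```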