NetApp OnTap 9.X Command Template

Create a new role for File Access Manager for the CIFS vserver. For example, fam_netapp_role.

Replace (v_server) with CIFS vserver from cluster.

Replace (cluster) with cluster name.

security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server)

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server)

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all

security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "volume" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (v_server) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (v_server) -access readonly

Create a new role for file access manager for the cluster (use cluster name for -vserver switch).

security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (cluster)

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (cluster)

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (cluster) -access all

security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "volume" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (cluster) -access readonly

security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (cluster) -access readonly

Assign the newly created role to the domain user created for fam (Upper and lower case are important.)

security login create -vserver (cluster) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role

security login create -vserver (v_server) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role

Domain user must be a member of the “Backup Operators” group on the VServer. Execute the below command for the Vserver you intend to on-board.

vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Backup Operators" -member-names domain\domainAccountFam

Domain user to be a member of the “Power Users” group on the Vserver. Execute the below command for the Vserver you intend to on-board

vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Power Users" -member-names domain\domainAccountFam

If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):
```
security login domain-tunnel create -vserver (v_server)
```
CIFS Access:

User account should have Share Read permission to all shares.

Requires a user with Share Read permission to all shares

Should be able to enumerate CIFS Share-Level Permissions

Should be able to enumerate local Users and Groups
Domain user must be an administrator (local administrator) on the server running the Activity Monitor service.

Execute the commands to configure a fpolicy for CIFS server.

fpolicy policy event create -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent

IP for the SailPoint Activity Mornitor server should be used in place of x.x.x.x.

fpolicy policy external-engine create -vserver (v_server) -engine-name fam_cifs_engine -primary-servers x.x.x.x  -port 12000 -extern-engine-type asynchronous -ssl-option no-auth

fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events fam_cifs_events -engine fam_cifs_engine -is-mandatory false

fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *

fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1


	You are here: