NetApp ONTAP 9.x Command Template
-
Create a new role for File Access Manager on the CIFS Vserver (SVM). The commands below use the role name fam_netapp_role; every entry is readonly except where write access is required.
Replace (v_server) with the name of the CIFS Vserver in the cluster.
Replace (cluster) with the cluster name.
security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (v_server) -access readonly
The engine-connect and engine-disconnect entries need write access. -access all is what ONTAP applies when the switch is omitted, so it is written out here to make the grant visible.
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (v_server) -access all
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (v_server) -access all
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (v_server) -access all
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (v_server) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (v_server) -access readonly
-
Create the same role for File Access Manager at cluster scope (use the cluster name for the -vserver switch).
security login role create -role fam_netapp_role -cmddirname "vserver cifs share access-control" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs share" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-group show-members" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver cifs users-and-groups local-user" -vserver (cluster) -access readonly
As above, engine-connect and engine-disconnect need write access; -access all is the ONTAP default when the switch is omitted and is written out explicitly here.
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-connect" -vserver (cluster) -access all
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy engine-disconnect" -vserver (cluster) -access all
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show-engine" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-group" -vserver (cluster) -access all
security login role create -role fam_netapp_role -cmddirname "vserver services name-service unix-user" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume qtree" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "volume" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy policy scope" -vserver (cluster) -access readonly
security login role create -role fam_netapp_role -cmddirname "vserver fpolicy show" -vserver (cluster) -access readonly
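Once both roles exist, check what the cluster actually holds rather than trusting the transcript. The Python below is an added example, not part of the SailPoint or NetApp documentation: it parses the output of `security login role show -role fam_netapp_role -fields cmddirname,access` (pasted from the cluster or read from a file) and compares each command directory's access level against the role definition above, reporting entries that are missing, entries the template never created, and entries granted more than the template allows. The sample output embedded in it is constructed by hand to match that output format and is seeded with three deviations; the expected table, the access ranking and the assumption that the role also shows a DEFAULT entry with access none are this example's, not the page's.

```python
"""Least-privilege audit for the fam_netapp_role ONTAP login role (added example)."""
import shlex

# Role definition transcribed from the template above: command directory -> access.
# engine-connect and engine-disconnect are created without -access, and ONTAP
# defaults that switch to "all". unix-group is "all" because the template grants it;
# tighten this table if your deployment does not need that.
EXPECTED = {
    "vserver cifs share access-control": "readonly",
    "vserver cifs share": "readonly",
    "vserver cifs users-and-groups local-group": "readonly",
    "vserver cifs users-and-groups local-group show-members": "readonly",
    "vserver cifs users-and-groups local-user": "readonly",
    "vserver fpolicy engine-connect": "all",
    "vserver fpolicy engine-disconnect": "all",
    "vserver fpolicy show-engine": "readonly",
    "vserver services name-service unix-group": "all",
    "vserver services name-service unix-user": "readonly",
    "volume qtree": "readonly",
    "volume": "readonly",
    "vserver fpolicy policy scope": "readonly",
    "vserver fpolicy show": "readonly",
}
# Assumption: the role also carries a DEFAULT entry; for a least-privilege role it must be "none".
EXPECTED_DEFAULT = "none"
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}

# Constructed sample of `security login role show -role fam_netapp_role -fields cmddirname,access`
# output (hand-written to match the format, not captured from a cluster). It deliberately
# grants "all" on volume, omits "vserver fpolicy show" and adds an entry the template never created.
SAMPLE_OUTPUT = """\
vserver role            cmddirname                                                 access
------- --------------- ---------------------------------------------------------- --------
svm1    fam_netapp_role DEFAULT                                                    none
svm1    fam_netapp_role "vserver cifs share access-control"                        readonly
svm1    fam_netapp_role "vserver cifs share"                                       readonly
svm1    fam_netapp_role "vserver cifs users-and-groups local-group"                readonly
svm1    fam_netapp_role "vserver cifs users-and-groups local-group show-members"   readonly
svm1    fam_netapp_role "vserver cifs users-and-groups local-user"                 readonly
svm1    fam_netapp_role "vserver fpolicy engine-connect"                           all
svm1    fam_netapp_role "vserver fpolicy engine-disconnect"                        all
svm1    fam_netapp_role "vserver fpolicy show-engine"                              readonly
svm1    fam_netapp_role "vserver services name-service unix-group"                 all
svm1    fam_netapp_role "vserver services name-service unix-user"                  readonly
svm1    fam_netapp_role "volume qtree"                                             readonly
svm1    fam_netapp_role volume                                                     all
svm1    fam_netapp_role "vserver fpolicy policy scope"                             readonly
svm1    fam_netapp_role "vserver cifs"                                             readonly
15 entries were displayed.
"""


def parse_role_show(text):
    """Parse -fields cmddirname,access output into {cmddirname: access}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue                      # blank line or the dashed separator row
        if line.endswith("displayed."):
            continue                      # trailing "N entries were displayed."
        tokens = shlex.split(line)        # honours the quotes around multi-word values
        if tokens[:2] == ["vserver", "role"]:
            continue                      # column header
        if len(tokens) != 4:
            raise ValueError(f"unexpected line in role output: {raw!r}")
        _vserver, _role, cmddir, access = tokens
        if access not in ACCESS_RANK:
            raise ValueError(f"unknown access level {access!r} for {cmddir!r}")
        entries[cmddir] = access
    return entries


def audit_role(actual, expected=EXPECTED):
    """Compare a parsed role against the template; returns findings plus an "ok" flag."""
    findings = {"missing": [], "extra": [], "excess": [], "default": None}
    for cmddir, access in actual.items():
        if cmddir == "DEFAULT":
            if access != EXPECTED_DEFAULT:
                findings["default"] = access   # anything but none opens every other command
            continue
        want = expected.get(cmddir)
        if want is None:
            findings["extra"].append((cmddir, access))
        elif ACCESS_RANK[access] > ACCESS_RANK[want]:
            findings["excess"].append((cmddir, access, want))
    findings["missing"] = [c for c in expected if c not in actual]
    findings["ok"] = not (findings["missing"] or findings["extra"]
                          or findings["excess"] or findings["default"])
    return findings


if __name__ == "__main__":
    result = audit_role(parse_role_show(SAMPLE_OUTPUT))
    for kind in ("missing", "extra", "excess"):
        for item in result[kind]:
            print(f"{kind}: {item}")
    if result["default"]:
        print(f"DEFAULT is {result['default']}, expected {EXPECTED_DEFAULT}")
    print("role matches template" if result["ok"] else "role deviates from template")
```

Run it once against the Vserver-scoped role and once against the cluster-scoped one; both should come back clean. The ranking matters more than exact matching: a readonly entry that has drifted to all is the finding that turns a read-only monitoring account into one that can change share ACLs or fpolicy scope.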
-
Create a login for the domain account used by File Access Manager at both cluster and Vserver scope and assign the new role (the username is case sensitive).
security login create -vserver (cluster) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
security login create -vserver (v_server) -username domain\domainAccountFam -application ontapi -authmethod domain -role fam_netapp_role
-
The domain user must be a member of the "Backup Operators" local group on the Vserver. Run the following command for each Vserver you intend to on-board.
vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Backup Operators" -member-names domain\domainAccountFam
-
The domain user must also be a member of the "Power Users" local group on the Vserver. Run the following command for each Vserver you intend to on-board.
vserver cifs users-and-groups local-group add-members -vserver (v_server) -group-name "BUILTIN\Power Users" -member-names domain\domainAccountFam
-
If no domain tunnel is configured, run the following command against a CIFS-enabled data Vserver. A cluster has only one domain tunnel, so run it once, not once per Vserver; it is what lets the cluster-scoped domain login above authenticate against Active Directory:
security login domain-tunnel create -vserver (v_server)
-
CIFS Access:
The domain user needs Share Read permission on every share to be on-boarded.
It must be able to enumerate CIFS share-level permissions.
It must be able to enumerate local users and groups.
-
The domain user must be a local administrator on the server running the Activity Monitor service.
-
Run the following commands to configure an FPolicy for the CIFS server. The fpolicy commands live under the vserver command directory, so they are shown with the vserver prefix.
vserver fpolicy policy event create -event-name fam_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent
Use the IP address of the SailPoint Activity Monitor server in place of x.x.x.x. -ssl-option no-auth means events are sent to the engine without TLS or engine authentication, so the path between the Vserver's data LIFs and the Activity Monitor must be a trusted network. -extern-engine-type asynchronous means the Vserver does not wait for the engine before completing the file operation, and -is-mandatory false (below) means file access continues if the engine is unreachable; both are what you want for a monitoring-only engine.
vserver fpolicy policy external-engine create -vserver (v_server) -engine-name fam_cifs_engine -primary-servers x.x.x.x -port 12000 -extern-engine-type asynchronous -ssl-option no-auth
vserver fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events fam_cifs_events -engine fam_cifs_engine -is-mandatory false
vserver fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *
vserver fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1