Cluster Mode Permissions

  1. Create a new role for File Access Manager.

    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share access-control" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs share" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-group show-members" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver cifs users-and-groups local-user" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-connect" -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy engine-disconnect" -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show-engine" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-group" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver services name-service unix-user" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "volume qtree" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "volume" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy scope" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy show" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy" -access readonly -vserver <vserver_name>
    security login role create -role siq_netapp_role_82 -cmddirname "vserver fpolicy policy external-engine" -access readonly -vserver <vserver_name>

    <vserver_name> = The Vserver name configured in NetApp settings.

    If the File Access Manager Application is configured to use Vserver Tunneling, run these commands at the cluster level without the -vserver parameter. However, if the File Access Manager Application is configured to use the Vserver directly, run these commands at the Vserver level without the -vserver parameter, or at the cluster level with the -vserver parameter.

  2. Create a new user for File Access Manager, and assign to the newly created role:

    security login create -vserver <vserver_name> -username <domain\user_name> -application ontapi -authmethod domain -role siq_netapp_role_82

    The domain and user_name must use the same letter case as entered in the Application configuration.

    The username must be in the same case as defined in Active Directory. This is a known NetApp issue.

  3. Add the new user to the “Backup Operators” security group on each virtual CIFS server.
  4. Add the new user to the “Power Users” security group on each virtual CIFS server.
  5. If no domain-tunnel is configured, run the following command (this command should be run only once, and not for each vserver):

    security login domain-tunnel create -vserver <vserver_name>

    If the domain-tunnel cannot be configured, authentication to the NetApp Web API will fail with the Active Directory user configured in the Application configuration.

    It is possible to define an alternative local NetApp user to use instead of the user defined in the application configuration. See the section Configuring a Local NetApp User for the Ontapi API for detailed instructions.
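    The role in step 1 is a least-privilege definition: everything is readonly except the two fpolicy engine-connect/engine-disconnect directories, where -access is omitted. The script below is an added example (not part of this document or of File Access Manager) that renders those role commands for a given Vserver, or in the cluster-level form without -vserver used with Vserver Tunneling, and audits a role read back from the cluster for drift (missing directories, extra directories, or a wider access level than the page prescribes). It assumes ONTAP's default when -access is omitted is all, and the observed role is a constructed sample dict, not real cluster output.

```python
ROLE = "siq_netapp_role_82"

# Command directories exactly as listed in step 1. The two engine-connect /
# engine-disconnect entries omit -access on the page; ONTAP's default level
# is assumed to be "all" here (verify against your ONTAP version).
EXPECTED = {
    "vserver cifs share access-control": "readonly",
    "vserver cifs share": "readonly",
    "vserver cifs users-and-groups local-group": "readonly",
    "vserver cifs users-and-groups local-group show-members": "readonly",
    "vserver cifs users-and-groups local-user": "readonly",
    "vserver fpolicy engine-connect": "all",
    "vserver fpolicy engine-disconnect": "all",
    "vserver fpolicy show-engine": "readonly",
    "vserver services name-service unix-group": "readonly",
    "vserver services name-service unix-user": "readonly",
    "volume qtree": "readonly",
    "volume": "readonly",
    "vserver fpolicy policy scope": "readonly",
    "vserver fpolicy show": "readonly",
    "vserver fpolicy policy": "readonly",
    "vserver fpolicy policy external-engine": "readonly",
}
RANK = {"none": 0, "readonly": 1, "all": 2}  # ordering of ONTAP access levels


def role_commands(vserver=None):
    """Render the 'security login role create' lines with -access made explicit.
    vserver=None gives the cluster-level form (no -vserver) for Vserver Tunneling."""
    suffix = f" -vserver {vserver}" if vserver else ""
    return [f'security login role create -role {ROLE} -cmddirname "{d}"'
            f" -access {a}{suffix}" for d, a in EXPECTED.items()]


def audit_role(observed):
    """observed: {cmddirname: access} as read back from the cluster.
    Flags missing directories, directories not on the page, and entries whose
    access level is higher than the page prescribes (privilege creep)."""
    missing = sorted(set(EXPECTED) - set(observed))
    extra = sorted(set(observed) - set(EXPECTED))
    over = sorted(d for d, a in observed.items()
                  if d in EXPECTED and RANK.get(a, 99) > RANK[EXPECTED[d]])
    return {"missing": missing, "extra": extra, "over_privileged": over}


# Constructed sample: someone widened "volume" to all, added an unrelated
# directory, and dropped one readonly entry.
SAMPLE_OBSERVED = {**EXPECTED, "volume": "all", "security login": "readonly"}
del SAMPLE_OBSERVED["vserver fpolicy show"]

if __name__ == "__main__":
    print("\n".join(role_commands("svm_fam")))
    print(audit_role(SAMPLE_OBSERVED))
```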