Physical Filer 7-Mode Permissions

Perform the following steps to configure required permission for all File Access Manager tasks:

  1. Create a dedicated domain user for the filer (for example, SIQ_<filername>). This user will be used in the application configuration, and must also be the user running the Activity Monitor service.
  2. This user must be a member of the Backup Operators and Power Users groups on the NetApp and an administrator on the server running the Activity Monitor service.
  3. Run the following commands on the NetApp physical filer to grant the File Access Manager user permission to access the ONTAPI web API.
    Replace <DOMAIN> with the domain name and siq_<filername> with the correct user name:

    useradmin role add siq_netapp_role -a login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-volume-list-info,api-fpolicy-volume-list-info
    useradmin group add siq_group -r siq_netapp_role
    useradmin domainuser add <DOMAIN>\siq_<filername> -g siq_group,"Backup Operators","Power Users"
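The steps above amount to a least-privilege grant: one role carrying only the ONTAPI capabilities the product needs, one group bound to that role, and one domain user placed in that group. The following Python helper is an added example, not code from the page or from File Access Manager: it builds the three commands from a domain and filer name (validating both so a stray space or quote cannot change how the filer parses the line) and audits the output of `useradmin role list <role>` against the required capability set, reporting what is still missing and what was granted beyond the list. The `Allowed Capabilities:` label in the listing and the sample listing itself are assumptions constructed for the example.

```python
"""Helpers around the File Access Manager 7-Mode permission setup.

Added example, not part of the original page: builds the three
useradmin commands from a domain and filer name, and audits a role
listing for least privilege (missing vs. extra capabilities).
"""
import re

# Capabilities taken from the page's `useradmin role add` command, kept as
# separate strings so no stray whitespace can creep into the joined list.
REQUIRED_CAPABILITIES = (
    "login-http-admin",
    "api-nfs-exportfs-list-rules",
    "api-cifs-share-list-iter-start",
    "api-cifs-share-list-iter-next",
    "api-cifs-share-list-iter-end",
    "api-cifs-share-acl-list-iter-start",
    "api-cifs-share-acl-list-iter-next",
    "api-cifs-share-acl-list-iter-end",
    "api-qtree-list",
    "api-useradmin-group-list",
    "api-useradmin-user-list",
    "security-api-vfiler",
    "api-system*",
    "api-useradmin-domainuser-list",
    "api-fpolicy-list-info",
    "api-fpolicy-get-policy-options",
    "api-volume-list-info",
    "api-fpolicy-volume-list-info",
)

ROLE = "siq_netapp_role"
GROUP = "siq_group"
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_commands(domain, filername):
    """Return the three useradmin commands for one filer.

    Both names are validated so that a typo (space, backslash, quote) cannot
    silently change how the filer parses the command line.
    """
    if not _NAME_RE.match(domain) or not _NAME_RE.match(filername):
        raise ValueError("domain and filer name may only contain [A-Za-z0-9_.-]")
    user = f"siq_{filername}"
    caps = ",".join(REQUIRED_CAPABILITIES)
    return [
        f"useradmin role add {ROLE} -a {caps}",
        f"useradmin group add {GROUP} -r {ROLE}",
        f'useradmin domainuser add {domain}\\{user} -g {GROUP},"Backup Operators","Power Users"',
    ]


def parse_allowed_capabilities(listing):
    """Extract the capability set from `useradmin role list <role>` output.

    The 'Allowed Capabilities:' line label is an assumption for this example;
    adjust it if your filer prints the listing differently.
    """
    for line in listing.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() == "allowed capabilities":
            return {c.strip() for c in value.split(",") if c.strip()}
    raise ValueError("no 'Allowed Capabilities' line found in listing")


def audit_role(listing):
    """Compare a role listing against the required set.

    Returns (missing, extra): capabilities the role still lacks, and
    capabilities it carries beyond what File Access Manager needs.
    """
    granted = parse_allowed_capabilities(listing)
    required = set(REQUIRED_CAPABILITIES)
    return sorted(required - granted), sorted(granted - required)


# Constructed sample listing: one required capability is missing and an
# unneeded wildcard (api-*) was granted on top.
SAMPLE_LISTING = """\
Name: siq_netapp_role
Info:
Allowed Capabilities: login-http-admin,api-nfs-exportfs-list-rules,api-cifs-share-list-iter-start,api-cifs-share-list-iter-next,api-cifs-share-list-iter-end,api-cifs-share-acl-list-iter-start,api-cifs-share-acl-list-iter-next,api-cifs-share-acl-list-iter-end,api-qtree-list,api-useradmin-group-list,api-useradmin-user-list,security-api-vfiler,api-system*,api-useradmin-domainuser-list,api-fpolicy-list-info,api-fpolicy-get-policy-options,api-fpolicy-volume-list-info,api-*
"""

if __name__ == "__main__":
    for cmd in build_commands("CORP", "filer01"):
        print(cmd)
    missing, extra = audit_role(SAMPLE_LISTING)
    print("missing:", missing)   # ['api-volume-list-info']
    print("extra:", extra)       # ['api-*']
```

Run the script once per filer to produce the exact lines to paste into the console, then paste the `useradmin role list siq_netapp_role` output into `audit_role` after the change to confirm the role carries nothing beyond the required list; a non-empty `extra` result (a broad wildcard such as `api-*`, for instance) is the thing to tighten before the user goes into service.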

Internal note:

  1. https://security.netapp.com/advisory/ntap-20160915-0001/
  2. https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/