NetApp Prerequisites
Make sure your system meets the requirements below before starting the installation.
Permission Requirements
Perform the following steps to configure the permissions required for all Data Access Security tasks:
- Create a dedicated domain user for the filer (for example, DAS_). This user will be used in the application configuration.
- This user must be a member of the Backup Operators and Power Users groups on the NetApp SVM/Vserver.
- Additional setup and permissions are required for Activity Monitoring, which uses NetApp FPolicy and the NetApp ONTAP API (ONTAPI/ZEDI). These are described below.
NetApp CLI Commands for Activity Monitoring
- Create a new role for Data Access Security for the CIFS Vserver, for example das_netapp_role. Replace (v_server) with the CIFS Vserver name if you intend to use the Vserver's management interface for API access, or with the cluster name if you intend to use the cluster's management interface. The role only needs access to the fpolicy enable and disable command directories:
  security login role create -role das_netapp_role -cmddirname "vserver fpolicy enable" -vserver (v_server) -access all
  security login role create -role das_netapp_role -cmddirname "vserver fpolicy disable" -vserver (v_server) -access all
- Assign the newly created role to the domain user created for Data Access Security (the user name is case sensitive):
  security login create -vserver (v_server) -username domain\domainAccountDas -application ontapi -authmethod domain -role das_netapp_role
- If no domain tunnel is configured, run the following command. Run it only once for the cluster, not once per Vserver:
  security login domain-tunnel create -vserver (v_server)
- Execute the following commands to configure an FPolicy policy for the Vserver. Replace (v_server) with the Vserver name, (va_ip_address) with the IP address of your Activity Monitor VA, and (ssl_option) with one of no-auth, server-auth, or mutual-auth (these options are described in the Adding a NetApp Application section below):
  fpolicy policy event create -event-name das_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver (v_server) -filters first-read,first-write,open-with-delete-intent
  fpolicy policy external-engine create -vserver (v_server) -engine-name das_cifs_engine -primary-servers (va_ip_address) -port 12000 -extern-engine-type asynchronous -ssl-option (ssl_option)
  fpolicy policy create -vserver (v_server) -policy-name wbx_cifs_policy -events das_cifs_events -engine das_cifs_engine -is-mandatory false
  fpolicy policy scope create -vserver (v_server) -policy-name wbx_cifs_policy -volumes-to-include *
  fpolicy enable -vserver (v_server) -policy-name wbx_cifs_policy -sequence-number 1
Note
The policy name wbx_cifs_policy is mandatory.
If you use one of the secure communication options, see the NetApp documentation for how to set up the FPolicy external-engine component with the other ssl-option values. Additional settings to support this are described in the Adding a NetApp Application section, under Connection Details SSL Option.
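The following helper is an added example, not part of the SailPoint or NetApp documentation: it renders the ONTAP CLI sequence above from parameters, rejecting an ssl-option value or VA address the page does not allow, so the generated commands can be reviewed before being pasted into or piped to the clustershell. The Vserver name svm1, the address 10.0.0.5 and the account DOMAIN\svc_das are constructed sample values; the one-time domain-tunnel command is left out because it is per cluster, not per Vserver.

```shell
#!/bin/sh
# Added example (not SailPoint's or NetApp's code). Renders the Data Access
# Security FPolicy setup for one Vserver so it can be reviewed, then run as:
#   render_das_fpolicy_config svm1 10.0.0.5 server-auth | ssh admin@cluster-mgmt
# svm1, 10.0.0.5 and DOMAIN\svc_das are constructed sample values.

POLICY_NAME=wbx_cifs_policy   # the page states this exact name is mandatory
ENGINE_PORT=12000

# Only the three ssl-option values the page lists are accepted.
validate_ssl_option() {
  case "$1" in
    no-auth|server-auth|mutual-auth) return 0 ;;
    *) echo "invalid ssl_option '$1' (use no-auth, server-auth or mutual-auth)" >&2
       return 1 ;;
  esac
}

# Shape check for the Activity Monitor VA IPv4 address (catches a left-over placeholder).
validate_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: render_das_fpolicy_config <vserver> <va_ip_address> <ssl_option> [role] [domain_user]
# The role is deliberately limited to the fpolicy enable/disable command directories.
render_das_fpolicy_config() {
  vs=$1; va_ip=$2; ssl=$3; role=${4:-das_netapp_role}; user=${5:-'DOMAIN\svc_das'}
  validate_ssl_option "$ssl" || return 1
  validate_ipv4 "$va_ip" || { echo "invalid va_ip_address '$va_ip'" >&2; return 1; }
  cat <<EOF
security login role create -role $role -cmddirname "vserver fpolicy enable" -vserver $vs -access all
security login role create -role $role -cmddirname "vserver fpolicy disable" -vserver $vs -access all
security login create -vserver $vs -username $user -application ontapi -authmethod domain -role $role
fpolicy policy event create -event-name das_cifs_events -protocol cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -vserver $vs -filters first-read,first-write,open-with-delete-intent
fpolicy policy external-engine create -vserver $vs -engine-name das_cifs_engine -primary-servers $va_ip -port $ENGINE_PORT -extern-engine-type asynchronous -ssl-option $ssl
fpolicy policy create -vserver $vs -policy-name $POLICY_NAME -events das_cifs_events -engine das_cifs_engine -is-mandatory false
fpolicy policy scope create -vserver $vs -policy-name $POLICY_NAME -volumes-to-include *
fpolicy enable -vserver $vs -policy-name $POLICY_NAME -sequence-number 1
EOF
}
```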