NetApp Connector Overview

Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in NetApp and do the following:

  • Analyze the structure of your stored data.
  • Monitor user activity in the resources.
  • Classify the data being stored.
  • Verify user permissions on the resources, and compare them against requirements.
  • Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
  • Identity collector – collect IAM users, groups, and roles and the connections between them.

Refer to the File Access Manager documentation for a full description.

Supported Versions

  • ONTAP 7.3 7-mode and above
  • ONTAP Cluster mode 8.2 and above, including all 9.x versions.

Note

Earlier versions of ONTAP may be affected by the following:

  • Confirmed NetApp bug id 800390: Panic during SCSI compare and write. This issue is resolved in the following ONTAP versions and all later releases:

    • 7-mode 7.3 and above

    • 8.2.1P1

    • 8.2.1P2

    • 8.2.2RC1

    • 8.2.2RC2

Activity Monitor

  • SailPoint is a NetApp security alliance partner.

  • To monitor activities on a NetApp filer, File Access Manager Connector for NetApp uses the NetApp FPolicy mechanism and registers as an FPolicy server.

Permissions Collector

CIFS Shares

  • File Access Manager connects to CIFS shares using backup semantics (the SeBackup privilege, SeBackupPrivilege), which lets the collector read directory trees and ACLs that the account's own share and NTFS permissions would otherwise not grant. The account used for Permissions Collection must therefore hold this privilege on the filer.

  • During the Permissions Collection process, local groups and users are retrieved using the NetApp Ontapi Web API.

NFS Exports

  • File Access Manager connects using standard NFSv3 access to analyze UNIX-style folder permissions.

  • A NIS Identity Collector is used to resolve UIDs/GIDs permissions discovered during the Permissions Collection process.

  • The NIS Identity Collector is the only selectable option and is required.

  • Volume information is retrieved using the NetApp Ontapi web API.
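The UID/GID resolution step described above, as an added example that is not SailPoint or NetApp code: it takes NIS passwd/group maps in their standard colon-separated form (what `ypcat passwd` and `ypcat group` print), applies them to permission entries modelled as (path, st_mode, uid, gid) as an NFSv3 GETATTR would return them, and keeps entries whose ids have no NIS match instead of silently dropping them. The map contents, paths and ids are constructed.

```python
"""Resolve UIDs/GIDs collected from NFS exports against NIS passwd/group maps.

Added example; not SailPoint or NetApp code. Assumes NIS maps in the standard
colon-separated format and permission entries as (path, st_mode, uid, gid).
All inputs below are constructed.
"""
import stat
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Constructed NIS passwd map (name:passwd:uid:gid:gecos:home:shell).
NIS_PASSWD = """\
alice:x:1001:100:Alice Smith:/home/alice:/bin/bash
bob:x:1002:200:Bob Jones:/home/bob:/bin/sh
svc-backup:*:3001:300:Backup service:/var/empty:/sbin/nologin
"""

# Constructed NIS group map (name:passwd:gid:member,member).
NIS_GROUP = """\
users:*:100:alice,bob
finance:*:200:bob
backup:*:300:
"""

# Constructed permission entries. uid 0 is deliberately absent from the NIS map:
# root normally exists only in the filer's local passwd file, so a NIS-only
# identity collector reports it as unresolved.
NFS_ENTRIES = [
    ("/vol/finance", 0o040750, 1002, 200),
    ("/vol/finance/q3.xlsx", 0o100640, 1002, 200),
    ("/vol/scratch", 0o041777, 0, 0),
    ("/vol/orphan", 0o040700, 4242, 4243),  # no NIS entry for either id
]


class NisMaps(NamedTuple):
    users: Dict[int, str]           # uid -> user name
    groups: Dict[int, str]          # gid -> group name
    members: Dict[str, List[str]]   # group name -> members (explicit + primary)


class Resolved(NamedTuple):
    path: str
    owner: str              # user name, or "uid:<n>" when unresolved
    group: str              # group name, or "gid:<n>" when unresolved
    group_members: List[str]
    perms: str              # ls-style mode string, e.g. drwxr-x---
    unresolved: bool
    world_writable: bool


def parse_nis_maps(passwd_text: str, group_text: str) -> NisMaps:
    """Parse both maps; fold each user's primary group into the group membership."""
    users: Dict[int, str] = {}
    primary: Dict[int, List[str]] = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[int(uid)] = name
        primary.setdefault(int(gid), []).append(name)

    groups: Dict[int, str] = {}
    members: Dict[str, List[str]] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, member_field = line.split(":")
        groups[int(gid)] = name
        explicit = [m for m in member_field.split(",") if m]
        members[name] = sorted(set(explicit) | set(primary.get(int(gid), [])))
    return NisMaps(users, groups, members)


def resolve(entries: Iterable[Tuple[str, int, int, int]], maps: NisMaps) -> List[Resolved]:
    """Map numeric ids to names; keep entries whose ids are unknown, flagged."""
    out: List[Resolved] = []
    for path, mode, uid, gid in entries:
        owner = maps.users.get(uid)
        gname = maps.groups.get(gid)
        out.append(Resolved(
            path=path,
            owner=owner if owner is not None else f"uid:{uid}",
            group=gname if gname is not None else f"gid:{gid}",
            group_members=maps.members.get(gname, []) if gname is not None else [],
            perms=stat.filemode(mode),
            unresolved=owner is None or gname is None,
            world_writable=bool(mode & stat.S_IWOTH),
        ))
    return out


def findings(resolved: Iterable[Resolved]) -> List[str]:
    """Surface what a reviewer wants to see: unresolved ids and world-writable objects."""
    notes = []
    for r in resolved:
        if r.unresolved:
            notes.append(f"{r.path}: owner/group not in NIS ({r.owner}, {r.group})")
        if r.world_writable:
            notes.append(f"{r.path}: world-writable ({r.perms})")
    return notes


if __name__ == "__main__":
    maps = parse_nis_maps(NIS_PASSWD, NIS_GROUP)
    rows = resolve(NFS_ENTRIES, maps)
    for r in rows:
        print(f"{r.perms} {r.owner:<10} {r.group:<10} {r.path}  members={r.group_members}")
    print("\n".join(findings(rows)))
```

The point of keeping unresolved entries is the caveat a practitioner hits first: accounts that exist only in the filer's local passwd/group files (root, service accounts created on the filer) never appear in NIS, so they surface as raw ids and need a second source before the permission report is complete.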

NetApp Architecture and File Access Manager

7-mode ONTAPI NetApp

  • A 7-mode ONTAPI NetApp can work in one of two architectures: a single physical file server or multiple virtual filers hosted on the same physical machine (by using the Multistore feature).

  • The virtual architecture filers enable hosting multiple virtual file servers on a single physical machine, with all the benefits included in a virtualized environment.

  • In a physical architecture, there will be a single CIFS server configured on the NetApp. The physical filer will be represented by two Applications in File Access Manager: one for CIFS and another for NFS, each with its own set of Activity Monitor / Permissions Collector / Data Classification services.

  • For both CIFS/NFS, the File Access Manager connector will communicate directly with the CIFS server or the filer IP configured on the physical filer for registering with the FPolicy and calling the Web Ontapi API.

  • In a virtual architecture, each virtual file server is called Vfiler, and there is a CIFS server configured on every Vfiler. The name of the CIFS server does not have to match the name of the Vfiler.

  • On a Vfiler architecture, Vfiler0 is the default Vfiler. It represents the physical filer.

  • Each Vfiler is represented in File Access Manager by two Applications, one for CIFS, and another for NFS, each with its own set of Activity Monitor / Permissions Collector / Data Classification services.

  • In a virtual architecture, the FPolicy communication as well as the permissions collection and data classification go directly to the CIFS server configured on the Vfiler or the IP address configured for NFS.

  • The Ontapi API calls go to the management IP (the Vfiler0 IP), with the Vfiler name as the destination. This mechanism is called Vfiler tunneling.

  • The FPolicy communication between the Activity Monitor service and the NetApp is based on the RPC protocol, so the Activity Monitor must be installed on a server in the same Active Directory domain as the filer/Vfiler CIFS server.

  • File Access Manager can be configured to run multiple Activity Monitor services for a single NetApp application. Each Activity Monitor service implements an FPolicy server. For highly loaded environments, it is possible to install multiple Activity Monitors on different servers, which act together as a single logical Activity Monitor in File Access Manager. This architecture is aimed at increasing the number of concurrent events that the NetApp machine can handle by distributing the events between multiple FPolicy servers.

Warning

This architecture is not recommended unless instructed by File Access Manager professional services.

NetApp Cluster Mode (cDOT) on version 8.2 and above

  • On an 8.2 and above cluster mode NetApp, the architecture is the same as in a 7-mode virtual environment hosting multiple Vfilers.

  • Each virtual server on a clustered NetApp is called Vserver, and there will be a single CIFS server configured on each Vserver.

  • Each Vserver is represented in File Access Manager by two Applications, one for CIFS, and another for NFS, each with its own set of Activity Monitor/Permissions Collector/Data Classification services.

  • In a virtual architecture, the FPolicy communication, permission collection, and data classification all go directly to the CIFS server configured on the Vserver or to the IP address configured for NFS. The ONTAPI API call options are:

    • Using the cluster management IP, with the Vserver name as the destination (a mechanism called Vserver tunneling).

    • Using the Vserver management IP directly.

  • The FPolicy communication between the Activity Monitor service and the NetApp is based on XML over TCP, where the Activity Monitor acts as the server, and each of the cluster nodes acts as the client. A dedicated unique port must be configured for each Application if multiple Activity Monitor services are on the same server.

  • File Access Manager can be configured to run multiple Activity Monitor services for a single NetApp application. Each Activity Monitor service implements an FPolicy server. For highly loaded environments, it is possible to install multiple Activity Monitors on different servers, which will act together as a single logical Activity Monitor in File Access Manager. This architecture is aimed at increasing the number of concurrent events that the NetApp machine can handle by distributing the events between multiple FPolicy servers.

Warning

This architecture is not recommended unless instructed by File Access Manager professional services.
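The Vfiler and Vserver tunneling described above (management IP as the transport endpoint, the virtual server named as the destination) is visible in the ONTAPI request itself. The following is an added example, not SailPoint or NetApp code: it builds an ONTAPI (ZAPI) XML call, names the target Vserver or Vfiler in the `vfiler` attribute of the `<netapp>` root element, posts it over HTTPS to the standard `/servlet/netapp.servlets.admin.XMLrequest_filer` endpoint with verified TLS, and checks the `<results status>` before trusting the payload. The two response documents are constructed, not captured from a filer; the hostname, credentials and errno in them are placeholders.

```python
"""Build, send and parse ONTAPI (ZAPI) calls with Vserver/Vfiler tunneling.

Added example; not SailPoint or NetApp code. Assumes the standard ONTAPI
transport: HTTPS POST of an XML document to the XMLrequest_filer servlet on
the management address, with the target Vserver/Vfiler named in the `vfiler`
attribute of the <netapp> root element. Sample responses are constructed.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

ONTAPI_NS = "http://www.netapp.com/filer/admin"
ONTAPI_PATH = "/servlet/netapp.servlets.admin.XMLrequest_filer"


class OntapiError(RuntimeError):
    """Raised when <results status> is anything other than "passed"."""


def build_request(api_name: str, vserver: Optional[str] = None, **params: str) -> bytes:
    """Serialize one ONTAPI call.

    With `vserver` set the call is tunneled: it is sent to the cluster (or
    Vfiler0) management address but executed in the named Vserver/Vfiler.
    Without it the call runs in the management context itself.
    """
    root = ET.Element("netapp", {"version": "1.20", "xmlns": ONTAPI_NS})
    if vserver:
        root.set("vfiler", vserver)
    call = ET.SubElement(root, api_name)
    for key, value in params.items():
        ET.SubElement(call, key.replace("_", "-")).text = value
    return b'<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root)


def _local(tag: str) -> str:
    """Strip the ONTAPI namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_response(body: bytes) -> ET.Element:
    """Return the <results> element, or raise OntapiError if the call failed."""
    root = ET.fromstring(body)
    results = next((c for c in root if _local(c.tag) == "results"), None)
    if results is None:
        raise OntapiError("response has no <results> element")
    if results.get("status") != "passed":
        raise OntapiError(f"errno {results.get('errno')}: {results.get('reason')}")
    return results


def share_names(results: ET.Element) -> list:
    """Collect <share-name> values from a cifs-share-get-iter result."""
    return [e.text for e in results.iter() if _local(e.tag) == "share-name"]


def invoke(mgmt_host: str, user: str, password: str, api_name: str,
           vserver: Optional[str] = None, ca_file: Optional[str] = None,
           **params: str) -> ET.Element:
    """POST the call with HTTP basic auth over TLS that is actually verified."""
    ctx = ssl.create_default_context(cafile=ca_file)  # do not disable verification
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{mgmt_host}{ONTAPI_PATH}",
        data=build_request(api_name, vserver, **params),
        headers={"Content-Type": "text/xml", "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read())


# Constructed success response for a tunneled cifs-share-get-iter call.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<netapp version="1.20" xmlns="http://www.netapp.com/filer/admin">
  <results status="passed">
    <attributes-list>
      <cifs-share><share-name>finance</share-name><path>/finance</path><vserver>vs1</vserver></cifs-share>
      <cifs-share><share-name>hr</share-name><path>/hr</path><vserver>vs1</vserver></cifs-share>
    </attributes-list>
    <num-records>2</num-records>
  </results>
</netapp>"""

# Constructed failure response (errno and reason are placeholders).
SAMPLE_FAILURE = b"""<netapp version="1.20" xmlns="http://www.netapp.com/filer/admin">
  <results status="failed" errno="13001" reason="constructed: Vserver not found"/>
</netapp>"""


if __name__ == "__main__":
    print(build_request("cifs-share-get-iter", vserver="vs1", max_records="100").decode())
    print(share_names(parse_response(SAMPLE_RESPONSE)))
    # Live call against a cluster management LIF (placeholders; tunneled to vs1):
    # invoke("cluster-mgmt.example.test", "fam_ro", "secret",
    #        "cifs-share-get-iter", vserver="vs1", ca_file="ontap-ca.pem", max_records="100")
```

Two practitioner notes. First, the same request without the `vfiler` attribute, sent to the Vserver's own management LIF, is the second option listed above; the tunneled form is the one that needs cluster-scoped credentials, so give that account a read-only ONTAPI role rather than cluster admin. Second, a call that fails comes back as a well-formed document with `status="failed"`, not as an HTTP error, which is why `parse_response` checks the status before anything reads the payload.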

NetApp Installation Flow Overview

To install the NetApp connector:

  1. Configure all the prerequisites.

  2. Add a new NetApp application in the Business Website.

  3. Install the relevant services:

    • Activity Monitor: This is the activity collection engine, used by all connectors that support activity monitoring.

    • Permissions Collector: If you are using EC2 login, the collector should be installed on the EC2 instance.

    • Data Classification Collector

Important

Installing the Permissions Collector and Data Classification services is optional and should only be done by someone with a full understanding of the File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.