
Summary



If the customer does not want to use the user "vsadmin", which is the default and recommended account, they can follow the steps below to set up users and roles on the NetApp Data SVM using the commands listed. These commands have been tested and verified on NetApp Clustered Data ONTAP 8.2 and 8.3. Some of these commands may not work on earlier or later versions.

Step By Step



Open an SSH session to the NetApp CDOT system in question and paste in the following commands, replacing the placeholders <vSERVERNAME>, <ROLENAME> and <USERNAME> with your own values:


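Create a Role

Each command below sets the role's access level (none, readonly or all) for one command directory. Review the list against what the integration actually needs before applying it.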

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "antivirus " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "antivirus on-access " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "antivirus on-demand " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "antivirus remedy " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "antivirus update " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "dashboard health vserver " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "df " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "event generate-autosupport-log " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "job " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "job schedule " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "job schedule cron " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "job schedule interval " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "lun " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network connections " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network connections active show-clients " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network connections active show-protocols" -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network connections active show-services " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network interface " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network interface failover-groups " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "network routing-groups " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security certificate " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security certificate file show " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security login password " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security login publickey " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security login role show-ontapi " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security login role show-user-capability " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "security ssl " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "set " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "snapmirror " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics catalog " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics samples delete " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics samples show " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics show " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics show-periodic " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics start " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "statistics stop " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "timezone " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "version " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "volume " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "volume copy " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "volume efficiency " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "volume move " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver " -access readonly

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver audit " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver cifs " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver data-policy " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver export-policy " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver fcp " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver fpolicy " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver iscsi " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver locks " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver name-mapping " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver nfs " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver security file-directory " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver security trace filter " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver security trace trace-result " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver services " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver services kerberos-realm " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver services ndmp " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver services web " -access none

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver smtape " -access all

security login role create -vserver <vSERVERNAME> -role <ROLENAME> "vserver smtape break " -access all

Create a User Account and Assign a Role to a User

security login create -vserver <vSERVERNAME> -username <USERNAME> -application ssh -authmethod password -role <ROLENAME>

security login create -vserver <vSERVERNAME> -username <USERNAME> -application ontapi -authmethod password -role <ROLENAME>

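Delete a User and a Role

The `*` wildcard in the commands below matches every application entry of the user and every command-directory entry of the role, so confirm the user and role names before running them.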

security login delete -vserver <vSERVERNAME> -username <USERNAME> -application *

security login role delete -vserver <vSERVERNAME> -role <ROLENAME> -cmddirname *