
Configure ONTAP permissions for NetApp Disaster Recovery

Contributors netapp-ahibbard

When using NetApp Disaster Recovery, make sure the correct permissions are configured in ONTAP so that the service functions properly.

Minimum ONTAP permissions

The following ONTAP permissions are required with Disaster Recovery:

API                                   Access level
/api                                  Read-only
/api/application/applications         Read/write
/api/application/consistency-groups   Read/write
/api/cluster                          Read-only
/api/cluster/jobs                     Read-only
/api/cluster/peers                    Read/create/modify
/api/cluster/schedules                Read/create
/api/network/ip/interfaces            Read-only
/api/network/ipspaces                 Read-only
/api/protocols/cifs/services          Read/write
/api/protocols/nfs/export-policies    Read/write
/api/protocols/nfs/services           Read-only
/api/protocols/san/igroups            Read/write
/api/protocols/san/iscsi/sessions     Read-only
/api/protocols/san/lun-maps           Read/write
/api/security/certificates            Read-only
/api/snapmirror/policies              Read/create/modify
/api/snapmirror/relationships         Read/write
/api/storage/aggregates               Read-only
/api/storage/file/clone               Read/create
/api/storage/flexcache/flexcaches     Read/create
/api/storage/luns                     Read/write
/api/storage/qtrees                   Read/modify
/api/storage/snapshot-policies        Read-only
/api/storage/volumes                  Read/write
/api/svm/peers                        Read/create/modify
/api/svm/svms                         Read-only

Add permissions in ONTAP

Adding permissions in ONTAP requires creating a role with the required permissions and assigning the role to a user. You can perform this task in ONTAP using System Manager or the ONTAP CLI.

System Manager

You must perform this process separately for the source and destination clusters.

Create the role
  1. Log into the ONTAP cluster with the administrator credentials.

  2. Navigate to Cluster > Settings.

  3. Under Security, select Users and roles.

  4. Select + Add to create a new role.

  5. Enter the Role name. Assign the REST API path, Secondary path, and Access level per the table.

  6. After adding all the required permissions, select Add.

Assign the role to a user
  1. Return to the Users and roles section.

  2. In Users, select Add.

  3. Enter a User name then select the Role you previously created.

  4. Under User Login Methods, click Add until all required login methods are configured.

  5. Create a Password for the user then confirm the password.

  6. Select Save.

CLI

To create a role and user in ONTAP, you must be authenticated in the CLI for the appropriate ONTAP cluster using administrator credentials. You must perform this process separately for the source and destination clusters.

Create the role with required privileges
  1. Run the command security login rest-role create -role <rolename> -api <api> -access <access> to create a role with the required permissions. You can copy the full set of commands to use in a script that will create the role dr_privileges.

    security login rest-role create -role dr_privileges -api /api -access readonly
    security login rest-role create -role dr_privileges -api /api/application/applications -access all
    security login rest-role create -role dr_privileges -api /api/application/consistency-groups -access all
    security login rest-role create -role dr_privileges -api /api/cluster -access readonly
    security login rest-role create -role dr_privileges -api /api/cluster/jobs -access readonly
    security login rest-role create -role dr_privileges -api /api/cluster/peers -access read_create_modify
    security login rest-role create -role dr_privileges -api /api/cluster/schedules -access read_create
    security login rest-role create -role dr_privileges -api /api/network/ip/interfaces -access readonly
    security login rest-role create -role dr_privileges -api /api/network/ipspaces -access readonly
    security login rest-role create -role dr_privileges -api /api/protocols/cifs/services -access all
    security login rest-role create -role dr_privileges -api /api/protocols/nfs/export-policies -access all
    security login rest-role create -role dr_privileges -api /api/protocols/nfs/services -access readonly
    security login rest-role create -role dr_privileges -api /api/protocols/san/igroups -access all
    security login rest-role create -role dr_privileges -api /api/protocols/san/iscsi/sessions -access readonly
    security login rest-role create -role dr_privileges -api /api/protocols/san/lun-maps -access all
    security login rest-role create -role dr_privileges -api /api/security/certificates -access readonly
    security login rest-role create -role dr_privileges -api /api/snapmirror/policies -access read_create_modify
    security login rest-role create -role dr_privileges -api /api/snapmirror/relationships -access all
    security login rest-role create -role dr_privileges -api /api/storage/aggregates -access readonly
    security login rest-role create -role dr_privileges -api /api/storage/file/clone -access read_create
    security login rest-role create -role dr_privileges -api /api/storage/flexcache/flexcaches -access read_create
    security login rest-role create -role dr_privileges -api /api/storage/luns -access all
    security login rest-role create -role dr_privileges -api /api/storage/qtrees -access read_modify
    security login rest-role create -role dr_privileges -api /api/storage/snapshot-policies -access readonly
    security login rest-role create -role dr_privileges -api /api/storage/volumes -access all
    security login rest-role create -role dr_privileges -api /api/svm/peers -access read_create_modify
    security login rest-role create -role dr_privileges -api /api/svm/svms -access readonly

Create the user
  1. Run the following command to create the user:

    security login create -vserver <SVM> -user-or-group-name <user-name> -application amqp -authentication-method password -role <role-name>

    When prompted, enter a password for the user.

  2. Run the following commands to add all required authentication methods:

    security login create -vserver <SVM> -user-or-group-name <user-name> -application amqp -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application console -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application http -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application ontapi -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application rsh -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application ssh -authentication-method password -role <role-name>
    
    security login create -vserver <SVM> -user-or-group-name <user-name> -application telnet -authentication-method password -role <role-name>
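To verify that the role created on each cluster actually matches the table above, and grants nothing beyond it, the following Python check is an added example, not NetApp's code. It assumes the ONTAP REST endpoint GET /api/security/roles?name=<role>&fields=privileges returns the role's privileges as path/access pairs; `sample_privileges` is a constructed role for an offline run.

```python
import base64
import json
import urllib.request

# Minimum privileges, transcribed from the role-creation commands on this page.
REQUIRED = {path: access for access, paths in {
    "readonly": ["/api", "/api/cluster", "/api/cluster/jobs", "/api/network/ip/interfaces",
                 "/api/network/ipspaces", "/api/protocols/nfs/services",
                 "/api/protocols/san/iscsi/sessions", "/api/security/certificates",
                 "/api/storage/aggregates", "/api/storage/snapshot-policies", "/api/svm/svms"],
    "all": ["/api/application/applications", "/api/application/consistency-groups",
            "/api/protocols/cifs/services", "/api/protocols/nfs/export-policies",
            "/api/protocols/san/igroups", "/api/protocols/san/lun-maps",
            "/api/snapmirror/relationships", "/api/storage/luns", "/api/storage/volumes"],
    "read_create_modify": ["/api/cluster/peers", "/api/snapmirror/policies", "/api/svm/peers"],
    "read_create": ["/api/cluster/schedules", "/api/storage/file/clone",
                    "/api/storage/flexcache/flexcaches"],
    "read_modify": ["/api/storage/qtrees"],
}.items() for path in paths}

# Operations each ONTAP access level grants, compared as sets because read_create
# and read_modify are not ordered relative to each other.
OPS = {"none": set(), "readonly": {"read"}, "read_create": {"read", "create"},
       "read_modify": {"read", "modify"}, "read_create_modify": {"read", "create", "modify"},
       "all": {"read", "create", "modify", "delete"}}

def audit_role(privileges):
    """Return (missing, insufficient, excess) paths for a role's [{"path", "access"}] entries.
    Comparison is literal per path; ONTAP's inheritance from a parent path is not modeled."""
    granted = {p["path"]: p.get("access", "none") for p in privileges}
    missing = sorted(set(REQUIRED) - set(granted))
    insufficient = sorted(p for p, need in REQUIRED.items()
                          if p in granted and not OPS[need] <= OPS[granted[p]])
    excess = sorted(p for p, have in granted.items()
                    if p not in REQUIRED or OPS[have] - OPS[REQUIRED[p]])
    return missing, insufficient, excess

def fetch_privileges(host, role, user, password):
    """Read the role over the REST API (endpoint shape assumed: /api/security/roles?name=&fields=)."""
    req = urllib.request.Request(f"https://{host}/api/security/roles?name={role}&fields=privileges")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode())
    with urllib.request.urlopen(req) as resp:  # default SSL context verifies the cluster certificate
        return [p for r in json.load(resp)["records"] for p in r.get("privileges", [])]

def sample_privileges():
    """Constructed role for an offline run: one path missing, one too weak, one not needed."""
    privs = {p: a for p, a in REQUIRED.items() if p != "/api/storage/qtrees"}
    privs["/api/cluster/peers"] = "readonly"  # weaker than the required read_create_modify
    privs["/api/security/accounts"] = "all"   # not in the DR table at all
    return [{"path": p, "access": a} for p, a in privs.items()]
```

Run `audit_role(fetch_privileges(host, "dr_privileges", user, password))` against each cluster; a non-empty excess list means the role grants more than the table requires.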

Configure Disaster Recovery

After creating the ONTAP roles and users, discover the ONTAP cluster in the Console. Discovery requires the IP address of the ONTAP cluster together with the name and password of the user you created. For Disaster Recovery, you must discover both the source and destination clusters.