Creating a NetApp Data Availability Services administrator custom role

Contributors: netapp-aherbin, netapp-forry

You can optionally create a role that grants NetApp Data Availability Services administrators only those privileges needed for cloud backup and recovery. You can do so if it is not necessary or desirable for the NetApp Data Availability Services administrator to have full cluster privileges.

Before you begin

You must have cluster admin privileges to create custom roles.

About this task

When NetApp Data Availability Services is registered with an ONTAP secondary (target) cluster, the NetApp Data Availability Services user must enter authentication information to allow the app to perform required operations on the cluster. The app user can authenticate as the cluster administrator with full cluster privileges. Alternatively, a custom role can be created for the app user, granting only those privileges required for cloud backup and recovery.

Permission to perform the following operations on the peered clusters is required:

Commands (command directories)

cluster identity
cluster peer
job
job schedule
snapmirror
volume
volume snapshot
vserver
vserver peer

Applications

http
ontapi
service processor
ssh

Custom roles must be created on the ONTAP secondary cluster and on any primary (source) cluster peered to it. The roles must also be created on peered clusters whenever a new target is added.

The commands for role creation are cluster-wide and should only be entered once per cluster.

Steps
  1. Log in to the secondary cluster containing the SnapMirror destination (target) volume.

  2. Find the name of the admin SVM:

    vserver show -fields type

    The admin SVM is shown in the display as Type admin. This is the value you use for admin_vserver in subsequent commands.

    Example

    Vserver  Type
    -------  -----
    vs1      data
    vs2      data
    cl2      admin

  3. Create roles for the secondary cluster:

    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "cluster identity" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "cluster peer" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "job" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "job schedule" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "snapmirror" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "volume" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "vserver" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "vserver peer" -access readonly

  4. Verify the role has the proper settings:

    security login role show ndas_secondary

  5. Create a login for the corresponding role:

    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application console -authentication-method password -role ndas_secondary
    Enter and confirm your password when prompted.

  6. Create logins for other required applications:

    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application http -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ontapi -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application service-processor -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ssh -authentication-method password -role ndas_secondary

  7. Verify the login using ssh from a different system.

    After receiving the message "This is your first recorded login", the login can be used for the NetApp Data Availability Services app.

  8. Log in to the primary cluster containing the SnapMirror source volume.

  9. Find the name of the admin SVM:

    vserver show -fields type

  10. Create roles for the primary cluster:

    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "cluster identity" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "job" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "job schedule" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "snapmirror" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "volume" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "volume snapshot" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "vserver" -access readonly

  11. Verify that the new role has the proper settings:

    security login role show ndas_primary

  12. Create a login for the corresponding role:

    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application console -authentication-method password -role ndas_primary
    Enter and confirm your password when prompted.

  13. Create logins for other required applications:

    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application http -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ontapi -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application service-processor -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ssh -authentication-method password -role ndas_primary

  14. Verify the login using ssh from a different system.

    After receiving the message "This is your first recorded login", the login can be used for the NetApp Data Availability Services app.
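As an added check for the verification steps (4 and 11), not part of the NetApp documentation: this Python script compares the output of security login role show against the privilege table given in the role-creation steps and reports directories that are missing, carry the wrong access level, or were never part of the table. The sample output is constructed and only approximates ONTAP's column layout; the parser assumes the role name is the second column, the access level the last, and the Query column empty.

```python
"""Audit an ONTAP custom role against the privilege table on this page."""
from typing import Dict, List

# Access level each command directory should carry, taken from the role-creation steps.
EXPECTED = {
    "ndas_secondary": {"cluster identity": "readonly", "cluster peer": "readonly",
                       "job": "readonly", "job schedule": "all", "snapmirror": "all",
                       "volume": "all", "vserver": "readonly", "vserver peer": "readonly"},
    "ndas_primary": {"cluster identity": "readonly", "job": "readonly",
                     "job schedule": "all", "snapmirror": "all", "volume": "readonly",
                     "volume snapshot": "all", "vserver": "readonly"},
}

# Constructed sample of 'security login role show ndas_secondary' output; the
# layout approximates ONTAP's table (vserver, role, directory, query, access).
SAMPLE_OUTPUT = """\
           Role            Command/                          Access
Vserver    Name            Directory                  Query  Level
---------- --------------- -------------------------- ------ --------
cl2        ndas_secondary  cluster identity                  readonly
cl2        ndas_secondary  cluster peer                      readonly
cl2        ndas_secondary  job                               readonly
cl2        ndas_secondary  job schedule                      all
cl2        ndas_secondary  snapmirror                        all
cl2        ndas_secondary  volume                            all
cl2        ndas_secondary  vserver                           all
7 entries were displayed.
"""

def parse_role_show(output: str, role: str) -> Dict[str, str]:
    """Map command directory -> access level for rows whose second column is `role`;
    the access level is the last token and the directory is everything in between."""
    rows: Dict[str, str] = {}
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[1] == role:
            rows[" ".join(tokens[2:-1])] = tokens[-1]
    return rows

def audit_role(output: str, role: str) -> List[str]:
    """Return deviations from the expected table; an empty list means compliant."""
    expected, actual = EXPECTED[role], parse_role_show(output, role)
    findings = [f"missing: {d} (expected {lvl})" for d, lvl in expected.items() if d not in actual]
    findings += [f"wrong access: {d} is {actual[d]}, expected {lvl}"
                 for d, lvl in expected.items() if d in actual and actual[d] != lvl]
    findings += [f"unexpected: {d} ({lvl})" for d, lvl in actual.items() if d not in expected]
    return findings
```

Run audit_role on the captured output of each cluster's role show command; for the constructed sample it reports that vserver peer is missing and that vserver was granted all instead of readonly.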

A NetApp Data Availability Services administrator can now use the new logins to authenticate with ONTAP clusters when registering new targets.

For more information, see Defining custom roles