Limit access to SVM volume operations
You can define a role to restrict storage volume administration within an SVM.
A traditional role is created first to allow the major volume administration functions except cloning. The role is defined with the following characteristics:
- Able to perform volume CRUD operations (get, create, modify, and delete). Note that the example request body in step 1 grants only the "volume create" and "volume delete" command directories; if the role must also cover get and modify, add the matching volume command paths (for example "volume show" and "volume modify") to the privileges array.
- Cannot create a volume clone, because no "volume clone" privilege is granted.
You can then update the role as needed. In this workflow, the second step adds the "volume clone" privilege to the existing role so that a user assigned the role can create volume clones.
Step 1: Create the role
You can issue an API call to create the RBAC role.
This REST API call uses the following method and endpoint.
HTTP method | Path
---|---
POST | /api/security/roles
curl --request POST \
--location "https://$FQDN_IP/api/security/roles" \
--include \
--header "Accept: */*" \
--header "Authorization: Basic $BASIC_AUTH" \
--data @JSONinput
{
  "name": "role1",
  "owner": {
    "name": "cluster-1",
    "uuid": "852d96be-f17c-11ec-9d19-005056bbad91"
  },
  "privileges": [
    { "path": "volume create", "access": "all" },
    { "path": "volume delete", "access": "all" }
  ]
}
Step 2: Update the role
You can issue an API call to update the existing role.
This REST API call uses the following method and endpoint.
HTTP method | Path
---|---
POST | /api/security/roles/{owner.uuid}/{name}/privileges
In addition to the parameters common with all REST API calls, the following parameters are also used in the curl example in this step.
Parameter | Type | Required | Description
---|---|---|---
$SVM_ID | Path | Yes | The UUID of the SVM that owns the role. It is the same value supplied as owner.uuid when the role was created in step 1.
$ROLE_NAME | Path | Yes | The name of the role within the SVM to be updated.
curl --request POST \
--location "https://$FQDN_IP/api/security/roles/$SVM_ID/$ROLE_NAME/privileges" \
--include \
--header "Accept: */*" \
--header "Authorization: Basic $BASIC_AUTH" \
--data @JSONinput
{
  "path": "volume clone",
  "access": "all"
}
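The two steps above, driven from a script, as an added example that is not part of the original page or of NetApp's own tooling. It issues the same two POST calls (create the role with create/delete only, then add the "volume clone" privilege) and adds a verification step the page does not describe: it reads the role's privileges back with a GET on the same privileges endpoint and reports anything missing or anything granted beyond the intended set, which is the least-privilege check worth running after editing a role. Assumptions: the environment variable names FQDN_IP, ONTAP_USER, ONTAP_PASS, SVM_NAME and SVM_UUID are chosen for this example; the read-back response lists privileges under a "records" array, as ONTAP collection responses do; and the HTTP transport is injectable so the logic can be exercised offline against a fake cluster.

```python
"""Create a volume-administration role, add the clone privilege, verify."""
import base64
import json
import os
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ROLES_PATH = "/api/security/roles"

# Privileges the page grants in step 1 and the one it adds in step 2.
STEP1_PRIVILEGES = [("volume create", "all"), ("volume delete", "all")]
STEP2_PRIVILEGE = ("volume clone", "all")

# send(method, url, headers, body) -> (http_status, response_bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def roles_url(fqdn: str) -> str:
    return f"https://{fqdn}{ROLES_PATH}"


def privileges_url(fqdn: str, owner_uuid: str, role_name: str) -> str:
    # owner_uuid is the SVM UUID given as owner.uuid when the role was created.
    return f"https://{fqdn}{ROLES_PATH}/{owner_uuid}/{role_name}/privileges"


def role_body(name: str, owner_name: str, owner_uuid: str,
              privileges: List[Tuple[str, str]]) -> dict:
    return {
        "name": name,
        "owner": {"name": owner_name, "uuid": owner_uuid},
        "privileges": [{"path": p, "access": a} for p, a in privileges],
    }


def basic_auth_header(user: str, password: str) -> str:
    # Same value the page passes as $BASIC_AUTH; only ever send it over TLS.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def missing_privileges(granted: List[dict], required: List[str]) -> List[str]:
    """Required paths that are not granted with access 'all'."""
    have = {p.get("path") for p in granted if p.get("access") == "all"}
    return [path for path in required if path not in have]


def unexpected_privileges(granted: List[dict], required: List[str]) -> List[str]:
    """Granted paths outside the intended set (least-privilege check)."""
    return sorted({p.get("path") for p in granted} - set(required))


def urllib_transport(verify_tls: bool = True) -> Transport:
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab clusters with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read()
    return send


def run_workflow(fqdn: str, auth_header: str, owner_name: str, owner_uuid: str,
                 role_name: str, send: Transport) -> dict:
    headers = {"Accept": "*/*", "Content-Type": "application/json",
               "Authorization": auth_header}
    required = [p for p, _ in STEP1_PRIVILEGES] + [STEP2_PRIVILEGE[0]]

    # Step 1: create the role with create/delete only.
    body = role_body(role_name, owner_name, owner_uuid, STEP1_PRIVILEGES)
    status, _ = send("POST", roles_url(fqdn), headers, json.dumps(body).encode())
    if status not in (200, 201, 202):
        raise RuntimeError(f"role create failed: HTTP {status}")

    # Step 2: add the clone privilege to the existing role.
    priv = {"path": STEP2_PRIVILEGE[0], "access": STEP2_PRIVILEGE[1]}
    url = privileges_url(fqdn, owner_uuid, role_name)
    status, _ = send("POST", url, headers, json.dumps(priv).encode())
    if status not in (200, 201, 202):
        raise RuntimeError(f"privilege add failed: HTTP {status}")

    # Verification (added step): read the privileges back and compare.
    status, raw = send("GET", url, headers, None)
    if status != 200:
        raise RuntimeError(f"privilege read-back failed: HTTP {status}")
    granted = json.loads(raw).get("records", [])  # assumed collection shape
    return {"missing": missing_privileges(granted, required),
            "unexpected": unexpected_privileges(granted, required)}


if __name__ == "__main__":
    # Real run against a cluster; the environment variable names are assumed.
    result = run_workflow(
        os.environ["FQDN_IP"],
        basic_auth_header(os.environ["ONTAP_USER"], os.environ["ONTAP_PASS"]),
        os.environ.get("SVM_NAME", "cluster-1"), os.environ["SVM_UUID"], "role1",
        urllib_transport(verify_tls=os.environ.get("INSECURE") != "1"))
    print(json.dumps(result))
```

A non-empty "unexpected" list after the run means the role carries privileges beyond create, delete and clone, which is exactly the drift an SVM-scoped role is meant to prevent; a non-empty "missing" list means one of the two POST calls did not take effect even though it returned a success status.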