Set role-based access control capabilities and roles
After you enable role-based access control (RBAC) for SnapManager using SnapDrive, you can add RBAC capabilities and users to roles to perform SnapManager operations.
What you'll need
You must create a group in the Data Fabric Manager server and add the group to both primary and secondary storage systems. Run the following commands:
- dfm group create smsap_grp
- dfm group add smsap_grp primary_storage_system
- dfm group add smsap_grp secondary_storage_system
About this task
You can use either the Operations Manager web interface or the Data Fabric Manager server command-line interface (CLI) to modify RBAC capabilities and roles.
The table lists the RBAC capabilities required to perform SnapManager operations:
| SnapManager operations | RBAC capabilities required when data protection is not enabled | RBAC capabilities required when data protection is enabled |
|---|---|---|
| Profile create or profile update | SD.Storage.Read (smsap_grp) | SD.Storage.Read (SMSAP |
| Profile protection | DFM.Database.Write (smsap_grp)<br>SD.Storage.Read (smsap_grp)<br>SD.Config.Read (smsap_grp)<br>SD.Config.Write (smsap_grp)<br>SD.Config.Delete (smsap_grp)<br>GlobalDataProtection | None |
| Backup create | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Write (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Delete (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Write (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Delete (SMSAP |
| Backup create (with DBverify) | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Write (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Delete (smsap_grp)<br>SD.SnapShot.Clone (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Write (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Delete (SMSAP<br>SD.SnapShot.Clone (SMSAP |
| Backup create (with RMAN) | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Write (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Delete (smsap_grp)<br>SD.SnapShot.Clone (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Write (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Delete (SMSAP<br>SD.SnapShot.Clone (SMSAP |
| Backup restore | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Write (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Delete (smsap_grp)<br>SD.SnapShot.Clone (smsap_grp)<br>SD.Snapshot.Restore (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Write (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Delete (SMSAP<br>SD.SnapShot.Clone (SMSAP<br>SD.Snapshot.Restore (SMSAP |
| Backup delete | SD.Snapshot.Delete (smsap_grp) | SD.Snapshot.Delete (SMSAP |
| Backup verify | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Clone (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Clone (SMSAP |
| Backup mount | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.Snapshot.Clone (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.Snapshot.Clone (SMSAP |
| Backup unmount | SD.Snapshot.Clone (smsap_grp) | SD.Snapshot.Clone (SMSAP |
| Clone create | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.SnapShot.Clone (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.SnapShot.Clone (SMSAP |
| Clone delete | SD.Snapshot.Clone (smsap_grp) | SD.Snapshot.Clone (SMSAP |
| Clone split | SD.Storage.Read (smsap_grp)<br>SD.Snapshot.Read (smsap_grp)<br>SD.SnapShot.Clone (smsap_grp)<br>SD.Snapshot.Delete (smsap_grp)<br>SD.Storage.Write (smsap_grp) | SD.Storage.Read (SMSAP<br>SD.Snapshot.Read (SMSAP<br>SD.SnapShot.Clone (SMSAP<br>SD.Snapshot.Delete (SMSAP<br>SD.Storage.Write (SMSAP |
For details about defining RBAC capabilities, see the OnCommand Unified Manager Operations Manager Administration Guide.
1. Access the Operations Manager console.
2. From the Setup menu, select Roles.
3. Select an existing role or create a new one.
4. To assign operations to your database storage resources, click Add capabilities.
5. On the Edit Role Settings page, to save your changes to the role, click Update.
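A least-privilege check for a role built with these steps, added here as an example and not taken from NetApp's documentation or tooling: it derives the capabilities a role needs from the table's "data protection is not enabled" column and reports what the role is missing or holds in excess. The lowercase operation keys, the function names and the sample role are constructed for illustration, and every capability is assumed to be scoped to smsap_grp.

```python
# Capabilities per SnapManager operation, copied from the table on this page
# (column: data protection not enabled; resource assumed to be smsap_grp).
SNAP_RW = {"SD.Storage.Read", "SD.Snapshot.Write", "SD.Snapshot.Read",
           "SD.Snapshot.Delete"}
READ_CLONE = {"SD.Storage.Read", "SD.Snapshot.Read", "SD.Snapshot.Clone"}

REQUIRED = {
    "profile create": {"SD.Storage.Read"},
    "profile protection": {"DFM.Database.Write", "SD.Storage.Read",
                           "SD.Config.Read", "SD.Config.Write",
                           "SD.Config.Delete", "GlobalDataProtection"},
    "backup create": SNAP_RW,
    "backup create (with dbverify)": SNAP_RW | {"SD.SnapShot.Clone"},
    "backup create (with rman)": SNAP_RW | {"SD.SnapShot.Clone"},
    "backup restore": SNAP_RW | {"SD.SnapShot.Clone", "SD.Snapshot.Restore"},
    "backup delete": {"SD.Snapshot.Delete"},
    "backup verify": READ_CLONE,
    "backup mount": READ_CLONE,
    "backup unmount": {"SD.Snapshot.Clone"},
    "clone create": READ_CLONE,
    "clone delete": {"SD.Snapshot.Clone"},
    "clone split": READ_CLONE | {"SD.Snapshot.Delete", "SD.Storage.Write"},
}

def fold(caps):
    """Case-fold names; the table spells the clone capability two ways."""
    return {c.strip().casefold() for c in caps}

def audit_role(granted, operations):
    """Return (missing, excess) case-folded capabilities for the operations."""
    unknown = [op for op in operations if op not in REQUIRED]
    if unknown:
        raise ValueError(f"operation not in table: {unknown}")
    needed = set().union(*(fold(REQUIRED[op]) for op in operations))
    have = fold(granted)
    return sorted(needed - have), sorted(have - needed)

if __name__ == "__main__":
    # Constructed sample: a backup-operator role that was granted too much.
    granted = ["SD.Storage.Read", "SD.Snapshot.Write", "SD.Snapshot.Read",
               "SD.Snapshot.Delete", "SD.SnapShot.Clone",
               "SD.Snapshot.Restore", "SD.Storage.Write"]
    missing, excess = audit_role(
        granted, ["backup create", "backup delete", "backup mount"])
    print("missing:", missing)
    print("excess: ", excess)
```

Any capability reported as excess is a candidate for removal from the role on the Edit Role Settings page.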