
What NetApp Cluster Mode permissions are required by Storage Resource Monitor

Last updated: July 16, 2018

The following permissions are needed for Storage Resource Monitor to gather data from NetApp Cluster mode storage devices. NetApp Cluster mode permissions are set on CLI commands, so each API is granted through the CLI command that produces the same result. Each user used for monitoring must be assigned to a role with all required capabilities.

These API capabilities are required for Cluster Mode. Because permissions are set on the CLI commands that display the particular data, the table below also shows the command names. These are used to assign permission to the specific API.

| API Name | Related CLI command |
| --- | --- |
| aggr-get-iter | storage aggregate show |
| cifs-server-get-iter | vserver cifs show |
| cifs-share-get-iter | vserver cifs share show |
| cluster-identity-get | cluster identity show |
| diagnosis-status-get | system health status show |
| fcp-initiator-get-iter | vserver fcp initiator show |
| fcp-interface-get-iter | vserver fcp interface show |
| igroup-get-iter | lun igroup show |
| iscsi-initiator-get-iter | vserver iscsi initiator show |
| iscsi-service-get-iter | vserver iscsi show |
| lun-get-iter | lun show |
| lun-map-get-iter | lun mapped show |
| net-interface-get-iter | network interface show |
| nfs-exportfs-list-rules-2 | vserver export-policy show |
| perf-object-get-instances | statistics show |
| quota-report-iter | volume quota report |
| storage-disk-get-iter | storage disk show |
| system-get-vendor-info | system node autosupport show |
| system-get-version | version |
| volume-get-iter | volume show |
| vserver-get-iter | vserver show |
| license-list-info | system license show |
| license-v2-list-info | system license show |

Log in to the NetApp CLI and use the following steps to create a read-only user with sufficient privileges for monitoring the device in SRM.

Required steps summary

  1. Create a new role and assign the specific command privileges under the readonly access level.
  2. Create a monitoring user and assign it to the readonly role.

Detailed steps

  1. Create a new role and assign the specific command privileges under the readonly access level:

    security login role create -role testrole -cmddirname "security login role show-ontapi" -access readonly

    To verify that the role has a permission assigned, run security login role show -role testrole

    To assign all permissions listed above, you can copy and paste the following text:

    security login role create -role testrole -cmddirname "storage aggregate show" -access readonly

    security login role create -role testrole -cmddirname "vserver cifs show" -access readonly

    security login role create -role testrole -cmddirname "vserver cifs share show" -access readonly

    security login role create -role testrole -cmddirname "cluster identity show" -access readonly

    security login role create -role testrole -cmddirname "system health status show" -access readonly

    security login role create -role testrole -cmddirname "vserver fcp initiator show" -access readonly

    security login role create -role testrole -cmddirname "vserver fcp interface show" -access readonly

    security login role create -role testrole -cmddirname "lun igroup show" -access readonly

    security login role create -role testrole -cmddirname "vserver iscsi initiator show" -access readonly

    security login role create -role testrole -cmddirname "vserver iscsi show" -access readonly

    security login role create -role testrole -cmddirname "lun show" -access readonly

    security login role create -role testrole -cmddirname "lun mapped show" -access readonly

    security login role create -role testrole -cmddirname "network interface show" -access readonly

    security login role create -role testrole -cmddirname "vserver export-policy show" -access readonly

    security login role create -role testrole -cmddirname "statistics show" -access readonly

    security login role create -role testrole -cmddirname "volume quota report" -access readonly

    security login role create -role testrole -cmddirname "storage disk show" -access readonly

    security login role create -role testrole -cmddirname "system node autosupport show" -access readonly

    security login role create -role testrole -cmddirname "version" -access readonly

    security login role create -role testrole -cmddirname "volume show" -access readonly

    security login role create -role testrole -cmddirname "vserver show" -access readonly

    security login role create -role testrole -cmddirname "system license show" -access readonly

     

    These commands might produce warnings that they will affect other permissions. These warnings can be ignored.

  2. Create the monitoring user from the role:

    security login create -role readonly -username test -application ontapi -authmethod password

Example

lab-netapp814-clus::> security login create -role readonly -username test -application ontapi -authmethod password

Please enter a password for user 'test':

Please enter it again:

If you change the permissions, you must assign the user to the role again.
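A pre-apply check for the role commands in step 1, added here as an example and not part of the original article: it parses a pasted block of `security login role create` lines and reports required command directories that are missing, directories that are not in the article's first table, and any grant whose access level is not `readonly`. The function name `audit_role_script` and the sample script are constructed for illustration.

```python
import shlex

# CLI command directories from the article's first table (base SRM polling).
REQUIRED = {
    "storage aggregate show", "vserver cifs show", "vserver cifs share show",
    "cluster identity show", "system health status show",
    "vserver fcp initiator show", "vserver fcp interface show",
    "lun igroup show", "vserver iscsi initiator show", "vserver iscsi show",
    "lun show", "lun mapped show", "network interface show",
    "vserver export-policy show", "statistics show", "volume quota report",
    "storage disk show", "system node autosupport show", "version",
    "volume show", "vserver show", "system license show",
}
# The first command in step 1 also grants this directory.
ALLOWED_EXTRA = {"security login role show-ontapi"}


def audit_role_script(text, role):
    """Return (missing, unexpected, not_readonly) for one role's create lines."""
    granted = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps the quoted -cmddirname as one token
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue
        opts = dict(zip(tokens[4::2], tokens[5::2]))  # -flag value pairs
        if opts.get("-role") != role or "-cmddirname" not in opts:
            continue
        granted[opts["-cmddirname"]] = opts.get("-access")
    missing = sorted(REQUIRED - set(granted))
    unexpected = sorted(set(granted) - REQUIRED - ALLOWED_EXTRA)
    not_readonly = sorted(c for c, a in granted.items() if a != "readonly")
    return missing, unexpected, not_readonly


# Constructed sample: the article's commands with one omitted ("statistics show"),
# one widened to "all" ("lun show") and one extra directory ("volume").
SAMPLE = "\n".join(
    f'security login role create -role testrole -cmddirname "{c}" -access readonly'
    for c in sorted(REQUIRED - {"statistics show", "lun show"})
) + '''
security login role create -role testrole -cmddirname "lun show" -access all
security login role create -role testrole -cmddirname "volume" -access all
'''

if __name__ == "__main__":
    for label, items in zip(("missing", "unexpected", "not readonly"),
                            audit_role_script(SAMPLE, "testrole")):
        print(f"{label}: {items}")
```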

CLI commands for Hardware Health polling

NetApp HWH is supported for NetApp Cluster-Mode ONTAP version 9.3 and higher.

The following permissions are needed for hardware health monitoring.

| API Name | Related CLI command |
| --- | --- |
| system-node-get-iter | system node show |
| environment-sensors-get-iter | system node environment |
| fcp-adapter-get-iter | network fcp adapter show |
| net-port-get-iter | network port show |
| service-processor-get-iter | system service-processor |
| storage-shelf-acp-module-get-iter | storage shelf acp module |
| storage-shelf-info-get-iter | storage shelf show |
| ha-interconnect-config-details-get-iter | system ha interconnect config show |

To assign all permissions for HWH polling for a role named "labuser", you can copy and paste the following text:

security login role create -role labuser -cmddirname "system node environment sensors show" -access readonly

security login role create -role labuser -cmddirname "network fcp adapter show" -access readonly

security login role create -role labuser -cmddirname "network port show" -access readonly

security login role create -role labuser -cmddirname "system service-processor show" -access readonly

security login role create -role labuser -cmddirname "storage shelf acp module show" -access readonly

security login role create -role labuser -cmddirname "storage shelf show" -access readonly

security login role create -role labuser -cmddirname "system node show" -access readonly

security login role create -role labuser -cmddirname "system ha interconnect config show" -access readonly

If these permissions are not assigned, the Hardware Health monitoring page will only show disk information, as shown below.

[Screenshot: srm-netapps-hwh-no-permissions.PNG]

 

 
