Submit a ticketCall us

Don’t fall victim to a ransomware attack
Backups are helpful, but sometimes that’s not enough to protect your business against ransomware. At our live webcast we will discuss how to protect against ransomware attacks with SolarWinds® Patch Manager and how to leverage log data to detect ransomware. Register now for our live webcast.

Home > Success Center > Storage Resource Monitor (SRM) > What NetApp API permissions are required by Storage Resource Monitor

What NetApp API permissions are required by Storage Resource Monitor

Table of contents
No headers

The following permissions are needed for Storage Resource Monitor to gather data:

7 Mode

  • api-aggr-list-info 
  • api-cifs-share-list-iter-end 
  • api-cifs-share-list-iter-next 
  • api-cifs-share-list-iter-start 
  • api-diagnosis-status-get 
  • api-disk-list-info 
  • api-fcp-adapter-list-info 
  • api-iscsi-node-get-name
  • api-license-list-info
  • api-license-v2-list-info - only for versions 8.x
  • api-lun-list-info 
  • api-lun-map-list-info 
  • api-lun-get-occupied-size
  • api-nfs-exportfs-list-rules 
  • api-nfs-exportfs-list-rules-2 
  • api-options-list-info 
  • api-perf-object-get-instances 
  • api-quota-report 
  • api-quota-report-iter-end 
  • api-quota-report-iter-next 
  • api-quota-report-iter-start 
  • api-snapshot-list-info 
  • api-system-get-info 
  • api-system-get-version 
  • api-vfiler-get-status 
  • api-vfiler-list-info 
  • api-volume-list-info 
  • login-http-admin 
  • api-perf-object-get-instances-iter-end 
  • api-perf-object-get-instances-iter-next 
  • api-perf-object-get-instances-iter-start
  • security-api-vfiler


Login to NetApp CLI and follow these steps to create a read-only user with sufficient privileges for monitoring the device in SRM:

 

 

  1. useradmin group add <group/>
    • Group will be created successfully.
  2. useradmin user add <username> -g <group>
    </group></username>
    • The user will be created successfully.
  3. Create a role with required access.
    • Note: When mistyping a capability name or a specific api that is not supported by that version of OnTap, an error will be displayed when trying to create the role. For example, if your version of OnTap does not support "api-cifs-share-list", "api-nfs-exportfs-list-rules-v2", or "api-diagnosis-status-get" then you will receive an error message stating " Invalid capabilities: api-cifs-share-list,api-nfs-exportfs-list-rules-v2,api-diagnosis-status-get Could not add role [roletest]. Error: Invalid capability" To resolve this error, remove the invalid capabilities "api-cifs-share-list", "api-nfs-exportfs-list-rules-v2" and "api-diagnosis-status-get" and rerun the command to create the role.
    • Note: To add a required api to the role, use the command "useradmin role modify <rolename>-a api-diagnosis-status-get Role <rolename>modified" </rolename></rolename>
    • For Versions 7.3.x:
      useradmin role add [roletest] -a api-aggr-list-info,api-cifs-share-list-iter-end,api-cifs-share-list-iter-next,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-occupied-size,api-nfs-exportfs-list-rules,api-options-list-info,api-perf-object-get-instances,api-quota-report,api-quota-report-iter-end,api-quota-report-iter-next,api-quota-report-iter-start,api-snapshot-list-info,api-system-get-info,api-system-get-version,api-vfiler-get-status,api-vfiler-list-info,api-volume-list-info,login-http-admin,api-perf-object-get-instances-iter-end,api-perf-object-get-instances-iter-next,api-perf-object-get-instances-iter-start,security-api-vfiler
    • For versions 8.x or above:
      useradmin role add [rolename] -a api-aggr-list-info,api-cifs-share-list-iter-end,api-cifs-share-list-iter-next,api-cifs-share-list-iter-start,api-diagnosis-status-get,api-disk-list-info,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-license-v2-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-occupied-size,api-nfs-exportfs-list-rules,api-nfs-exportfs-list-rules-2,api-options-list-info,api-perf-object-get-instances,api-quota-report,api-quota-report-iter-end,api-quota-report-iter-next,api-quota-report-iter-start,api-snapshot-list-info,api-system-get-info,api-system-get-version,api-vfiler-list-info,api-vfiler-get-status,api-volume-list-info,login-http-admin,api-perf-object-get-instances-iter-end,api-perf-object-get-instances-iter-next,api-perf-object-get-instances-iter-start,security-api-vfiler
  4. Modify an existing role.
    • The "group name" will be assigned with the "role name" using the command "useradmin group modify".

    For example: 

    lan-netappv82> useradmin group add srmgroup
    Group <srmgroup> added.
    lan-netappv82> Tue Dec 9 22:37:52 GMT [lan-netappv82:useradmin.added.deleted:info]: The group 'srmgroup' has been added.</srmgroup>

    lan-netappv82> useradmin user add srmuser -g srmgroup
    New password:
    Retype new password:
    User <srmuser> added.
    lan-netappv82> Tue Dec 9 22:38:27 GMT [lan-netappv82:useradmin.added.deleted:info]: The user 'srmuser' has been added.</srmuser>

    lan-netappv82> useradmin role add srmrole -a api-aggr-list-info,api-cifs-share-list-iter-end,api-cifs-share-list-iter-next,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-license-v2-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-occupied-size,api-nfs-exportfs-list-rules,api-options-list-info,api-perf-object-get-instances,api-quota-report,api-quota-report-iter-end,api-quota-report-iter-next,api-quota-report-iter-start,api-system-get-info,api-system-get-version,api-vfiler-list-info,api-volume-list-info,login-http-admin,api-perf-object-get-instances-iter-end,api-perf-object-get-instances-iter-next,api-perf-object-get-instances-iter-start,security-api-vfiler
    Role <srmrole> added.
    lan-netappv82> Tue Dec 9 22:39:21 GMT [lan-netappv82:useradmin.added.deleted:info]: The role 'srmrole' has been added.</srmrole>

    lan-netappv82> useradmin group modify srmgroup -r srmrole
    Group <srmgroup> modified.
    lan-netappv82> Tue Dec 9 22:39:51 GMT [lan-netappv82:useradmin.added.deleted:info]: The group 'srmgroup' has been modified.</srmgroup>

    lan-netappv82> useradmin group list srmgroup
    Name: srmgroup
    Info:
    Rid: 131073
    Roles: srmrole
    Allowed Capabilities: api-aggr-list-info,api-cifs-share-list-iter-end,api-cifs-share-list-iter-next,api-cifs-share-list-iter-start,api-disk-list-info,api-fcp-adapter-list-info,api-iscsi-node-get-name,api-license-list-info,api-license-v2-list-info,api-lun-list-info,api-lun-map-list-info,api-lun-get-occupied-size,api-nfs-exportfs-list-rules,api-options-list-info,api-perf-object-get-instances,api-quota-report,api-quota-report-iter-end,api-quota-report-iter-next,api-quota-report-iter-start,api-system-get-info,api-system-get-version,api-vfiler-list-info,api-volume-list-info,login-http-admin,api-perf-object-get-instances-iter-end,api-perf-object-get-instances-iter-next,api-perf-object-get-instances-iter-start,security-api-vfiler

  5. Viewing roles associated to a group.
    • To view roles associated to a group, use the command "useradmin group list [group name]".
Last modified
13:22, 13 Nov 2015

Tags

Classifications

Public