I appreciate the clarification. I was just reviewing a PDF with a detailed breakdown of the capabilities and coming to the same conclusion (if you can only dial it down as far as the "exportfs" command, for example, there's no way to control whether the user is just looking at NFS exports or actually stopping and starting them).

 

I think my curious user will have to make do with the FilerView GUI for now.

 

From: Ehrhart, Rick [mailto:Rick.Ehrhart@netapp.com]
Sent: Monday, January 23, 2012 4:41 PM
To: Randy Rue; toasters@teaparty.net
Subject: RE: read only role?

 

Randy –

 

The situation is as follows.

 

ONTAP capabilities are at the command level or the API level, and not the subcommands.  Subcommand support would be needed for a read-only CLI role.  However, APIs are divided out by verb and object, so a read-only API role is obtainable and is implemented with filerview-readonly.

 

For example there is a volume-create API and a volume-list-info API.  The read-only role would allow volume-list-info and not volume-create;  however, ‘volume create’ and ‘volume status’ are the same command, so it is not possible to create a read-only CLI role.

 

Regards,

 

   - Rick -
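
A small model of the granularity difference described in the message above, added here as an illustration; it is not part of the original thread and not NetApp code. The `cli-<command>` / `api-<object>-<verb>` naming, the read-only suffix list and the two sample roles are assumptions constructed for the example.

```python
from fnmatch import fnmatchcase

# Assumption: API names ending in one of these suffixes do not change state.
READ_VERB_SUFFIXES = ("-list-info", "-get", "-status")

# Constructed sample roles (hypothetical capability lists).
CLI_ROLE = ["login-ssh", "cli-volume", "cli-exportfs"]
API_ROLE = ["login-http-admin", "api-volume-list-info"]


def allowed(capabilities, kind, name):
    """Decide whether a role permits a request; kind is 'cli' or 'api'.

    For the CLI only the first word (the command) is compared, because
    capabilities stop at the command and never see the subcommand.
    For an API the whole object-verb name is compared.
    """
    target = name.split()[0] if kind == "cli" else name
    return any(fnmatchcase(f"{kind}-{target}", cap) for cap in capabilities)


def audit_role(capabilities):
    """Return (capability, reason) pairs that keep a role from being read-only."""
    findings = []
    for cap in capabilities:
        if cap.startswith("cli-"):
            # Any CLI grant also grants the command's mutating subcommands.
            findings.append((cap, "CLI capability covers every subcommand"))
        elif cap.startswith("api-") and not cap.endswith(READ_VERB_SUFFIXES):
            # Includes wildcards such as api-volume-*.
            findings.append((cap, "API verb is not on the read-only list"))
    return findings


if __name__ == "__main__":
    for kind, role, request in [
        ("cli", CLI_ROLE, "volume status"),
        ("cli", CLI_ROLE, "volume create"),
        ("api", API_ROLE, "volume-list-info"),
        ("api", API_ROLE, "volume-create"),
    ]:
        print(f"{kind:3} {request:18} allowed={allowed(role, kind, request)}")
    for name, role in [("CLI_ROLE", CLI_ROLE), ("API_ROLE", API_ROLE)]:
        print(name, audit_role(role) or "read-only")
```
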

 

From: Randy Rue [mailto:rrue@fhcrc.org]
Sent: Monday, January 23, 2012 16:15
To: toasters@teaparty.net
Subject: RE: read only role?

 

http://communities.netapp.com/message/5448?tstart=0

 

I believe the guests group has no abilities.

 

I've created a group (ro_group), mapped it to a role (ro_role) which has the filerview-readonly ability. Also mapped it "upward" to an AD group which contains my RO user.

 

The link above describes my situation exactly. Yes, there's a RO role for the filerview but no standard RO role for CLI use and no easily identifiable list of capabilities that might make up such a role. That was as of 2008, however.

 

I'll keep looking. Or if I build a list I'll post it here.

 

Randy

 

 

From: Chris Muellner [mailto:chris@northlandusa.com]
Sent: Monday, January 23, 2012 2:24 PM
To: Bill Holland; Randy Rue
Cc: toasters@teaparty.net
Subject: RE: read only role?

 

There is a guests group. You can also create Windows security groups and assign them to a local group on the controllers.

 

http://now.netapp.com/NOW/knowledge/docs/ontap/rel801/html/ontap/sysadmin/GUID-B7CE0D44-D3BC-4BA2-BAB8-0E05F6E9B5BF.html

 

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Bill Holland
Sent: Monday, January 23, 2012 4:12 PM
To: Randy Rue
Cc: toasters@teaparty.net
Subject: Re: read only role?

 

I believe there is a builtin read only role.

On Mon, Jan 23, 2012 at 4:54 PM, Randy Rue <rrue@fhcrc.org> wrote:

Hello All,

 

Looking to add a read-only role for techs in our department who are investigating some things but don't need (or want) to risk breaking stuff.

 

Is there a "standard" list of capabilities that can be added to a role that will give the ability to see stuff but not break stuff?

 

Thanks in advance,

 

Randy Rue


_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters