-----Original Message-----
From: Bill Holland [mailto:hollandwl@gmail.com]
Sent: Friday, December 07, 2007 8:48 AM
To: Willeke, Jochen
Cc: toasters@mathworks.com
Subject: Re: httpd.access -- number of entries

You can do it via security roles.

Here's how I did it to allow read only access for our Windows users to our FilerView:

1. Created the local Windows group named FilerView-ReadOnly
2. Created the security role FilerView-ReadOnly from the console of the filers
useradmin role add FilerView-ReadOnly -c "Read-only access to FilerView" -a login-http-admin,api-iscsi-service-status,cli-priv,cli-version,api-volume-list-info,api-aggr-list-info,api-aggr-options-list-info,api-aggr-get-filer-info,api-volume-size,api-volume-options-list-info,api-quota-status,api-volume-get-language,api-volume-get-filer-info,cli-uptime,cli-sysconfig,cli-netstat,cli-df,api-system-cli,api-options-get,cli-date,cli-timezone,api-volume-get-root-name,cli-sysstat,api-disk-list-info,api-snapshot-get-reserve,api-snapshot-get-schedule,api-disk-sanown-list-info,api-system-get-info,cli-storage,cli-snapmirror,cli-stty,cli-cifs,cli-httpstat,api-lun-list-info,cli-lun,cli-iscsi,api-iscsi-node-get-name,api-iscsi-target-alias-get-alias,api-iscsi-interface-list-info,cli-vif,cli-ndmpd
3. Assigned the role to the group FilerView-ReadOnly
useradmin group modify FilerView-ReadOnly -r FilerView-ReadOnly
The abilities assigned were determined by the brute force method... started with only login-http-admin and reviewed the console error messages as I attempted to access each object in FilerView and then added the appropriate abilities. There are a couple that still say the user doesn't have the ability to go into advanced priv mode, but that is ok as I don't want the ReadOnly group to be able to do that - too risky. On those particular screens, they are able to retrieve the information they would be looking for.
When the user accesses FilerView they put in their Windows username (domain\username) and Windows password.

On 12/7/07, Willeke, Jochen <Jochen.Willeke@wincor-nixdorf.com> wrote:

Hi Toaster,
we currently have a problem with API access to the filers. We use
options httpd.access and httpd.admin.access for enabling hosts for
filer's API-control.
We now use the API for several issues e.g. the save of our databases.
Sadly we found out that there is a limit for these options as it is for
trusted.hosts. You can only add a fixed number of entries to these
options.
I know that we are able to activate a whole subnet for accessing, but
this is somehow a security problem in my opinion. Has anyone a good
idea how to deal with that situation?? Or has anybody knowledge if this
restriction will be gone in future ONTAP releases??
Best regards and a nice weekend to the list
Jochen