Randy –

 

The situation is a follows.

 

ONTAP capabilities are at the command level or the API level, and not the subcommands.  Subcommand support would be needed for a read-only CLI role.  However APIs are divided out by verb and object, so a read-only API role is obtainable and is implemented with filerview-readonly.

 

For example there is a volume-create API and a volume-list-info API.  The read-only role would allow volume-list-info and not volume-create;  however, ‘volume create’ and ‘volume status’ are the same command, so it is not possible to create a read-only CLI role.

 

Regards,

 

   - Rick -

 

From: Randy Rue [mailto:rrue@fhcrc.org]
Sent: Monday, January 23, 2012 16:15
To: toasters@teaparty.net
Subject: RE: read only role?

 

http://communities.netapp.com/message/5448?tstart=0

 

I believe the guests group has no abilities.

 

I've created a group (ro_group), mapped it to a role (ro_role) which has the filerview-readonly ability. Also mapped it "upward" to an AD group which contains my RO user.

 

The link above describes my situation exactly. Yes, there's a RO role for the filerview but no standard RO role for CLI use and no easily identifiable list of capabilities that might make up such a role. That was as of 2008, however.

 

I'll keep looking. Or if I build a list I'll post it here.

 

Randy

 

 

From: Chris Muellner [mailto:chris@northlandusa.com]
Sent: Monday, January 23, 2012 2:24 PM
To: Bill Holland; Randy Rue
Cc: toasters@teaparty.net
Subject: RE: read only role?

 

There is a guests group. You can also create Windows security groups and assign them to a local group on the controllers.

 

http://now.netapp.com/NOW/knowledge/docs/ontap/rel801/html/ontap/sysadmin/GUID-B7CE0D44-D3BC-4BA2-BAB8-0E05F6E9B5BF.html

 

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Bill Holland
Sent: Monday, January 23, 2012 4:12 PM
To: Randy Rue
Cc: toasters@teaparty.net
Subject: Re: read only role?

 

I believe there is a builtin read only role.

On Mon, Jan 23, 2012 at 4:54 PM, Randy Rue <rrue@fhcrc.org> wrote:

Hello All,

 

Looking to add a read-only role for techs in our department who are investigating some things but don't need (or want) to risk breaking stuff.

 

Is there a "standard" list of capabilities that can be added to a role that will give the ability to see stuff but not break stuff?

 

Thanks in advance,

 

Randy Rue


_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters