Thanks for the suggestions.  After a bit of RBAC research and consulting with folks with more experience, we begrudgingly gave VSC the access it needs to the cluster and all SVMs on said cluster, including the SVMs that are not hosting storage for our VMware environment.

It looks like the only way to restrict VSC access to a particular group of SVMs is to slap an admin interface (LIF) on the SVMs and add the SVMs directly to VSC. Of course, adding SVMs directly to VSC comes with some well-documented limitations. We ultimately decided the risk of our VMware admins provisioning storage to a non-VMware-related SVM via VSC is pretty low, so we added the cluster to VSC directly to allow for full VSC functionality.


On Fri, May 4, 2018 at 11:30 AM, tmac <tmacmd@gmail.com> wrote:
You *might* be able to design your own role and assign that role to a user that is not admin and then use the cluster admin LIF.
I am not entirely sure what details are needed for the role to work entirely. There might be something in the VSC docs about the roles needed to work properly.

Just a suggestion to look at.

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

I Blog at TMACsRack

443-228-TMAC (Google Voice)
214-279-3926 (eFAX)



On Fri, May 4, 2018 at 11:50 AM Chris Hague <Chris_Hague@ajg.com> wrote:
You can create a LIF inside your SVM with the mgmt firewall policy.

It will still be able to provision storage from any aggregate though. I don't believe you can lock that down.


-----Original Message-----
From: toasters-bounces@teaparty.net <toasters-bounces@teaparty.net> On Behalf Of Philbert Rupkins
Sent: 04 May 2018 16:04
To: toasters@teaparty.net
Subject: Restrict VSC to a Subset of SVM's

Hello Toasters,

Our ONTAP clusters contain a number of SVMs. For the purposes of this post I'll classify our SVMs into two broad categories:

*  SVMs that host storage resources for our ESXi clusters
*  SVMs that do NOT host storage resources for our ESXi clusters

We initially direct-connected VSC to the SVMs hosting VMware resources. As documented by NetApp, this resulted in VSC provisioning volumes (NFS datastores) and then mounting them via indirect paths (our SVMs have multiple LIFs). We don't want datastores mounted via indirect paths, nor do we want to deal with the other limitations associated with direct-connecting VSC to SVMs.

Now, AFAIK, the only option we're left with is connecting VSC to the cluster management LIF. The catch is we only want to allow VSC privileges to manage the SVMs hosting VMware resources. VSC should not have privileges to the non-VMware-related SVMs.

Is there a way to connect VSC to the cluster management LIF while only allowing VSC the ability to provision storage to and manage a subset of SVMs on the cluster?

We're currently running VSC 6.2.1 and ONTAP 9.2P2.

-Phil
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters

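Added example, not from any of the posters above: the SVM-scoped alternative that Chris and Phil describe (a management LIF inside the VMware-facing SVM, plus a VSC login that lives in that SVM rather than at cluster scope), written out as ONTAP 9 clustershell commands. The SVM name, LIF name, address, node, port and user name are constructed placeholders; the thread's caveat that this path carries the direct-connect limitations still applies.

```text
# Constructed example: a dedicated management LIF on the VMware-facing SVM.
# "-role data -data-protocol none -firewall-policy mgmt" is the ONTAP 9 pattern
# for an SVM management interface; address, node and port are placeholders.
network interface create -vserver svm_vmware -lif svm_vmware_mgmt -role data -data-protocol none -address 192.0.2.10 -netmask 255.255.255.0 -home-node cluster1-01 -home-port e0c -firewall-policy mgmt

# Give VSC its own login scoped to this SVM instead of the cluster admin credential.
# VSC talks ZAPI over HTTPS, which is the "ontapi" application; "http" is added
# alongside it for the web-service access some VSC releases require.
# The built-in vsadmin role can only see and manage objects inside svm_vmware.
security login create -vserver svm_vmware -user-or-group-name vsc_svc -application ontapi -authentication-method password -role vsadmin
security login create -vserver svm_vmware -user-or-group-name vsc_svc -application http -authentication-method password -role vsadmin

# Check the scope before handing the credential to the VMware team:
# the login should list only svm_vmware, and the LIF should carry the mgmt policy.
security login show -vserver svm_vmware -user-or-group-name vsc_svc
network interface show -vserver svm_vmware -lif svm_vmware_mgmt -fields address,role,firewall-policy
```

VSC is then pointed at 192.0.2.10 with the vsc_svc credential; the non-VMware SVMs are never reachable through that login.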