Hello All,
Looking to add a read-only role for techs in our department who are investigating some things but don't need (or want) to risk breaking stuff.
Is there a "standard" list of capabilities that can be added to a role that will give the ability to see stuff but not break stuff?
Thanks in advance,
Randy Rue
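From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Bill Holland Sent: Monday, January 23, 2012 4:12 PM To: Randy Rue Cc: toasters@teaparty.net Subject: Re: read only role?
I believe there is a builtin read only role.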
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
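From: Chris Muellner [mailto:chris@northlandusa.com] Sent: Monday, January 23, 2012 2:24 PM To: Bill Holland; Randy Rue Cc: toasters@teaparty.net Subject: RE: read only role?
There is a guests group. You can also create Windows security groups and assign them to a local group on the controllers.
http://now.netapp.com/NOW/knowledge/docs/ontap/rel801/html/ontap/sysadmin/GUID-B7CE0D44-D3BC-4BA2-BAB8-0E05F6E9B5BF.html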
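From: Randy Rue [mailto:rrue@fhcrc.org] Sent: Monday, January 23, 2012 16:15 To: toasters@teaparty.net Subject: RE: read only role?
http://communities.netapp.com/message/5448?tstart=0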
I believe the guests group has no abilities.
I've created a group (ro_group), mapped it to a role (ro_role) which has the filerview-readonly ability. Also mapped it "upward" to an AD group which contains my RO user.
The link above describes my situation exactly. Yes, there's a RO role for the filerview but no standard RO role for CLI use and no easily identifiable list of capabilities that might make up such a role. That was as of 2008, however.
I'll keep looking. Or if I build a list I'll post it here.
Randy
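From: Ehrhart, Rick [mailto:Rick.Ehrhart@netapp.com] Sent: Monday, January 23, 2012 4:41 PM To: Randy Rue; toasters@teaparty.net Subject: RE: read only role?
Randy -
The situation is as follows.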
ONTAP capabilities are at the command level or the API level, and not the subcommands. Subcommand support would be needed for a read-only CLI role. However APIs are divided out by verb and object, so a read-only API role is obtainable and is implemented with filerview-readonly.
For example there is a volume-create API and a volume-list-info API. The read-only role would allow volume-list-info and not volume-create; however, 'volume create' and 'volume status' are the same command, so it is not possible to create a read-only CLI role.
Regards,
- Rick -
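The command-level versus API-level distinction described in the message above, as an added example that is not part of the original thread and is not NetApp code: a small audit that checks a role's capability list for anything that breaks a read-only guarantee. The API catalogue and the role lists are constructed samples, and the `api-`, `cli-` and `login-` prefixes with trailing `*` wildcards are assumed to follow the capability naming used in the thread.

```python
from fnmatch import fnmatchcase

# Constructed sample catalogue: API name -> True if the call changes state.
# volume-create and volume-list-info are named in the thread; the other
# entries are illustrative. Replace with the API list for your release.
SAMPLE_APIS = {
    "volume-list-info": False,
    "volume-create": True,
    "volume-destroy": True,
    "snapshot-list-info": False,
    "snapshot-delete": True,
}


def audit_role(capabilities, apis=SAMPLE_APIS):
    """Return (capability, reason) pairs that break a read-only guarantee."""
    findings = []
    for cap in capabilities:
        if cap == "filerview-readonly" or cap.startswith("login-"):
            continue  # read-only GUI ability, or an access method only
        if cap.startswith("cli-"):
            # Command-level grant: 'volume create' and 'volume status' are the
            # same command, so a cli-* capability cannot be shown read-only.
            findings.append((cap, "command-level grant, subcommands not restricted"))
        elif cap.startswith("api-"):
            pattern = cap[len("api-"):]
            matched = [name for name in apis if fnmatchcase(name, pattern)]
            writes = sorted(name for name in matched if apis[name])
            if not matched:
                findings.append((cap, "matches no catalogued API, review by hand"))
            elif writes:
                findings.append((cap, "allows " + ", ".join(writes)))
        else:
            findings.append((cap, "unrecognised capability, review by hand"))
    return findings


if __name__ == "__main__":
    # Constructed role definitions (hypothetical capability lists).
    roles = {
        "ro_role": ["login-http-admin", "filerview-readonly",
                    "api-volume-list-info", "api-snapshot-list-info"],
        "mixed_role": ["login-http-admin", "api-volume-*", "cli-exportfs"],
    }
    for name, caps in roles.items():
        problems = audit_role(caps)
        print(name, "read-only" if not problems else "NOT read-only")
        for cap, reason in problems:
            print("   ", cap, "->", reason)
```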
I appreciate the clarification. I was just reviewing a PDF with a detailed breakdown of the capabilities and coming to the same conclusion (if you can only dial it down as far as the "exportfs" command, for example, there's no way to control whether the user is just looking at NFS exports or actually stopping and starting them).
I think my curious user will have to make do with the FilerView GUI for now.
As FilerView is being phased out - is read-only possible with System Manager?
It's been a long time, but I do remember having come across a detailed listing of the various capabilities. I do not remember where I found it, nor can I find a local copy. I do, however, remember that the cli abilities were pretty much all or nothing. For example, cli-volume-*. If someone had the cli-volume capability they could perform any volume function from the command line. The api abilities, however, were more refined, i.e. api-volume-read, api-volume-write. This gave you the ability to have finer control over what administrators could do via api interfaces.
If you need something other than the pre-defined roles, then you have to create them, assign the capabilities to them, and assign them to the groups you want to use them.
Wish I could be more helpful than that.