Currently Being Moderated

RBAC User Creator for Data ONTAP

I’ve created a new C# application that will assist you in creating RBAC usernames for Data ONTAP. It is called the RBAC User Creator for Data ONTAP®.   This application can be used to create usernames in both 7-mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances with the NetApp products using them.


This is actually the second release.  The first version was limited to creating Data ONTAP usernames only for VSC. Version 2 supports multiple OFFTAP products.    Before I delve too much into what else is new in version 2.0, let me tell you a little about how the application works.  


The lists of privileges being created are stored in XML (ontapPrivs.xml).   This was done for two primary reasons: 

     1. You can clearly see the privileges so there is complete transparency with regards to the new user RBAC User Creator is creating

     2. Additional privileges and products can be added later without the need to recompile the application.


Please make note of the last sentence.   Additional products can be added without needing to recompile the application.   This is an important aspect of version 2.0.   You can think of RBAC User Creator being a framework of sorts.  All the products and privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information in the XML file. Out of the box, RBAC User Creator has native support for the following products:

  • Virtual Storage Console for VMware vSphere
  • OnCommand Balance
  • Snap Creator Framework
  • SnapDrive for Windows
  • VASA Provider for VMware vCenter
  • Storage Replication Adapter for VMware Site Recovery Manager
  • Virtual Storage Console for Citrix XenServer   (*NEW*)
  • Virtual Storage Console for RHEV (*NEW*)
  • NetApp Recovery Manager for Citrix Sharefile (*NEW*)
  • OnCommand Unified Manager (DFM) 5.1
  • VMTurbo Operations Manager (*NEW*)



In just a few short clicks you can create ONTAP usernames with all the required privileges needed by VSC.


Screen Shot 2012-11-18 at 9.20.03 AM.png


In order to guide you along, the non-relevant sections are greyed out.  Simply enter the root or admin username and IP of the storage system you want to create the user on.   Click the LOGIN button, and it will login and determine the controller type.   If the storage system is running Clustered Data ONTAP, the list of Vservers will be displayed.   RBAC User Creator supports creating users on the Cluster-Admin Vserver as well as on Data Vservers. Simply select the Vserver from the pull-down list.


NOTE: RBAC User Creator requires root/admin storage credentials for creating new usernames.


Remember, RBAC User Creator handles all the differences between 7-mode and Clustered Data ONTAP.  Simply select your VSC version you're using, and the roles you want the new user to have.   Then, select the product and product version.

RBAC User Creator will merge all the privileges from the selected roles and combine them in a sorted list.   Since there is an ONTAP limit in the number to privileges in a role, RBAC User Creator will create iterated roles names in the form of <rolename>.X.   In the case of Clustered Data ONTAP, it handles both the read-only and all-access privileges.


If you are unsure on what privileges the new user will have, you can click on the PREVIEW button to preview the list.   It will show you the sorted list of all the privileges to be added.


If the storage system is running 7-mode, it will create an EMS log detailing the creation of this new username.   Hopefully, I'll be able to add this functionality for Clustered Data ONTAP soon.


After the username is created, simply login into you application and add the storage system using the new username.


If anything goes wrong, post the ONTAPUserCreator.log file here in this thread.


The following articles (TRs, IAG, and KBs) were used to generate the XML.    Please let me know if any are missing. 


SnapDrive for Windows

NetApp TR#3864


VSC for VMware vSphere

NetApp KB#1010575


7-Mode SRA for SRM 4

NetApp KB#1010829

7-Mode SRA for SRM 5

NetApp KB#1013325

Clustered Data ONTAP SRA for SRM 5

NetApp KB#1014549


OnCommand Balance

NetApp KB#3012802



NetApp KB#1013766



Change Log


- Added a true Offline Mode.  A list of commands can be generated without logging in the controller.

- Fixed an issue where a cDOT 'all' privilege could not override a 'read-only' privilege of the same command.  This was mainly seen

  when initially creating a username with say only the 'Discovery' role, then later adding the other roles.

- Fixed several broken privileges for Direct Vservers

- Fixed several "reset" bugs when switching from one controller to another.

- Added code to prevent the cDOT built-in vsadmin* roles from being selected.



- Added support for the PBM role for VSC 5.0

- Added a number of new privileges for VSC 5.0

- Locked usernames are now skipped

- Blocked cDOT built-in role ‘vsadmin’ from being selected.

- Passwords are no longer printed in open text in the log file

- Improved the status messaging when creating multiple usernames

- Add code to prevent the group/role/user from being named the same on 7-mode

- Added EMS logging for cDOT.    Note: the EMS log will only be sent to the first node in the cluster.  If Direct Vservers are used that are running cDOT 8.2 or greater, the EMS log will be sent to the Vserver.

- Fixed an issue where privileges with ONTAP dependencies were not being processed correctly for cDOT.

- Added proper support for DOT 8.2.1

- Improved the error messaging when the connection fails due to port and SSL misconfigurations

- Added limited support for creating Domain users.

- Added a new checkbox to generate a scriptable list of commands that is exported to a file.   This is useful for customers that want to use the benefits of the RUC tool, but do not want to directly use it to generate the ONTAP username.

- Added support for VMTurbo Operations Manager!

- Added support for SRA 2.1

- Added support for VSC for CloudStack 1.0

- Added support for VSC for RHEV 1.0

- Added support for VSC for VMware 5.0

- Added support for VSC for Citrix XenServer 2.0.1

- Added support for MetroCluster Plug-in for vSphere 1.0



- Added support for VSC 4.2.1 and VSC 5.0 Beta

- Added missing privileges for VSC and OnCommand Balance


2.3.4896.22885 (5/28/2013)

- Fixed a error in the XML file for VSC 4.2 Backup-Recovery Role


2.3.4881.28244 (5/13/2013)

- Added support for OnCommand Unified Manager 5.1


2.3.4873.26587 (5/9/2013)

- Added support for VSC 4.2 for VMware vSphere

- Added support for SRC for VMware SRM

- Added support for Snap Creator Framework 4.0

- Added support for VSC for Citrix XenServer

- Added support for NetApp Recovery Manager for Citrix ShareFile

- Removed clear text passwords in the log file

- Fixed the XML syntax error for VSC 4.1P1

- Other miscellaneous bug fixes


2.2.4789.19622 (2/10/2013)

- Added support for VSC 4.1P1

2.1.4707.19047 (11/20/2012)

- Fixed an issue where the controller validation would fail if MultiStore was not licensed.

2.0.0 (11/17/2012)

- Changed the application name to RBAC User Creator for Data ONTAP®

- Added support for multiple products.   Natively, RBAC User Creator supports VSC, SDW, SRA, Balance, VASA, and Snap Creator.   Additional products can be added to the XML.

- Added support for modifying existing DOT username, roles and groups.

- Bug fixes

1.1.4646 (9/20/2012)

- Updated InstallShield to auto-generated the correct package name,

- Fixed a minor issue where privilege 'cluster identity show' was not being loaded


1.1.4645 (9/19/2012)

- Updated ONTAPUserCreator.  Added validation checks when clicking the submit button.   Any missing fields should now be flagged.


1.0.0000 (9/18/2012)

- Initial release







Delete Document

Are you sure you want to delete this document?