5 Replies Latest reply: May 14, 2013 9:19 PM by adaikkap

OnCommand Core 5.1   - Local user rights for DFM

SEANTRACY Novice

I am looking for advice on what to set up for rights on a local account that DFM will use to log into the filers and run basic functions. I am working with a customer who wants the minimal rights for DFM. They are using SnapDrive for Windows. Currently they are using a regular user account with full root capabilities.

 

Thanks

  • Re: OnCommand Core 5.1   - Local user rights for DFM
    adaikkap NetApp Employee Grand Marshal

    Sean,

    We don't have a certified user with the required capabilities enabled to do the ONTAP-side work. What I have seen in my experience is that many users create local users on the filer that belong to the admin group, like dfmuser (essentially with root capabilities), to log in to ONTAP via DFM.

     

    Regards

    adai

    • Re: OnCommand Core 5.1   - Local user rights for DFM
      SEANTRACY Novice

      Thank you for responding. I was thinking the same thing: use a local account on the filers that has admin rights that the DFM server can talk to. The customer is not keen on having the local DFM account have admin rights, but it seems to be best practice, as a number of things may not work well if it has fewer rights? You agree?

       

      Thanks

      Sean

      • Re: OnCommand Core 5.1   - Local user rights for DFM
        adaikkap NetApp Employee Grand Marshal

        Hi Sean,

        You are correct, and I agree. If you go with limited capabilities, you will encounter problems with Performance Advisor or Protection Manager functionality. Also, OCUM uses SSH for some cases where there is a lack of an API or SNMP.

         

        BTW, if you wish, you can start by creating a role with all read capabilities and, based on trial and error, keep adding capabilities until you don't get any errors. But the next version of ONTAP may change some of these, and you will have to redo this exercise in case there are ONTAP changes.

         

        Regards

        adai

    • Re: OnCommand Core 5.1   - Local user rights for DFM
      SEANTRACY Novice

      Hi, I do have another question. The customer I am working with wants to know if the local accounts on the filers need to have CLI login capabilities. It seems it needs SSH and CLI to work. They are asking: would the API capabilities not work for login?

      My question is: what are the minimal rights a local account needs for DFM to come in?

      I have looked through a few docs and they don’t mention what the filer account has to be set to in order to function.

      Thanks

      • Re: OnCommand Core 5.1   - Local user rights for DFM
        adaikkap NetApp Employee Grand Marshal

        Hi Sean,

        As I said earlier, whenever there is a deficiency in the API, we use the CLI to collect some monitoring data. In order to do that, we need SSH capability to log in to the controller and CLI capability to execute this command.

         

        A long time back, during DOT 7G, a colleague and I worked on this for a large NetApp customer. At that time we created KB1011412.

        Though we titled it as ReadOnly, strictly speaking it's not read-only, as it has system-cli capabilities.

         

        Regards

        adai
