Thursday, 3 October 2013

List of NetApp Useradmin Role Capabilities


If you ever need a complete list of the useradmin role capabilities, this blog post might prove helpful!

Essentially, in Data ONTAP 7-Mode, adding a specific user with a specific permission is a case of:

useradmin role add NEW_ROLE_NAME -a LIST_OF_CAPABILITIES
useradmin group add NEW_GROUP_NAME -r NEW_ROLE_NAME
useradmin user add NEW_USER -g NEW_GROUP_NAME

Note 1: Capabilities are separated by a comma “,”
Note 2: Use useradmin domainuser add for Active Directory domains.
Note 3: Use useradmin help role/group/user for the full syntax.

Q: What is the full list of options for the “LIST OF CAPABILITIES”?

There are five categories of capabilities:
login-*
cli-*
api-*
security-*
compliance-*

1) The login-* category includes:
login-telnet
login-console
login-rsh
login-ssh
login-snmp
login-ndmp
login-sp
login-http-admin

2) The cli-* category includes:
Basically everything you can run from the Data ONTAP CLI!
For example:
cli-help   {includes just help}
cli-snapmirror*   {includes all Snapmirror commands}
See Appendix A below for more examples!

3) The api-* category includes:
All of the ONTAP API calls!
Note: These capabilities require login-http-admin
For example:
api-system-*
See Appendix B for a thorough listing!

4) The security-* category includes:
security-passwd-change-others
security-priv-advanced
security-api-vfiler
security-load-lclgroups
security-complete-user-control

5) The compliance-* category:
Provides compliance capabilities to users in the "Compliance Administrators" group when issuing snaplock commands - currently, the only privilege associated in this category is:
compliance-privileged-delete

*Source: the “Data ONTAP 8.1 Commands: Manual Page Reference For 7-Mode, Volume 1”.
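A pre-flight check for the capability string passed to useradmin role add -a, as an added example that is not part of the original post or NetApp's code: it applies the category and naming rules above, flags category-wide wildcards, and only then emits the three useradmin commands. The role, group and user names and the choice of SENSITIVE capabilities are assumptions.

```python
import re
from fnmatch import fnmatchcase

# The five category prefixes and the login-* names listed in this post.
CATEGORIES = ("login-", "cli-", "api-", "security-", "compliance-")
LOGIN = {"login-telnet", "login-console", "login-rsh", "login-ssh",
         "login-snmp", "login-ndmp", "login-sp", "login-http-admin"}
# Assumption: which capabilities count as high-impact is this example's choice.
SENSITIVE = ("security-complete-user-control", "security-priv-advanced",
             "security-passwd-change-others", "compliance-privileged-delete")
# Lowercase words joined by dashes, optionally ending in a "*" wildcard.
TOKEN = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*(-?\*)?$")


def lint_capabilities(cap_string):
    """Return a list of findings for a comma-separated -a argument."""
    caps = cap_string.split(",")
    findings = []
    for cap in caps:
        if not TOKEN.match(cap):  # spaces, underscores, empty items
            findings.append(f"malformed: {cap!r}")
        elif not cap.startswith(CATEGORIES):
            findings.append(f"unknown category: {cap}")
        elif cap in {p + "*" for p in CATEGORIES}:
            findings.append(f"whole category granted: {cap}")
        elif cap.startswith("login-") and "*" not in cap and cap not in LOGIN:
            findings.append(f"unknown login capability: {cap}")
    # api-* capabilities are only usable together with login-http-admin.
    has_api = any(c.startswith("api-") for c in caps)
    has_http = any(fnmatchcase("login-http-admin", c) for c in caps)
    if has_api and not has_http:
        findings.append("api-* granted without login-http-admin")
    # Report sensitive capabilities granted by name or through a wildcard.
    for name in SENSITIVE:
        if any(fnmatchcase(name, c) for c in caps):
            findings.append(f"sensitive: {name}")
    return findings


def build_commands(role, group, user, cap_string):
    """Return the three useradmin commands, or raise if the list is malformed."""
    blocking = [f for f in lint_capabilities(cap_string)
                if f.startswith(("malformed", "unknown"))]
    if blocking:
        raise ValueError("; ".join(blocking))
    return [f"useradmin role add {role} -a {cap_string}",
            f"useradmin group add {group} -r {role}",
            f"useradmin user add {user} -g {group}"]


if __name__ == "__main__":
    # Constructed sample: a read-only monitoring role (names are hypothetical).
    sample = "login-http-admin,api-system-get-*,api-volume-list-info,api-aggr-list-info"
    print(lint_capabilities(sample))
    print("\n".join(build_commands("monitor_role", "monitor_grp", "monitor", sample)))
```

Findings for whole-category wildcards and sensitive capabilities are reported but do not block command generation, so they can be reviewed and accepted deliberately.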

Appendix A: More Examples of cli-* capabilities
Note: Here I’ve just run a “?” from the Data ONTAP 8.1.X “FAS>” prompt and turned the output into capabilities for 25 popular commands to illustrate!
cli-aggr*
cli-cf*
cli-cifs*
cli-clone*
cli-date*
cli-df*
cli-exportfs*
cli-fcadmin*
cli-fcp*
cli-halt*
cli-ifconfig*
cli-ifgrp*
cli-igroup*
cli-iscsi*
cli-lun*
cli-nfs*
cli-qtree*
cli-rdfile*
cli-reboot*
cli-sis*
cli-snapmirror*
cli-snapvault*
cli-sysconfig*
cli-sysstat*
cli-vol*

Appendix B: api-* capabilities
The following is the complete list of all 592 APIs, taken from the latest version of the “Data ONTAP PowerShell Toolkit” (currently downloadable from https://communities.netapp.com/docs/DOC-22259). After installing it, the list is at:
C:\Program Files (x86)\NetApp\Data ONTAP PowerShell Toolkit\DataONTAP\webhelp\apis.html
I’ve added ‘api-’ to the front. If required, please add * at the end to wildcard, or other options:
api-aggr-add
api-aggr-check-spare-low
api-aggr-create
api-aggr-destroy
api-aggr-get-filer-info
api-aggr-get-root-name
api-aggr-list-info
api-aggr-mediascrub-list-info
api-aggr-mirror
api-aggr-modify-raid-type
api-aggr-offline
api-aggr-online
api-aggr-options-list-info
api-aggr-rename
api-aggr-restrict
api-aggr-scrub-list-info
api-aggr-scrub-resume
api-aggr-scrub-start
api-aggr-scrub-stop
api-aggr-scrub-suspend
api-aggr-set-option
api-aggr-space-list-info
api-aggr-split
api-aggr-verify-list-info
api-aggr-verify-resume
api-aggr-verify-start
api-aggr-verify-stop
api-aggr-verify-suspend
api-cf-force-takeover
api-cf-get-partner
api-cf-giveback
api-cf-service-disable
api-cf-service-enable
api-cf-status
api-cf-takeover
api-cg-commit
api-cg-delete
api-cg-start
api-cifs-branchcache-hash-stat
api-cifs-branchcache-set-key
api-cifs-homedir-path-get-for-user
api-cifs-homedir-paths-get
api-cifs-homedir-paths-set
api-cifs-list-config
api-cifs-nbalias-names-get
api-cifs-nbalias-names-set
api-cifs-session-list-iter-end
api-cifs-session-list-iter-next
api-cifs-session-list-iter-start
api-cifs-setup
api-cifs-setup-create-group-file
api-cifs-setup-create-passwd-file
api-cifs-setup-ou-list-iter-end
api-cifs-setup-ou-list-iter-next
api-cifs-setup-ou-list-iter-start
api-cifs-setup-site-list-iter-end
api-cifs-setup-site-list-iter-next
api-cifs-setup-site-list-iter-start
api-cifs-setup-verify-name
api-cifs-setup-verify-passwd-and-group
api-cifs-share-ace-delete
api-cifs-share-ace-set
api-cifs-share-acl-list-iter-end
api-cifs-share-acl-list-iter-next
api-cifs-share-acl-list-iter-start
api-cifs-share-add
api-cifs-share-change
api-cifs-share-delete
api-cifs-share-list-iter-end
api-cifs-share-list-iter-next
api-cifs-share-list-iter-start
api-cifs-start
api-cifs-status
api-cifs-stop
api-cifs-top-iter-end
api-cifs-top-iter-next
api-cifs-top-iter-start
api-clock-get-clock
api-clock-get-timezone
api-clock-set-clock
api-clock-set-timezone
api-clone-clear
api-clone-list-status
api-clone-start
api-clone-stop
api-copyoffload-copy-abort
api-copyoffload-copy-start
api-copyoffload-copy-status
api-copyoffload-modify
api-copyoffload-show
api-disk-fail
api-disk-list-info
api-disk-remove
api-disk-replace-start
api-disk-replace-stop
api-disk-sanown-assign
api-disk-sanown-filer-list-info
api-disk-sanown-list-info
api-disk-sanown-reassign
api-disk-sanown-remove-ownership
api-disk-unfail
api-disk-update-disk-fw
api-disk-zero-spares
api-ems-autosupport-log
api-fc-config-adapter-disable
api-fc-config-adapter-enable
api-fc-config-list-iter-end
api-fc-config-list-iter-next
api-fc-config-list-iter-start
api-fc-config-set-adapter-fc-type
api-fcp-adapter-clear-partner
api-fcp-adapter-config-down
api-fcp-adapter-config-media-type
api-fcp-adapter-config-up
api-fcp-adapter-initiators-list-info
api-fcp-adapter-list-info
api-fcp-adapter-reset-stats
api-fcp-adapter-set-partner
api-fcp-adapter-set-speed
api-fcp-adapter-stats-list-info
api-fcp-get-cfmode
api-fcp-node-get-name
api-fcp-node-set-name
api-fcp-ping
api-fcp-ping-info
api-fcp-port-name-list-info
api-fcp-port-name-set
api-fcp-port-name-swap
api-fcp-service-start
api-fcp-service-status
api-fcp-service-stop
api-fcp-set-cfmode
api-fcp-wwpnalias-get-alias-info
api-fcp-wwpnalias-remove
api-fcp-wwpnalias-set
api-feature-status-list-info
api-file-create-directory
api-file-create-symlink
api-file-delete-directory
api-file-delete-file
api-file-get-file-info
api-file-get-fingerprint
api-file-list-directory-iter-end
api-file-list-directory-iter-next
api-file-list-directory-iter-start
api-file-read-file
api-file-read-symlink
api-file-rename-directory
api-file-set-snaplock-retention-time
api-file-snaplock-retention-time-list-info
api-file-truncate-file
api-file-write-file
api-flash-device-list-info
api-flash-get-thresholds
api-fpolicy-create-policy
api-fpolicy-destroy-policy
api-fpolicy-disable
api-fpolicy-disable-policy
api-fpolicy-enable
api-fpolicy-enable-policy
api-fpolicy-extensions
api-fpolicy-extensions-list-info
api-fpolicy-get-policy-options
api-fpolicy-get-secondary-servers-info
api-fpolicy-list-info
api-fpolicy-operations-list-set
api-fpolicy-server-list-info
api-fpolicy-server-stop
api-fpolicy-set-policy-options
api-fpolicy-set-secondary-servers
api-fpolicy-status
api-fpolicy-volume-list-info
api-fpolicy-volume-list-set
api-igroup-add
api-igroup-bind-portset
api-igroup-create
api-igroup-destroy
api-igroup-list-info
api-igroup-lookup-lun
api-igroup-remove
api-igroup-rename
api-igroup-set-attribute
api-igroup-unbind-portset
api-iscsi-auth-generate-chap-password
api-iscsi-connection-list-info
api-iscsi-initiator-add-auth
api-iscsi-initiator-auth-list-info
api-iscsi-initiator-delete-auth
api-iscsi-initiator-get-auth
api-iscsi-initiator-get-default-auth
api-iscsi-initiator-list-info
api-iscsi-initiator-modify-chap-params
api-iscsi-initiator-set-default-auth
api-iscsi-interface-disable
api-iscsi-interface-enable
api-iscsi-interface-list-info
api-iscsi-isns-config
api-iscsi-isns-get-info
api-iscsi-isns-start
api-iscsi-isns-stop
api-iscsi-isns-update
api-iscsi-node-get-name
api-iscsi-node-set-name
api-iscsi-portal-list-info
api-iscsi-reset-stats
api-iscsi-service-start
api-iscsi-service-status
api-iscsi-service-stop
api-iscsi-session-list-info
api-iscsi-stats-list-info
api-iscsi-target-alias-clear-alias
api-iscsi-target-alias-get-alias
api-iscsi-target-alias-set-alias
api-iscsi-tpgroup-alua-set
api-iscsi-tpgroup-create
api-iscsi-tpgroup-destroy
api-iscsi-tpgroup-interface-add
api-iscsi-tpgroup-interface-delete
api-iscsi-tpgroup-list-info
api-license-add
api-license-delete
api-license-list-info
api-license-v2-add
api-lock-status-iter-end
api-lock-status-iter-next
api-lock-status-iter-start
api-lun-clear-persistent-reservation-info
api-lun-clone-list-info
api-lun-clone-split-start
api-lun-clone-split-status-list-info
api-lun-clone-split-stop
api-lun-config-check-cfmode-info
api-lun-config-check-info
api-lun-config-check-single-image-info
api-lun-create-by-size
api-lun-create-clone
api-lun-create-from-file
api-lun-create-from-snapshot
api-lun-destroy
api-lun-get-attribute
api-lun-get-comment
api-lun-get-geometry
api-lun-get-inquiry-info
api-lun-get-maxsize
api-lun-get-minsize
api-lun-get-occupied-size
api-lun-get-persistent-reservation-info
api-lun-get-select-attribute
api-lun-get-serial-number
api-lun-get-space-reservation-info
api-lun-get-target-device-id
api-lun-has-scsi-reservations
api-lun-initiator-list-map-info
api-lun-initiator-logged-in
api-lun-list-info
api-lun-map
api-lun-map-list-info
api-lun-move
api-lun-offline
api-lun-online
api-lun-port-has-scsi-reservations
api-lun-reset-stats
api-lun-resize
api-lun-restore-status
api-lun-set-attribute
api-lun-set-comment
api-lun-set-device-id
api-lun-set-select-attribute
api-lun-set-serial-number
api-lun-set-share
api-lun-set-space-reservation-info
api-lun-snap-usage-list-info
api-lun-stats-list-info
api-lun-unmap
api-lun-unset-device-id
api-nameservice-map-gid-to-group-name
api-nameservice-map-group-name-to-gid
api-nameservice-map-sid-to-uid
api-nameservice-map-uid-to-user-name
api-nameservice-map-unix-to-windows
api-nameservice-map-user-name-to-uid
api-nameservice-map-windows-to-unix
api-net-config-get-active
api-net-config-get-persistent
api-net-config-set-persistent
api-net-dcb-list-info
api-net-dcb-priority-list-info
api-net-ifconfig-get
api-net-ifconfig-set
api-net-ipspace-assign
api-net-ipspace-create
api-net-ipspace-destroy
api-net-ipspace-list
api-net-ping
api-net-ping-info
api-net-resolve
api-net-route-add
api-net-route-delete
api-net-vlan-create
api-net-vlan-delete
api-nfs-disable
api-nfs-enable
api-nfs-exportfs-append-rules-2
api-nfs-exportfs-check-permission
api-nfs-exportfs-delete-rules
api-nfs-exportfs-fence-disable
api-nfs-exportfs-fence-enable
api-nfs-exportfs-flush-cache
api-nfs-exportfs-list-rules-2
api-nfs-exportfs-load-exports
api-nfs-exportfs-modify-rule-2
api-nfs-exportfs-storage-path
api-nfs-get-supported-sec-flavors
api-nfs-monitor-add
api-nfs-monitor-list
api-nfs-monitor-reclaim
api-nfs-monitor-remove
api-nfs-monitor-remove-locks
api-nfs-stats-get-client-stats
api-nfs-stats-top-clients-list-iter-end
api-nfs-stats-top-clients-list-iter-next
api-nfs-stats-top-clients-list-iter-start
api-nfs-stats-zero-stats
api-nfs-status
api-options-get
api-options-list-info
api-options-set
api-perf-object-counter-list-info
api-perf-object-get-instances
api-perf-object-get-instances-iter-end
api-perf-object-get-instances-iter-next
api-perf-object-get-instances-iter-start
api-perf-object-instance-list-info-iter-end
api-perf-object-instance-list-info-iter-next
api-perf-object-instance-list-info-iter-start
api-perf-object-list-info
api-portset-add
api-portset-create
api-portset-destroy
api-portset-list-info
api-portset-remove
api-priority-disable
api-priority-enable
api-priority-list-info
api-priority-list-info-default
api-priority-list-info-volume
api-priority-set
api-priority-set-default
api-priority-set-volume
api-qtree-create
api-qtree-delete
api-qtree-list
api-qtree-list-iter-end
api-qtree-list-iter-next
api-qtree-list-iter-start
api-qtree-rename
api-quota-add-entry
api-quota-delete-entry
api-quota-get-entry
api-quota-list-entries-iter-end
api-quota-list-entries-iter-next
api-quota-list-entries-iter-start
api-quota-off
api-quota-on
api-quota-report-iter-end
api-quota-report-iter-next
api-quota-report-iter-start
api-quota-resize
api-quota-set-entry
api-quota-status
api-radius-reset-stats
api-radius-server-add
api-radius-server-remove
api-radius-service-start
api-radius-service-status
api-radius-service-stop
api-radius-show-info
api-radius-stats-list-info
api-reallocate-delete-schedule
api-reallocate-list-info
api-reallocate-measure
api-reallocate-off
api-reallocate-on
api-reallocate-quiesce
api-reallocate-restart
api-reallocate-set-schedule
api-reallocate-start
api-reallocate-stop
api-rsh-get-stats
api-rsh-kill
api-sis-disable
api-sis-enable
api-sis-set-config
api-sis-start
api-sis-status
api-sis-stop
api-snaplock-get-compliance-clock
api-snaplock-get-log-volume
api-snaplock-get-options
api-snaplock-get-system-compliance-clock
api-snaplock-get-volume-compliance-clock
api-snaplock-log-archive
api-snaplock-log-status-list-info
api-snaplock-privileged-delete-file
api-snaplock-set-log-volume
api-snaplock-set-options
api-snaplock-set-system-compliance-clock
api-snapmirror-abort
api-snapmirror-break
api-snapmirror-delete-connection
api-snapmirror-delete-schedule
api-snapmirror-delete-sync-schedule
api-snapmirror-get-status
api-snapmirror-get-volume-status
api-snapmirror-initialize
api-snapmirror-list-connections
api-snapmirror-list-destinations
api-snapmirror-list-schedule
api-snapmirror-list-sync-schedule
api-snapmirror-off
api-snapmirror-on
api-snapmirror-quiesce
api-snapmirror-release
api-snapmirror-resume
api-snapmirror-resync
api-snapmirror-set-connection
api-snapmirror-set-schedule
api-snapmirror-set-sync-schedule
api-snapmirror-throttle
api-snapmirror-update
api-snapshot-autodelete-list-info
api-snapshot-autodelete-set-option
api-snapshot-create
api-snapshot-delete
api-snapshot-delta-info
api-snapshot-get-reserve
api-snapshot-get-schedule
api-snapshot-list-info
api-snapshot-multicreate
api-snapshot-multicreate-validate
api-snapshot-reclaimable-info
api-snapshot-rename
api-snapshot-restore-file
api-snapshot-restore-file-info
api-snapshot-restore-volume
api-snapshot-set-reserve
api-snapshot-set-schedule
api-snapshot-volume-info
api-snapvault-add-softlock
api-snapvault-get-all-softlocked-snapshots
api-snapvault-get-softlocks
api-snapvault-primary-abort-snapshot-create
api-snapvault-primary-abort-transfer
api-snapvault-primary-delete-snapshot-schedule
api-snapvault-primary-destinations-list-info
api-snapvault-primary-get-relationship-status
api-snapvault-primary-initiate-incremental-restore-transfer
api-snapvault-primary-initiate-restore-transfer
api-snapvault-primary-initiate-snapshot-create
api-snapvault-primary-relationship-status-list-iter-end
api-snapvault-primary-relationship-status-list-iter-next
api-snapvault-primary-relationship-status-list-iter-start
api-snapvault-primary-release-relationship
api-snapvault-primary-set-snapshot-schedule
api-snapvault-primary-snapshot-schedule-list-info
api-snapvault-primary-snapshot-schedule-status-list-info
api-snapvault-remove-softlock
api-snapvault-secondary-abort-snapshot-create
api-snapvault-secondary-abort-transfer
api-snapvault-secondary-configuration-list-info
api-snapvault-secondary-create-relationship
api-snapvault-secondary-delete-relationship
api-snapvault-secondary-delete-snapshot-schedule
api-snapvault-secondary-destinations-list-info
api-snapvault-secondary-get-configuration
api-snapvault-secondary-get-relationship-status
api-snapvault-secondary-initiate-incremental-transfer
api-snapvault-secondary-initiate-snapshot-create
api-snapvault-secondary-modify-configuration
api-snapvault-secondary-relationship-status-list-iter-end
api-snapvault-secondary-relationship-status-list-iter-next
api-snapvault-secondary-relationship-status-list-iter-start
api-snapvault-secondary-release-relationship
api-snapvault-secondary-resync-relationship
api-snapvault-secondary-set-snapshot-schedule
api-snapvault-secondary-snapshot-schedule-list-info
api-snapvault-secondary-snapshot-schedule-status-list-info
api-snmp-community-add
api-snmp-community-delete
api-snmp-community-delete-all
api-snmp-disable
api-snmp-enable
api-snmp-get
api-snmp-get-next
api-snmp-status
api-snmp-trap-disable
api-snmp-trap-enable
api-snmp-traphost-add
api-snmp-traphost-delete
api-storage-adapter-enable-adapter
api-storage-adapter-get-adapter-info
api-storage-adapter-get-adapter-list
api-storage-shelf-environment-list-info
api-storage-shelf-list-info
api-storage-shelf-set-led-state
api-storage-shelf-update-fw
api-system-api-list
api-system-available-replication-transfers
api-system-cli
api-system-get-info
api-system-get-ontapi-version
api-system-get-vendor-info
api-system-get-version
api-useradmin-domainuser-add
api-useradmin-domainuser-delete
api-useradmin-domainuser-list
api-useradmin-group-add
api-useradmin-group-delete
api-useradmin-group-list
api-useradmin-group-modify
api-useradmin-role-add
api-useradmin-role-delete
api-useradmin-role-list
api-useradmin-role-modify
api-useradmin-user-add
api-useradmin-user-delete
api-useradmin-user-list
api-useradmin-user-modify
api-useradmin-user-modify-password
api-vfiler-add-ipaddress
api-vfiler-add-storage
api-vfiler-allow-protocol
api-vfiler-create
api-vfiler-destroy
api-vfiler-disallow-protocol
api-vfiler-dr-activate
api-vfiler-dr-configure
api-vfiler-dr-delete
api-vfiler-dr-get-status
api-vfiler-dr-resync
api-vfiler-get-allowed-protocols
api-vfiler-get-disallowed-protocols
api-vfiler-get-status
api-vfiler-list-info
api-vfiler-migrate-cancel
api-vfiler-migrate-complete
api-vfiler-migrate-start
api-vfiler-migrate-status
api-vfiler-remove-ipaddress
api-vfiler-remove-storage
api-vfiler-setup
api-vfiler-start
api-vfiler-stop
api-volume-autosize-get
api-volume-autosize-set
api-volume-charmap-get
api-volume-charmap-set
api-volume-clone-create
api-volume-clone-split-estimate
api-volume-clone-split-start
api-volume-clone-split-status
api-volume-clone-split-stop
api-volume-container
api-volume-create
api-volume-destroy
api-volume-footprint-list-info-iter-end
api-volume-footprint-list-info-iter-next
api-volume-footprint-list-info-iter-start
api-volume-get-language
api-volume-list-info
api-volume-list-info-iter-end
api-volume-list-info-iter-next
api-volume-list-info-iter-start
api-volume-move-abort
api-volume-move-cutover
api-volume-move-pause
api-volume-move-resume
api-volume-move-start
api-volume-move-status
api-volume-offline
api-volume-online
api-volume-options-list-info
api-volume-rename
api-volume-restrict
api-volume-set-language
api-volume-set-option
api-volume-set-total-files
api-volume-size
api-volume-space-list-info-iter-end
api-volume-space-list-info-iter-next
api-volume-space-list-info-iter-start
api-wafl-sync

7 comments:

  1. Replies
    1. No problem Paul. Thank you for reading :-)

  2. What is the syntax for cli capabilities in "useradmin role" command?
    For example, if I have the command "disk encrypt" and I want to allow that capability for a role,

    Should the command be similar to this one:
    useradmin role add only_key_mgr -a cli-disk encrypt*

    or should I use "dash"?
    useradmin role add only_key_mgr -a cli-disk-encrypt*

    Where can I check all the list for capabilities and for the syntax for it?
    Thanks.

    Replies
    1. I found TR only for 7G.
      http://www.netapp.com/us/media/tr-3358.pdf

    2. I don't think you can do

      cli-disk-etc.etc

      It's either

      cli-disk* or nothing I think. I am looking for something similar myself. I am looking to create a specific account that allows for

      vol offline/delete
      lun offline/delete
      qtree delete

      I can't find a way of doing it.
