You cannot modify the pre-defined roles in Clustered Data
ONTAP. You will get the following error:
Error: command failed: Cannot modify pre-defined roles.
So, to make a readonly role that allows autosupport, we
first display the default readonly role:
NACLU1::> security login role show -role readonly
           Role          Command/                      Access
Vserver    Name          Directory               Query Level
---------- ------------- ----------------------- ----- --------
NACLU1     readonly      DEFAULT                       readonly
NACLU1     readonly      security                      none
NACLU1     readonly      security login password       all
NACLU1     readonly      set                           all
Then run the following commands to construct the new
role:
security login role create -role CUSTOM_readonly -cmddirname DEFAULT -access readonly
security login role create -role CUSTOM_readonly -cmddirname security -access none
security login role create -role CUSTOM_readonly -cmddirname "security login password" -access all
security login role create -role CUSTOM_readonly -cmddirname set -access all
security login role create -role CUSTOM_readonly -cmddirname "system node autosupport" -access readonly
security login role create -role CUSTOM_readonly -cmddirname "system node autosupport invoke" -access all
Verify the role’s access privileges:
NACLU1::> security login role show -role CUSTOM_readonly
           Command/                             Access
Vserver    Directory                      Query Level
---------- ------------------------------ ----- --------
NACLU1     DEFAULT                              readonly
NACLU1     security                             none
NACLU1     security login password              all
NACLU1     set                                  all
NACLU1     system node autosupport              readonly
NACLU1     system node autosupport invoke       all
To test that the role allows sending AutoSupports, create a user:
security login create -username rouser -authmethod password -role CUSTOM_readonly -application ssh
Then log in with this account and run:
system node autosupport invoke -node * -message TEST -type all
If you then need to move existing users to this new role, list the
users that hold the readonly role and modify them:
security login show -role readonly
security login modify -username rouser -application * -role CUSTOM_readonly
Note 1: If users have different roles for different applications
(non-standard), remove the wildcard and specify the particular application
(console, http, ontapi, rsh, service-processor, snmp, ssh, telnet).
Note 2: The commands above were run on a Clustered Data ONTAP 8.2.1
Simulator.
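The clone-and-extend procedure above can be scripted so that no entry of the predefined role is missed. The following is an added example, not part of the original post: it parses `security login role show` output by column position, emits the matching `security login role create` lines, and lists the directories the new role gets `all` access to so they can be reviewed. The function names are hypothetical, the sample listing is constructed from the values shown on this page, and the `-query` handling assumes the ONTAP `-query` parameter, which the page itself does not use.

```python
import re

def parse_role_show(text):
    """Parse 'security login role show' output into (cmddirname, query, access) rows."""
    lines = text.splitlines()
    # The dashed separator line gives each column's character span.
    sep = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+( +-+)+", l.strip()))
    spans = [m.span() for m in re.finditer(r"-+", lines[sep])]
    if len(spans) != 5:
        raise ValueError("expected Vserver, Role, Directory, Query, Access columns")
    rows = []
    for line in lines[sep + 1:]:
        if line.strip():
            cells = [line[a:b].strip() for a, b in spans[:-1]]
            cells.append(line[spans[-1][0]:].strip())  # last column may be unpadded
            rows.append(tuple(cells[2:]))
    return rows

def clone_commands(rows, new_role, extras=()):
    """Build 'security login role create' lines: the cloned rows, then the extras."""
    cmds = []
    for cmddir, query, access in list(rows) + [(d, "", a) for d, a in extras]:
        name = f'"{cmddir}"' if " " in cmddir else cmddir
        cmd = f"security login role create -role {new_role} -cmddirname {name} -access {access}"
        if query:
            cmd += f' -query "{query}"'
        cmds.append(cmd)
    return cmds

def full_access(rows):
    """Directories where the role may run every command, for review before use."""
    return [cmddir for cmddir, _query, access in rows if access == "all"]

# Constructed sample: the readonly role's entries from the page in fixed-width columns.
FMT = "{:<10} {:<13} {:<28} {:<5} {}"
SAMPLE = "\n".join([
    FMT.format("Vserver", "Role Name", "Directory", "Query", "Access"),
    FMT.format("-" * 10, "-" * 13, "-" * 28, "-" * 5, "-" * 8),
    FMT.format("NACLU1", "readonly", "DEFAULT", "", "readonly"),
    FMT.format("NACLU1", "readonly", "security", "", "none"),
    FMT.format("NACLU1", "readonly", "security login password", "", "all"),
    FMT.format("NACLU1", "readonly", "set", "", "all"),
])
# The two autosupport entries the page adds on top of the clone.
EXTRAS = [("system node autosupport", "readonly"),
          ("system node autosupport invoke", "all")]

if __name__ == "__main__":
    rows = parse_role_show(SAMPLE)
    print("\n".join(clone_commands(rows, "CUSTOM_readonly", EXTRAS)))
    print("full access:", full_access(rows))
```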