From this link:
VSC,
VASA Provider, SRA 9.7: Configuring User Roles and Privileges
The documentation tells us to download the ‘ONTAP
Privileges’ file from:
https://{virtual_appliance_IP}:9083/vsc/config/VSC_ONTAP_User_Privileges.zip
This zip contains a file called VSC_user_roles.json.
You upload the JSON file via the ONTAP 9.7+ System Manager -
Cluster > Settings > Users and Roles > Add
User
- selecting ‘Virtualization products’ and choose ‘Product
Capability’ which gives the choice -
- VSC 9.7
- VSC and VASA Provider 9.7
- VSC and SRA 9.7
- VSC, VASA Provider and SRA 9.7
- Discovery: Allows discovery of all connected storage controllers.
- Create Storage: Allows creation of volumes and LUNs.
- Modify Storage: Allows resizing and deduplicating of storage.
- Destroy Storage: Allows destruction of volumes and LUNs.
- NAS/SAN Role: Allows discovery of all connected storage controllers, only on VMware SRM environment.
The above allows for a number of different roles (NAS/SAN Role only appears when SRA 9.7 is selected.)
Image: Add User > Virtualization Products > VSC_user_roles.json + Product Capability
Image: ONTAP 9.7 > Virtualization Products > Privileges
ONTAP Privileges
There’s too many different roles to document in this blog, so I’ll document just the one I’m particularly interested in, which is this one:
Virtualization Products:
Product = VSC, VASA Provider and SRA
Product Capability = VSC and VASA Provider 9.7
Privileges = Discovery + Create + Modify + Destroy
I’m not interested in SRA 9.7 product capability for this scenario. I want all the privileges, and later on I will attempt to modify the privileges to disable VMware Admins from creating/destroying flexvols (they need to be able to create/destroy LUNs), with an eye to giving them enough permission to do everything they need to do in order to manage VMs on VVOLs, just leave it to a storage admin to provision the flexvols for the VVOL datastores.
Note 1: “If VASA Provider is required for a particular storage controller, then the storage system must be added to VSC at the cluster level.” - source
Note 2: All the users are added with application = ontapi
These are the access and cmddirname specified by the role UnifiedVirtualApplianceVSC&VP9.7_Discovery_Create_Modify_Destroy:
ACCESS : CMDDIRNAME
---------+-----------
none : DEFAULT
readonly : cluster identity modify
readonly : cluster identity show
readonly : cluster modify
readonly : cluster peer show
readonly : cluster show
all : job
readonly : job show-completed
all : lun comment
all : lun create
all : lun delete
readonly : lun geometry
all : lun igroup add
readonly : lun igroup create
readonly : lun igroup modify
all : lun igroup set
readonly : lun igroup show
all : lun mapping create
all : lun mapping delete
all : lun mapping show
all : lun modify
all : lun move
all : lun offline
all : lun online
all : lun resize
all : lun show
readonly : network fcp adapter modify
readonly : network fcp adapter show
readonly : network interface create
readonly : network interface delete
all : network interface migrate
readonly : network interface modify
readonly : network interface show
readonly : network port delete
readonly : network port modify
readonly : network port show
all : qos policy-group create
all : qos policy-group modify
all : qos policy-group show
readonly : security login create
readonly : security login delete
readonly : security login modify
readonly : security login role create
readonly : security login role delete
readonly : security login role modify
readonly : security login role show
readonly : security login role show-ontapi
all : security login role show-user-capability
readonly : security login show
all : set
readonly : snapmirror create
readonly : snapmirror list-destinations
readonly : snapmirror show
all : snapmirror update-ls-set
readonly : storage aggregate create
readonly : storage aggregate modify
readonly : storage aggregate show
readonly : storage disk show
all : storage failover modify
all : storage failover show
readonly : system health alert modify
readonly : system health alert show
readonly : system health status show
readonly : system license delete
readonly : system license show
all : system node autosupport invoke
readonly : system node modify
all : system node run
readonly : system node show
readonly : version
all : volume autosize
all : volume clone create
all : volume clone show
all : volume create
all : volume destroy
all : volume efficiency modify
all : volume efficiency off
all : volume efficiency on
all : volume efficiency show
all : volume efficiency start
all : volume efficiency stat
all : volume efficiency stop
all : volume file show-disk-usage
all : volume modify
all : volume offline
readonly : volume qtree create
readonly : volume qtree show
readonly : volume quota modify
readonly : volume quota report
readonly : volume quota show
all : volume restrict
all : volume show
all : volume size
all : volume snapshot create
all : volume snapshot delete
all : volume snapshot modify
all : volume snapshot show
all : volume unmount
readonly : vserver create
readonly : vserver export-policy create
readonly : vserver export-policy delete
all : vserver export-policy rule create
all : vserver export-policy rule delete
all : vserver export-policy rule modify
all : vserver export-policy rule setindex
all : vserver export-policy rule show
readonly : vserver export-policy show
readonly : vserver fcp create
readonly : vserver fcp delete
readonly : vserver fcp initiator show
readonly : vserver fcp interface show
readonly : vserver fcp modify
readonly : vserver fcp show
readonly : vserver iscsi connection show
readonly : vserver iscsi create
readonly : vserver iscsi delete
all : vserver iscsi interface accesslist add
readonly : vserver iscsi interface modify
readonly : vserver iscsi interface show
readonly : vserver iscsi modify
readonly : vserver iscsi session show
readonly : vserver iscsi show
readonly : vserver modify
readonly : vserver nfs create
readonly : vserver nfs delete
readonly : vserver nfs modify
readonly : vserver nfs show
all : vserver nfs status
all : vserver services name-service unix-group
all : vserver services name-service unix-user
readonly : vserver show
