Minimum Permission User for Joining Clustered ONTAP Clusters to OnCommand Performance Manager 1.0

Following on from the previous blog post, where we created a minimum-permission user account for joining clusters to OCUM 6.1, this unofficial blog post outlines how to do the same for OPM 1.0. As before, the role was built by starting with a read-only account, checking the command-history.log for commands that were failing with insufficient-privilege errors, and then adding in just the required permissions.

Note: The role will need to be reviewed for later releases of OnCommand Performance Manager and Clustered Data ONTAP (tested with 8.2.1).

Creating the OCPM Role

The commands below create a role called ocpm:

security login role create -role ocpm -cmddirname DEFAULT -access readonly
security login role create -role ocpm -cmddirname "cluster application-record" -access all
security login role create -role ocpm -cmddirname "volume modify" -access all
security login role create -role ocpm -cmddirname "storage disk show" -access all

Note: The role was constructed by resolving the ONTAP errors seen in the command-history.log. Insufficient-privilege errors were seen for "cluster-application-record-create", "volume-modify-iter", and "storage-shelf-list-info". Be aware that granting "volume modify" with access all also affects "volume create" and "volume show", and granting "storage disk show" with access all also affects "storage disk modify".

Creating the OCPM User

The command below creates a user called ocpm:

security login create -username ocpm -application ontapi -role ocpm -authmethod password

Additional Information

In CDOT 8.2.1, OPM needs to be able to enable QoS counters on volumes. A volume that does not have a QoS policy will be added to the hidden _Performance_Monitor_volumes QoS policy group, which the user described above has the permission to do.

CLUSTERNAME::> vol show -fields qos-policy-group -type RW
vserver       volume qos-policy-group
------------- ------ ----------------
VSERVER1      testvol
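As an added example (not code from the original post), a small Python parser for the `vol show -fields` output above. It takes the column boundaries from the dashed underline row, so a volume with no QoS policy group (like testvol) parses as an empty field rather than shifting the columns, and it then reports which RW volumes have no policy group (the ones OPM will place in _Performance_Monitor_volumes) and which are already in that hidden group. The sample output is constructed and the fixed-width layout is assumed from the post.

```python
import re

# Constructed sample output in the layout the post shows for
# `vol show -fields qos-policy-group -type RW` (assumed fixed-width
# columns; widths taken from the dashed underline row).
SAMPLE_OUTPUT = """\
CLUSTERNAME::> vol show -fields qos-policy-group -type RW
vserver       volume  qos-policy-group
------------- ------- ----------------------------
VSERVER1      testvol
VSERVER1      vol_db  gold
VSERVER1      vol_web _Performance_Monitor_volumes
3 entries were displayed.
"""

# Hidden policy group OPM uses when a volume has no QoS policy (from the post).
OPM_HIDDEN_GROUP = "_Performance_Monitor_volumes"


def parse_show_fields(text):
    """Parse ONTAP 'show -fields' output into a list of dicts keyed by column name."""
    lines = text.splitlines()
    # The dashed row marks the column widths; the header is the line above it.
    for i, line in enumerate(lines):
        if line and set(line.replace(" ", "")) == {"-"}:
            header_idx, dash_idx = i - 1, i
            break
    else:
        raise ValueError("no column underline row found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[dash_idx])]
    names = [lines[header_idx][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[dash_idx + 1:]:
        if not line.strip() or line.endswith("displayed."):
            continue  # skip blank lines and the trailing entry count
        # Pad short rows so a missing trailing field slices to "" cleanly.
        padded = line.ljust(spans[-1][1])
        rows.append({n: padded[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def classify_qos(rows):
    """Return (volumes with no policy group, volumes already in OPM's hidden group)."""
    no_policy = [r["volume"] for r in rows if not r["qos-policy-group"]]
    opm_managed = [r["volume"] for r in rows if r["qos-policy-group"] == OPM_HIDDEN_GROUP]
    return no_policy, opm_managed


if __name__ == "__main__":
    unassigned, managed = classify_qos(parse_show_fields(SAMPLE_OUTPUT))
    print("no QoS policy group (OPM will add):", unassigned)
    print("already in", OPM_HIDDEN_GROUP + ":", managed)
```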