Workload Security - Merge the permissions for ONTAP ARP and ONTAP Access Denied #2574
Comments
In the above commands the part for the User Blocking is missing:

```
security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all
```

All of the commands:

```
# the traditional "csrole"
security login role create -role csrole -cmddirname DEFAULT -access readonly
security login role create -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -role csrole -cmddirname "volume snapshot" -access all -query "-snapshot cloudsecure_*"
security login role create -role csrole -cmddirname "event catalog" -access all
security login role create -role csrole -cmddirname "event filter" -access all
security login role create -role csrole -cmddirname "event notification destination" -access all
security login role create -role csrole -cmddirname "event notification" -access all
security login role create -role csrole -cmddirname "security certificate" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole
security login create -user-or-group-name csuser -application ssh -authmethod password -role csrole

# the user blocking permissions
security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all

# for rest role "csrestrole"
# needed for ONTAP ARP feature
security login rest-role create -role csrestrole -api /api/storage/volumes -access readonly -vserver <cluster-name>
# needed for ONTAP ARP feature
security login rest-role create -role csrestrole -api /api/security/anti-ransomware -access readonly -vserver <cluster-name>
# needed for access denied feature
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name>
security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole
```
Hi Harald! I'm looking into merging these permissions on the https://docs.netapp.com/us-en/cloudinsights/task_add_collector_svm.html page. Keeping in mind that I don't understand this as fully as you do, are you requesting that we consolidate all of the permissions in the "A Note About Permissions" section into the concise block you suggest above, or is there a need to still have some of the permissions on that page separated out?
Summary
According to the documentation there are two roles created for getting events from ONTAP for ARP and Access Denied. If you are configuring permissions for ONTAP ARP first with the `arwrole` and then create for ONTAP Access Denied the role `csrestrole`, you will get an error during the setup (via ONTAP CLI) and the Datacollector will not start and show an error (Reason: Object is missing required member 'records'). There is an internal case (contact me directly for more details) which describes this problem in more detail.

It makes more sense to create ONE role for REST API and merge the permissions (in the example below it is the `csrestrole`; the `arwrole` is not being created). The whole setup of the permissions is shown below:
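A small checker, added here as an example (it is neither NetApp's code nor part of this issue), that encodes the three REST privileges of the merged `csrestrole` and reports which of them a role on the cluster is missing or holds at too weak a level. It assumes the role is read with `GET /api/security/roles?name=csrestrole&fields=privileges`; the endpoint is real, but the exact record layout used below (`name`, `privileges[].path`, `privileges[].access`) and the rule that a privilege on a parent path such as `/api` covers its child endpoints are assumptions. It also reproduces the collector's `records` check from the summary above: when the cluster returns an error object instead of a record set, the same "missing required member 'records'" failure is raised. The responses are constructed samples so the script runs offline.

```python
"""Check an ONTAP REST role for the privileges Workload Security needs.

Added example, not NetApp's code. Assumes the response shape of
GET /api/security/roles?name=<role>&fields=privileges (records with
`name` and `privileges[{path, access}]`) and that a privilege on a
parent path such as /api covers its child endpoints.
"""
from typing import Dict, Optional, Tuple

# The three REST privileges from the merged csrestrole in this issue.
REQUIRED: Dict[str, str] = {
    "/api/storage/volumes": "readonly",           # ONTAP ARP
    "/api/security/anti-ransomware": "readonly",  # ONTAP ARP
    "/api/protocols/fpolicy": "all",              # Access Denied
}

# Ranking of access levels; anything unrecognised ranks below "none".
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}


def extract_records(response) -> list:
    """Return the `records` list, failing the way the collector does when the
    member is absent (for example when ONTAP answers with an error object
    instead of a record set)."""
    if not isinstance(response, dict) or "records" not in response:
        raise ValueError("Object is missing required member 'records'")
    return response["records"]


def role_privileges(response, role_name: str) -> Optional[Dict[str, str]]:
    """Map privilege path -> access for role_name, or None if no such record."""
    for rec in extract_records(response):
        if rec.get("name") == role_name:
            return {p["path"]: p["access"] for p in rec.get("privileges", [])}
    return None


def effective_access(privs: Dict[str, str], path: str) -> str:
    """Access level for `path`: the privilege whose path equals `path` or is
    its closest parent (assumption: child endpoints inherit). Default 'none'."""
    best, best_len = "none", -1
    for ppath, access in privs.items():
        parent = ppath.rstrip("/")
        if path == parent or path.startswith(parent + "/"):
            if len(parent) > best_len:
                best, best_len = access, len(parent)
    return best


def missing_privileges(privs: Dict[str, str],
                       required: Dict[str, str] = REQUIRED) -> Dict[str, Tuple[str, str]]:
    """Return {path: (have, need)} for each required path that is absent or
    granted at a weaker level than needed."""
    gaps = {}
    for path, need in required.items():
        have = effective_access(privs, path)
        if ACCESS_RANK.get(have, -1) < ACCESS_RANK[need]:
            gaps[path] = (have, need)
    return gaps


def check_role(response, role_name: str = "csrestrole") -> Dict[str, Tuple[str, str]]:
    """Gaps for role_name in a /api/security/roles response; a role that is
    not present at all is reported as lacking every required privilege."""
    privs = role_privileges(response, role_name)
    if privs is None:
        return {path: ("none", need) for path, need in REQUIRED.items()}
    return missing_privileges(privs)


# Constructed sample: the role after only the ARP half of the permissions
# was created, so the fpolicy privilege for Access Denied is still missing.
SAMPLE_RESPONSE = {
    "records": [{
        "owner": {"name": "cluster1"},
        "name": "csrestrole",
        "privileges": [
            {"path": "/api/storage/volumes", "access": "readonly"},
            {"path": "/api/security/anti-ransomware", "access": "readonly"},
        ],
    }],
    "num_records": 1,
}

# Constructed sample of an error object returned in place of a record set.
SAMPLE_ERROR = {"error": {"message": "Permission denied", "code": "6"}}


if __name__ == "__main__":
    for path, (have, need) in check_role(SAMPLE_RESPONSE).items():
        print(f"{path}: have {have}, need {need}")
    try:
        extract_records(SAMPLE_ERROR)
    except ValueError as exc:
        print(f"collector-style failure: {exc}")
```

Run it against a real cluster by replacing `SAMPLE_RESPONSE` with the parsed JSON of the `GET /api/security/roles?name=csrestrole&fields=privileges` call made as an admin user; an empty result from `check_role` means the role carries everything the merged block above grants.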