Mailing List Archive

SVM Admin Access
Toasters,

I work with a team of Windows Server admins who are open to
provisioning their own storage but strongly prefer a GUI. I'd like
to provide this ability by granting System Manager access to the
specific SVMs that host their resources.

Much to my chagrin, it doesn't appear RBAC allows for System Manager
access to particular SVMs. Instead, privileges must be granted at
the cluster level which of course means those privs are effective for
all data SVMs (this is a non-starter).

Per NetApp docs, my only option appears to be SVM level RBAC privs via
SSH. Not quite the GUI option they are looking for but,
organizationally, we're making a push for more automation and use of
Ansible so it's not completely out of the question.

Is there an angle I'm not considering that would allow for SVM level
access via System Manager? Has anybody else come up with creative
ways to address this problem?

I'd love to hear from you.

Thanks,
Phil
_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters
AW: SVM Admin Access [ In reply to ]
Hey,

what exactly are the requirements? What do you need them to do, when you say "provision storage"?
Should they just be able to create new shares on already existing volumes or do they need to create new volumes, new LIFs, local user accounts, etc.?

Best,

Alexander Griesser
System-Administrator

ANEXIA Internetdienstleistungs GmbH

Phone: +43-463-208501-320
Fax: +43-463-208501-500

E-Mail: ag@anexia.at
Web: http://www.anexia.at

Headquarters address Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601

Re: SVM Admin Access [ In reply to ]
Might want to take a look at installing OnCommand Workflow Automation.
I suspect this may allow you to do what you need. Some YouTube videos:
Technical Introduction <https://www.youtube.com/watch?v=PtkcfznnPHk>
OnCommand Workflow Automation Introduction
<https://www.youtube.com/watch?v=v19pDUhDRXg>

Product page:
https://mysupport.netapp.com/site/products/all/details/ocwfa/downloads-tab


--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>

I Blog at TMACsRack <https://tmacsrack.wordpress.com/>



Re: SVM Admin Access [ In reply to ]
Hello,

Thanks for the responses. I should have included more details, apologies.

Environment:
* ONTAP 9.3 P19 (9.7 by EoY)
* Windows Server 2008/2012/2016
* vSphere 6.0 (6.7 by EoY)
* RHEL7/8 based Linux hosts

The following summarizes the SVM scoped privs we'd like them to have
via System Manager:

* Provision RW Flexvols
* Create Junction Paths
* Provision DR Flexvols
* Provision CIFS Shares
* Configure CIFS share permissions
* Provision NFS exports
* Configure export policies
* Manage local SVM user accounts (multiprotocol access / user mappings)
* Create and manage Snapmirror relationships
* Create and manage snapshot policies

We'd like to stay away from delegating cluster level privs so no need
for them to create SVMs, LIFs, etc - the platform team will
continue to do that.

We do use VSC today. But that doesn't address general use CIFS shares
and NFS exports.

My understanding is WFA is being retired. Is this not true?

Cheers,
Phil

Re: SVM Admin Access [ In reply to ]
Phil,

So that level of control/access is at the Cluster level and not at the SVM
level. If you want to do something like this with delegated access, WFA is
definitely one way. Another alternative is to use automation via Ansible in
conjunction with Ansible Tower. There you can use predefined playbooks to
perform the operations that you want, using the naming standard that you want.
And, use Ansible Tower to control who has the rights to execute the
playbooks at certain levels.

Regards,
André M. Clark
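
The delegation pattern described in the message above, as an added example that is not part of the original thread and not NetApp's own code: a predefined playbook that provisions a volume only on SVMs the platform team has listed for the requesting team, and only under a naming standard. The team and SVM names, the naming pattern, the size cap and all variable names are assumptions; `netapp.ontap.na_ontap_volume` is the volume module from NetApp's Ansible collection.

```yaml
---
# Added example (constructed). Team, SVM and variable names, the naming
# pattern and the size cap are assumptions, not values from the thread.
- name: Delegated volume provisioning, restricted to a team's own SVMs
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    # Maintained by the platform team: which data SVMs each team may use.
    team_svms:
      windows_admins:
        - svm_win01
        - svm_win02
    # Naming standard (assumed): win_<purpose>_<two digits>, e.g. win_sql_01
    volume_name_pattern: '^win_[a-z0-9]+_[0-9]{2}$'
    max_size_gb: 2048

  tasks:
    # Policy gate: runs before anything touches ONTAP. Conditions are
    # evaluated in order, so an unknown team fails before the SVM lookup.
    - name: Reject requests outside the team's SVMs, naming standard or size cap
      ansible.builtin.assert:
        that:
          - team in team_svms
          - svm in team_svms[team]
          - vol_name is match(volume_name_pattern)
          - (size_gb | int) > 0
          - (size_gb | int) <= max_size_gb
        fail_msg: "Request for {{ vol_name }} on {{ svm }} is outside what {{ team }} may provision"

    # Only reached when the request passed the gate above.
    - name: Create the RW FlexVol and mount it at its junction path
      netapp.ontap.na_ontap_volume:
        state: present
        vserver: "{{ svm }}"
        name: "{{ vol_name }}"
        aggregate_name: "{{ aggregate }}"
        size: "{{ size_gb | int }}"
        size_unit: gb
        junction_path: "/{{ vol_name }}"
        hostname: "{{ ontap_hostname }}"
        username: "{{ ontap_username }}"
        password: "{{ ontap_password }}"
        https: true
        validate_certs: true
```

In Ansible Tower, `team` and the ONTAP credential would be fixed on the job template, while `svm`, `vol_name`, `aggregate` and `size_gb` come from a survey, so Tower's own permissions decide who can launch it and the requester never holds the ONTAP login.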

Re: SVM Admin Access [ In reply to ]
Hi André,

Thanks for the note. I explored WFA a while back but was told NetApp
is moving away from that product in favor of Ansible and open
automation via the ONTAP REST API. As such, I chose to spend my time
looking into the available Ansible modules and REST API functionality
in 9.7.

Do you know if NetApp plans to continue to develop/support WFA
long-term? Perhaps my source was mistaken.

Cheers,
Phil

Re: SVM Admin Access [ In reply to ]
hmmmm....I will get confirmation. I hope my information is incorrect
as WFA sounds like it will address our particular need.

On Wed, Sep 23, 2020 at 7:40 PM Scott Eno <cse@hey.com> wrote:
>
> “I explored WFA a while back but was told NetApp
> is moving away from that product in favor of Ansible and open
> automation via the ONTAP REST API.”
>
> Wut? This would be ... bad.
Re: SVM Admin Access [ In reply to ]
On Thu, Sep 24, 2020 at 3:38 PM Philbert Rupkins <philbertrupkins@gmail.com>
wrote:

> hmmmm....I will get confirmation. I hope my information is incorrect
> as WFA sounds like it will address our particular need.
>

FYI, take a look at Ansible instead of WFA, as I suspect WFA has a limited
future.

-skottie


>
> On Wed, Sep 23, 2020 at 7:40 PM Scott Eno <cse@hey.com> wrote:
> >
> > “I explored WFA a while back but was told NetApp
> > is moving away from that product in favor of Ansible and open
> > automation via the ONTAP REST API.”
> >
> > Wut? This would be ... bad.
> >
> > On September 23, 2020, Philbert Rupkins <philbertrupkins@gmail.com>
> wrote:
> >
> > Hi André,
> >
> > Thanks for the note. I explored WFA a while back but was told NetApp
> > is moving away from that product in favor of Ansible and open
> > automation via the ONTAP REST API. As such, I chose to spend my time
> > looking into the available Ansible modules and REST API functionality
> > in 9.7.
> >
> > Do you know if NetApp plans to continue to develop/support WFA
> > long-term? Perhaps my source was mistaken.
> >
> > Cheers,
> > Phil
> >
> > On Wed, Sep 23, 2020 at 10:40 AM André M. Clark <andre.m.clark@gmail.com>
> wrote:
> > >
> > > Phil,
> > >
> > > So that level of control/access is at the Cluster level and not at the
> SVM level. If you want to do something like this with delegated access, WFA
> is definitely one way. Other alternatives is to use automation via Ansible
> in conjunction with Ansible Tower. There you can use predefined playbooks
> to perform the operations that you want, using naming standard that you
> want. And, use Ansible Tower to control who has the rights to execute the
> playbooks at certain levels.
> > >
> > > Regards,
> > > André M. Clark
> > >
> > > On September 23, 2020 at 09:51:14, Rupkins Philbert (
> philbertrupkins@gmail.com) wrote:
> > >
> > > Hello,
> > >
> > > Thanks for the responses. I should have included more details,
> apologies.
> > >
> > > Environment:
> > > * ONTAP 9.3 P19 (9.7 by EoY)
> > > * Windows Server 2008/2012/2016
> > > * vSphere 6.0 (6.7 by EoY)
> > > * RHEL7/8 based Linux hosts
> > >
> > > The following summarizes the SVM scoped privs we'd like them to have
> > > via System Manager:
> > >
> > > * Provision RW Flexvols
> > > * Create Junction Paths
> > > * Provision DR Flexvols
> > > * Provision CIFS Shares
> > > * Configure CIFS share permissions
> > > * Provision NFS exports
> > > * Configure export policies
> > > * Manage local SVM user accounts (multiprotocol access / user mappings)
> > > * Create and manage Snapmirror relationships
> > > * Create and manage snapshot policies
> > >
> > > We'd like to stay away from delegating cluster level privs so no need
> > > for them to create SVM's , LIF's, etc - the platform team will
> > > continue to do that.
> > >
> > > We do use VSC today. But that doesnt address general use CIFS shares
> > > and NFS exports.
> > >
> > > My understanding is WFA is being retired. Is this not true?
> > >
> > > Cheers,
> > > Phil
> > >
> > > On Wed, Sep 23, 2020 at 8:23 AM tmac <tmacmd@gmail.com> wrote:
> > > >
> > > > Might want to take a look at installing OnCommand Worfklow
> Automation.
> > > > I suspect this may allow you to do what you need. Some YouTube
> videos:
> > > > Technical Introduction
> > > > OnCommand Workflow Automation Introduction
> > > >
> > > > Product page:
> https://mysupport.netapp.com/site/products/all/details/ocwfa/downloads-tab
> > > >
> > > >
> > > > --tmac
> > > >
> > > > Tim McCarthy, Principal Consultant
> > > >
> > > > Proud Member of the #NetAppATeam
> > > >
> > > > I Blog at TMACsRack
> > > >
> > > >
> > > >
> > > >
> > > > On Wed, Sep 23, 2020 at 2:04 AM Alexander Griesser <AGriesser@anexia-it.com> wrote:
> > > > >>
> > > > >> Hey,
> > > > >>
> > > > >> what exactly are the requirements? What do you need them to do, when you say "provision storage"?
> > > > >> Should they just be able to create new shares on already existing volumes or do they need to create new volumes, new LIFs, local user accounts, etc.?
> > > > >>
> > > > >> Best,
> > > > >>
> > > > >> Alexander Griesser
> > > > >> System-Administrator
> > > > >>
> > > > >> ANEXIA Internetdienstleistungs GmbH
> > > > >>
> > > > >> Phone: +43-463-208501-320
> > > > >> Fax: +43-463-208501-500
> > > > >>
> > > > >> E-Mail: ag@anexia.at
> > > > >> Web: http://www.anexia.at
> > > > >>
> > > > >> Head office address Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
> > > > >> Managing Director: Alexander Windbichler
> > > > >> Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
> > > > >>
> > > > >> -----Original Message-----
> > > > >> From: Toasters <toasters-bounces@teaparty.net> On Behalf Of Philbert Rupkins
> > > > >> Sent: Wednesday, 23 September 2020 00:25
> > > > >> To: Toasters <toasters@teaparty.net>
> > > > >> Subject: SVM Admin Access
> > > > >>
> > > > >> Toasters,
> > > > >>
> > > > >> I work with a team of Windows Server admins who are open to
> > > > >> provisioning their own storage but strongly prefer a GUI. I'd like
> > > > >> to provide this ability by granting System Manager access to the
> > > > >> specific SVM's that host their resources.
> > > > >>
> > > > >> Much to my chagrin, it doesn't appear RBAC allows for System Manager
> > > > >> access to particular SVMs. Instead, privileges must be granted at
> > > > >> the cluster level which of course means those privs are effective
> > > > >> for all data SVMs (this is a non-starter).
> > > > >>
> > > > >> Per NetApp docs, my only option appears to be SVM level RBAC privs
> > > > >> via SSH. Not quite the GUI option they are looking for but,
> > > > >> organizationally, we're making a push for more automation and use of
> > > > >> Ansible so it's not completely out of the question.
> > > > >>
> > > > >> Is there an angle I'm not considering that would allow for SVM level
> > > > >> access via System Manager? Has anybody else come up with creative
> > > > >> ways to address this problem?
> > > > >>
> > > > >> I'd love to hear from you.
> > > > >>
> > > > >> Thanks,
> > > > >> Phil
Re: SVM Admin Access [ In reply to ]
Yup. So if you’re building new automation, do you want to replace
it in two years, or use ansible now?

-Skottie

On Thu, Sep 24, 2020 at 7:08 PM Scott Eno <cse@hey.com> wrote:

> I asked today and was told WFA has "two years" left then everything will
> be REST API and Ansible
>
> On September 24, 2020, Scott Miller <scott.miller@dreamworks.com> wrote:
>
> On Thu, Sep 24, 2020 at 3:38 PM Philbert Rupkins <
> philbertrupkins@gmail.com> wrote:
>>
>> hmmmm....I will get confirmation. I hope my information is incorrect
>> as WFA sounds like it will address our particular need.
>>
>
>
> FYI, take a look at ansible instead of WFA, as I suspect WFA has a limited
> future.
>
> -skottie
Re: SVM Admin Access [ In reply to ]
Appreciate the info. Ansible / REST API it is.

On Thu, Sep 24, 2020 at 9:31 PM Scott Miller
<scott.miller@dreamworks.com> wrote:
>
>
> Yup. So if you’re building new automation, do you want to replace
> it in two years, or use ansible now?
>
> -Skottie
>
> On Thu, Sep 24, 2020 at 7:08 PM Scott Eno <cse@hey.com> wrote:
>> I asked today and was told WFA has "two years" left then everything will be REST API and Ansible
>>
>> On September 24, 2020, Scott Miller <scott.miller@dreamworks.com> wrote:
>>
>> On Thu, Sep 24, 2020 at 3:38 PM Philbert Rupkins <philbertrupkins@gmail.com> wrote:
>>>
>>> hmmmm....I will get confirmation. I hope my information is incorrect
>>> as WFA sounds like it will address our particular need.
>>
>>
>>
>> FYI, take a look at ansible instead of WFA, as I suspect WFA has a limited future.
>>
>> -skottie
Re: SVM Admin Access [ In reply to ]
From what I hear from my students, most of the time they solve this problem
by telling the admins to use the MMC.

Would that solve your problem?
They can create shares in existing volumes there... If necessary the
volumes could auto-grow... And it's a familiar interface and you could give
them access easily with their domain accounts and the predefined role
vsadmin-protocol (or vsadmin-volume).

Just saying...

Sebastian



sent from my mobile, spellchecker might have messed up...

On Wed, 23 Sep 2020, 00:28 Philbert Rupkins <philbertrupkins@gmail.com>
wrote:

> Toasters,
>
> I work with a team of Windows Server admins who are open to
> provisioning their own storage but strongly prefer a GUI. I'd like
> to provide this ability by granting System Manager access to the
> specific SVM's that host their resources.
>
> Much to my chagrin, it doesn't appear RBAC allows for System Manager
> access to particular SVMs. Instead, privileges must be granted at
> the cluster level which of course means those privs are effective for
> all data SVMs (this is a non-starter).
>
> Per NetApp docs, my only option appears to be SVM level RBAC privs via
> SSH. Not quite the GUI option they are looking for but,
> organizationally, we're making a push for more automation and use of
> Ansible so it's not completely out of the question.
>
> Is there an angle I'm not considering that would allow for SVM level
> access via System Manager? Has anybody else come up with creative
> ways to address this problem?
>
> I'd love to hear from you.
>
> Thanks,
> Phil