Granting limited access to clustered OnTap via the System Manager gui

Although NetApp’s clustered OnTap was designed for secure multi-tenancy, the OnCommand System Manager GUI is currently unable to provide per-SVM access; you must set it up from the CLI over SSH. I need to be able to give my Windows admins access to configure the CIFS shares on our new cDOT system. They’re used to System Manager under 7-mode OnTap, and cDOT’s System Manager adds quite a bit of extra stuff.

The storage system is connected to our Active Directory domain via the CIFS server in the SVM vs1. The domain tunnel uses this CIFS server for authentication, so domain users just log in with “domain\username” in the GUI.

In order to log into System Manager, a user must be given the “admin” role on the “http” application. This allows them to see the GUI, but doesn’t give them access to the actual commands that System Manager is running. For that, we use the “ontapi” application. We configure a new role that gets readonly permissions on everything, but “all” access on just the cifs commands in the “vserver cifs share” directory of the API.

security login role create -vserver vs1 -role sharesadmin -cmddirname "vserver cifs share" -access all
security login role create -vserver vs1 -role sharesadmin -cmddirname DEFAULT -access readonly

Then we assign our Windows admins to the admin role in http and sharesadmin in ontapi:

security login create -vserver vs1 -role admin -application http -authmethod domain -user-or-group-name domain\user
security login create -vserver vs1 -role sharesadmin -application ontapi -authmethod domain -user-or-group-name domain\user
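Before pushing a role like sharesadmin to a cluster, it is worth dry-running it against the commands you expect the delegated admins to run and the ones they must not. The following Python script is an added example, not code from the original post or from NetApp; it models the ONTAP role-resolution rule as I understand it (the most specific matching command directory wins, with DEFAULT as the fallback) as a stated assumption, renders the same security login CLI lines used above from a declarative spec, and audits a constructed list of sample commands. The RoleSpec name and the helper functions are mine.

```python
"""Dry-run a clustered ONTAP RBAC role definition before applying it.

Assumption (model of ONTAP behaviour, not verified against every release):
when a role carries several command-directory entries, the longest
matching directory decides the access level; DEFAULT applies when no
directory matches. Access levels are "all", "readonly" or "none".
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RoleSpec:
    """Declarative description of a role: SVM, role name, directory -> access."""
    vserver: str
    name: str
    cmddirs: Dict[str, str] = field(default_factory=dict)


def effective_access(role: RoleSpec, command: str) -> str:
    """Return the access level the role grants for a full command line."""
    words = command.split()
    best_access, best_len = None, -1
    for cmddir, access in role.cmddirs.items():
        if cmddir == "DEFAULT":
            continue
        dir_words = cmddir.split()
        # A directory matches when it is a word-prefix of the command.
        if words[: len(dir_words)] == dir_words and len(dir_words) > best_len:
            best_access, best_len = access, len(dir_words)
    if best_access is None:
        # No explicit directory matched: fall back to DEFAULT, else deny.
        return role.cmddirs.get("DEFAULT", "none")
    return best_access


def render_role_cli(role: RoleSpec) -> List[str]:
    """Emit the 'security login role create' lines for the spec."""
    lines = []
    for cmddir, access in role.cmddirs.items():
        # Multi-word directories must be quoted on the ONTAP CLI.
        quoted = f'"{cmddir}"' if " " in cmddir else cmddir
        lines.append(
            f"security login role create -vserver {role.vserver} "
            f"-role {role.name} -cmddirname {quoted} -access {access}"
        )
    return lines


def render_login_cli(vserver: str, principal: str,
                     gui_role: str = "admin", api_role: str = "sharesadmin") -> List[str]:
    """Emit the two 'security login create' lines: GUI (http) and API (ontapi)."""
    return [
        f"security login create -vserver {vserver} -role {gui_role} "
        f"-application http -authmethod domain -user-or-group-name {principal}",
        f"security login create -vserver {vserver} -role {api_role} "
        f"-application ontapi -authmethod domain -user-or-group-name {principal}",
    ]


def audit_role(role: RoleSpec, commands: List[str]) -> Dict[str, str]:
    """Map each sample command to the access the role would grant it."""
    return {cmd: effective_access(role, cmd) for cmd in commands}


# The role from the post: write access only under "vserver cifs share".
SHARESADMIN = RoleSpec("vs1", "sharesadmin",
                       {"vserver cifs share": "all", "DEFAULT": "readonly"})

# Constructed sample commands: the first three should be writable, the
# rest must stay readonly so the delegation does not leak past shares.
CHECKS = [
    "vserver cifs share create",
    "vserver cifs share access-control create",
    "vserver cifs share show",
    "vserver cifs modify",
    "volume create",
    "security login create",
]

if __name__ == "__main__":
    for line in render_role_cli(SHARESADMIN):
        print(line)
    for line in render_login_cli("vs1", "domain\\user"):
        print(line)
    for cmd, access in audit_role(SHARESADMIN, CHECKS).items():
        print(f"{access:9s} {cmd}")
```

The audit is the part that matters: if a command outside the share directory ever comes back as "all", the role spec is wider than intended and should be tightened before any login is bound to it.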
