Creating Role on NetApp Clustered Data ONTAP 8 or ONTAP 9 and Enabling AD User Access

NOTE: You must be a cluster administrator to run the commands below.

  1. Create a new role (e.g., fsa_role) on your SVM (e.g., vs1). For example:

    security login role create -role fsa_role -cmddirname version -access readonly -vserver vs1

  2. Add the following capabilities to the role:

    | Capability | Related command (example) |
    |---|---|
    | version readonly | security login role create -role fsa_role -cmddirname version -access readonly -vserver vs1 |
    | volume readonly | security login role create -role fsa_role -cmddirname volume -access readonly -vserver vs1 |
    | vserver audit all | security login role create -role fsa_role -cmddirname "vserver audit" -access all -vserver vs1 |
    | vserver audit rotate-log all | security login role create -role fsa_role -cmddirname "vserver audit rotate-log" -access all -vserver vs1 |
    | vserver cifs readonly | security login role create -role fsa_role -cmddirname "vserver cifs" -access readonly -vserver vs1 |

    NOTE: The capabilities must be assigned one by one.

    To review currently applied capabilities, you can use the following command:

    security login role show -vserver vs1 -role fsa_role

  3. Create a login for the account that is going to authenticate and collect data from NetApp. If you want to use an AD account for collecting data, enable it to access SVM through ONTAPI. For example:

    security login create -vserver vs1 -username Enterprise\Administrator -application ontapi -authmethod domain -role fsa_role

    where Enterprise\Administrator is your data collecting account.

  4. To be able to add an event policy for NetApp, the role you set up for working with ONTAPI must have the following attributes:

    • version readonly
    • volume readonly
    • vserver audit all
    • vserver audit rotate-log all
    • vserver cifs readonly

    NOTE: This relates to NetApp 8.3.2 and later.
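
A check for steps 2 and 4, added here as an example (not Netwrix or NetApp code): it compares the capabilities a role actually holds with the five listed above, prints the `security login role create` command for each missing one, and flags wrong access levels and extra command directories for least-privilege review. The input is a constructed "command-directory access" listing that you would transcribe from `security login role show`, not raw ONTAP output, and the function names are hypothetical.

```python
# Added example: audit a role against the capability set listed on this page.
REQUIRED = {
    "version": "readonly",
    "volume": "readonly",
    "vserver audit": "all",
    "vserver audit rotate-log": "all",
    "vserver cifs": "readonly",
}

def parse_assigned(text):
    """Parse 'command-directory access' lines (constructed format) into a dict."""
    assigned = {}
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)  # last token is the access level
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        assigned[" ".join(parts[0].split())] = parts[1]
    return assigned

def audit_role(assigned, role="fsa_role", vserver="vs1"):
    """Return (commands for missing capabilities, access mismatches, extras)."""
    missing, mismatched = [], []
    for cmddir, access in REQUIRED.items():
        have = assigned.get(cmddir)
        if have is None:
            # Multi-word command directories are quoted, as in the table above.
            name = f'"{cmddir}"' if " " in cmddir else cmddir
            missing.append(
                f"security login role create -role {role} "
                f"-cmddirname {name} -access {access} -vserver {vserver}"
            )
        elif have != access:
            mismatched.append((cmddir, have, access))
    # Anything beyond the required set is more privilege than the page asks for.
    extra = sorted(set(assigned) - set(REQUIRED))
    return missing, mismatched, extra

# Constructed sample: one capability missing, one too permissive, one extra.
SAMPLE = """\
version readonly
volume all
vserver audit all
vserver cifs readonly
snapmirror all
"""

if __name__ == "__main__":
    missing, mismatched, extra = audit_role(parse_assigned(SAMPLE))
    print("\n".join(missing))
    print("wrong access:", mismatched)
    print("not required:", extra)
```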
