NetAppDocs / cloudinsights

Cloud Insights Documentation
https://docs.netapp.com/us-en/cloudinsights/

Workload Security - Merge the permissions for ONTAP ARP and ONTAP Access Denied #2574

Open pixelchrome opened 3 weeks ago

pixelchrome commented 3 weeks ago

Summary

According to the documentation there are two roles created for getting events from ONTAP for ARP and Access Denied. If you configure the permissions for ONTAP ARP first with the arwrole and then create the role csrestrole for ONTAP Access Denied, you will get an error during the setup (via the ONTAP CLI), and the Datacollector will not start and will show an error (Reason: Object is missing required member 'records'). There is an internal case (contact me directly for more details) which describes this problem in more detail.

It makes more sense to create ONE role for the REST API and merge the permissions (in the example below it is the csrestrole; the arwrole is not created). The whole setup of the permissions is shown below:

-- For traditional role "csrole"
security login role create -role csrole -cmddirname DEFAULT -access readonly
security login role create -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -role csrole -cmddirname "volume snapshot" -access all -query "-snapshot cloudsecure_*"
security login role create -role csrole -cmddirname "event catalog" -access all
security login role create -role csrole -cmddirname "event filter" -access all
security login role create -role csrole -cmddirname "event notification destination" -access all
security login role create -role csrole -cmddirname "event notification" -access all
security login role create -role csrole -cmddirname "security certificate" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole
security login create -user-or-group-name csuser -application ssh -authmethod password -role csrole
-- For rest role "csrestrole"
security login rest-role create -role csrestrole -api /api/storage/volumes -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)
security login rest-role create -role csrestrole -api /api/security/anti-ransomware -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name> (needed for access denied feature) 
security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole


pixelchrome commented 6 days ago

In the above commands the part for User Blocking is missing:

security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all

All of the commands:

# the traditional "csrole"
security login role create -role csrole -cmddirname DEFAULT -access readonly
security login role create -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -role csrole -cmddirname "volume snapshot" -access all -query "-snapshot cloudsecure_*"
security login role create -role csrole -cmddirname "event catalog" -access all
security login role create -role csrole -cmddirname "event filter" -access all
security login role create -role csrole -cmddirname "event notification destination" -access all
security login role create -role csrole -cmddirname "event notification" -access all
security login role create -role csrole -cmddirname "security certificate" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole
security login create -user-or-group-name csuser -application ssh -authmethod password -role csrole
# the user blocking permissions
security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all
# for rest role "csrestrole"
security login rest-role create -role csrestrole -api /api/storage/volumes -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)
security login rest-role create -role csrestrole -api /api/security/anti-ransomware -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)
security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name> (needed for access denied feature) 
security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole
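As an added example (not code from this issue or from NetApp), the following Python script checks a planned set of `security login` commands before they are typed into the cluster. It parses the lines as posted above (including the trailing `(needed for ...)` annotations, which it strips), reports the conflict the issue describes, and also flags a REST role that grants more access than the feature needs, which goes a step beyond the issue's own point. Assumptions, marked in the code: ONTAP keys a login entry on (user, application), so a second `-application http` login for csuser with a different role is treated as the failing two-role layout; the constructed `SPLIT_PLAN` is my reconstruction of that layout, not commands from the page.

```python
"""Check a planned set of ONTAP 'security login' commands for the Workload
Security user before they are typed into the cluster.

Added example, not code from the issue or from NetApp. Assumption: ONTAP keys
a login entry on (user, application), so one user can hold only one role per
application; a second '-application http' login for csuser with another role
is reported as the conflict the issue describes.
"""
import shlex

# REST API grants the merged csrestrole needs, as listed in the issue.
REQUIRED_REST_APIS = {
    "/api/storage/volumes": "readonly",           # ONTAP ARP
    "/api/security/anti-ransomware": "readonly",  # ONTAP ARP
    "/api/protocols/fpolicy": "all",              # Access Denied
}
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}


def parse_command(line):
    """Return (verb, options) for one CLI line, or None for comments/blank lines.

    Trailing '(needed for ...)' annotations are dropped. Options are read as
    positional '-key value' pairs, so a value that itself starts with '-'
    (e.g. -query "-snapshot cloudsecure_*") stays intact.
    """
    tokens = shlex.split(line.split(" (", 1)[0])
    if len(tokens) < 4 or tokens[:2] != ["security", "login"]:
        return None
    if tokens[2] == "create":
        verb, rest = "login", tokens[3:]
    elif tokens[2] in ("role", "rest-role") and tokens[3] == "create":
        verb, rest = tokens[2], tokens[4:]
    else:
        return None
    if len(rest) % 2:
        raise ValueError(f"unpaired option in: {line!r}")
    return verb, {rest[i].lstrip("-"): rest[i + 1] for i in range(0, len(rest), 2)}


def check_plan(lines):
    """Return findings, each prefixed with its type:
    duplicate-login  a user gets a second role for the same application
    missing-api      the role bound to the http login lacks a required API
    over-privileged  the role grants more access on an API than needed
    """
    logins, rest_grants, findings = {}, {}, []
    for line in lines:
        parsed = parse_command(line)
        if parsed is None:
            continue
        verb, opt = parsed
        if verb == "login":
            key = (opt["user-or-group-name"], opt["application"])
            if key in logins and logins[key] != opt["role"]:
                findings.append(f"duplicate-login: {key[0]} already has role "
                                f"{logins[key]} for {key[1]}; cannot add {opt['role']}")
            logins[key] = opt["role"]
        elif verb == "rest-role":
            rest_grants.setdefault(opt["role"], {})[opt["api"]] = opt["access"]
    for (user, app), role in logins.items():
        if app != "http":
            continue
        grants = rest_grants.get(role, {})
        for api, needed in REQUIRED_REST_APIS.items():
            got = grants.get(api)
            if got is None:
                findings.append(f"missing-api: role {role} for {user} lacks {api} ({needed})")
            elif ACCESS_RANK.get(got, 0) > ACCESS_RANK[needed]:
                findings.append(f"over-privileged: role {role} grants {got} on {api}; {needed} suffices")
    return findings


# Excerpt of the merged plan from the issue, annotations included as posted.
MERGED_PLAN = [
    '-- For traditional role "csrole"',
    "security login role create -role csrole -cmddirname DEFAULT -access readonly",
    'security login role create -role csrole -cmddirname "volume snapshot" -access all -query "-snapshot cloudsecure_*"',
    "security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole",
    "security login rest-role create -role csrestrole -api /api/storage/volumes -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)",
    "security login rest-role create -role csrestrole -api /api/security/anti-ransomware -access readonly -vserver <cluster-name> (needed for ONTAP ARP feature)",
    "security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name> (needed for access denied feature)",
    "security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole",
]

# Constructed (not from the issue): the two-role layout reported as failing.
SPLIT_PLAN = [
    "security login rest-role create -role arwrole -api /api/storage/volumes -access readonly -vserver <cluster-name>",
    "security login rest-role create -role arwrole -api /api/security/anti-ransomware -access readonly -vserver <cluster-name>",
    "security login create -user-or-group-name csuser -application http -authmethod password -role arwrole",
    "security login rest-role create -role csrestrole -api /api/protocols/fpolicy -access all -vserver <cluster-name>",
    "security login create -user-or-group-name csuser -application http -authmethod password -role csrestrole",
]

if __name__ == "__main__":
    for name, plan in (("merged", MERGED_PLAN), ("split", SPLIT_PLAN)):
        print(name, check_plan(plan) or "OK")
```

Run as-is, the merged plan produces no findings, while the split plan reports the duplicate http login for csuser and, because only the last role bound to that login counts, the two ARP APIs that role lacks. The over-privileged check is a least-privilege guard: the ARP endpoints only need `readonly`, and a role that hands out `all` there is wider than the collector requires.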

netapp-alavoie commented 3 days ago

Hi Harald! I'm looking into merging these permissions on the https://docs.netapp.com/us-en/cloudinsights/task_add_collector_svm.html page. Keeping in mind that I don't understand this as fully as you do, are you requesting that we consolidate all of the permissions in the "A Note About Permissions" section into the concise block you suggest above, or is there a need to still have some of the permissions on that page separated out?