
Role Base Access for AD Groups

Hi All,

I need to give two AD groups Isilon access.

  AdminGroup - Log in to Web Console and manage (same as root)

  Backupgroup - Only SyncIQ access and Share, other areas read only

  monitorgroup - read only

How do I set this up?



Re: Role Base Access for AD Groups

Hi AS,

First, it’s important to understand that in OneFS 7.0 and then 7.1 not all features are PAPI-enabled, meaning you can get most features of root, but not all of them yet. With each 7.x release more is being added. But for most day-to-day administration tasks you’ll probably be just fine today on the latest 7.0.2 or 7.1 code.

Also, all RBAC configuration at this time is done through the CLI.

There are 2 concepts at play here:

Roles and Privileges.


A role is a collection of privileges.

A role has members.

Those members can be local users, or they can be users or groups from AD.


Privileges give access to things on the system, and can be either read-only or R/W when added to a role.

Some examples are:

login via ssh

login to the webui

change NFS settings

change Quota Settings


There are some built in roles (or you can create your own):

#To view the roles on your cluster:

isi02-3# isi auth role list



Re: Role Base Access for AD Groups

You have simplified it. Thanks.

I want to create a role which can only create, modify and delete quotas of a particular SMB share only. Please guide.


Re: Role Base Access for AD Groups

You can create a new custom role:

# isi auth roles create QuotaAdmin

Then you can give this role access to the quota system:

# isi auth roles modify QuotaAdmin --add-priv ISI_PRIV_QUOTA

This provides access to all features of SmartQuotas. 

You can see the available options for further modifying roles here:

# isi auth privileges --verbose

# isi auth roles modify --help
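Added example, not written by any poster in this thread: a dry-run script that prints the role commands for the three AD groups from the original question and checks that the backup role gets read-write access only where intended. The domain `EXAMPLE` and the role name `BackupOps` are placeholders, and the built-in roles `SystemAdmin`, `SecurityAdmin` and `AuditAdmin`, the `--add-group` and `--add-priv-ro` flags and the privilege names other than `ISI_PRIV_QUOTA` are assumed from the OneFS 7.x CLI; confirm them with the two help commands above.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run plan for the three AD groups.
DOMAIN='EXAMPLE'                           # assumption: placeholder AD domain
RW_ALLOWED='ISI_PRIV_SYNCIQ ISI_PRIV_SMB'  # the only areas Backupgroup may change

# add_group ROLE GROUP: print the command that makes an AD group a role member
add_group() {
  printf '%s\n' "isi auth roles modify $1 --add-group '$DOMAIN\\$2'"
}

# plan: print every command; nothing is executed
plan() {
  # AdminGroup: built-in admin roles (per the thread, not everything root can do)
  add_group SystemAdmin AdminGroup
  add_group SecurityAdmin AdminGroup
  # Backupgroup: custom role BackupOps (hypothetical name)
  echo "isi auth roles create BackupOps"
  for p in ISI_PRIV_LOGIN_PAPI ISI_PRIV_SYNCIQ ISI_PRIV_SMB; do
    echo "isi auth roles modify BackupOps --add-priv $p"
  done
  for p in ISI_PRIV_NFS ISI_PRIV_QUOTA; do   # sample of "other areas", read-only
    echo "isi auth roles modify BackupOps --add-priv-ro $p"
  done
  add_group BackupOps Backupgroup
  # monitorgroup: built-in read-only role
  add_group AuditAdmin monitorgroup
}

# rw_violations ROLE: print read-write grants to ROLE outside RW_ALLOWED
rw_violations() {
  plan | while read -r a b c d role flag priv; do
    [ "$role" = "$1" ] && [ "$flag" = "--add-priv" ] || continue
    case " $RW_ALLOWED ISI_PRIV_LOGIN_PAPI " in
      *" $priv "*) ;;
      *) echo "$priv" ;;
    esac
  done
}

# Print the plan only when the backup role stays within its allowlist
if [ -n "$(rw_violations BackupOps)" ]; then
  echo "BackupOps would get unexpected read-write privileges" >&2
else
  plan
fi
```

Review the printed commands and run them by hand on the cluster; listing the roles afterwards shows whether the AD group was accepted as a member.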


Re: Role Base Access for AD Groups

Thanks.... I did the same and it works...


Re: Role Base Access for AD Groups

Sorry for digging this old one out:

Does this actually work for AD users or groups? I was trying it out and could only make this work for local users.

Isilon is joined to an AD in the System Zone.
