APIs in Category: rbac
API version 3.7.1

 
rbac-access-check
rbac-admin-list-info-iter-end
rbac-admin-list-info-iter-next
rbac-admin-list-info-iter-start
rbac-admin-role-add
rbac-admin-role-info-list
rbac-admin-role-remove
rbac-operation-add
rbac-operation-delete
rbac-operation-info-list
rbac-role-add
rbac-role-admin-info-list
rbac-role-capability-add
rbac-role-capability-remove
rbac-role-delete
rbac-role-disinherit
rbac-role-info-list
rbac-role-inherit
rbac-role-modify
This set of APIs can be used to manage an RBAC infrastructure as well as to make applications RBAC aware. Applications can become a Policy Enforcement Point (PEP) by utilizing these APIs. There are interfaces for populating as well as administering RBAC data. The data lives in the DFM database. Applications can add access control to resources by calling rbac-access-check (defined below). By making this call, they effectively become RBAC aware. Some APIs depend on a resource. The specifics of a resource are defined by the resource-identifier element definition.

NetApp Manage ONTAP
 
rbac-access-check [top]

Checks whether the given admin or usergroup has access to the specified resource. For example, rbac-access-check will return "allow" or "deny" on the following query: Is admin joe allowed to configure storage system, host1.abc.xyz.com, from DFM? One could pass the following as input to answer this question:
admin=joe operation=DFM.Event.Read resource=host1.abc.xyz.com
In order to prevent an admin from querying everyone's privileges on the system, the system will only allow admins to check their own access, which it establishes by cross-referencing the request with the identity they used to authenticate to the API server. If the admin has Full Control, or has the privilege to query other admins' access, then they will be allowed to make the query. Per software security best practice, this API limits error reporting when access is denied on a particular resource.
Input Name Range Type Description
admin-name-or-id string
The admin or usergroup name or object id of an admin or usergroup to check access.
operation string
operation requested on given resource
resource resource-identifier
The specific resource to check access
 
Output Name Range Type Description
global-usergroup-status string
If roles assigned to global usergroup accounts were considered, but it was not possible to get global group account information from the system, then global-usergroup-status will contain the reason why it was not possible to get global group account information from the system. An empty value in this field means that roles assigned to global usergroup accounts were considered and it was possible to obtain this information from the system.
local-usergroup-status string
If roles assigned to local usergroup accounts were considered, but it was not possible to get local group account information from the system, then local-usergroup-status will contain the reason why it was not possible to get local group account information from the system. An empty value in this field means that roles assigned to local usergroup accounts were considered and it was possible to obtain this information from the system.
result string
Result of whether or not the given admin or usergroup is allowed to perform the specified action on the given resource. In essence, it answers whether the given admin or usergroup can perform the specified operation on the given resource. Possible values: "allow" for access allowed and "deny" for access denied.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR

 
rbac-admin-list-info-iter-end [top]
Ends listing of admins.
Input Name Range Type Description
tag string
Tag returned from rbac-admin-list-info-iter-start.
 Errno  Description
 EINVALIDTAG

 
rbac-admin-list-info-iter-next [top]
Returns items from list generated by rbac-admin-list-info-iter-start.
Input Name Range Type Description
maximum integer
validate
The maximum number of entries to retrieve.
tag string
The tag returned in the rbac-admin-list-info-iter-start call.
 
Output Name Range Type Description
admins admin-info[]
The list returned includes the id, name of administrators and their email/pager addresses.
 Errno  Description
 EINVALIDTAG

 
rbac-admin-list-info-iter-start [top]
Lists all the administrators and their attributes.
Input Name Range Type Description
admin-name-or-id string
optional
The admin or usergroup name or id whose details are necessary.
 
Output Name Range Type Description
records integer
validate
Number indicating how many items are available for future retrieval with rbac-admin-list-info-iter-next.
tag string
Tag to be used in subsequent calls to rbac-admin-list-info-iter-next or rbac-admin-list-info-iter-end.
 Errno  Description
 EOBJECTAMBIGUOUS
 EOBJECTNOTFOUND
 EDATABASEERROR

 
rbac-admin-role-add [top]
Assign an existing role to an existing administrator or usergroup. The administrator effectively gains the capabilities from the role and its inherited roles. As for a usergroup, all members of the usergroup will gain the capabilities assigned to that role and its inherited roles.
Input Name Range Type Description
admin-name-or-id string
The admin or usergroup name or object id of an admin or usergroup to add role to.
role-name-or-id string
A role name or object id of a role to add to an administrator or usergroup.
 
Output Name Range Type Description
admin-name-or-id rbac-admin-name-or-id
The name of the new admin or usergroup or the object id of the new admin or usergroup.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDUSER
 ENOTFOUNDROLE
 EROLEASSIGNED

 
rbac-admin-role-info-list [top]
List the administrators or usergroups assigned to an existing role directly or indirectly. In essence, this API lists the admins or usergroups that have the capabilities of the given role. This API drills into all the possible ways that an admin or usergroup can effectively have the given role. Admins or usergroups are assigned roles indirectly via role inheritance or usergroup assignment (note: a usergroup can be a member of another usergroup). So an admin or usergroup will be listed if any of the following conditions apply:
  1. The given role is directly assigned to the admin or usergroup.
  2. The admin or usergroup has a role directly assigned that inherits the given role.
  3. The admin or usergroup gains the given role via usergroup membership.
Input Name Range Type Description
role-name-or-id string
A role name or object id of a role.
 
Output Name Range Type Description
admin-list rbac-admin-or-usergroup[]
List of admins and usergroups assigned to given role
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTASSIGNEDROLE
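
The three listing conditions above, worked through as an added example (not NetApp code and not the DFM implementation): a small in-memory model that resolves which admins and usergroups effectively hold a role, and by which path. The class, its method names and the sample principals and roles are assumptions made for illustration.

```python
class RbacModel:
    """Illustrative model of role assignment, role inheritance and usergroup nesting."""

    def __init__(self):
        self.direct_roles = {}  # admin/usergroup -> roles assigned directly
        self.inherits = {}      # role -> roles it inherits from
        self.member_of = {}     # admin/usergroup -> usergroups it belongs to

    def assign_role(self, principal, role):
        self.direct_roles.setdefault(principal, set()).add(role)

    def inherit(self, role, inherited_role):
        self.inherits.setdefault(role, set()).add(inherited_role)

    def add_member(self, member, usergroup):
        self.member_of.setdefault(member, set()).add(usergroup)

    @staticmethod
    def _reachable(start, edges):
        # Iterative walk with a visited set, so a membership or inheritance
        # loop in the data cannot cause endless recursion.
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(edges.get(node, ()))
        return seen

    def effective_roles(self, principal):
        """Every role the principal holds, directly or indirectly."""
        roles = set()
        for holder in self._reachable(principal, self.member_of):
            for role in self.direct_roles.get(holder, ()):
                roles |= self._reachable(role, self.inherits)
        return roles

    def why(self, principal, role):
        """Return which of the three conditions grants `role`, or None."""
        direct = self.direct_roles.get(principal, set())
        if role in direct:                                   # condition 1
            return "direct"
        if any(role in self._reachable(r, self.inherits) for r in direct):
            return "role-inheritance"                        # condition 2
        if role in self.effective_roles(principal):
            return "usergroup-membership"                    # condition 3
        return None

    def holders(self, role):
        """Model of the listing: every admin or usergroup that has `role`."""
        principals = set(self.direct_roles) | set(self.member_of)
        for groups in self.member_of.values():
            principals |= groups
        found = {}
        for principal in sorted(principals):
            reason = self.why(principal, role)
            if reason:
                found[principal] = reason
        return found


def build_sample():
    """Constructed sample data; none of these names come from a real system."""
    m = RbacModel()
    m.assign_role("joe", "EventViewer")
    m.assign_role("ann", "StorageAdmin")
    m.inherit("StorageAdmin", "EventViewer")
    m.add_member("bob", "ABC\\eng")
    m.add_member("ABC\\eng", "ABC\\staff")
    m.add_member("ABC\\staff", "ABC\\eng")   # deliberate loop in group nesting
    m.assign_role("ABC\\staff", "EventViewer")
    m.assign_role("carl", "Auditor")
    return m


if __name__ == "__main__":
    for principal, reason in build_sample().holders("EventViewer").items():
        print(f"{principal}: {reason}")
```

Running the same resolution before a role is assigned or made to inherit another shows every principal whose effective capabilities would change, including those reached only through nested usergroups.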

 
rbac-admin-role-remove [top]
Remove one or more roles from an administrator or usergroup. The admin will no longer have the capabilities gained from the role(s) and its inherited roles. As for a usergroup, the members of the usergroup will no longer have the capabilities gained from the role(s) and its inherited roles. If delete-all is not specified or is FALSE, then role-name-or-id must be specified. If delete-all is TRUE, then all roles assigned to admin will be removed.
Input Name Range Type Description
admin-name-or-id string
An admin or usergroup name or object id of an admin or usergroup to remove role from. If delete-all is not specified or is FALSE then role-name-or-id must be specified.
delete-all boolean
optional
If TRUE, removes all the roles for given administrator
role-name-or-id string
optional
A role name or object id of a role to remove from an admin or usergroup.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 ENOTFOUNDUSER

 
rbac-operation-add [top]
Add a new operation to the RBAC system. An operation is an ability to perform an action on a particular resource type. An operation is tied to a specific application so that different applications are able to manage access controls that are specific to them.
Input Name Range Type Description
operation rbac-operation
Operation to be added
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 EINVALIDOPERATIONNAME
 EINVALIDAPPLICATIONNAME
 EINVALIDRESOURCETYPE
 EINVALIDLONGDESC
 EINVALIDSHORTDESC
 EDUPOPERATION

 
rbac-operation-delete [top]
Delete an existing operation
Input Name Range Type Description
operation string
Operation to delete
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDOPERATION
 EOPERATIONISPERMANENT

 
rbac-operation-info-list [top]
Get information about an existing operation or all operations in the system.
Input Name Range Type Description
operation string
optional
Operation to get information about. If not specified, then it gets info on all operations in the system.
 
Output Name Range Type Description
operation-list rbac-operation[]
A list of operations with their details
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDOPERATION

 
rbac-role-add [top]
Add a new role to the RBAC system
Input Name Range Type Description
description string
optional
Description of the role. The maximum length is 255 characters.
owner-name-or-id string
optional
Owner role name to add. The maximum length is 64 characters.
role-name string
Role name to add. The maximum length is 64 characters.
 
Output Name Range Type Description
role-id integer
role id of the newly created role.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 EINVALIDROLENAME
 EINVALIDDESCRIPTION
 EDUPLICATEROLE
 ENOTFOUNDROLE

 
rbac-role-admin-info-list [top]
List the roles assigned to an existing administrator or usergroup. A role is considered assigned to the administrator if that role is gained directly or indirectly via role inheritance or usergroup membership.
Input Name Range Type Description
admin-name-or-id string
An administrator or usergroup name or object id of an administrator or usergroup to list roles assigned.
follow-role-inheritance boolean
optional
If TRUE, return all roles that given role inherits directly and indirectly. If FALSE or not set, return only roles that are directly assigned to the given administrator or usergroup.
 
Output Name Range Type Description
admin-name-or-id rbac-admin-name-or-id
The name of the admin or usergroup or the object id of the admin or usergroup.
global-usergroup-status string
optional
If roles assigned to global usergroup accounts were considered, but it was not possible to get global group account information from the system, then global-usergroup-status will contain the reason why it was not possible to get global group account information from the system. An empty value in this field means that roles assigned to global usergroup accounts were considered and it was possible to obtain this information from the system.
local-usergroup-status string
optional
If roles assigned to local usergroup accounts were considered, but it was not possible to get local group account information from the system, then local-usergroup-status will contain the reason why it was not possible to get local group account information from the system. An empty value in this field means that roles assigned to local usergroup accounts were considered and it was possible to obtain this information from the system.
role-list rbac-role-resource[]
optional
A list of role names assigned to the given administrator or usergroup. The list will be empty if no roles are currently assigned to the administrator or usergroup.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDUSER

 
rbac-role-capability-add [top]
Add an existing resource/operation pair to a role. In essence, this adds a capability to a role.
Input Name Range Type Description
operation string
An existing operation to add to the specified role.
resource resource-identifier
The resource associated with the given operation
role-name-or-id string
Role name or object id of the role to add the capability (operation/resource pair)
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 ENOTFOUNDOPERATION
 EINVALIDRESOURCE
 EDUPCAPABILITY
 EROLEISPERMANENT

 
rbac-role-capability-remove [top]
Remove one or more capabilities (resource/operation pair) from an existing role. If delete-all is TRUE, it removes all capabilities from given role. Otherwise, it removes only the given capability (resource/operation pair). If delete-all is not specified or is FALSE, then operation and resource must be specified.
Input Name Range Type Description
delete-all boolean
optional
If TRUE, removes all the capabilities for given role. If FALSE, a valid operation must be provided in the operation parameter.
operation string
optional
An operation to remove. If delete-all is FALSE, the caller must provide a valid operation here.
resource resource-identifier
optional
The resource associated with the given operation. If delete-all is FALSE, the caller must provide a valid resource identifier here.
role-name-or-id string
Role name or object id of the role to remove the capability.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 ENOTFOUNDRESOURCE
 ENOTFOUNDOPERATION
 ENOTASSIGNECAPABILITY
 EROLEISPERMANENT

 
rbac-role-delete [top]
Delete an existing role from the RBAC system
Input Name Range Type Description
role-name-or-id string
A role name or object id of a role to delete
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 EROLEISPERMANENT

 
rbac-role-disinherit [top]
Disinherit one or more roles. The effect is that the affected role will no longer have the capabilities gained from the disinherited role(s). If disinherit-all is not specified or is FALSE, then disinherited-role-name-or-id must be specified.
Input Name Range Type Description
disinherit-all boolean
optional
If TRUE, disinherits all the roles that given role-name-or-id inherits.
disinherited-role-name-or-id string
optional
A role name or object id of a role to disinherit from.
role-name-or-id string
An existing role name or object id of a role to modify.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 ENOTINHERITEDROLE
 EROLEISPERMANENT

 
rbac-role-info-list [top]
Get the operations, capabilities and inherited roles that one or more roles have.
Input Name Range Type Description
follow-role-inheritance boolean
optional
If TRUE, return all roles that given role inherits directly and indirectly. If FALSE or not set, return only roles that are directly inherited by given role.
role-name-or-id string
optional
Role name or object id of a role. If not specified, then it gets info on all the roles.
 
Output Name Range Type Description
role-attributes role-attributes-identifier[]
A list of roles and its associated attributes
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE

 
rbac-role-inherit [top]
Inherit from a role. The effect is that the affected role will gain the capabilities from the inherited role.
Input Name Range Type Description
inherited-role-name-or-id string
A role name or object id of a role to inherit from.
role-name-or-id string
A role name or object id of a role to modify.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 EDUPLICATEROLEREF
 EROLEISPERMANENT

 
rbac-role-modify [top]
Modify an existing role name and/or its description.
Input Name Range Type Description
role-description-new string
optional
The new role description for the old role, role-name-or-id-old.
role-name-new string
optional
The new role name for the old role, role-name-or-id-old.
role-name-or-id-old string
A role name or object id of a role to modify. Either role-name-new or role-description-new or both must be specified. The object Id of a role cannot be modified.
 Errno  Description
 EINTERNALERROR
 EINVALIDINPUTERROR
 ENOTFOUNDROLE
 EROLEISPERMANENT
 EINVALIDROLENAME
 EINVALIDDESCRIPTION

 
Element definition: admin-info [top]
Details of an administrator.
Name Range Type Description
admin-id integer
validate
The id of the admin or usergroup.
admin-name string
Name of the admin or usergroup.
email-address string
optional
Email address of the administrator if it has been set in the server
pager-address string
optional
Pager address of the administrator if it has been set in the server

 
Element definition: rbac-admin-name-or-id [top]
an admin name or object id
Name Range Type Description
admin-id string
The adminId of the administrator
admin-name string
The name of an administrator

 
Element definition: rbac-admin-or-usergroup [top]
An admin or usergroup. When used as an input element, specify only one of admin-or-usergroup-name or admin-or-usergroup-id (not both). When used as an output element, both of them are returned.
Name Range Type Description
admin-or-usergroup-id integer
optional
The id of the admin or usergroup which is an object id from the objects table within the DFM database. Range: [0..2^32-1]
admin-or-usergroup-name string
optional
An admin or usergroup name. The format of the admin name consists of a sequence of one or more characters up to a maximum of 255 characters. The usergroup refers to an existing usergroup in Microsoft's Active Directory. The format of the usergroup name is DOMAIN\USER. For example, "ABC\eng"

 
Element definition: rbac-operation [top]
An operation
Name Range Type Description
operation-name string
Name of an operation. The maximum length allowed is 255 characters. It is of the form: .. For example: "DFM.SRM.Read"
operation-name-details rbac-operation-name-details
Other details of an operation

 
Element definition: rbac-role-resource [top]
Identifies an RBAC role resource. When used as input only one of rbac-role-name or rbac-role-id is specified. When used as output, both of them will be returned
Name Range Type Description
rbac-role-id integer
optional
The object id of an RBAC role. Range: [0..2^32-1]
rbac-role-name string
optional
An RBAC role name. Must be less than or equal to 64 characters in length.

 
Element definition: resource-identifier [top]
Identifies a resource. Only one resource field must be set, i.e. one of resource-id, rbac-role, host, group, storage system, vfiler, aggregate, volume, resource-pool, data set, qtree, protection policy, provisioning policy, lun or vFiler template. When an object id is specified, it refers to the object id field in the objects table from the DFM database.
Name Range Type Description
aggregate aggregate-resource
optional
An aggregate
dataset dataset-resource
optional
A DFM dataset
filer filer-resource
optional
A storage system (filer)
group group-resource
optional
A DFM group
host host-resource
optional
A host
lun lun-resource
optional
A lun
policy policy-resource
optional
A policy can refer to either a protection policy or provisioning policy.
qtree qtree-resource
optional
A qtree
rbac-role rbac-role-resource
optional
An RBAC role
resource-id integer
optional
An object id of a resource. A resource-id of 0 represents the global resource which is the global scope. Range: [0..2^32-1]
resource-pool resource-pool-resource
optional
A DFM resource pool
vfiler vfiler-resource
optional
A vfiler
vfiler-template vfiler-template-resource
optional
A vFiler template.
volume volume-resource
optional
A volume

 
Element definition: role-attributes-identifier [top]
The attributes of a role: role name and id, inherited roles, capabilities and operations.
Name Range Type Description
capabilities rbac-resource-operation[]
Capabilities assigned to the given role and inherited roles.
description string
description of the role
inherited-roles rbac-role-resource[]
List of inherited roles
role-name-and-id rbac-role-resource
Role name and its id

 
Element definition: aggregate-resource [top]
Details of an aggregate resource. aggregate-resource-name-or-id must be specified. If aggregate-name is specified, then filer-identifier must also be specified.
Name Range Type Description
aggregate-resource-name-or-id aggregate-name-or-id
An aggregate name or id. If an aggregate name is specified, then the filer-identifier must also be specified
filer-identifier filer-resource
optional
The storage system in which the aggregate lives.

 
Element definition: dataset-resource [top]
Details of a DFM dataset resource. DFM dataset name or object id of a DFM dataset. When used as input only one of dataset-name or dataset-id is specified. When used as output, both of them will be returned.
Name Range Type Description
dataset-id integer
optional
Object id of a DFM dataset. Range: [0..2^32-1]
dataset-name string
optional
DFM dataset name

 
Element definition: filer-resource [top]
Details of a storage system resource. When used as input only one of filer-name or filer-id is specified. When used as output, both of them will be returned.
Name Range Type Description
filer-id integer
optional
The object id or serial number of a storage system. Range: [0..2^32-1]
filer-name string
optional
The FQDN of a storage system

 
Element definition: group-resource [top]
Details of a DFM group resource. DFM group name or object id of a DFM group. When used as input only one of group-name or group-id is specified. When used as output, both of them will be returned.
Name Range Type Description
group-id integer
optional
Object id of a DFM group. Range: [0..2^32-1]
group-name string
optional
DFM group name

 
Element definition: host-resource [top]
Identifies a host resource. When used as input only one of host-name or host-id is specified. When used as output, both of them will be returned.
Name Range Type Description
host-id integer
optional
An object id of a host. Range: [0..2^32-1]
host-name string
optional
A FQDN of a host

 
Element definition: lun-resource [top]
Details of a LUN. lun-identifier-name-or-id must be specified. If lun-name is specified, then either volume-identifier or host-identifier must also be specified. See the description for lun-name for more information.
Name Range Type Description
host-identifier host-resource
optional
LUN within a host. lun-name-or-id must be the LUN's serial number or object id (not path).
lun-identifier-name-or-id lun-name-or-id
A LUN's name or id. If the LUN's name is specified, then either volume-identifier or host-identifier must also be specified.
volume-identifier volume-resource
optional
LUN within a volume

 
Element definition: policy-resource [top]
Identifies a policy resource. When used as input one or more of policy-name or policy-id is specified. When used as output, both of them will be returned. Policy can refer to either a protection policy or a provisioning policy.
Name Range Type Description
policy-id obj-id
optional
Object identifier of the protection or provisioning policy.
policy-name obj-name
optional
Name of the protection or provisioning policy.

 
Element definition: qtree-resource [top]
Details of a qtree. qtree-identifier-name-or-id must be specified. If qtree-name is specified, then either volume-identifier or host-identifier must also be specified. See the description for qtree-name for more information.
Name Range Type Description
host-identifier host-resource
optional
Host in which the qtree resides.
qtree-identifier-name-or-id qtree-name-or-id
A qtree's name or id. If the qtree's name is specified, then either volume-identifier or host-identifier must also be specified.
volume-identifier volume-resource
optional
Volume in which the qtree resides.

 
Element definition: rbac-operation-name-details [top]
more details of an operation
Name Range Type Description
operation-description string
A longer (multiple line) description suitable for completely explaining the operation and the places where it has an effect. The maximum length allowed is 255 characters.
operation-synopsis string
A short description (only a few words) suitable for use in a user interface when showing/selecting this operation. The maximum length allowed is 255 characters.
resource-type string
Type of resource that the operation applies to. Possible values: "managementstation", "filer", "aggregate", "volume", "lun", "vfiler", "host", "group", "rbac_role", "dataset", "resource_pool". Note that group refers to a DFM resource group.

 
Element definition: rbac-resource-operation [top]
operation assigned to a given resource
Name Range Type Description
operation rbac-operation
Complete details of an operation
resource resource-identifier
The resource for which the operation applies

 
Element definition: resource-pool-resource [top]
Details of a DFM resource-pool resource. DFM resource-pool name or object id of a DFM resource-pool. When used as input only one of resource-pool-name or resource-pool-id is specified. When used as output, both of them will be returned.
Name Range Type Description
resource-pool-id integer
optional
Object id of a DFM resource pool. Range: [0..2^32-1]
resource-pool-name string
optional
DFM resource pool name

 
Element definition: vfiler-resource [top]
Details of a vfiler resource. When used as input only one of vfiler-name-or-uuid or vfiler-id is specified. When used as output, both of them will be returned.
Name Range Type Description
vfiler-id integer
optional
The object id of a vfiler. Range: [0..2^32-1]
vfiler-name-or-uuid string
optional
The FQDN or UUID of a vfiler

 
Element definition: vfiler-template-resource [top]
Identifies a vfiler template resource. When used as input only one of vfiler-template-name or vfiler-template-id is specified. When used as output, both of them will be returned.
Name Range Type Description
vfiler-template-id obj-id
optional
A vFiler template identifier.
vfiler-template-name obj-name
optional
A vFiler template name.

 
Element definition: volume-resource [top]
Details of a volume.
Name Range Type Description
aggregate-identifier aggregate-resource
optional
volume within an aggregate
host-identifier host-resource
optional
Host on which the volume resides.
vfiler-identifier vfiler-resource
optional
volume within a vfiler e.g. vfiler where the volume resides.
volume-identifier-name-or-id volume-name-or-id
The volume name or id. If a volume name is specified, then either aggregate-identifier, vfiler-identifier or host-identifier must also be specified.

 
Element definition: aggregate-name-or-id [top]
Details of an aggregate name or id. When used as input only one of aggregate-name or aggregate-id is specified. When used as output, both of them will be returned.
Name Range Type Description
aggregate-id integer
optional
The object id of an aggregate. Range: [0..2^32-1]
aggregate-name string
optional
An aggregate name. If this is specified, filer-identifier must also be specified.

 
Element definition: lun-name-or-id [top]
Details of a LUN name or id. When used as input only one of lun-name or lun-id is specified. When used as output both will be returned. If a lun-name is specified, then either volume-identifier or host-identifier must also be specified.
Name Range Type Description
lun-id integer
optional
The object id of a lun. Range: [0..2^32-1]
lun-name string
optional
The serial number or path name of a LUN. Path name of LUN is written as volume-name/lun-name or volume-name/qtree-name/lun-name. One of either volume-identifier or host-identifier must also be specified. However, if a host-identifier is specified, the lun-name must be only a serial number.
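
A client-side pre-flight check for the resource-identifier rules stated in the element definitions above, as an added example (not NetApp code): it rejects ambiguous or incomplete resources before they are passed to a call such as rbac-access-check or rbac-role-capability-add. Representing the element as a nested Python dict keyed by the element names is an assumption of this example, as is rejecting empty names; qtree, policy and volume are left out.

```python
ID_MAX = 2**32 - 1  # the page gives "Range: [0..2^32-1]" for these ids

RESOURCE_FIELDS = {
    "aggregate", "dataset", "filer", "group", "host", "lun", "policy", "qtree",
    "rbac-role", "resource-id", "resource-pool", "vfiler", "vfiler-template",
    "volume",
}

# Elements that are a plain name/id pair: field -> (name key, id key)
PAIRS = {
    "dataset": ("dataset-name", "dataset-id"),
    "filer": ("filer-name", "filer-id"),
    "group": ("group-name", "group-id"),
    "host": ("host-name", "host-id"),
    "rbac-role": ("rbac-role-name", "rbac-role-id"),
    "resource-pool": ("resource-pool-name", "resource-pool-id"),
    "vfiler": ("vfiler-name-or-uuid", "vfiler-id"),
}


def _check_id(value, errors, where):
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= ID_MAX:
        errors.append(f"{where}: id must be an integer in [0..2^32-1]")


def _one_of(elem, name_key, id_key, errors, where):
    """Input form: exactly one of name or id. Returns the key that was used."""
    if not isinstance(elem, dict):
        errors.append(f"{where}: expected an element with {name_key} or {id_key}")
        return None
    present = [k for k in (name_key, id_key) if k in elem]
    if len(present) != 1:
        errors.append(f"{where}: specify exactly one of {name_key} or {id_key}")
        return None
    key = present[0]
    if key == id_key:
        _check_id(elem[key], errors, where)
    elif not isinstance(elem[key], str) or not elem[key]:
        # Assumption of this example: an empty name is rejected.
        errors.append(f"{where}: {name_key} must be a non-empty string")
    return key


def _check_aggregate(agg, errors):
    key = _one_of(agg.get("aggregate-resource-name-or-id"),
                  "aggregate-name", "aggregate-id", errors, "aggregate")
    filer = agg.get("filer-identifier")
    if filer is not None:
        _one_of(filer, *PAIRS["filer"], errors, "aggregate.filer-identifier")
    elif key == "aggregate-name":
        errors.append("aggregate: aggregate-name requires filer-identifier")


def _check_lun(lun, errors):
    ident = lun.get("lun-identifier-name-or-id")
    key = _one_of(ident, "lun-name", "lun-id", errors, "lun")
    host, volume = lun.get("host-identifier"), lun.get("volume-identifier")
    if host is not None:
        _one_of(host, *PAIRS["host"], errors, "lun.host-identifier")
    if key == "lun-name":
        if host is None and volume is None:
            errors.append("lun: lun-name requires volume-identifier or host-identifier")
        # Path names contain '/', so with a host only a serial number is valid.
        if host is not None and "/" in str(ident["lun-name"]):
            errors.append("lun: with host-identifier, lun-name must be a serial number")


def validate_resource(res):
    """Return a list of rule violations; an empty list means the input is acceptable."""
    if not isinstance(res, dict):
        return ["resource-identifier must be a mapping"]
    errors = []
    unknown = sorted(set(res) - RESOURCE_FIELDS)
    if unknown:
        errors.append(f"unknown field(s): {', '.join(unknown)}")
    fields = [k for k in res if k in RESOURCE_FIELDS]
    if len(fields) != 1:
        errors.append(f"exactly one resource field must be set, got {len(fields)}")
        return errors
    field, value = fields[0], res[fields[0]]
    if field == "resource-id":
        _check_id(value, errors, "resource-id")   # 0 is the global resource
    elif not isinstance(value, dict):
        errors.append(f"{field}: expected a nested element")
    elif field in PAIRS:
        _one_of(value, *PAIRS[field], errors, field)
    elif field == "aggregate":
        _check_aggregate(value, errors)
    elif field == "lun":
        _check_lun(value, errors)
    else:
        errors.append(f"{field}: not covered by this example")
    return errors
```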

 
Element definition: obj-id [top]
Identification number (ID) for a DFM object. This typedef is an alias for the builtin ZAPI type integer. Object IDs are unsigned integers in the range [1..2^31 - 1]. In some contexts, an object ID is also allowed to be 0, which is interpreted as a null value, e.g., a reference to no object at all.

The ID for a DFM object is always assigned by the system; the user is never allowed to assign an ID to an object. Therefore, an input element of type obj-id is always used to refer to an existing object by its ID. The ZAPI must specify the object's DFM object type (e.g. data set, host, DP policy, etc.). Some ZAPIs allow the object to be one of several different types.

If the value of an obj-id input element does not match the ID of any existing DFM object of the specified type or types, then typically the ZAPI fails with error code EOBJECTNOTFOUND. A ZAPI may deviate from this general rule, for example, it may return a more specific error code. In either case, the ZAPI specification must document its behavior.

[none]

 
Element definition: obj-name [top]
Name of a DFM object. This typedef is an alias for the builtin ZAPI type string. An object name must conform to the following format:
  • It must contain between 1 and 64 characters.
  • It may start with any character and may contain any combination of characters, except that it may not consist solely of decimal digits ('0' through '9').
  • In some contexts, a name may be the empty string (""), which is interpreted as a null value, e.g., a reference to no object at all.
The behavior of a ZAPI when it encounters an error involving an obj-name input element depends on how the ZAPI uses the input element. Here are the general rules:
  • If the input name element is used to create a new object with the given name, or rename an existing object to that name, and the name does not conform to the above format, then the ZAPI fails with error code EINVALIDINPUTERROR. Note that because EINVALIDINPUTERROR is such a common error code, ZAPI specifications are not required to document cases when they may return it.
  • If the input name element is used to refer to an existing object with that name, and there is no object with that name, then the ZAPI fails with error code EOBJECTNOTFOUND. Generally the ZAPI specification documents cases when it may return this error code.
A ZAPI may deviate from these general rules, for example, it may return more specific error codes. In such cases, the ZAPI specification must document its behavior.

If an input name element is used to refer to an existing object, then the ZAPI specification must specify which DFM object type (e.g. data set, host, DP policy, etc.) is allowed. Some ZAPIs allow the object to be one of several different types. See the description of obj-full-name for examples of valid input formats.

Note that there is no requirement that all object names must be unique. However, the names for some specific types of objects are constrained such that no two objects of that type may have the same name. For example, this constraint applies to data sets, DP schedules, and DP policies. This means that no two data sets may have the same name, but a data set may have the same name as a DP schedule or DP policy.

In general, object names are compared in a case-insensitive manner. This means that, for example, "MyObject" and "MYOBJECT" are considered to be the same name for purposes of: creating new objects, renaming existing objects, or looking up an object by name. On the other hand, ZAPIs that return an obj-name generally do not change the capitalization at all. For example, if an object's name has been set to "MyObject", then list iteration ZAPIs that return the object's name return it as "MyObject" rather than "MYOBJECT" or "myobject".

ZAPIs that operate on obj-name values and do not follow these general rules about case sensitivity must document the rules that they do follow.

One important exception to these general rules is that volumes, qtrees, OSSV directories, SRM paths, interfaces, FCP targets and FC switch ports all have case-sensitive names. When looking up objects of these types by name, the case must match the object name.

[none]
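The obj-id and obj-name rules above can be checked on the client before a name or ID is sent in a request. The following is an added example, not code from the NetApp documentation; the object-type labels and the use of simple lowercase folding for case-insensitive comparison are assumptions.

```python
OBJ_ID_MAX = 2**31 - 1  # upper bound of the obj-id range stated above

# Object types the page lists as having case-sensitive names. The string
# labels are assumptions made for this example, not DFM type identifiers.
CASE_SENSITIVE_TYPES = frozenset({
    "volume", "qtree", "ossv-directory", "srm-path",
    "interface", "fcp-target", "fc-switch-port",
})


def valid_obj_id(value, allow_null=False):
    """True if value is in [1..2^31-1], or is 0 where a null reference is allowed."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    if value == 0:
        return allow_null
    return 1 <= value <= OBJ_ID_MAX


def valid_obj_name(name, allow_null=False):
    """True if name has 1-64 characters and is not made up solely of '0'-'9'."""
    if not isinstance(name, str):
        return False
    if name == "":
        return allow_null
    if len(name) > 64:
        return False
    # Only ASCII '0'-'9' count as decimal digits here; str.isdigit() would
    # also match other Unicode digit characters.
    return any(ch not in "0123456789" for ch in name)


def lookup_key(obj_type, name):
    """Key under which two names of the same object type compare equal."""
    if obj_type in CASE_SENSITIVE_TYPES:
        return (obj_type, name)
    return (obj_type, name.lower())  # assumption: simple lowercase folding


def colliding_names(objects):
    """Group (obj_type, name) pairs whose distinct spellings share a lookup key."""
    groups = {}
    for obj_type, name in objects:
        groups.setdefault(lookup_key(obj_type, name), set()).add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


# Constructed sample: the two data set spellings collide, the two volume
# spellings do not, and a DP policy may reuse a data set's name.
SAMPLE = [
    ("dataset", "MyObject"), ("dataset", "MYOBJECT"),
    ("volume", "vol1"), ("volume", "VOL1"),
    ("dp-policy", "MyObject"),
]

if __name__ == "__main__":
    print(colliding_names(SAMPLE))
```

Running the collision check over the names an application is about to reference shows which spellings would resolve to the same object in a lookup by name.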

 
Element definition: policy-resource [top]
Identifies a policy resource. When used as input one or more of policy-name or policy-id is specified. When used as output, both of them will be returned. Policy can refer to either a protection policy or a provisioning policy.
Name Range Type Description
policy-id obj-id
optional
Object identifier of the protection or provisioning policy.
policy-name obj-name
optional
Name of the protection or provisioning policy.

 
Element definition: qtree-name-or-id [top]
A qtree name or id. When used as input only one of qtree-name or qtree-id is specified. When used as output, both of them will be returned. If qtree-name is specified, then either host-identifier or volume-identifier must also be specified but not both.
Name Range Type Description
qtree-id obj-id
optional
The object id of a qtree. Range: [0..2^32-1]
qtree-name obj-name
optional
The name of a qtree. Also need either host-identifier or volume-identifier.

 
Element definition: qtree-resource [top]
Details of a qtree. qtree-identifier-name-or-id must be specified. If qtree-name is specified, then either volume-identifier or host-identifier must also be specified. See the description for qtree-name for more information.
Name Range Type Description
host-identifier host-resource
optional
Host in which the qtree resides.
qtree-identifier-name-or-id qtree-name-or-id
A qtree's name or id. If the qtree's name is specified, then either volume-identifier or host-identifier must also be specified.
volume-identifier volume-resource
optional
Volume in which the qtree resides.

 
Element definition: rbac-operation [top]
An operation
Name Range Type Description
operation-name string
Name of an operation. The maximum length allowed is 255 characters. It is of the form: .. For example: "DFM.SRM.Read"
operation-name-details rbac-operation-name-details
Other details of an operation

 
Element definition: rbac-operation-name-details [top]
More details of an operation
Name Range Type Description
operation-description string
A longer (multiple line) description suitable for completely explaining the operation and the places where it has an effect. The maximum length allowed is 255 characters.
operation-synopsis string
A short description (only a few words) suitable for use in a user interface when showing/selecting this operation. The maximum length allowed is 255 characters.
resource-type string
Type of resource that the operation applies to. Possible values: "managementstation", "filer", "aggregate", "volume", "lun", "vfiler", "host", "group", "rbac_role", "dataset", "resource_pool". Note that group refers to a DFM resource group.

 
Element definition: rbac-role-resource [top]
Identifies an RBAC role resource. When used as input only one of rbac-role-name or rbac-role-id is specified. When used as output, both of them will be returned.
Name Range Type Description
rbac-role-id integer
optional
The object id of an RBAC role. Range: [0..2^32-1]
rbac-role-name string
optional
An RBAC role name. Must be less than or equal to 64 characters in length.

 
Element definition: vfiler-resource [top]
Details of a vfiler resource. When used as input only one of vfiler-name-or-uuid or vfiler-id is specified. When used as output, both of them will be returned.
Name Range Type Description
vfiler-id integer
optional
The object id of a vfiler. Range: [0..2^32-1]
vfiler-name-or-uuid string
optional
The FQDN or UUID of a vfiler

 
Element definition: volume-name-or-id [top]
A volume name or id. When used as input only one of volume-name or volume-id is specified. When used as output, both of them will be returned. If volume-name is specified, then either host-identifier, vfiler-identifier or aggregate-identifier must also be specified but not both.
Name Range Type Description
volume-id integer
optional
The object id of a volume. Range: [0..2^32-1]
volume-name string
optional
The name of a volume. Also need either host-identifier, vfiler-identifier or aggregate-identifier.

 
Element definition: volume-resource [top]
Details of a volume.
Name Range Type Description
aggregate-identifier aggregate-resource
optional
Volume within an aggregate
host-identifier host-resource
optional
Host on which the volume resides.
vfiler-identifier vfiler-resource
optional
Volume within a vfiler, e.g. the vfiler where the volume resides.
volume-identifier-name-or-id volume-name-or-id
The volume name or id. If a volume name is specified, then either aggregate-identifier, vfiler-identifier or host-identifier must also be specified.
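The input constraints on the nested resource elements (one of name or id, and a parent identifier whenever a name is used) can be checked before a request is built. This is an added example, not code from the NetApp documentation; representing each element as a Python dict keyed by its child element names is an assumption, as is treating a lun-name that contains "/" as a path rather than a serial number.

```python
# type: (name-or-id wrapper element or None, name key, id key, {parent element: its type})
SPEC = {
    "host-resource": (None, "host-name", "host-id", {}),
    "filer-resource": (None, "filer-name", "filer-id", {}),
    "vfiler-resource": (None, "vfiler-name-or-uuid", "vfiler-id", {}),
    "aggregate-resource": ("aggregate-resource-name-or-id", "aggregate-name",
                           "aggregate-id", {"filer-identifier": "filer-resource"}),
    "volume-resource": ("volume-identifier-name-or-id", "volume-name", "volume-id",
                        {"host-identifier": "host-resource",
                         "vfiler-identifier": "vfiler-resource",
                         "aggregate-identifier": "aggregate-resource"}),
    "qtree-resource": ("qtree-identifier-name-or-id", "qtree-name", "qtree-id",
                       {"host-identifier": "host-resource",
                        "volume-identifier": "volume-resource"}),
    "lun-resource": ("lun-identifier-name-or-id", "lun-name", "lun-id",
                     {"host-identifier": "host-resource",
                      "volume-identifier": "volume-resource"}),
}
# Types whose name-or-id description says the parent identifiers are exclusive.
EXCLUSIVE_PARENT = {"volume-resource", "qtree-resource"}


def validate(rtype, res, path=""):
    """Return a list of problems in one input resource element (empty list = OK)."""
    wrap, name_key, id_key, parents = SPEC[rtype]
    here = path or rtype
    if not isinstance(res, dict):
        return [f"{here}: expected an element with child elements"]
    ident = res.get(wrap) if wrap else res
    if not isinstance(ident, dict):
        return [f"{here}: {wrap} must be specified"]
    problems = []
    has_name, has_id = name_key in ident, id_key in ident
    if has_name == has_id:
        problems.append(f"{here}: specify exactly one of {name_key} or {id_key}")
    given = [p for p in parents if p in res]
    if has_name and parents and not given:
        problems.append(f"{here}: {name_key} needs one of {', '.join(sorted(parents))}")
    if has_name and rtype in EXCLUSIVE_PARENT and len(given) > 1:
        problems.append(f"{here}: only one parent identifier may accompany {name_key}")
    if (rtype == "lun-resource" and has_name and "host-identifier" in res
            and "/" in str(ident[name_key])):
        problems.append(f"{here}: with host-identifier, lun-name must be a serial number")
    for p in given:  # parent identifiers are resources themselves, so recurse
        problems += validate(parents[p], res[p], f"{here}/{p}")
    return problems


# Constructed sample: a LUN given by path inside a volume named on a host.
SAMPLE_LUN = {
    "lun-identifier-name-or-id": {"lun-name": "vol1/lun0"},
    "volume-identifier": {
        "volume-identifier-name-or-id": {"volume-name": "vol1"},
        "host-identifier": {"host-name": "host1.abc.xyz.com"},
    },
}

if __name__ == "__main__":
    print(validate("lun-resource", SAMPLE_LUN))
```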

 
Element definition: aggregate-name-or-id [top]
Details of an aggregate name or id. When used as input only one of aggregate-name or aggregate-id is specified. When used as output, both of them will be returned.
Name Range Type Description
aggregate-id integer
optional
The object id of an aggregate. Range: [0..2^32-1]
aggregate-name string
optional
An aggregate name. If this is specified, also need to specify filer-identifier.

 
Element definition: aggregate-resource [top]
Details of an aggregate resource. aggregate-resource-name-or-id must be specified. If aggregate-name is specified, then need to also specify filer-identifier.
Name Range Type Description
aggregate-resource-name-or-id aggregate-name-or-id
An aggregate name or id. If an aggregate name is specified, then the filer-identifier must also be specified
filer-identifier filer-resource
optional
The storage system in which the aggregate lives.

 
Element definition: filer-resource [top]
Details of a storage system resource. When used as input only one of filer-name or filer-id is specified. When used as output, both of them will be returned.
Name Range Type Description
filer-id integer
optional
The object id or serial number of a storage system. Range: [0..2^32-1]
filer-name string
optional
The FQDN of a storage system

 
Element definition: host-resource [top]
Identifies a host resource. When used as input only one of host-name or host-id is specified. When used as output, both of them will be returned.
Name Range Type Description
host-id integer
optional
An object id of a host. Range: [0..2^32-1]
host-name string
optional
A FQDN of a host

 
Element definition: lun-name-or-id [top]
Details of a LUN name or id. When used as input only one of lun-name or lun-id is specified. When used as output both will be returned. If a lun-name is specified, then either volume-identifier or host-identifier must also be specified.
Name Range Type Description
lun-id integer
optional
The object id of a lun. Range: [0..2^32-1]
lun-name string
optional
The serial number or path name of a LUN. Path name of LUN is written as volume-name/lun-name or volume-name/qtree-name/lun-name. One of either volume-identifier or host-identifier must also be specified. However, if a host-identifier is specified, the lun-name must be only a serial number.

 