security login create

Add a login method

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login create command creates a login method for the management utility. A login method consists of a user name, an application (access method), and an authentication method. A user name can be associated with multiple applications. It can optionally include an access-control role name. If an Active Directory, LDAP, or NIS group name is used, then the login method gives access to users belonging to the specified group. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

Parameters

-vserver <Vserver Name> - Vserver
This specifies the Vserver name of the login method.
-user-or-group-name <text> - User Name or Group Name
This specifies the user name or Active Directory, LDAP, or NIS group name of the login method. The Active Directory, LDAP, or NIS group name can be specified only with the domain or nsswitch authentication method and ontapi and ssh application. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.
-application <text> - Application
This specifies the application of the login method. Possible values include console, http, ontapi, rsh, snmp, service-processor, ssh, and telnet.

Setting this parameter to service-processor grants the user access to the Service Processor (SP). Because the SP supports only password authentication, when you set this parameter to service-processor, you must also set the -authentication-method parameter to password. Vserver user accounts cannot access the SP. Therefore, you cannot use the -vserver parameter when you set this parameter to service-processor.

-authentication-method <text> - Authentication Method
This specifies the authentication method for login. Possible values include the following:
  • cert - SSL certificate authentication
  • community - SNMP community strings
  • domain - Active Directory authentication
  • nsswitch - LDAP or NIS authentication
  • password - Password
  • publickey - Public-key authentication
  • usm - SNMP user security model
  • saml - SAML authentication
[-remote-switch-ipaddress <IP Address>] - Remote Switch IP Address
This specifies the IP address of the remote switch. The remote switch could be a cluster switch monitored by cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by MetroCluster health monitor (MCC-HM). This parameter is applicable only when the application is snmp and authentication method is usm (SNMP user security model).
-role <text> - Role Name
This specifies an access-control role name for the login method.
[-comment <text>] - Comment Text
This specifies comment text for the user account, for example, "Guest account". The maximum length is 128 characters.
[-is-ns-switch-group {yes|no}] - Whether Ns-switch Group
This specifies whether user-or-group-name is an LDAP or NIS group. Possible values are yes or no. Default value is no.
[-second-authentication-method {none|publickey|password|nsswitch}] - Second Authentication Method2
This specifies the authentication method for the login. It will be used as the second factor for authentication. Possible values include the following:
  • password - Password
  • publickey - Public-key authentication
  • nsswitch - NIS or LDAP authentication
  • none - default value

Examples

The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, and the access-control role guest for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application ssh -authentication-method password -role guest

The following example illustrates how to create a login that has the user name monitor, the application ontapi, the authentication method password, and the access-control role vsadmin for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application ontapi -authentication-method password -role vsadmin

The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method publickey, and the access-control role guest for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application ssh -authentication-method publickey -role guest

The following example illustrates how to create a login that has the user name monitor, the application http, the authentication method cert, and the access-control role admin for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application http -authentication-method cert -role admin

The following example illustrates how to create a login that has the Active Directory group name adgroup in DOMAIN1, the application ssh, the authentication method domain, and the access-control role vsadmin for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name DOMAIN1\adgroup -application ssh -authentication-method domain -role vsadmin

The following example illustrates how to create a login that has a group name nssgroup in the LDAP or NIS server, the application ontapi, the authentication method nsswitch, and the access-control role vsadmin for Vserver vs. Here is-ns-switch-group must be set to yes:

cluster1::> security login create -vserver vs -user-or-group-name nssgroup -application ontapi -authentication-method nsswitch -role vsadmin -is-ns-switch-group yes

The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, the second authentication method publickey and the access-control role vsadmin for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application ssh -authentication-method password -second-authentication-method publickey -role vsadmin

The following example illustrates how to create a login that has the user name monitor, the application ssh, the authentication method password, the second authentication method none and the access-control role vsadmin for Vserver vs:

cluster1::> security login create -vserver vs -user-or-group-name monitor -application ssh -authentication-method password -second-authentication-method none -role vsadmin