Worksheets for administrator authentication and RBAC configuration

Before creating login accounts and setting up role-based access control (RBAC), you should gather information for each item in the configuration worksheets.

Creating or modifying login accounts

You provide these values with the security login create command when you enable login accounts to access a storage virtual machine (SVM). You provide the same values with the security login modify command when you modify how an account accesses an SVM.

Field Description Your value
-vserver The name of the SVM that the account accesses. The default value is the name of the admin SVM for the cluster.  
-user-or-group-name The user name or group name of the account. Specifying a group name enables access to each user in the group. You can associate a user name or group name with multiple applications.  
-application The application that is used to access the SVM:
  • http
  • ontapi
  • snmp
  • ssh
-authmethod The method that is used to authenticate the account:
  • cert for SSL certificate authentication
  • domain for Active Directory authentication
  • nsswitch for LDAP or NIS authentication
  • password for user password authentication
  • publickey for public key authentication
  • community for SNMP community strings
  • usm for SNMP user security model
  • saml for Security Assertion Markup Language (SAML) authentication
-remote-switch-ipaddress The IP address of the remote switch. The remote switch can be a cluster switch monitored by the cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by the MetroCluster health monitor (MCC-HM). This option is applicable only when the application is snmp and the authentication method is usm.  
-role The access control role that is assigned to the account:
  • For the cluster (the admin SVM), the default value is admin.
  • For a data SVM, the default value is vsadmin.
-comment Optional. Descriptive text for the account. You should enclose the text in double quotation marks ("").  
-is-ns-switch-group Whether the account is an LDAP group account or NIS group account (yes or no).  
-second-authentication-method The second authentication method, used for multifactor authentication (ONTAP 9.3):
  • none if not using multifactor authentication (the default value)
  • publickey for public key authentication when the authmethod is password or nsswitch
  • password for user password authentication when the authmethod is publickey
  • nsswitch for user password authentication when the authmethod is publickey
    Note: Support for nsswitch as the second method is available starting with ONTAP 9.4.

The order of authentication is always public key followed by password.
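The following Python helper is an added example, not NetApp's code. It turns a login-account worksheet into a security login create command line and checks the cross-field rules from the table above before rendering it: -remote-switch-ipaddress is accepted only with snmp and usm, and the second authentication method must fit the primary method. The worksheet values, including the SVM name svm_example, are constructed.

```python
# Worksheet-to-command helper for `security login create`.  Added example, not
# NetApp code.  The value sets and the two cross-field rules are transcribed
# from the worksheet; the sample worksheet at the bottom is constructed and
# "svm_example" is a placeholder SVM name.

APPLICATIONS = {"http", "ontapi", "snmp", "ssh"}
AUTHMETHODS = {"cert", "domain", "nsswitch", "password", "publickey",
               "community", "usm", "saml"}
# Second factor permitted for each primary method (ONTAP 9.3; nsswitch as a
# second factor from 9.4).  Methods not listed here allow only "none".
ALLOWED_SECOND = {
    "password": {"none", "publickey"},
    "nsswitch": {"none", "publickey"},
    "publickey": {"none", "password", "nsswitch"},
}
# Fields rendered in this order; -comment is handled separately because the
# worksheet requires it to be enclosed in double quotation marks.
FIELD_ORDER = ("vserver", "user-or-group-name", "application", "authmethod",
               "remote-switch-ipaddress", "role", "is-ns-switch-group",
               "second-authentication-method")


def validate_login(ws):
    """Return a list of problems; an empty list means the worksheet is consistent."""
    problems = []
    app = ws.get("application")
    auth = ws.get("authmethod")
    second = ws.get("second-authentication-method", "none")
    if not ws.get("user-or-group-name"):
        problems.append("-user-or-group-name is required")
    if app not in APPLICATIONS:
        problems.append(f"-application must be one of {sorted(APPLICATIONS)}, got {app!r}")
    if auth not in AUTHMETHODS:
        problems.append(f"-authmethod must be one of {sorted(AUTHMETHODS)}, got {auth!r}")
    # The remote switch address is meaningful only for SNMPv3 (usm) monitoring.
    if "remote-switch-ipaddress" in ws and not (app == "snmp" and auth == "usm"):
        problems.append("-remote-switch-ipaddress applies only with -application snmp -authmethod usm")
    # The second factor is constrained by the primary method.
    if second != "none" and second not in ALLOWED_SECOND.get(auth, set()):
        problems.append(f"-second-authentication-method {second} is not allowed with -authmethod {auth}")
    if ws.get("is-ns-switch-group", "no") not in {"yes", "no"}:
        problems.append("-is-ns-switch-group must be yes or no")
    if '"' in ws.get("comment", ""):
        problems.append("-comment is wrapped in double quotation marks, so it cannot contain one")
    return problems


def build_login_create(ws):
    """Render the command line, or raise ValueError listing every problem found."""
    problems = validate_login(ws)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["security login create"]
    for field in FIELD_ORDER:
        if field in ws:
            parts.append(f"-{field} {ws[field]}")
    if "comment" in ws:
        parts.append(f'-comment "{ws["comment"]}"')
    return " ".join(parts)


# Constructed worksheet: an SSH admin account with password + public key MFA.
MFA_ACCOUNT = {
    "vserver": "svm_example",
    "user-or-group-name": "ops-admin",
    "application": "ssh",
    "authmethod": "password",
    "role": "admin",
    "second-authentication-method": "publickey",
    "comment": "constructed example account",
}

if __name__ == "__main__":
    print(build_login_create(MFA_ACCOUNT))
    # A second factor that does not fit the primary method is reported:
    print(validate_login({**MFA_ACCOUNT, "second-authentication-method": "password"}))
```

The validator reports every inconsistency at once rather than stopping at the first, so a worksheet can be corrected in one pass before the command is run on the cluster.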


Defining custom roles

You provide these values with the security login role create command when you define a custom role.

Field Description Your value
-vserver Optional. The name of the SVM that is associated with the role.  
-role The name of the role.  
-cmddirname The command or command directory to which the role gives access. You should enclose command subdirectory names in double quotation marks (""). For example, "volume snapshot". You must enter DEFAULT to specify all command directories.  
-access Optional. The access level for the role.

  For command directories:
  • none (the default value for custom roles) denies access to commands in the command directory
  • readonly grants access to the show commands in the command directory and its subdirectories
  • all grants access to all of the commands in the command directory and its subdirectories

  For nonintrinsic commands (commands that do not end in create, modify, delete, or show):
  • none (the default value for custom roles) denies access to the command
  • readonly is not applicable
  • all grants access to the command

  To grant or deny access to intrinsic commands, you must specify the command directory.
-query Optional. The query object that is used to filter the access level, specified in the form of a valid option for the command or for a command in the command directory. You should enclose the query object in double quotation marks (""). For example, if the command directory is volume, the query object "-aggr aggr0" would enable access for the aggr0 aggregate only.  
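A small model of the -cmddirname, -access and -query rules, added here as an example and not ONTAP's own implementation: it applies the rules as the worksheet states them, with two simplifications marked in the code (the most specific matching entry decides, and a query is modelled as one option-value pair). The role and the commands it is evaluated against are constructed for illustration.

```python
# Model of the -cmddirname / -access / -query rules in the worksheet above.
# Added example, not ONTAP's implementation.  Two details are simplifications
# of my own and are labelled below.  The role contents are constructed.

INTRINSIC = {"create", "modify", "delete", "show"}


class RoleEntry:
    """One `security login role create` row: -cmddirname, -access, -query."""

    def __init__(self, cmddirname, access="none", query=None):
        if access not in {"none", "readonly", "all"}:
            raise ValueError(f"-access must be none, readonly or all, got {access!r}")
        words = () if cmddirname == "DEFAULT" else tuple(cmddirname.split())
        # Intrinsic commands cannot be named individually: access to them is
        # granted or denied through their command directory.
        if words and words[-1] in INTRINSIC:
            raise ValueError(f"{cmddirname!r} is an intrinsic command; specify its directory")
        self.path = words
        self.access = access
        # Simplification: a query is modelled as a single "-option value" pair.
        self.query = tuple(query.split()) if query else None
        if self.query is not None and len(self.query) != 2:
            raise ValueError("query must be of the form '-option value'")


def _query_matches(entry, options):
    """True if the entry has no query or the invocation carries the queried value."""
    if entry.query is None:
        return True
    name, value = entry.query
    return options.get(name) == value


def is_allowed(role, command, options=None):
    """Decide whether `role` (a list of RoleEntry) permits `command`
    (e.g. "volume snapshot show") invoked with `options` (a dict)."""
    options = options or {}
    words = tuple(command.split())
    verb = words[-1]
    # Simplification: the most specific entry whose path is a prefix of the
    # command decides; DEFAULT has the empty path and so matches everything.
    best = None
    for entry in role:
        if words[:len(entry.path)] == entry.path and (best is None or len(entry.path) > len(best.path)):
            best = entry
    if best is None or not _query_matches(best, options):
        return False
    if best.path == words:
        # The entry names a nonintrinsic command itself: readonly is not
        # applicable, so only "all" grants it.
        return best.access == "all"
    # The entry names a command directory (or DEFAULT).
    if best.access == "all":
        return True
    if best.access == "readonly":
        return verb == "show"
    return False


# Constructed role: read-only everywhere, full control of snapshots, volume
# commands only on aggregate aggr0, no access under security login, and the
# nonintrinsic "volume offline" explicitly denied.
CONSTRUCTED_ROLE = [
    RoleEntry("DEFAULT", "readonly"),
    RoleEntry("volume snapshot", "all"),
    RoleEntry("volume", "all", "-aggr aggr0"),
    RoleEntry("security login", "none"),
    RoleEntry("volume offline", "none"),
]

if __name__ == "__main__":
    for cmd, opts in [("network interface show", {}),
                      ("volume snapshot create", {}),
                      ("volume create", {"-aggr": "aggr0"}),
                      ("volume create", {"-aggr": "aggr1"}),
                      ("volume offline", {"-aggr": "aggr0"}),
                      ("security login show", {})]:
        print(f"{cmd:28} {opts} -> {is_allowed(CONSTRUCTED_ROLE, cmd, opts)}")
```

Walking a proposed role through a model like this is a cheap way to check that a least-privilege role really denies what it is meant to deny (here, anything under security login and any volume command outside aggr0) before the role is created on the cluster.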

Associating a public key with a user account

You provide these values with the security login publickey create command when you associate an SSH public key with a user account.

Field Description Your value
-vserver Optional. The name of the SVM that the account accesses.  
-username The user name of the account. The default value is admin, the default name of the cluster administrator.  
-index The index number of the public key. The default value is 0 if the key is the first key that is created for the account; otherwise, the default value is one more than the highest existing index number for the account.  
-publickey The OpenSSH public key. You should enclose the key in double quotation marks ("").  
-role The access control role that is assigned to the account.  
-comment Optional. Descriptive text for the public key. You should enclose the text in double quotation marks ("").  
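Before recording a key in the -publickey field, it is worth confirming that the value is a well-formed OpenSSH public key and noting its size. The following check is an added example, not ONTAP code: it parses the one-line OpenSSH format (type word, base64 blob, optional comment), verifies that the type word matches the type embedded in the blob, reports the size for ed25519 and RSA keys, and rejects a value that could not be enclosed in double quotation marks. The sample keys are constructed from fixed bytes and are not real keys.

```python
# Format and size check for the -publickey value.  Added example, not ONTAP
# code.  It validates the text format only; it does not check whether ONTAP
# accepts a given key type.  Sample keys are constructed, not real.

import base64
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated blob")
    return blob[start:start + length], start + length


def describe_openssh_pubkey(line):
    """Return {"type", "bits", "comment"} for a one-line OpenSSH public key,
    or raise ValueError describing what is wrong with it."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error (a ValueError) on bad input
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii", "replace"):
        raise ValueError(f"type word {key_type!r} does not match the blob's type {embedded!r}")
    if key_type == "ssh-ed25519":
        point, _ = _read_string(blob, offset)
        if len(point) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif key_type == "ssh-rsa":
        _, offset = _read_string(blob, offset)   # public exponent e
        modulus, _ = _read_string(blob, offset)  # modulus n, as an mpint
        bits = int.from_bytes(modulus, "big").bit_length()
    else:
        bits = None  # other types: format checked, size not interpreted
    return {"type": key_type, "bits": bits, "comment": comment}


def check_publickey(line, min_rsa_bits=2048):
    """Return a list of problems; empty means the value can go into the worksheet."""
    try:
        info = describe_openssh_pubkey(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        problems.append(f"RSA modulus is {info['bits']} bits; {min_rsa_bits} or more expected")
    if '"' in line:
        problems.append("value is wrapped in double quotation marks, so it cannot contain one")
    return problems


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_ed25519():
    """A syntactically valid ssh-ed25519 line built from fixed bytes (not a real key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " ops-admin constructed"


def constructed_rsa(bits):
    """A syntactically valid ssh-rsa line with a fixed fake modulus of the given size."""
    n = (1 << (bits - 1)) | 1                         # fixed odd number, not a real modulus
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # mpint: leading zero as high bit is set
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    print(describe_openssh_pubkey(constructed_ed25519()))
    print(check_publickey(constructed_rsa(1024)))
```

Catching a pasted key whose type word and blob disagree, or an RSA key that is shorter than intended, at worksheet time is much cheaper than discovering it after the account is already in use.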

Installing a CA-signed server digital certificate

You provide these values with the security certificate generate-csr command when you generate a digital certificate signing request (CSR) for use in authenticating an SVM as an SSL server.

Field Description Your value
-common-name The name of the certificate, which is either a fully qualified domain name (FQDN) or a custom common name.  
-size The number of bits in the private key. The higher the value, the more secure the key. The default value is 2048. Possible values are 512, 1024, 1536, and 2048.  
-country The country of the SVM, in a two-letter code. The default value is US. See the man pages for a list of codes.  
-state The state or province of the SVM.  
-locality The locality of the SVM.  
-organization The organization of the SVM.  
-unit The unit in the organization of the SVM.  
-email-addr The email address of the contact administrator for the SVM.  
-hash-function The cryptographic hashing function for signing the certificate. The default value is SHA256. Possible values are SHA1, SHA256, and MD5.  

You provide these values with the security certificate install command when you install a CA-signed digital certificate for use in authenticating the cluster or SVM as an SSL server. Only the options that are relevant to this guide are shown in the following table.

Field Description Your value
-vserver The name of the SVM on which the certificate is to be installed.  
-type The certificate type:
  • server for server certificates and intermediate certificates
  • client-ca for the public key certificate of the root CA of the SSL client
  • server-ca for the public key certificate of the root CA of the SSL server of which ONTAP is a client
  • client for a self-signed or CA-signed digital certificate and private key for ONTAP as an SSL client

Configuring Active Directory domain controller access

You provide these values with the security login domain-tunnel create command when you have already configured a CIFS server for a data SVM and you want to configure the SVM as a gateway or tunnel for Active Directory domain controller access to the cluster.

Field Description Your value
-vserver The name of the SVM for which the CIFS server has been configured.  

You provide these values with the vserver active-directory create command when you have not configured a CIFS server and you want to create an SVM computer account on the Active Directory domain.

Field Description Your value
-vserver The name of the SVM for which you want to create an Active Directory computer account.  
-account-name The NetBIOS name of the computer account.  
-domain The fully qualified domain name (FQDN).  
-ou The organizational unit in the domain. The default value is CN=Computers. ONTAP appends this value to the domain name to produce the Active Directory distinguished name.  

Configuring LDAP or NIS server access

You provide these values with the vserver services name-service ldap client create command when you create an LDAP client configuration for the SVM.

Note: Starting with ONTAP 9.2, the -ldap-servers field replaces the -servers field. This new field can take either a host name or an IP address as the value for the LDAP server.

Only the options that are relevant to this guide are shown in the following table:

Field Description Your value
-vserver The name of the SVM for the client configuration.  
-client-config The name of the client configuration.  
-servers ONTAP 9.0, 9.1: A comma-separated list of IP addresses for the LDAP servers to which the client connects.  
-ldap-servers ONTAP 9.2: A comma-separated list of IP addresses and host names for the LDAP servers to which the client connects.  
-schema The schema that the client uses to make LDAP queries.  
-use-start-tls Whether the client uses Start TLS to encrypt communication with the LDAP server (true or false). Note: Start TLS is supported for access to data SVMs only; it is not supported for access to admin SVMs.  

You provide these values with the vserver services name-service ldap create command when you associate an LDAP client configuration with the SVM.

Field Description Your value
-vserver The name of the SVM with which the client configuration is to be associated.  
-client-config The name of the client configuration.  
-client-enabled Whether the SVM can use the LDAP client configuration (true or false).  

You provide these values with the vserver services name-service nis-domain create command when you create an NIS domain configuration on an SVM.

Note: Starting with ONTAP 9.2, the -nis-servers field replaces the -servers field. This new field can take either a host name or an IP address as the value for the NIS server.

Field Description Your value
-vserver The name of the SVM on which the domain configuration is to be created.  
-domain The name of the domain.  
-active Whether the domain is active (true or false).  
-servers ONTAP 9.0, 9.1: A comma-separated list of IP addresses for the NIS servers that are used by the domain configuration.  
-nis-servers ONTAP 9.2: A comma-separated list of IP addresses and host names for the NIS servers that are used by the domain configuration.  

You provide these values with the vserver services name-service ns-switch create command when you specify the look-up order for name service sources.

Field Description Your value
-vserver The name of the SVM on which the name service look-up order is to be configured.  
-database The name service database:
  • hosts for files and DNS name services
  • group for files, LDAP, and NIS name services
  • passwd for files, LDAP, and NIS name services
  • netgroup for files, LDAP, and NIS name services
  • namemap for files and LDAP name services
-sources The order in which to look up name service sources (in a comma-separated list):
  • files
  • dns
  • ldap
  • nis

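The following added example (not ONTAP code) checks an ns-switch worksheet row against the sources that are valid for each database, renders the command, and simulates the look-up order over constructed sample directories. It shows that the first source that answers wins, so a local files entry can shadow an LDAP entry, or the reverse, depending on the order you record in the worksheet. The SVM name svm_example and the directory contents are constructed; 192.0.2.10 is a documentation (TEST-NET-1) address.

```python
# Look-up order simulation for `vserver services name-service ns-switch create`.
# Added example, not ONTAP code.  The databases and the sources valid for each
# are taken from the worksheet; the sample directories are constructed.

ALLOWED_SOURCES = {
    "hosts": ("files", "dns"),
    "group": ("files", "ldap", "nis"),
    "passwd": ("files", "ldap", "nis"),
    "netgroup": ("files", "ldap", "nis"),
    "namemap": ("files", "ldap"),
}


def validate_ns_switch(database, sources):
    """Return problems with a worksheet row; an empty list means it is valid."""
    if database not in ALLOWED_SOURCES:
        return [f"-database must be one of {list(ALLOWED_SOURCES)}, got {database!r}"]
    problems = []
    for source in sources:
        if source not in ALLOWED_SOURCES[database]:
            problems.append(f"source {source} is not valid for the {database} database")
    if len(set(sources)) != len(sources):
        problems.append("-sources lists a source more than once")
    if not sources:
        problems.append("-sources must name at least one source")
    return problems


def build_ns_switch_create(vserver, database, sources):
    """Render the command line, or raise ValueError if the row is invalid."""
    problems = validate_ns_switch(database, sources)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"vserver services name-service ns-switch create -vserver {vserver} "
            f"-database {database} -sources {','.join(sources)}")


# Constructed directories.  "backup" exists both locally and in LDAP with
# different uids, so the configured order decides which identity wins.
SAMPLE_DIRECTORIES = {
    "files": {"passwd": {"root": "uid=0", "backup": "uid=1001"}},
    "ldap": {"passwd": {"backup": "uid=5002", "alice": "uid=5001"}},
    "nis": {"passwd": {"alice": "uid=7001"}},
    "dns": {"hosts": {"nas.example.test": "192.0.2.10"}},
}


def lookup(database, sources, key, directories=SAMPLE_DIRECTORIES):
    """Return (source, value) from the first source in `sources` that answers,
    or None.  Later sources are not consulted once one has answered."""
    for source in sources:
        value = directories.get(source, {}).get(database, {}).get(key)
        if value is not None:
            return source, value
    return None


if __name__ == "__main__":
    print(build_ns_switch_create("svm_example", "passwd", ["files", "ldap"]))
    print(lookup("passwd", ["files", "ldap"], "backup"))  # local entry wins
    print(lookup("passwd", ["ldap", "files"], "backup"))  # directory entry wins
    print(validate_ns_switch("hosts", ["files", "ldap"]))  # ldap is not a hosts source
```

Because only the first answering source is used, an account that exists in the local files database with the same name as a directory account takes on the local identity when files is listed first; review the order for the passwd and group databases with that in mind.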
Configuring SAML access

Starting with ONTAP 9.3, you provide these values with the security saml-sp create command to configure SAML authentication.

Field Description Your value
-idp-uri The FTP address or HTTP address of the Identity Provider (IdP) host from which the IdP metadata can be downloaded.  
-sp-host The host name or IP address of the SAML service provider host (ONTAP system). By default, the IP address of the cluster-management LIF is used.  

[-cert-ca and -cert-serial] or [-cert-common-name] The server certificate details of the service provider host (ONTAP system).  
-verify-metadata-server Whether the identity of the IdP metadata server must be validated (true or false). The best practice is to always set this value to true.