Release notes
Define custom roles
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Data protection with the CLI
-
-
Collection of separate PDF docs
Creating your file...
You can use the security login role create command to define a custom role. You can execute the command as many times as necessary to achieve the exact combination of capabilities that you want to associate with the role.
-
A role, whether predefined or custom, grants or denies access to ONTAP commands or command directories.
A command directory (
volume, for example) is a group of related commands and command subdirectories. Except as described in this procedure, granting or denying access to a command directory grants or denies access to each command in the directory and its subdirectories. -
Specific command access or subdirectory access overrides parent directory access.
If a role is defined with a command directory, and then is defined again with a different access level for a specific command or for a subdirectory of the parent directory, the access level that is specified for the command or subdirectory overrides that of the parent.
|
You cannot assign an SVM administrator a role that gives access to a command or command directory that is available only to the admin cluster administrator—for example, the security command directory.
|
You must be a cluster administrator to perform this task.
-
Define a custom role:
security login role create -vserver SVM_name -role role -cmddirname command_or_directory_name -access access_level -query queryFor complete command syntax, see the worksheet.
The following commands grant the
vol_rolerole full access to the commands in thevolumecommand directory and read-only access to the commands in thevolume snapshotsubdirectory.cluster1::>security login role create -role vol_role -cmddirname "volume" -access all cluster1::>security login role create -role vol_role -cmddirname "volume snapshot" -access readonly
The following commands grant the
SVM_storagerole read-only access to the commands in thestoragecommand directory, no access to the commands in thestorage encryptionsubdirectory, and full access to thestorage aggregate plex offlinenonintrinsic command.cluster1::>security login role create -role SVM_storage -cmddirname "storage" -access readonly cluster1::>security login role create -role SVM_storage -cmddirname "storage encryption" -access none cluster1::>security login role create -role SVM_storage -cmddirname "storage aggregate plex offline" -access all