If you are using SnapCenter Plug-in for VMware vSphere, the vCenter Server provides an additional level of RBAC. SnapCenter Plug-in for VMware vSphere supports both vCenter Server RBAC and ONTAP RBAC.
- vCenter Server RBAC
This security mechanism restricts the ability of vSphere users to perform SnapCenter Plug-in for VMware vSphere tasks on vSphere objects, such as virtual machines (VMs) and datastores. The Plug-in for VMware vSphere installation creates roles for SnapCenter operations on vCenter: SCV Administrator, SCV Backup, SCV Guest File Restore, SCV Restore, and SCV View.
The vSphere administrator sets up vCenter Server RBAC by doing the following:
- Setting the vCenter Server permissions on the root object (also known as the root folder). You can then refine the security by restricting child entities that do not need those permissions.
- Assigning the SCV roles to Active Directory users.
Note: At a minimum, all users must be able to view vCenter objects. Without this privilege, users cannot access the Plug-in for VMware vSphere GUI. - ONTAP RBAC
This security mechanism restricts the ability of SnapCenter to perform specific storage operations, such as backing up storage for datastores, on a specific storage system.
ONTAP and SnapCenter RBAC is set up in the following workflow:
- The storage administrator creates a role on the SVM with the necessary privileges.
- Then the storage administrator assigns the role to a storage user.
- The SnapCenter administrator adds the SVM to the SnapCenter Server, using that storage user name.
- Then the SnapCenter administrator assigns roles to SnapCenter users.
The following diagram provides an overview of the Plug-in for VMware vSphere validation workflow for RBAC privileges (both vCenter and ONTAP):
