Adding an ONTAP RBAC role using security login commands

You can use the security login commands to add an ONTAP RBAC role when your storage systems are running clustered ONTAP.

Before you begin

Before you create an ONTAP RBAC role for storage systems running clustered ONTAP, you must identify the following:

The task (or tasks) that you want to perform
The privileges required to perform these tasks

About this task

Configuring an RBAC role requires that you perform the following actions:

Grant privileges to commands and/or command directories.
There are two levels of access for each command/command directory: all-access and read-only.

You must always assign the all-access privileges first.
Assign roles to users.
Vary your configuration depending on whether your SnapCenter plug-ins are connected to the Cluster Administrator IP for the entire cluster or directly connected to a SVM within the cluster.

To simplify configuring these roles on storage systems, you can use the RBAC User Creator for Data ONTAP tool, which is posted on the NetApp Communities Forum.

This tool automatically handles setting up the ONTAP privileges correctly. For example, RBAC User Creator for Data ONTAP tool automatically adds the privileges in the correct order so that the all-access privileges appear first. If you add the read-only privileges first and then add the all-access privileges, ONTAP marks the all-access privileges as duplicates and ignores them.

Note: If you later upgrade SnapCenter or ONTAP, you should re-run the RBAC User Creator for Data ONTAP tool to update the user roles you created previously. User roles created for an earlier version of SnapCenter or ONTAP do not work properly with upgraded versions. When you re-run the tool, it automatically handles the upgrade. You do not need to recreate the roles.

More information about setting up ONTAP RBAC roles is in the ONTAP administration information.

ONTAP 9 SAN Administration Guide

Note: For consistency, the SnapCenter documentation refers to the roles as using privileges. The OnCommand System Manager GUI uses the term “attribute” instead of “privilege.” When setting up ONTAP RBAC roles, both these terms mean the same thing.

Procedure

On the storage system, create a new role by entering the following command: security login role create <role_name> -cmddirname "command" -access all –vserver <svm_name>
svm_name is the name of the SVM. If you leave this blank, it defaults to cluster administrator.

role_name is the name you specify for the role.

command is the ONTAP capability.

Note: You must repeat this command for each permission.

For information about the list of permissions, see ONTAP CLI commands for creating roles and assigning permissions.

Note: Remember that all-access commands must be listed before read-only commands.
Create a user name by entering the following command: security login create -username <user_name> -application ontapi -authmethod <password> -role <name_of_role_in_step_1> –vserver <svm_name> -comment "user_description"
user_name is the name of the user you are creating.

<password> is your password. If you do not specify a password, the system will prompt you for one.

svm_name is the name of the SVM.
Assign the role to the user by entering the following command: security login modify username <user_name> –vserver <svm_name> -role <role_name> -application ontapi -application console -authmethod <password>
<user_name> is the name of the user you created in Step 2. This command lets you modify the user to associate it with the role.

<svm_name> is the name of the SVM.

<role_name> is the name of the role you created in Step 1.

<password> is your password. If you do not specify a password, the system will prompt you for one.
Verify that the user was created correctly by entering the following command: security login show –vserver <svm_name> -user-or-group-name <user_name>
user_name is the name of the user you created in Step 3.

This command displays information about the user and the role.