BlueXP setup and administration

Predefined BlueXP IAM roles and permissions

Contributors: netapp-tonias, netapp-bcammett

BlueXP identity and access management (IAM) includes several predefined roles that you can assign to the members of your organization at different levels of your resource hierarchy. Before you assign these roles, you should understand the permissions that each role includes. Roles fall into two categories: platform roles and data service roles.

Platform roles

Platform roles are the broadest roles you can assign to users. They grant broad permissions for BlueXP administration, including assigning roles and adding users, as well as the ability to perform all BlueXP functions. BlueXP IAM includes two platform roles: Organization admin and Folder or Project admin. The main difference between the two platform roles is scope.

Organization admin

Allows a user unrestricted access to all projects and folders within an organization, to add members to any project or folder, and to perform any BlueXP task and use any data service.

Folder or project admin

Allows a user unrestricted access to the specific projects and folders to which they are assigned. Such a user can add members to the projects or folders they manage, and can perform any BlueXP task and use any data service within the folder or project to which they are assigned.

The Folder or Project admin role cannot create connectors.

Platform role comparison table

| Task | Organization admin | Folder or Project admin |
| --- | --- | --- |
| Create connectors | Yes | No |
| Create, modify or delete working environments (add or discover new resources using the BlueXP canvas) | Yes | Yes |
| Create projects/folders, including deleting | Yes | No |
| Rename existing projects/folders | Yes | Yes |
| Assign roles and add users | Yes | Yes |
| Associate resources with folders and projects | Yes | Yes |
| Associate connectors with folders and projects | Yes | No |
| Remove connectors from folders and projects | Yes | No |
| Manage connectors (edit certificates, settings, and so on) | Yes | No |
| Manage credentials from Settings > Credentials | Yes | Yes |
| View the BlueXP timeline | Yes | Yes |
| Use BlueXP services | Yes | Yes |
| Register BlueXP for support and submit cases | Yes | Yes |

Example for organization roles in BlueXP for a large multi-national organization

XYZ Corporation, a multinational company, aims to segregate access to data storage resources based on geographic regions: North America, Europe, and Asia-Pacific. They want each region to have exclusive control over their resources while maintaining centralized oversight.

To achieve this, a person assigned the Organization admin role in XYZ Corporation's BlueXP organization creates an initial working environment and then creates separate folders in BlueXP for each region. Each region's folder contains projects (with associated resources) related to that region. The Organization admin then assigns a BlueXP user in each region the Folder or Project admin role.

Once the initial setup is complete, regional admins with the Folder or Project admin role can create new working environments and add users within their regions. These regional admins can also add, remove, or rename folders and projects to which they are assigned. The Organization admin inherits permissions for any new working environments or resources, maintaining visibility of storage usage across the entire organization.
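The scoping in this scenario, as an added illustrative model rather than NetApp's code or BlueXP's API: the task sets are taken from the comparison table above, while the hierarchy, member names and role-key strings are constructed for the XYZ example. Effective permission is resolved by walking from a resource up to the organization, which is what gives the Organization admin reach into every region while confining each regional admin to their own folder.

```python
# Tasks from the platform role comparison table. The Organization admin may do all
# of them; the Folder or Project admin is denied the connector and folder-lifecycle tasks.
ALL_TASKS = {
    "create_connectors", "manage_working_environments", "create_delete_projects_folders",
    "rename_projects_folders", "assign_roles", "associate_resources",
    "associate_connectors", "remove_connectors", "manage_connectors",
    "manage_credentials", "view_timeline", "use_services", "support_cases",
}
FOLDER_ADMIN_DENIED = {
    "create_connectors", "create_delete_projects_folders",
    "associate_connectors", "remove_connectors", "manage_connectors",
}
ROLE_TASKS = {
    "organization_admin": ALL_TASKS,
    "folder_or_project_admin": ALL_TASKS - FOLDER_ADMIN_DENIED,
}

# Constructed hierarchy for the XYZ Corporation scenario (child -> parent):
# "xyz" is the organization, the regions are folders, each holding one project.
PARENT = {
    "xyz": None,
    "north-america": "xyz", "europe": "xyz", "asia-pacific": "xyz",
    "na-storage": "north-america", "eu-storage": "europe", "apac-storage": "asia-pacific",
}

# Constructed assignments: (member, role, scope at which the role was granted).
ASSIGNMENTS = [
    ("org.admin@example.com", "organization_admin", "xyz"),
    ("eu.admin@example.com", "folder_or_project_admin", "europe"),
]


def ancestors(resource):
    """Yield the resource and each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]  # KeyError for an unknown resource: fail closed


def can(member, task, resource, assignments=ASSIGNMENTS):
    """True if the member holds, at the resource or any ancestor scope, a role
    whose task set includes the task. Because the walk goes upward only, a role
    granted on the "europe" folder never matches a resource under "asia-pacific",
    whereas a role granted on the organization matches everything beneath it."""
    scopes = set(ancestors(resource))
    return any(scope in scopes and task in ROLE_TASKS[role]
               for who, role, scope in assignments if who == member)
```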

Data services roles

Data services roles give users permission to use data services within the organization, project, or folder to which they have access.

SnapCenter admin

Provides the ability to back up snapshots from on-premises ONTAP clusters using BlueXP backup and recovery for applications.

Permissions

A member who has this role can complete the following actions in BlueXP:

  • Complete any action from Backup and recovery > Applications

  • Manage all working environments in the projects and folders for which they have permissions

  • Use all BlueXP services

Classification viewer

Provides the ability to view BlueXP classification scan results.

Permissions

View compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas.

No other actions are available to a member who has this role.