BlueXP setup and administration

Predefined BlueXP IAM roles and permissions

Contributors netapp-bcammett netapp-tonias

BlueXP identity and access management (IAM) includes several predefined roles that you can assign to the members of your organization across different levels of your resource hierarchy. Before you assign these roles, you should understand the permissions that each role includes.

Platform roles

BlueXP IAM includes two platform roles: Organization admin and Folder or Project admin. The main difference between the two roles is scope. The Organization admin role has permissions in all folders and projects, while the Folder or Project admin role only has permissions in the folder or project to which it has been assigned.

The Folder or Project admin role cannot create connectors.

Permissions

| Task | Organization admin | Folder or Project admin |
| --- | --- | --- |
| Create connectors | Yes | No |
| Create, modify or delete working environments (add or discover new resources using the BlueXP canvas) | Yes | Yes |
| Create projects/folders, including renaming, deleting, and editing | Yes | Yes |
| Assign roles and add users | Yes | Yes |
| Associate resources and connectors with folders and projects | Yes | Yes |
| Manage credentials from Settings > Credentials | Yes | Yes |
| View the BlueXP timeline | Yes | Yes |
| Use BlueXP services | Yes | Yes |
| Register BlueXP for support and submit cases | Yes | Yes |

Example for organization roles in BlueXP for a large multi-national organization

XYZ Corporation, a multinational company, aims to segregate access to data storage resources based on geographic regions: North America, Europe, and Asia-Pacific. They want each region to have exclusive control over their resources while maintaining centralized oversight.

To achieve this, a person assigned the Organization admin role in XYZ Corporation's BlueXP creates an initial working environment and then creates separate folders in BlueXP for each region. Each region's folder contains projects (with associated resources) related to that region. The Organization admin assigns a BlueXP user in each respective region the Folder or Project admin role.

Once the initial setup is complete, regional admins with the Folder or Project admin role can create new working environments and add users within their regions. These regional admins can also add, remove, or rename the folders and projects to which they are assigned. The Organization admin inherits permissions for any new working environments or resources, maintaining visibility of storage usage across the entire organization.
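
The following Python sketch is an added example, not NetApp code and not a BlueXP API: it models the platform-role table and the XYZ Corporation layout so that an access review can check who administers each region and who can create connectors. The member names, project names, and helper functions are constructed for illustration, and it assumes that a Folder or Project admin role assigned on a folder also covers the projects inside that folder.

```python
# Added illustration: a model of the platform-role table and the XYZ Corporation
# layout for access reviews. It does not call any BlueXP API.
ORG_ADMIN = "Organization admin"
SCOPED_ADMIN = "Folder or Project admin"
CREATE_CONNECTORS = "Create connectors"

# Constructed hierarchy: child -> parent (None marks the organization root).
PARENT = {
    "XYZ Corporation": None,
    "North America": "XYZ Corporation",
    "Europe": "XYZ Corporation",
    "Asia-Pacific": "XYZ Corporation",
    "na-project-1": "North America",
    "eu-project-1": "Europe",
}

# Constructed role assignments: (member, role, node where the role was assigned).
ASSIGNMENTS = [
    ("central-admin", ORG_ADMIN, "XYZ Corporation"),
    ("na-admin", SCOPED_ADMIN, "North America"),
    ("eu-admin", SCOPED_ADMIN, "Europe"),
]


def in_scope(node, assigned_at):
    """True if node is assigned_at or sits below it (assumed downward inheritance)."""
    while node is not None:
        if node == assigned_at:
            return True
        node = PARENT[node]
    return False


def is_allowed(member, task, node):
    """Evaluate one task at one node against the member's platform roles."""
    for who, role, assigned_at in ASSIGNMENTS:
        if who != member:
            continue
        if role == ORG_ADMIN:
            return True  # every table row is Yes, in all folders and projects
        if role == SCOPED_ADMIN and task != CREATE_CONNECTORS and in_scope(node, assigned_at):
            return True  # every row except "Create connectors", inside the scope
    return False


def admins_for(node):
    """Access-review helper: members holding a platform role that covers node."""
    return sorted({who for who, role, at in ASSIGNMENTS
                   if role == ORG_ADMIN or in_scope(node, at)})
```

Running `admins_for` over every folder and project gives a per-region list of administrators to compare against the intended regional segregation.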

Data services roles

Data services roles can complete their tasks in any project or folder.

SnapCenter admin

Description

Provides the ability to back up snapshots from on-premises ONTAP clusters using BlueXP backup and recovery for applications.

Permissions

A member who has this role can complete the following actions in BlueXP:

  • Complete any action from Backup and recovery > Applications

  • Manage all working environments in the projects and folders for which they have permissions

  • Use all BlueXP services

Classification viewer

Description

Provides the ability to view BlueXP classification scan results.

Permissions

View compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas.

No other actions are available to a member who has this role.