Skip to main content
BlueXP setup and administration

Learn about BlueXP access roles

Contributors netapp-tonias netapp-bcammett netapp-ahibbard
PDFs

BlueXP identity and access management (IAM) includes predefined roles that you can assign to the members of your organization across different levels of your resource hierarchy. Before you assign these roles, you should understand the permissions that each role includes. Roles fall into the following categories: platform, application, and data service.

Platform roles

Platform roles grant all BlueXP administration permissions, including assigning roles and adding users. Platform roles provide access to all BlueXP data services and applications. BlueXP IAM includes two platform roles: Organization admin and Folder or project admin. The main difference between the two BlueXP IAM platform roles is scope.

Platform role Responsibilities

Organization admin

Allows a user unrestricted access to all projects and folders within an organization, add members to any project or folder, as well as perform any BlueXP task and use any data service that does not have an explicit role associated with it.

Users with this role organize and manage your BlueXP organization. They create folders and projects, assign roles, add users, and can manage all working environments, if they have the credentials to do so.

This is the only access role that can create Connectors.

Folder or project admin

Allows a user unrestricted access to specific projects and folders to which they are assigned. Can add members to folders or projects they manage, as well as perform any BlueXP task and use any data service or application on resources within the folder or project they are assigned.

Folder or project admins cannot create Connectors.

Federation admin

Allows a user create and manage federations with BlueXP, which enables single-sign on (SSO).

Federation viewer

Allows a user to view existing federations with BlueXP. Cannot create or manage federations

Application roles

The following is a list of roles in the application category. Each role grants specific permissions within its designated scope. Users who do not have the required application role or a platform role will be unable to access the application.

Application role Responsibilities

Google Cloud NetApp Volumes admin

Users with the Google Cloud NetApp Volumes role can discover and manage Google Cloud NetApp Volumes.

Keystone admin

Users with the Keystone admin role can create service requests. Allows users to monitor and view consumption, assets, and administrative information within the Keystone tenant they are accessing.

Keystone viewer

Users with the Keystone viewer role CANNOT create service requests. Allows users to monitor and view consumption, assets, and administrative information within the Keystone tenant they are accessing.

ONTAP Mediator setup role

Service accounts with the ONTAP Mediator setup role can create service requests. This role is required in a service account to configure an instance of the ONTAP Cloud Mediator.

Operation support analyst

Provides access to alerts and montioring tools and ability to enter and manage support cases.

Storage admin

Administer storage health and governance functions, discover storage resources, as well as modify and delete existing working environments.

Storage viewer

View storage health and governance functions, as well as view previously discovered storage resources. Cannot discover, modify, or delete existing storage working environments.

System health specialist

Administer storage and health and governance functions, all permissions of the Storage admin except cannot modify or delete existing working environments.

Data service roles

The following is a list of roles in the data service category. Each role grants specific permissions within its designated scope. Users who do not have the required data service role or a platform role will be unable to access the data service.

Data service role Responsibilities

Backup and recovery super admin

Perform any actions in the Backup and recovery service.

Backup and recovery admin

Perform backups to local snapshots, replicate to secondary storage, and back up to object storage.

Backup and recovery restore admin

Restore workloads in the Backup and recovery service.

Backup and recovery clone admin

Clone applications and data in the Backup and recovery service.

Backup and recovery viewer

View Backup and recovery information.

Disaster recovery admin

Perform any actions in the Disaster recovery service.

Disaster recovery failover admin

Perform failover and migrations.

Disaster recovery application admin

Create replication plans, modify replication plans, and start test failovers.

Disaster recovery viewer

View information only.

Classification viewer

Provides the ability to view BlueXP classification scan results.

Users with this role can view compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas. Classification does not have a viewer role.

Ransomware protection admin

Manage actions on the Protect, Alerts, Recover, Settings, and Reports tabs of the Ransomware protection service.

Ransomware protection viewer

View workload data, view alert data, download recovery data, and download reports in the Ransomware protection service.

SnapCenter admin

Provides the ability to back up snapshots from on-premises ONTAP clusters using BlueXP backup and recovery for applications. A member who has this role can complete the following actions in BlueXP:

* Complete any action from Backup and recovery > Applications
* Manage all working environments in the projects and folders for which they have permissions
* Use all BlueXP services

SnapCenter does not have a viewer role.