Skip to main content
BlueXP setup and administration

Use roles to manage user access to resources

Contributors netapp-tonias
PDFs

Within BlueXP, you can assign roles to users based on what they need to do and where.

Users with the Organization admin or Folder or project admin role have the responsibility of assigning roles to other users. You can assign access roles on a project or folder basis. For example, you can assign a user the Ransomware protection admin role for one project and the SnapCenter admin role for a different project. Alternatively, if a user needs the Classification admin role for all projects within a specific folder, you can give them this role at the folder level.

Use access roles to assign access to storage resources based on the specific tasks that users need to perform. For example, if a user needs to interact with ransomware protection services, they must be given an access role that includes either viewing or administrative permissions for the ransomware protection service for the project for which the access role is granted.

Assign roles to users based on your IAM strategy for enhanced security. IAM roles ensure users have only the access they need.

Note Remember that you can't directly grant access to resources. Assign resources to projects first. Consider setting up your resource hierarchy before assigning users access. Learn how to organize your resources in BlueXP IAM with folders and projects.

View roles(s) assigned to a member

When you add a member to your organization, you are prompted to assign them a role. You can members to verify which roles they are currently assigned.

If you have the Folder or project admin role, the page displays all members in the organization. However, you can only view and manage member permissions for the folders and projects for which you have permissions. Learn more about the actions that a Folder or project admin can complete.

  1. From the Members page, navigate to a member in the table, select An icon that is three side-by-side dots and then select View details.

  2. In the table, expand the respective row for organization, folder, or project where you want to view the member's assigned role and select View in the Role column.

Add an access role to a member

You typically assign a role when adding a member to your organization, but you can update it at any time by removing or adding roles.

You can assign a user an access role for your organization, folder, or project.

Members can have multiple roles within the same project and in different projects. For example, smaller organizations may assign all available access roles to the same user, while larger organizations may have users do more specialized tasks. Alternatively, you could also assign one user the Ransomware protection admin role for an organization. In that example, the user would be able to perform ransomware protection tasks on all projects within your organization.

Your access role strategy should align with the way you have organized your NetApp resources.

Tip A member who is assigned the Organization admin role can't be assigned any additional roles. They already have permissions across the entire organization. A member with the Folder or project role can't be assigned any other roles within the folder or project where they have that role already. Both of these roles provide access to all services within the scope that they are assigned.
Steps

  1. From the Members page, navigate to a member in the table, select An icon that is three side-by-side dots and then select Add a role.

  2. To add a role, complete the steps in the dialog box:

    • Select an organization, folder, or project: Choose the level of your resource hierarchy that the member should have permissions for.

      If you select the organization or a folder, the member will have permissions to everything that resides within the organization or folder.

    • Select a category: Choose a role category. Learn about access roles.

    • Select a Role: Choose a role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.

Learn about access roles.
* Add role: If you want to provide access to additional folders or projects within your organization, select Add role, specify another folder or project or role category, and then select a role category and a corresponding role.

  1. Select Add new roles.

Change a member's assigned role

You can change the assigned roles for a member should you need to adjust the access for a user.

Note Users must have at least one role assigned to them. You can't remove all roles from a user. If you need to remove all roles, you must delete the user from your organization.
Steps

  1. From the Members page, navigate to a member in the table, select An icon that is three side-by-side dots and then select View details.

  2. In the table, expand the respective row for organization, folder, or project where you want to change the member's assigned role and select View in the Role column to view the roles assigned to this member.

  3. You can change an existing role for a member or remove a role.

    1. To change a member's role, select Change next to the role you want to change. You can only change this role to a role within the same role category. For example, you can change from one data service role to another. Confirm the change.

    2. To unassign a member's role, select An icon that resembles a trash can next to the role to unassign the member the respective role. You'll be asked to confirm the removal.