Learn about NetApp Console identity and access management
Identity and access management (IAM) within the NetApp Console enables you to organize and control access to your NetApp resources. You can organize your resources according to your organization's hierarchy. For example, you can organize resources by geographical location, site, or business unit. You can then assign IAM roles to members at specific parts of the hierarchy, which prevents access to resources in other parts of the hierarchy.
How IAM works
IAM lets you grant resource access by assigning users access roles to specific parts of the hierarchy. For example, a member can be assigned the Folder or project admin role for a project with five resources.
When using IAM, you manage the following components:
- The organization
- Folders
- Projects
- Resources
- Members
- Roles and permissions
- Console agents
Resources are organized hierarchically:
- The organization is the top of the hierarchy.
- Folders are children of the organization or of another folder.
- Projects are children of the organization or of a folder.
- Resources are associated with one or more folders or projects.
The following image illustrates this hierarchy at a basic level.
Organization
An organization is the top level of the Console IAM system and typically represents your company. Your organization consists of folders, projects, members, roles, and resources. Agents are associated with specific projects in the organization.
Folders
A folder enables you to group related projects together and separate them from other projects in your organization. For example, a folder might represent a geographical location (EU or US East), a site (London or Toronto), or a business unit (engineering or marketing).
A folder can contain projects, other folders, or both. Folders are optional.
Projects
A project represents a workspace in the Console that organization members access from the Systems page in order to manage resources. For example, a project can include a Cloud Volumes ONTAP system, an on-premises ONTAP cluster, or an FSx for ONTAP file system.
An organization can have one or many projects. A project can reside directly underneath the organization or within a folder.
Resources
A resource is a system that you created or discovered in the Console.
When you create or discover a resource, the resource is associated with the currently selected project. That might be the only project that you want to associate this resource with. But you can choose to associate the resource with additional projects in your organization.
For example, you might associate a Cloud Volumes ONTAP system with one additional project or with all projects in your organization. How you associate a resource depends on your organization's needs.
Note: Agents can also be associated with more than one project. Learn more about using agents with IAM.
When to associate a resource with a folder
You can also associate a resource with a folder. This is optional and serves one specific use case.
An Organization administrator can associate a resource with a folder so a Folder or project administrator can link it to the appropriate projects in the folder.
For example, suppose a folder contains two projects, Project A and Project B. The Organization admin associates a resource with the folder.
Associating the resource with the folder does not make it accessible to all projects in the folder; only the Folder or project admin can see it. The Folder or project admin decides which projects should have access and associates the resource with those projects.
In this example, the admin associates the resource with Project A only. Members who have permissions for Project A can now access the resource; members whose permissions are limited to Project B cannot.
Members
Members of your organization are user accounts or service accounts. A service account is typically used by an application to complete specified tasks without human intervention.
Each organization includes at least one user with the Organization admin role (the Console automatically assigns this role to the user who creates the organization). You can add other members to the organization and assign different permissions across different levels of the resource hierarchy.
Roles and permissions
You don't grant permissions directly to organization members. Instead, you grant each member a role. A role contains a set of permissions that enables a member to perform specific actions at a specific level of the resource hierarchy.
Granting a role at a specific hierarchy level limits the member's access to the resources and services at that level and below, so each member gets only the access they need.
Where you can assign roles in the hierarchy
When you associate a member with a role, you need to select the entire organization, a specific folder, or a specific project. The role that you select gives a member permissions to the resources in the selected part of the hierarchy.
Role inheritance
When you assign a role, the role is inherited down the organization hierarchy:
- Organization: Granting a member an access role at the organization level gives them permissions to all folders, projects, and resources.
- Folders: When you grant an access role at the folder level, all folders, projects, and resources in the folder inherit that role. For example, if you assign a role at the folder level and that folder has three projects, the member will have permissions to those three projects and any associated resources.
- Projects: When you grant an access role at the project level, all resources associated with that project inherit that role.
Multiple roles
You can assign each organization member a role at different levels of the organization hierarchy. It can be the same role or a different role. For example, you can assign a member role A for project 1 and project 2. Or you can assign a member role A for project 1 and role B for project 2.
Access roles
The Console provides access roles that you can assign to the members of your organization.
Console agents
When an Organization admin creates a Console agent, the Console automatically associates that agent with the organization and the currently selected project. The Organization admin automatically has access to that agent from anywhere in the organization. But if you have other members in your organization with different roles, those members can only access that agent from the project in which it was created, unless you associate that agent with other projects.
You make a Console agent available for another project in these cases:
- You want to allow members in your organization to use an existing agent to create or discover additional systems in another project.
- You associated an existing resource with another project and that resource is managed by a Console agent.
If a resource that you associate with an additional project was discovered using a Console agent, you also need to associate the agent with the project that the resource is now associated with. Otherwise, the agent and its associated resource aren't accessible from the Systems page by members who don't have the Organization admin role.
You can create an association from the Agents page within the Console IAM:
- Associate a Console agent with a project: When you associate a Console agent with a project, that agent is accessible from the Systems page when viewing the project.
- Associate a Console agent with a folder: Associating a Console agent with a folder doesn't automatically make that agent accessible from all projects in the folder. Organization members can't access a Console agent from a project until you associate the agent with that specific project. An Organization admin might associate a Console agent with a folder so that the Folder or project admin can make the decision to associate that agent with the appropriate projects that reside in the folder.
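The following model, added here as an illustration and not NetApp code or a NetApp API, encodes the access rules this page describes: role inheritance down the organization, folder and project hierarchy; the folder-association use case for resources (visible to the Folder or project admin, but not to project members until it is linked to their project); and the agent rule above (an agent must be associated with a project before members without the Organization admin role can use it there, and folder association alone does not do that). All class, method and member names are hypothetical, and the organization it builds is constructed sample data.

```python
"""Toy model of the Console IAM hierarchy and access rules described on this page.

Added illustration only: not NetApp code and not a NetApp API. All names below are
made up. It encodes the rules the page states:
  * a role granted at the organization, a folder, or a project is inherited by
    everything below that point in the hierarchy;
  * a resource is reachable through each node it is associated with, so a resource
    associated only with a folder is visible only to members holding a role at that
    folder (or above);
  * a Console agent must be associated with a project before members without the
    Organization admin role can use it from that project; associating the agent
    with a folder does not grant that by itself.
"""
from dataclasses import dataclass, field

ORG_ADMIN = "Organization admin"      # role name used on the page
FOLDER_PROJECT_ADMIN = "Folder or project admin"


@dataclass
class Node:
    """Organization, folder or project in the hierarchy."""
    name: str
    kind: str                          # "organization", "folder" or "project"
    parent: "Node | None" = None

    def lineage(self) -> set:
        """Names of this node and every ancestor up to the organization."""
        names, n = set(), self
        while n is not None:
            names.add(n.name)
            n = n.parent
        return names


@dataclass
class Resource:
    name: str
    attached_to: set = field(default_factory=set)   # folder or project names
    agent: "str | None" = None                      # agent that discovered it, if any


@dataclass
class Agent:
    name: str
    projects: set = field(default_factory=set)      # projects it is associated with
    folders: set = field(default_factory=set)       # folder association grants nothing by itself


class Org:
    def __init__(self, name: str):
        self.root = name
        self.nodes = {name: Node(name, "organization")}
        self.resources: dict = {}
        self.agents: dict = {}
        self.grants: list = []          # (member, role, scope node name)

    def add_node(self, name: str, kind: str, parent: str) -> None:
        self.nodes[name] = Node(name, kind, self.nodes[parent])

    def grant(self, member: str, role: str, scope: str) -> None:
        self.grants.append((member, role, scope))

    def roles_at(self, member: str, node: str) -> set:
        """Roles the member holds at node, including those inherited from above."""
        lineage = self.nodes[node].lineage()
        return {role for m, role, scope in self.grants if m == member and scope in lineage}

    def is_org_admin(self, member: str) -> bool:
        return ORG_ADMIN in self.roles_at(member, self.root)

    def can_see_resource(self, member: str, resource: str) -> bool:
        """True if the member holds any role at a node the resource is attached to."""
        r = self.resources[resource]
        return any(self.roles_at(member, node) for node in r.attached_to)

    def can_use_agent_from(self, member: str, agent: str, project: str) -> bool:
        """Organization admins reach agents anywhere; others only via project association."""
        if self.is_org_admin(member):
            return True
        return project in self.agents[agent].projects and bool(self.roles_at(member, project))

    def association_warnings(self, resource: str) -> list:
        """Projects the resource is attached to whose discovering agent is not attached."""
        r = self.resources[resource]
        if r.agent is None:
            return []
        agent = self.agents[r.agent]
        return sorted(p for p in r.attached_to
                      if self.nodes[p].kind == "project" and p not in agent.projects)


def build_example() -> Org:
    """The page's folder-with-two-projects scenario, built here as constructed sample data."""
    org = Org("acme")
    org.add_node("eu", "folder", "acme")
    org.add_node("project-a", "project", "eu")
    org.add_node("project-b", "project", "eu")
    org.grant("alice", ORG_ADMIN, "acme")                   # organization admin
    org.grant("bob", FOLDER_PROJECT_ADMIN, "eu")            # admin of the folder
    org.grant("carol", FOLDER_PROJECT_ADMIN, "project-a")   # project A only
    org.grant("dave", FOLDER_PROJECT_ADMIN, "project-b")    # project B only
    org.agents["agent-1"] = Agent("agent-1", projects={"project-a"})
    org.resources["cvo-1"] = Resource("cvo-1", attached_to={"eu"}, agent="agent-1")
    return org
```

With the sample organization, `cvo-1` attached only to the `eu` folder is visible to the organization admin and the folder admin but not to the project-level members; adding `project-a` to its `attached_to` set makes it visible to `carol` and still not to `dave`. Attaching it to `project-b` without also associating `agent-1` with that project is exactly the case the page warns about, which `association_warnings` reports.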
IAM examples
These examples demonstrate how you might set up your organization.
Simple organization
The following diagram shows a simple example of an organization that uses the default project and no folders. A single member manages the entire organization.
Advanced organization
The following diagram shows an organization that uses folders to organize the projects for each geographic location in the business. Each project has its own set of associated resources. The members include an organization admin and an admin for each folder in the organization.
What you can do with IAM
The following examples describe how you might use IAM to manage your Console organization:
- Grant specific roles to specific members so that they can only complete the required tasks.
- Modify member permissions because they moved departments or because they have additional responsibilities.
- Remove a user who left the company.
- Add folders or projects to your hierarchy because a new business unit has added NetApp storage.
- Associate a resource with another project because that resource has capacity that another team can utilize.
- View the resources that a member can access.
- View the members and resources associated with a specific project.