NetApp Console setup and administration

Learn about NetApp Console identity and access management

Contributors netapp-tonias netapp-ahibbard

Use the NetApp Console's Identity and Access Management (IAM) to organize your NetApp resources and control access according to your business structure—by location, department, or project.

You organize resources in a hierarchy: the organization is at the top, then folders (which can contain other folders or projects), and then projects, which contain storage systems, workloads, and agents.

Assign access roles at the organization, folder, or project level so users have the right access to resources.

Note: You must have the Super admin, Organization admin, or Folder or project admin role to manage IAM in the NetApp Console.

The following image illustrates this hierarchy at a basic level.

Figure: A conceptual diagram that shows the components of resource management.

Identity and access management components

The NetApp Console IAM is built on three types of components: organizational components that define the hierarchy, resources that are assigned within that hierarchy, and members and roles that control who can access what.

NetApp Console organizational components

The organizational components—organization, folders, and projects—form a hierarchy that determines how resources are grouped and how access is delegated.

Organization

An organization is the top level of the Console IAM system and typically represents your company. Your organization consists of folders, projects, members, roles, and resources. Resources are associated with projects, and members are assigned roles at the organization, folder, or project level.

Projects

Projects group storage resources. Assign resources to projects and grant users access at the project level. Resources can belong to multiple projects. Users with access to a project can use its resources.

For example, you can associate an on-premises ONTAP system with a single project or with all projects in your organization, depending on your needs.

Folders

Group related projects in folders to organize them by location, site, or business unit. You can't associate resources directly with folders, but assigning a user a role at the folder level gives them access to all projects in that folder.

Note: Users with the Org admin role can add resources to a folder to delegate the task of associating the resource with projects to Folder or project admins of the respective folder. Learn about associating a resource with a folder.

Resources

A resource is an entity that the Console is aware of and that can be assigned to a project. Resources include storage systems, Keystone subscriptions, some Backup and Recovery workloads, as well as Console agents.

Associate a resource with a project so that users with access to the project can use the resource.

For example, you might associate a Cloud Volumes ONTAP system with one project or with all projects in your organization. How you associate a resource depends on your organization's needs.

Storage systems

Storage systems are the primary resources that you manage in NetApp Console. NetApp Console supports management of both on-premises and cloud storage systems. Add a storage system to a project so that users with access to the project can access it.

Storage systems are automatically associated with the project where they are added, but you can associate them with other projects or folders from the Resources page. You cannot associate FSx for NetApp ONTAP storage systems with projects or folders, but you can view them on the Systems page or from Workloads.

Keystone subscriptions

Keystone subscriptions are also resources that you can associate with projects to grant users access to the subscription in NetApp Console.

Backup and Recovery workloads (Oracle and Microsoft SQL Server)

Some Backup and Recovery workloads are also considered resources. Assign a Backup and Recovery workload to a project to grant users access.

Console agents

Organization admins create Console agents to manage storage systems and enable NetApp data services. Agents are initially tied to the project where they are created, but admins can add them to other projects from the Agents page.

Members and roles

Members are the users and service accounts in your organization. Roles define what actions they can perform and at what level of the hierarchy—organization, folder, or project.

Members

Members of your organization are user accounts or service accounts. A service account is typically used by an application to complete specified tasks without human intervention.

Add members to your organization after they sign up for NetApp Console. After you add them, assign roles to provide access to resources. You can manually add service accounts from within the Console or automate their creation and management through the NetApp Console IAM API.

Access roles

The Console provides access roles that you can assign to the members of your organization.

When you associate a member with a role, you can grant that role for the entire organization, a specific folder, or a specific project. The role that you select gives a member permission to the resources in the selected part of the hierarchy.

NetApp Console provides granular roles that adhere to the principle of "least privilege", which means access roles are designed to give users access to only what they need.

Users might have multiple roles as their duties expand.
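
The scoping rule described above (a role granted at the organization, folder, or project level reaches the resources in that part of the hierarchy) is what an access review has to expand. The following is an added example, not NetApp code and not the Console IAM API: it is an offline model with constructed names (`europe`, `paris-prod`, `alice`, and so on), and it assumes that a folder-level role also reaches projects in nested folders.

```python
from collections import defaultdict

# Constructed hierarchy: node -> parent (None marks the organization).
PARENT = {
    "org": None,
    "europe": "org", "emea-sites": "europe",          # folders
    "paris-prod": "emea-sites", "berlin-dev": "europe",  # projects
    "apac-prod": "org",                                # project
}
PROJECTS = {"paris-prod", "berlin-dev", "apac-prod"}

# Constructed associations; a resource can belong to several projects.
RESOURCE_PROJECTS = {
    "ontap-onprem-01": {"paris-prod", "berlin-dev"},
    "cvo-apac-01": {"apac-prod"},
    "agent-eu": {"paris-prod"},
}

# Constructed role assignments: (member, role, scope node).
ASSIGNMENTS = [
    ("alice", "Organization admin", "org"),
    ("bob", "Folder or project admin", "europe"),
    ("carol", "Storage admin", "paris-prod"),
    ("svc-backup", "Backup and Recovery admin", "berlin-dev"),
]

def ancestors(node):
    """Yield the node itself and every ancestor up to the organization."""
    while node is not None:
        yield node
        node = PARENT[node]

def projects_in_scope(scope):
    """Projects reached by a role granted at `scope` (inherited downward)."""
    return {p for p in PROJECTS if scope in ancestors(p)}

def effective_access():
    """Map member -> resource -> set of (role, scope) grants that reach it."""
    access = defaultdict(lambda: defaultdict(set))
    for member, role, scope in ASSIGNMENTS:
        reach = projects_in_scope(scope)
        for resource, projects in RESOURCE_PROJECTS.items():
            if projects & reach:
                access[member][resource].add((role, scope))
    return access

def broad_grants():
    """Assignments scoped above project level: review these for least privilege."""
    return [a for a in ASSIGNMENTS if a[2] not in PROJECTS]
```

Because `ontap-onprem-01` is associated with two projects, it shows up for both `carol` and `svc-backup` even though neither has a role on the other's project; multi-project resources are where reviews most often miss reachable access.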

IAM strategy examples

The right IAM structure depends on the size of your organization and how your teams are organized. The following examples show how different organizations can use the IAM hierarchy to manage access effectively.

Small organization strategy

For organizations with fewer than 50 users and centralized storage management, consider a simplified approach using Super admin and Super viewer roles.

Example: ABC Corporation (5-person team)

  • Structure: Single organization with 3 projects (Production, Development, Backup)

  • Roles:

    • 2 senior members: Super admin role for full administrative access

    • 3 team members: Super viewer role for monitoring without modification rights

  • Agent strategy: Single agent associated with all projects for shared resource access

  • Benefits: Simplified administration, reduced role complexity, suitable for teams requiring broad access

Multi-regional enterprise strategy

For large organizations with regional operations and specialized teams, implement a hierarchical approach with folders representing geographical or business unit boundaries.

Example: XYZ Corporation (multinational company)

  • Structure: Organization > Regional folders (North America, Europe, Asia-Pacific) > Project folders per region

  • Platform roles:

    • 1 Organization admin: Global oversight and policy management

    • 3 Folder or project admins: Regional control (one per region)

    • 1 Federation admin: Corporate identity provider integration

  • Storage roles by region:

    • 9 Storage admin: Discover and manage storage systems in assigned regions

    • 2 Storage viewer: Monitor storage resources across regions

    • 1 System health specialist: Manage storage health without system modifications

  • Data service roles:

    • Backup and Recovery admin: Per-project based on backup responsibilities

    • Ransomware Resilience admin: Security team monitoring across projects

  • Agent strategy: Regional agents associated with appropriate geographical projects

  • Benefits: Enhanced security through role segregation, regional autonomy, and compliance with local regulations

Departmental specialization strategy

For organizations with specialized teams requiring specific data service access, use targeted role assignments based on functional responsibilities.

Example: TechCorp (mid-size technology company)

  • Structure: Organization > Department folders (IT, Security, Development) > Project-specific resources

  • Specialized roles:

    • Security team: Ransomware Resilience admin and Classification viewer roles

    • Backup team: Backup and Recovery super admin for comprehensive backup operations

    • Development team: Storage admin for test environment management

    • Compliance team: Operation support analyst for monitoring and support case management

  • Agent strategy: Agents linked to departmental projects based on resource ownership

  • Benefits: Tailored access control, improved operational efficiency, and clear accountability for specialized tasks