Learn about NetApp Console identity and access management
Use NetApp Console's Identity and Access Management (IAM) to organize your NetApp resources and control access according to your business structure—by location, department, or project.
Resources are arranged hierarchically: the organization is at the top, followed by folders (which can contain other folders or projects), and then projects, which contain storage systems, workloads, and agents.
Assign role-based access control (RBAC) permissions to members at the organization, folder, or project level to ensure users have the appropriate access to resources.
Note: You must have the Super admin, Organization admin, or Folder or project admin role to manage IAM in NetApp Console.
The following image illustrates this hierarchy at a basic level.
[Image: organization, folder, and project hierarchy]
Identity and access management components
Within NetApp Console, you organize your storage resources using three main components: organizational components, resource components, and user access components.
Projects and folders within your organization
Within your IAM structure, you work with three organizational components: organizations, folders, and projects. You can grant users access by assigning them roles at any of these levels.
- Organization: An organization is the top level of the Console IAM system and typically represents your company. Your organization consists of folders, projects, members, roles, and resources. Agents are associated with specific projects in the organization.
- Projects: A project is used to provide access to storage resources. You must assign a resource to a project before anyone can access it. You can assign multiple resources to a single project, and you can also have multiple projects. You then assign users permissions to the project to give them access to the resources within it.
  For example, you can associate an on-premises ONTAP system with a single project or with all projects in your organization, depending on your needs.
- Folders: Group related projects in folders to organize them by location, site, or business unit. You can't associate resources directly with folders, but assigning a user a role at the folder level gives them access to all projects in that folder.
Resources
Resources include storage systems, Keystone subscriptions, and Console agents.
You must associate a resource with a project before anyone can access it.
For example, you might associate a Cloud Volumes ONTAP system with one project or with all projects in your organization. How you associate a resource depends on your organization's needs.
- Storage systems and Keystone subscriptions: Storage systems are the primary resources that you manage in NetApp Console. NetApp Console supports management of both on-premises and cloud storage systems. You must add a storage system to a project before anyone can access it.
  Storage systems are automatically associated with the project where they are added, but you can also associate them with other projects or folders from the Resources page.
  Keystone subscriptions are also resources that you can associate with projects in order to grant users access to the subscription in NetApp Console.
- Console agents: Organization admins create Console agents to manage storage systems and enable NetApp data services. Agents are initially tied to the project where they are created, but admins can add them to other projects or folders from the Agents page.
  Associating an agent with a project enables management of resources in that project, while associating an agent with a folder lets folder or project admins decide which projects should use the agent. Agents must be linked to specific projects to provide management capabilities.
Members and roles
- Members: Members of your organization are user accounts or service accounts. A service account is typically used by an application to complete specified tasks without human intervention.
  You need to add members to your organization after they sign up for NetApp Console. Once added, you can assign them roles to provide access to resources. You can manually add service accounts from within the Console or automate their creation and management through the NetApp Console IAM API.
- Access roles: The Console provides access roles that you can assign to the members of your organization.
  When you associate a member with a role, you can grant that role for the entire organization, a specific folder, or a specific project. The role that you select gives a member permissions to the resources in the selected part of the hierarchy.
  NetApp Console provides granular roles that adhere to the principle of least privilege, which means access roles are designed to give users access to only what they need. This means users may have multiple roles assigned to them as their duties expand.
IAM strategy examples
Small organization strategy
For organizations with fewer than 50 users and centralized storage management, consider a simplified approach using Super admin and Super viewer roles.
Example: ABC Corporation (5-person team)
- Structure: Single organization with 3 projects (Production, Development, Backup)
- Roles:
  - 2 senior members: Super admin role for full administrative access
  - 3 team members: Super viewer role for monitoring without modification rights
- Agent strategy: Single agent associated with all projects for shared resource access
- Benefits: Simplified administration, reduced role complexity, suitable for teams requiring broad access
Multi-regional enterprise strategy
For large organizations with regional operations and specialized teams, implement a hierarchical approach with folders representing geographical or business unit boundaries.
Example: XYZ Corporation (multinational company)
- Structure: Organization > Regional folders (North America, Europe, Asia-Pacific) > Project folders per region
- Platform roles:
  - 1 Organization admin: Global oversight and policy management
  - 3 Folder or project admins: Regional control (one per region)
  - 1 Federation admin: Corporate identity provider integration
- Storage roles by region:
  - 9 Storage admins: Discover and manage storage systems in assigned regions
  - 2 Storage viewers: Monitor storage resources across regions
  - 1 System health specialist: Manage storage health without system modifications
- Data service roles:
  - Backup and Recovery admin: Per-project, based on backup responsibilities
  - Ransomware Resilience admin: Security team monitoring across projects
- Agent strategy: Regional agents associated with appropriate geographical projects
- Benefits: Enhanced security through role segregation, regional autonomy, and compliance with local regulations
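The role inheritance described under Members and roles, applied to the multi-regional layout above, as an added example in Python (this is not NetApp's code or API; the folder, project, member and resource names are made up). It resolves which roles a member effectively holds on a resource through the project the resource is associated with, and shows that a folder-level admin for one region gets nothing in another region and that an unassociated resource is reachable by no one.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """An organization, folder or project; bindings are (member, role) pairs."""
    name: str
    parent: "Node | None" = None
    bindings: list = field(default_factory=list)

    def ancestors(self):
        """Yield this node, then its parents up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def grant(node, member, role):
    """Bind a role to a member at the organization, a folder or a project."""
    node.bindings.append((member, role))


def effective_roles(member, resource, associations):
    """Roles a member holds on a resource via the project it is associated with.

    A role bound at a folder or at the organization is inherited by every
    project beneath it; a resource associated with no project is reachable
    by nobody, whatever roles the member holds.
    """
    project = associations.get(resource)
    if project is None:
        return set()
    return {r for n in project.ancestors() for m, r in n.bindings if m == member}


# Constructed sample mirroring the multi-regional layout (all names are made up)
org = Node("XYZ Corporation")
na = Node("North America", org)
eu = Node("Europe", org)
na_prod = Node("NA-Production", na)
eu_prod = Node("EU-Production", eu)
# resource -> project it is associated with; "ontap-new" has not been added yet
associations = {"ontap-na-01": na_prod, "ontap-eu-01": eu_prod, "ontap-new": None}

grant(org, "global-admin", "Organization admin")          # organization-wide
grant(eu, "eu-admin", "Folder or project admin")          # Europe folder only
grant(na_prod, "na-storage", "Storage admin")             # one NA project only

if __name__ == "__main__":
    for member in ("global-admin", "eu-admin", "na-storage"):
        for res in associations:
            print(member, res, sorted(effective_roles(member, res, associations)))
```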
Departmental specialization strategy
For organizations with specialized teams requiring specific data service access, use targeted role assignments based on functional responsibilities.
Example: TechCorp (mid-size technology company)
- Structure: Organization > Department folders (IT, Security, Development) > Project-specific resources
- Specialized roles:
  - Security team: Ransomware Resilience admin and Classification viewer roles
  - Backup team: Backup and Recovery super admin for comprehensive backup operations
  - Development team: Storage admin for test environment management
  - Compliance team: Operation support analyst for monitoring and support case management
- Agent strategy: Agents linked to departmental projects based on resource ownership
- Benefits: Tailored access control, improved operational efficiency, and clear accountability for specialized tasks