NetApp Console platform access roles
Assign platform roles to users to grant permissions to manage the NetApp Console, assign roles, add users, create Console agents, and manage federations.
XYZ Corporation organizes data storage access by region—North America, Europe, and Asia-Pacific—providing regional control with centralized oversight.
The Organization admin in XYZ Corporation's Console creates an initial organization and separate folders for each region. The Folder or project admin for each region organizes projects (with associated resources) within the region's folder.
Regional admins with the Folder or project admin role actively manage their folders by adding resources and users. These regional admins can also add, remove, or rename folders and projects they manage. The Organization admin inherits permissions for any new resources, maintaining visibility of storage usage across the entire organization.
Within the same organization, one user is assigned the Federation admin role to manage the federation of the organization with their corporate IdP. This user can add or remove federated organizations, but cannot manage users or resources within the organization. The Organization admin assigns a user the Federation viewer role to check federation status and view federated organizations.
The following tables indicate the actions that each Console platform role can perform.
Organization administration roles
Task | Organization admin | Folder or project admin |
---|---|---|
Create agents |
Yes |
No |
Create, modify or delete systems from the Console (add or discover systems) |
Yes |
Yes |
Create folders and projects, including deleting |
Yes |
No |
Rename existing folders and projects |
Yes |
Yes |
Assign roles and add users |
Yes |
Yes |
Associate resources with folders and projects |
Yes |
Yes |
Associate agents with folders and projects |
Yes |
No |
Remove agents from folders and projects |
Yes |
No |
Manage agents (edit certificates, settings, and so on) |
Yes |
No |
Manage credentials from Administration > Credentials |
Yes |
Yes |
Create, manage, and view federations |
Yes |
No |
Register for support and submit cases through the Console |
Yes |
Yes |
Use data services that are not associated with an explicit access role |
Yes |
Yes |
View the Audit page and notifications |
Yes |
Yes |
Federation roles
Task | Federation admin | Federation viewer |
---|---|---|
Create a federation |
Yes |
No |
Verify a domain |
Yes |
No |
Add a domain to a federation |
Yes |
No |
Disable and delete federations |
Yes |
No |
Test federations |
Yes |
No |
View federations and their details |
Yes |
Yes |
Partnership roles
Task | Partnership admin | Partnership viewer |
---|---|---|
Can create a partnership |
Yes |
No |
Assign roles to partner members |
Yes |
No |
Can add members to a partnership |
Yes |
No |
Can view organization partnership details |
Yes |
Yes |
Super admin and viewer roles
The Super admin role provides full access to manage Console features, storage, and data services. This role suits those overseeing administration and governance. In contrast, the Super viewer role offers read-only access, ideal for auditors or stakeholders who need visibility without making changes.
Organizations should use Super admin access sparingly to minimize security risks and align with the principle of least privilege. Most organizations should assign fine-grained roles with only the necessary permissions to reduce risk and improve auditability.
ABC Corporation has a small team of five that leverages the NetApp Console for data services and storage management. Instead of distributing multiple roles, they assign the Super admin role to two senior team members who handle all administrative tasks, including user management and resource configuration. The remaining three team members are assigned the Super viewer role, allowing them to monitor storage health and data service status without the ability to modify settings.
Role | Inherited roles |
---|---|
Super admin |
|
Super viewer |
|