Learn about NetApp Console access roles

10/03/2025 Contributors

Identity and access management (IAM) in the NetApp Console provides predefined roles that you can assign to the members of your organization across different levels of your resource hierarchy. Before you assign these roles, you should understand the permissions that each role includes. Roles fall into the following categories: platform, application, and data service.

Platform roles

Platform roles grant NetApp Console administration permissions, including role assignment and user management. The Console has several platform roles.

Platform role	Responsibilities
Organization admin	Allows a user unrestricted access to all projects and folders within an organization, add members to any project or folder, as well as perform any task and use any data service that does not have an explicit role associated with it. Users with this role manage your organization by creating folders and projects, assigning roles, adding users, and managing systems if they have the proper credentials. This is the only access role that can create Console agents.
Folder or project admin	Allows a user unrestricted access to assigned projects and folders. Can add members to folders or projects they manage, as well as perform any task and use any data service or application on resources within the folder or project they are assigned. Folder or project admins cannot create Console agents.
Federation admin	Allows a user to create and manage federations with the Console, which enables single-sign on (SSO).
Federation viewer	Allows a user to view existing federations with the Console. Cannot create or manage federations.
Partnership admin	Allows a user to create and manage partnerships.
Partnership viewer	Allows a user to view existing partnerships. Cannot create or manage partnerships.
Super admin	Gives the user a subset of admin roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users.
Super viewer	Gives the user a subset viewer roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users.

Platform role

Responsibilities

Organization admin

Allows a user unrestricted access to all projects and folders within an organization, add members to any project or folder, as well as perform any task and use any data service that does not have an explicit role associated with it.

Users with this role manage your organization by creating folders and projects, assigning roles, adding users, and managing systems if they have the proper credentials.

This is the only access role that can create Console agents.

Folder or project admin

Allows a user unrestricted access to assigned projects and folders. Can add members to folders or projects they manage, as well as perform any task and use any data service or application on resources within the folder or project they are assigned.

Folder or project admins cannot create Console agents.

Federation admin

Allows a user to create and manage federations with the Console, which enables single-sign on (SSO).

Federation viewer

Allows a user to view existing federations with the Console. Cannot create or manage federations.

Partnership admin

Allows a user to create and manage partnerships.

Partnership viewer

Allows a user to view existing partnerships. Cannot create or manage partnerships.

Super admin

Gives the user a subset of admin roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users.

Super viewer

Gives the user a subset viewer roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users.

Application roles

The following is a list of roles in the application category. Each role grants specific permissions within its designated scope. Users without the required application or platform role cannot access the respective application.

Application role	Responsibilities
Google Cloud NetApp Volumes admin	Users with the Google Cloud NetApp Volumes role can discover and manage Google Cloud NetApp Volumes.
Keystone admin	Users with the Keystone admin role can create service requests. Allows users to monitor and view usage, resources, and admin details within the Keystone tenant they are accessing.
Keystone viewer	Users with the Keystone viewer role CANNOT create service requests. Allows users to monitor and view consumption, assets, and administrative information within the Keystone tenant they are accessing.
ONTAP Mediator setup role	Service accounts with the ONTAP Mediator setup role can create service requests. This role is required in a service account to configure an instance of the ONTAP Cloud Mediator.
Operation support analyst	Provides access to alerts and monitoring tools and ability to enter and manage support cases.
Storage admin	Administer storage health and governance functions, discover storage resources, as well as modify and delete existing systems.
Storage viewer	View storage health and governance functions, as well as view previously discovered storage resources. Cannot discover, modify, or delete existing storage systems.
System health specialist	Administer storage and health and governance functions, all permissions of the Storage admin except cannot modify or delete existing systems.

Application role

Responsibilities

Google Cloud NetApp Volumes admin

Users with the Google Cloud NetApp Volumes role can discover and manage Google Cloud NetApp Volumes.

Keystone admin

Users with the Keystone admin role can create service requests. Allows users to monitor and view usage, resources, and admin details within the Keystone tenant they are accessing.

Keystone viewer

Users with the Keystone viewer role CANNOT create service requests. Allows users to monitor and view consumption, assets, and administrative information within the Keystone tenant they are accessing.

ONTAP Mediator setup role

Service accounts with the ONTAP Mediator setup role can create service requests. This role is required in a service account to configure an instance of the ONTAP Cloud Mediator.

Operation support analyst

Provides access to alerts and monitoring tools and ability to enter and manage support cases.

Storage admin

Administer storage health and governance functions, discover storage resources, as well as modify and delete existing systems.

Storage viewer

View storage health and governance functions, as well as view previously discovered storage resources. Cannot discover, modify, or delete existing storage systems.

System health specialist

Administer storage and health and governance functions, all permissions of the Storage admin except cannot modify or delete existing systems.

Data service roles

The following is a list of roles in the data service category. Each role grants specific permissions within its designated scope. Users who do not have the required data service role or a platform role will be unable to access the data service.

Data service role	Responsibilities
Backup and Recovery super admin	Perform any actions in NetApp Backup and Recovery.
Backup and Recovery admin	Perform backups to local snapshots, replicate to secondary storage, and back up to object storage.
Backup and Recovery restore admin	Restore workloads in the Backup and Recovery.
Backup and Recovery clone admin	Clone applications and data in the Backup and Recovery.
Backup and Recovery viewer	View Backup and Recovery information.
Disaster Recovery admin	Perform any actions in NetApp Disaster Recovery service.
Disaster Recovery failover admin	Perform failover and migrations.
Disaster Recovery application admin	Create replication plans, change replication plans, and start test failovers.
Disaster Recovery viewer	View information only.
Classification viewer	Allows users to view NetApp Data Classification scan results. Users with this role can view compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas. Classification does not have a viewer role.
Ransomware Resilience admin	Manage actions on the Protect, Alerts, Recover, Settings, and Reports tabs of NetApp Ransomware Resilience.
Ransomware Resilience viewer	View workload data, view alert data, download recovery data, and download reports in Ransomware Resilience.
Ransomware Resilience user behavior admin	Configure, manage, and view suspicious user behavior detection, alerts, and monitoring in Ransomware Resilience.
Ransomware Resilience user behavior viewer	View suspicious user behavior alerts and insights in Ransomware Resilience.
SnapCenter admin	Provides the ability to back up snapshots from on-premises ONTAP clusters using NetApp Backup and Recovery for applications. A member who has this role can complete the following actions: * Complete any action from Backup and Recovery > Applications * Manage all systems in the projects and folders for which they have permissions * Use all NetApp Console services SnapCenter does not have a viewer role.

Data service role

Responsibilities

Backup and Recovery super admin

Perform any actions in NetApp Backup and Recovery.

Backup and Recovery admin

Perform backups to local snapshots, replicate to secondary storage, and back up to object storage.

Backup and Recovery restore admin

Restore workloads in the Backup and Recovery.

Backup and Recovery clone admin

Clone applications and data in the Backup and Recovery.

Backup and Recovery viewer

View Backup and Recovery information.

Disaster Recovery admin

Perform any actions in NetApp Disaster Recovery service.

Disaster Recovery failover admin

Perform failover and migrations.

Disaster Recovery application admin

Create replication plans, change replication plans, and start test failovers.

Disaster Recovery viewer

View information only.

Classification viewer

Allows users to view NetApp Data Classification scan results.

Users with this role can view compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas. Classification does not have a viewer role.

Ransomware Resilience admin

Manage actions on the Protect, Alerts, Recover, Settings, and Reports tabs of NetApp Ransomware Resilience.

Ransomware Resilience viewer

View workload data, view alert data, download recovery data, and download reports in Ransomware Resilience.

Ransomware Resilience user behavior admin

Configure, manage, and view suspicious user behavior detection, alerts, and monitoring in Ransomware Resilience.

Ransomware Resilience user behavior viewer

View suspicious user behavior alerts and insights in Ransomware Resilience.

SnapCenter admin

Provides the ability to back up snapshots from on-premises ONTAP clusters using NetApp Backup and Recovery for applications. A member who has this role can complete the following actions:

* Complete any action from Backup and Recovery > Applications
* Manage all systems in the projects and folders for which they have permissions
* Use all NetApp Console services

SnapCenter does not have a viewer role.

Learn about NetApp Console access roles

Creating your file...

Platform roles

Application roles

Data service roles

Related links