NetApp Console setup and administration

NetApp Console access roles

Contributors netapp-ml94669 netapp-tonias netapp-ahibbard netapp-sineadd

Identity and access management (IAM) in the NetApp Console provides predefined roles that you can assign to the members of your organization across different levels of your resource hierarchy. Before you assign these roles, you should understand the permissions that each role includes. Roles fall into the following categories: platform, application, and data service. The tables also include each role’s API name for customers who manage role assignments using the API.

Platform roles

Platform roles grant NetApp Console administration permissions, including role assignment and user management. The Console has several platform roles.

*API name is the role identifier used in APIs. Copy the value exactly as shown (including capitalization and underscores).

| Platform role | API name* | Responsibilities |
| --- | --- | --- |
| Organization admin | ORGANIZATION_ADMIN | Allows a user unrestricted access to all projects and folders within an organization. Can add members to any project or folder, as well as perform any task and use any data service that does not have an explicit role associated with it. Users with this role manage your organization by creating folders and projects, assigning roles, adding users, and managing systems if they have the proper credentials. This is the only access role that can create Console agents. |
| Folder or project admin | FOLDER_OR_PROJECT_ADMIN | Allows a user unrestricted access to assigned projects and folders. Can add members to folders or projects they manage, as well as perform any task and use any data service or application on resources within the folder or project they are assigned. Folder or project admins cannot create Console agents. |
| Federation admin | FEDERATION_ADMIN | Allows a user to create and manage federations with the Console, which enables single sign-on (SSO). |
| Federation viewer | FEDERATION_VIEWER | Allows a user to view existing federations with the Console. Cannot create or manage federations. |
| Partnership admin | PARTNERSHIP_ADMIN | Allows a user to create and manage partnerships. |
| Partnership viewer | PARTNERSHIP_VIEWER | Allows a user to view existing partnerships. Cannot create or manage partnerships. |
| Super admin | SUPER_ADMIN | Gives the user a subset of admin roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users. |
| Super viewer | SUPER_VIEWER | Gives the user a subset of viewer roles. This role is designed for smaller organizations that may not need to distribute Console responsibilities across multiple users. |

Application roles

The following is a list of roles in the application category. Each role grants specific permissions within its designated scope. Users without the required application or platform role cannot access the respective application.

| Application role | API name* | Responsibilities |
| --- | --- | --- |
| Google Cloud NetApp Volumes admin | GCNV_ADMIN | Users with the Google Cloud NetApp Volumes role can discover and manage Google Cloud NetApp Volumes. |
| Google Cloud NetApp Volumes viewer | GCNV_VIEWER | Users with the Google Cloud NetApp Volumes user role can view Google Cloud NetApp Volumes. |
| Keystone admin | KEYSTONE_ADMIN | Users with the Keystone admin role can create service requests. Allows users to monitor and view usage, resources, and admin details within the Keystone tenant they are accessing. |
| Keystone viewer | KEYSTONE_VIEWER | Users with the Keystone viewer role CANNOT create service requests. Allows users to monitor and view consumption, assets, and administrative information within the Keystone tenant they are accessing. |
| License and subscription admin | | Users with the License and subscription admin role can create, update, and delete direct licenses and marketplace subscriptions for the NetApp Console and affiliated data services. |
| License and subscription viewer | | Users with the License and subscription viewer role can view direct licenses and marketplace subscriptions for the NetApp Console and affiliated data services. |
| ONTAP Mediator setup role | ONTAP_MEDIATOR_SETUP | Service accounts with the ONTAP Mediator setup role can create service requests. This role is required in a service account to configure an instance of the ONTAP Cloud Mediator. |
| Operations support analyst | OPERATIONS_SUPPORT_ANALYST | Provides access to alerts and monitoring tools, and the ability to enter and manage support cases. |
| Storage admin | STORAGE_ADMIN | Administer storage health and governance functions, discover storage resources, as well as modify and delete existing systems. |
| Storage viewer | STORAGE_VIEWER | View storage health and governance functions, as well as view previously discovered storage resources. Cannot discover, modify, or delete existing storage systems. |
| System health specialist | SYSTEM_HEALTH_SPECIALIST | Administer storage and health and governance functions. Has all permissions of the Storage admin, except that this role cannot modify or delete existing systems. |

Data service roles

The following is a list of roles in the data service category. Each role grants specific permissions within its designated scope. Users who do not have the required data service role or a platform role will be unable to access the data service.

| Data service role | API name* | Responsibilities |
| --- | --- | --- |
| Backup and Recovery super admin | BACKUP_SUPER_ADMIN | Perform any actions in NetApp Backup and Recovery. |
| Backup and Recovery admin | BACKUP_ADMIN | Perform backups to local snapshots, replicate to secondary storage, and back up to object storage. |
| Backup and Recovery restore admin | RESTORE_ADMIN | Restore workloads in Backup and Recovery. |
| Backup and Recovery clone admin | CLONE_ADMIN | Clone applications and data in Backup and Recovery. |
| Backup and Recovery viewer | BACKUP_VIEWER | View Backup and Recovery information. |
| Disaster Recovery admin | DISASTER_RECOVERY_ADMIN | Perform any actions in NetApp Disaster Recovery service. |
| Disaster Recovery failover admin | DISASTER_RECOVERY_FAILOVER_ADMIN | Perform failover and migrations. |
| Disaster Recovery application admin | DISASTER_RECOVERY_APPLICATION_ADMIN | Create replication plans, change replication plans, and start test failovers. |
| Disaster Recovery viewer | DISASTER_RECOVERY_VIEWER | View information only. |
| Compliance admin | | Required for installing Data Classification and for associating organization-level permissions in Data Classification. |
| Classification viewer | CLASSIFICATION_VIEWER | Allows users to view NetApp Data Classification scan results. Users with this role can view compliance information and generate reports for resources that they have permission to access. These users can't enable or disable scanning of volumes, buckets, or database schemas. |
| Ransomware Resilience admin | RANSOMWARE_PROTECTION_ADMIN | Manage actions on the Protect, Alerts, Recover, Settings, and Reports tabs of NetApp Ransomware Resilience. |
| Ransomware Resilience viewer | RANSOMWARE_PROTECTION_VIEWER | View workload data, view alert data, download recovery data, and download reports in Ransomware Resilience. |
| Ransomware Resilience user behavior admin | RANSOMWARE_RESILIENCE_USER_BEHAVIOR_ADMIN | Configure, manage, and view suspicious user behavior detection, alerts, and monitoring in Ransomware Resilience. |
| Ransomware Resilience user behavior viewer | RANSOMWARE_RESILIENCE_USER_BEHAVIOR_VIEWER | View suspicious user behavior alerts and insights in Ransomware Resilience. |
| SnapCenter admin | SNAPCENTER_ADMIN | Provides the ability to back up snapshots from on-premises ONTAP clusters using NetApp Backup and Recovery for applications. A member who has this role can complete the following actions: complete any action from Backup and Recovery > Applications; manage all systems in the projects and folders for which they have permissions; use all NetApp Console services. |

SnapCenter does not have a viewer role.