NetApp Console setup and administration

Add members and service accounts to NetApp Console

Contributors netapp-tonias netapp-ahibbard

Within the Console, you can add users and service accounts to your organization and assign them one or more roles across your resource hierarchy. A role contains a set of permissions that enables a member (user or service account) to perform specific actions at a specific level of the resource hierarchy.

You need one of the following roles to manage users and permissions:

  • Organization admin

    Users with this role can manage all members

  • Folder or project admin

    Users with this role can manage members only of a designated folder or project

    A Folder or project admin can view all members on the Members page but can manage permissions only for the folders and projects they have access to. Learn more about the actions that a Folder or project admin can complete.

Add members to your organization

You can add two types of members to your organization: a user account and a service account. Applications use service accounts to perform API tasks without human intervention. A person typically uses a user account to log in and manage resources.

Users must sign up for the NetApp Console before you can add them to an organization or assign them a role. You create service accounts directly from the Console.

To manage users and their permissions, you must have the Organization admin role or the Folder or project admin role. Remember that users with the Folder or project admin role can only manage members for the folder or projects of which they have admin permissions.

Add a user account

Although users sign up for the NetApp Console on their own, they need to be explicitly added to an organization or to specific folders or projects to access resources in the Console.

Steps
  1. Direct the user to visit NetApp Console to sign up.

    Once users sign up, they complete the Sign up page, check their email, and log in. If the Console prompts users to create an organization, they close it and notify you of their account creation. You can then add the user to your existing organization.

  2. Select Administration > Identity and access.

  3. Select Members.

  4. Select Add a member.

  5. For Member Type, keep User selected.

  6. For User's email, enter the user's email address that is associated with the login that they created.

  7. Use the Select an organization, folder, or project section to choose the level of your resource hierarchy that the member should have permissions for.

    Note the following:

    • You can only select from the folders and projects for which you have permissions.

    • Selecting an organization or folder grants the member permissions to all its contents.

    • You can only assign the Organization admin role at the organization level.

  8. Select a category then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.

  9. Optional: Select an additional role or project. If you want to provide access to additional folders or projects within your organization or grant the user additional roles in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.

  10. Select Add.

    The Console sends the user an email with instructions.

Add a service account

You can automate tasks and integrate with Console APIs securely with service accounts. When you create a service account, choose between two authentication methods: using a client ID and secret, or using JWT (JSON Web Token) authentication. The client ID and secret method suits simple setups, while JWT authentication offers stronger security for automated or cloud-native environments. Choose the option that best fits your security needs and how you plan to use the Console.

If you want to use JWT authentication, have your public key or certificate ready to use.

Steps
  1. Select Administration > Identity and access.

  2. Select Members.

  3. Select Add a member.

  4. For Member Type, select Service account.

  5. Enter a name for the service account.

  6. If you want to use JWT authentication, select Use private key JWT authentication and upload your public RSA key or certificate. Skip this step if you want to use a client ID and secret instead.

    Your X.509 certificate must be in PEM, CRT, or CER format.

  7. Use the Select an organization, folder, or project section to choose the level of your resource hierarchy that the member should have permissions for.

    Note the following:

    • You can only select from the folders and projects for which you have permissions.

    • Selecting an organization or folder grants the member permissions to all its contents.

    • You can only assign the Organization admin role at the organization level.

  8. Select a Category then select a Role that provides the member with permissions for the resources that are associated with the organization, folder, or project that you selected.

  9. Optional: Select an additional role or project. If you want to provide access to additional folders or projects within your organization or grant the user additional roles in the selected area, select Add role, specify another folder or project or a different role category and then choose a role.

  10. If you didn't choose to use JWT authentication, download or copy the client ID and client secret.
    The Console shows the client secret only once. Copy it securely; you can recreate it later if needed.

  11. If you chose JWT authentication, download or copy the client ID and JWT audience. This information is shown only once and cannot be retrieved later.

  12. Select Close.
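The following added example (not NetApp code) shows the key material behind the JWT option: it creates an RSA key pair, wraps the public key in a self-signed PEM certificate of the kind step 6 asks you to upload, and signs a short-lived client assertion that can be checked with that certificate alone. It assumes the Python `cryptography` package and an RFC 7523 style claim set; the claims the Console actually requires are not stated on this page, and the client ID and audience passed in are placeholders for the values shown in step 11.

```python
import base64, json, time, uuid
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_keypair_and_cert(common_name):
    """Return (private_key, certificate_pem). Only the PEM leaves your environment."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=90))
            .sign(key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.PEM)

def build_assertion(key, client_id, audience, ttl=300):
    """Sign an RS256 client assertion; claim names follow RFC 7523 (assumed)."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    sig = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def verify_assertion(token, cert_pem):
    """Signature check using only the uploaded certificate (exp/aud checks omitted)."""
    signing_input, _, sig_b64 = token.rpartition(".")
    sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(sig, signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

Unlike a client secret, the private key never has to be copied out of the system that signs the assertions, so keep it in a secrets manager or HSM rather than alongside the uploaded certificate.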

View organization members

To understand which resources and permissions are available to a member, you can view the roles assigned to the member at different levels of your organization's resource hierarchy. Learn how to use roles to control access to Console resources.

You can view both user accounts and service accounts from the Members page.

Note: You can also view all of the members associated with a specific folder or project. Learn more.
Steps
  1. Select Administration > Identity and access.

  2. Select Members.

    The Members table lists the members of your organization.

  3. From the Members page, navigate to a member in the table, select the icon with three side-by-side dots, and then select View details.
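When reviewing what View details shows across many members, it helps to expand each role assignment into the resources it actually reaches. This added example (not NetApp code) applies the two rules stated in the procedures above: a role on an organization or folder covers all its contents, and Organization admin is valid only at the organization level. The hierarchy, member names, and record layout are constructed for illustration and are not a Console export format.

```python
from collections import defaultdict

# Constructed hierarchy: resource -> parent (None marks the organization).
PARENT = {"org": None, "folder-prod": "org", "folder-dev": "org",
          "proj-billing": "folder-prod", "proj-sandbox": "folder-dev"}

# Constructed role assignments (hypothetical record layout).
ASSIGNMENTS = [
    {"member": "alice@example.com", "type": "user", "role": "Organization admin", "scope": "org"},
    {"member": "ci-deployer", "type": "service", "role": "Folder or project admin", "scope": "folder-prod"},
    {"member": "backup-bot", "type": "service", "role": "Organization admin", "scope": "org"},
    {"member": "bob@example.com", "type": "user", "role": "Folder or project admin", "scope": "proj-sandbox"},
    {"member": "carol@example.com", "type": "user", "role": "Organization admin", "scope": "folder-dev"},
]

def covered(scope):
    """The scope plus everything beneath it in the hierarchy."""
    out, frontier = {scope}, [scope]
    while frontier:
        node = frontier.pop()
        for child, parent in PARENT.items():
            if parent == node and child not in out:
                out.add(child)
                frontier.append(child)
    return out

def effective_access(assignments):
    """member -> resource -> roles, after expanding inherited grants."""
    access = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        for resource in covered(a["scope"]):
            access[a["member"]][resource].add(a["role"])
    return access

def review(assignments):
    """Flag assignments worth a second look during an access review."""
    findings = []
    for a in assignments:
        at_org_level = PARENT.get(a["scope"], "unknown") is None
        if a["role"] == "Organization admin" and not at_org_level:
            findings.append((a["member"], "Organization admin below organization level"))
        if a["type"] == "service" and at_org_level:
            findings.append((a["member"], "service account holds an organization-wide role"))
    return findings
```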

Remove a member from your organization

You might need to remove a member from your organization, for example, if they leave your company.

The system removes the member's permissions but keeps their Console and NetApp Support Site accounts.

Steps
  1. From the Members page, navigate to a member in the table, select the icon with three side-by-side dots, and then select Delete user.

  2. Confirm that you want to remove the member from your organization.

Recreate the credentials for a service account

Create new credentials if you lose them or need to update them.

When you recreate the credentials, you delete the existing credentials for the service account and create new ones. You cannot use the previous credentials.

Steps
  1. Select Administration > Identity and access.

  2. Select Members.

  3. In the Members table, navigate to a service account, select the icon with three side-by-side dots, and then select Recreate secrets.

  4. Select Recreate.

  5. Download or copy the client ID and client secret.
    The client secret displays only once. Copy or download it and store it securely.

Manage a user's multi-factor authentication (MFA)

If a user loses access to their MFA device, you can either remove or disable their MFA configuration.

Users must reconfigure MFA at login after removal. If the user has only lost access to their MFA device temporarily, they can use the recovery code that they saved when they set up MFA to log in.

If they do not have their recovery code, temporarily disable MFA to allow login. When you disable MFA for a user, it is disabled for only eight hours and then re-enabled automatically. The user is allowed one login during that time without MFA. After the eight hours, the user must use MFA to log in.

Note: To manage a user's multi-factor authentication, you must have an email address in the same domain as the affected user.
Steps
  1. Select Administration > Identity and access.

  2. Select Members.

    The Members table lists the members of your organization.

  3. From the Members page, navigate to a member in the table, select the icon with three side-by-side dots, and then select Manage multi-factor authentication.

  4. Choose whether to remove or to disable the user's MFA configuration.