Overview of RBAC security
Suggest changes
PDFs
ONTAP includes a robust and extensible role-based access control (RBAC) capability. You can assign each account a different role to control the user's access to the resources exposed through the REST API and CLI. The roles define different levels of administrative access for the various ONTAP users.
|
The ONTAP RBAC capability has continued to expand and was significantly enhanced with ONTAP 9.11.1 (and subsequent releases). See Summary of RBAC evolution and What’s new with the ONTAP REST API for more information. |
ONTAP roles
A role is a set of privileges that collectively define what actions the user can take. Each privilege identifies a specific access path and the associated access level. Roles are assigned to user accounts and applied by ONTAP when making access control decisions.
Types of roles
There are two types of roles. They were introduced and tailored to different environments as ONTAP has evolved.
|
|
There are advantages and disadvantages when using each type of role. See Comparing the role types for more information. |
| Type | Description |
|---|---|
REST |
The REST roles were introduced with ONTAP 9.6 and are generally applied to users accessing ONTAP through the REST API. Creating a REST role automatically creates a traditional mapping role. |
Traditional |
These are the legacy roles included prior to ONTAP 9.6. They were introduced for the ONTAP CLI environment and continue to be fundamental to RBAC security. |
Scope
Every role has a scope or context within which it is defined and applied. The scope determines where and how a specific role is used.
|
|
ONTAP user accounts also have a similar scope that determines how a user is defined and used. |
| Scope | Description |
|---|---|
Cluster |
Roles with a cluster scope are defined at the ONTAP cluster level. They are associated with cluster-level user accounts. |
SVM |
Roles with an SVM scope are defined for a specific data SVM. They are assigned to user accounts in the same SVM. |
Source of the role definitions
There are two ways an ONTAP role can be defined.
| Role source | Description |
|---|---|
Custom |
The ONTAP administrator can create custom roles. These roles can be tailored to a specific environment and security requirements. |
Built-in |
While custom roles provide more flexibility, there is also a set of built-in roles available at both the cluster and SVM level. These roles are pre-defined and can be used for many common administrative tasks. |
Role mapping and ONTAP processing
Depending on the ONTAP release you are using, all or nearly all the REST API calls map to one or more CLI commands. When you create a REST role, a traditional or legacy role is also created. This mapped traditional role is based on the corresponding CLI commands and cannot be manipulated or changed.
|
|
Reverse role mapping is not supported. That is, creating a traditional role does not create a corresponding REST role. |
Summary of RBAC evolution
The traditional roles are included with all ONTAP 9 releases. The REST roles were introduced later and have evolved as described below.
The REST API was introduced with ONTAP 9.6. The REST roles were included with this release as well. Also, when you create a REST role, a corresponding traditional role is also created.
Each ONTAP release from 9.7 through 9.10.1 includes enhancements to the REST API. For example, additional REST endpoints have been added with each release. However, the creation and management of the two roles types remained separate. Also, ONTAP 9.10.1 added REST RBAC support for the snapshots REST endpoint /api/storage/volumes/{vol.uuid}/snapshots which is a resource-qualified endpoint.
The ability to configure and manage traditional roles using the REST API was added with this release. Additional access levels for the REST roles were also added.