Overview of RBAC security

Contributors dmp-netapp

ONTAP includes a robust and extensible role-based access control (RBAC) capability. You can assign each account a different role to control the user’s access to the resources exposed through the REST API and CLI. The roles define different levels of administrative access for the various ONTAP users.

Note The ONTAP RBAC capability has continued to expand and was significantly enhanced with ONTAP 9.11.1. See Summary of RBAC evolution and What’s new with the ONTAP REST API and automation for more information.

ONTAP roles

A role is a set of privileges that collectively define what actions the user can take. Each privilege identifies a specific access path and the associated access level. Roles are assigned to user accounts and applied by ONTAP when making access control decisions.

Types of roles

There are two types of roles. They were introduced and tailored to different environments as ONTAP has evolved.

Note There are advantages and disadvantages when using each type of role. See Comparing the role types for more information.
Type Description

REST

The REST roles were introduced with ONTAP 9.6 and are generally applied to users accessing ONTAP through the REST API. Creating a REST role automatically creates a traditional mapping role.

Traditional

These are the legacy roles included prior to ONTAP 9.6. They were introduced for the ONTAP CLI environment and continue to be fundamental to RBAC security.

Scope

Every role has a scope or context within which it is defined and applied. The scope determines where and how a specific role is used.

Note ONTAP user accounts also have a similar scope that determines how a user is defined and used.
Scope Description

Cluster

Roles with a cluster scope are defined at the ONTAP cluster level. They are associated with cluster-level user accounts.

SVM

Roles with an SVM scope are defined for a specific data SVM. They are assigned to user accounts in the same SVM.

Source of the role definitions

There are two ways an ONTAP role can be defined.

Role source Description

Custom

The ONTAP administrator can create custom roles. These roles can be tailored to a specific environment and security requirements.

Built-in

While custom roles provide more flexibility, there is also a set of built-in roles available at both the cluster and SVM level. These roles are pre-defined and can be used for many common administrative tasks.

Role mapping and ONTAP processing

Depending on the ONTAP release you are using, all or nearly all the REST API calls map to one or more CLI commands. When you create a REST role, a traditional or legacy role is also created. This mapped traditional role is based on the corresponding CLI commands and cannot be manipulated or changed.

Note Reverse role mapping is not supported. That is, creating a traditional role does not create a corresponding REST role.

Summary of RBAC evolution

The traditional roles are included with all ONTAP 9 releases. The REST roles were introduced later and have evolved as described below.

ONTAP 9.6

The REST API was introduced with ONTAP 9.6. The REST roles were included with this release as well. Also, when you create a REST role, a corresponding traditional role is also created.

ONTAP 9.7 through 9.10.1

Each ONTAP release from 9.7 through 9.10.1 includes enhancements to the REST API. For example, additional REST endpoints have been added with each release. However, the creation and management of the two roles types remained separate. Also, ONTAP 9.10.1 added REST RBAC support for the snapshots REST endpoint /api/storage/volumes/{vol.uuid}/snapshots which is a resource-qualified endpoint.

ONTAP 9.11.1

The ability to configure and manage traditional roles using the REST API was added with this release. Additional access levels for the REST roles were also added.