Create a user with a role

Contributors dmp-netapp

You can use the workflow described below to create a user with an associated REST role. Before reviewing the workflow, you should be familiar with the general preparation steps.

Prepare to create an ONTAP user with an assigned role

Before creating a role and assigning it to an ONTAP user account, you should first prepare by reviewing the major security requirements and options.

What ONTAP release are you using?

The ONTAP release determines what REST endpoints and RBAC features are available.

Identify the protected resources and scope

You need to identify the resources or commands to be protected and the scope (cluster or SVM).

What access should the user have?

After identifying the resources and scope, you need to determine the access level to be granted.

How will the users access ONTAP?

The user can access ONTAP through the REST API or CLI or both.

Is one of the built-in roles sufficient or is a custom role needed?

It is more convenient to use an existing built-in role, but you can create a new custom role if needed.

What type of role is needed?

Based on the security requirements and the ONTAP access, you need to choose whether to create a REST or traditional role.

Create a user with a custom role

The workflow described below includes the typical steps needed to create a custom REST role and associate it with a new user account. Both the user and role have an SVM scope and are associated with a specific data SVM.

Note: The workflow is meant to illustrate the complete process. Some of the steps may be optional or need to change based on your environment.

1. List the data SVMs in the cluster

Perform the following REST API call to list the SVMs in the cluster. The UUID and name of each SVM is provided in the output.

HTTP method: GET
Path: /api/svm/svms

curl example
curl --location -i --request GET 'https://10.222.81.101/api/svm/svms?order_by=name' -u admin:password -k --header 'Accept: */*'
After you finish

Select the desired SVM from the list where you will create the new user and role.

2. List the users defined to the SVM

Perform the following REST API call to list the users defined in the SVM you selected. You can identify the SVM through the owner parameter.

HTTP method: GET
Path: /api/security/accounts

curl example
curl --location -i --request GET 'https://10.222.81.101/api/security/accounts/?owner.name=dmp' -u admin:password -k --header 'Accept: */*'
After you finish

Based on the users already defined in the SVM, choose a unique name for the new user.

3. List the REST roles defined to the SVM

Perform the following REST API call to list the roles defined in the SVM you selected. You can identify the SVM through the owner parameter.

HTTP method: GET
Path: /api/security/roles

curl example
curl --location -i --request GET 'https://10.222.81.101/api/security/roles/?owner.name=dmp' -u admin:password -k --header 'Accept: */*'
After you finish

Based on the roles already defined in the SVM, choose a unique name for the new role.

4. Create a custom REST role

Perform the following REST API call to create a custom REST role in the SVM. The role initially has only one privilege, which sets the default access for /api to none so that all access is denied until further privileges are added.

HTTP method: POST
Path: /api/security/roles

JSON input example
{
  "name": "dprole1",
  "owner": {
    "name": "dmp",
    "uuid": "752d96be-f17c-11ec-9d19-005056bbad91"
  },
  "privileges": [
      {"path": "/api", "access": "none"}
  ]
}
curl example
curl --location -i --request POST 'https://10.222.81.101/api/security/roles' --data @JSONinput -u admin:password -k --header 'Accept: */*'
After you finish

Optionally perform step 3 again to display the new role. You can also display the roles at the ONTAP CLI.

5. Update the role by adding more privileges

Perform the following REST API call to modify the role by adding privileges as needed.

HTTP method: POST
Path: /api/security/roles/{owner.uuid}/{name}/privileges

JSON input example
{
  "path": "/api/storage/volumes",
  "access": "readonly"
}
curl example
curl --location -i --request POST 'https://10.222.81.101/api/security/roles/752d96be-f17c-11ec-9d19-005056bbad91/dprole1/privileges' --data @JSONinput -u admin:password -k --header 'Accept: */*'
After you finish

Optionally perform step 3 again to display the updated role. You can also display the roles at the ONTAP CLI.

6. Create a user

Perform the following REST API call to create a user account. The role dprole1 created above is associated with the new user.

Tip: You can create the user without a role. In this case you'll need to modify the user later to assign a role.

HTTP method: POST
Path: /api/security/accounts

JSON input example
{
  "owner": {"uuid":"daf84055-248f-11ed-a23d-005056ac4fe6"},
  "name": "david",
  "applications": [
      {"application":"ssh",
       "authentication_methods":["password"],
       "second_authentication_method":"none"}
  ],
  "role":"dprole1",
  "password":"netapp123"
}
curl example
curl --location -i --request POST 'https://10.222.81.101/api/security/accounts' --data @JSONinput -u admin:password -k --header 'Accept: */*'
After you finish

You can sign in to the SVM management interface using the credentials for the new user.
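Steps 1 through 6 above driven from a single function, added here as an example and not code from the NetApp page: the SVM is resolved by name, duplicate user and role names are refused before anything is created, the role starts from the deny-all default on /api, and only then are privileges and the account added. The transport is injectable so the logic can be exercised offline; the environment variable names (ONTAP_URL, ONTAP_USER, ONTAP_PASS, NEW_USER_PASS) are assumptions, and the SVM, role and user names are the page's sample values.

```python
"""Added example, not from the NetApp page: steps 1-6 above driven from one function.
`send(method, path, body)` is the transport; the stdlib one below is real, while the
environment variable names and test UUIDs are assumptions / sample values."""
import base64, json, os, urllib.request


def http_send(base_url, user, password):
    """HTTPS transport using only the standard library. TLS verification stays on;
    set SSL_CERT_FILE to the cluster CA instead of disabling checks as curl -k does."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers={
            "Accept": "*/*", "Content-Type": "application/json", "Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def create_user_with_role(send, svm_name, role_name, user_name, password, privileges):
    """Resolve the SVM (step 1), refuse duplicate user/role names (steps 2-3), create the
    role with the deny-all default on /api (step 4), add privileges (5), create the user (6)."""
    svms = send("GET", "/api/svm/svms?order_by=name")["records"]
    svm = next((s for s in svms if s["name"] == svm_name), None)
    if svm is None:
        raise LookupError(f"no data SVM named {svm_name}")
    owner = {"name": svm["name"], "uuid": svm["uuid"]}
    accounts = send("GET", f"/api/security/accounts/?owner.name={svm_name}")["records"]
    if any(a["name"] == user_name for a in accounts):
        raise ValueError(f"user {user_name} already exists in SVM {svm_name}")
    roles = send("GET", f"/api/security/roles/?owner.name={svm_name}")["records"]
    if any(r["name"] == role_name for r in roles):
        raise ValueError(f"role {role_name} already exists in SVM {svm_name}")
    # Start from deny-all so the role only ever grants what is added explicitly below.
    send("POST", "/api/security/roles", {"name": role_name, "owner": owner,
         "privileges": [{"path": "/api", "access": "none"}]})
    for path, access in privileges:
        send("POST", f"/api/security/roles/{svm['uuid']}/{role_name}/privileges",
             {"path": path, "access": access})
    send("POST", "/api/security/accounts", {
        "owner": {"uuid": svm["uuid"]}, "name": user_name, "role": role_name, "password": password,
        "applications": [{"application": "ssh", "authentication_methods": ["password"],
                          "second_authentication_method": "none"}]})
    return {"owner": owner, "role": role_name, "user": user_name}


if __name__ == "__main__":   # credentials come from the environment, not the command line
    transport = http_send(os.environ["ONTAP_URL"], os.environ["ONTAP_USER"], os.environ["ONTAP_PASS"])
    print(create_user_with_role(transport, "dmp", "dprole1", "david", os.environ["NEW_USER_PASS"],
                                [("/api/storage/volumes", "readonly")]))
```

Run it against a cluster by exporting the four variables; the `readonly` privilege on /api/storage/volumes is the same one step 5 adds, and any further (path, access) pairs are applied in order after the deny-all default.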