Security using RBAC

Contributors dmp-netapp

The REST API expands the role-based access control (RBAC) capabilities when using ONTAP. You can create user accounts with custom roles to restrict access to the REST endpoints.

Creating roles for the REST endpoints

A REST role is defined through a set of one or more privileges. Each privilege consists of a path to a REST endpoint and the associated access level. Access to each endpoint is provided in one of three levels and determines the HTTP methods that can be used against the resource. The access levels include:

  • All

    All HTTP methods can be used

  • Read-only

    Only GET can be used

  • None

    No access is allowed

Here is an example of two privileges that can be assigned to a REST role:

  • access="readonly", path="/api/storage/volumes"

  • access="none", path="/api/snapmirror/policies"

Creating a user account with a custom role

At a high level, you can create an account with a custom REST role as follows:

  1. Create a user account with access to the HTTP management protocol.

  2. Create a REST role with the desired privileges.

  3. Associate the user account with the role.