Skip to main content

security login rest-role create

Contributors
Suggest changes

Add a REST access control role

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The security login rest-role create command creates a Representational State Transfer (REST) access-control role. A REST access-control role consists of a role name and an Application Programming Interface (API) to which the role has access. It optionally includes an access level (none , readonly , read_create , read_modify , read_create_modify or all ) for the API. After you create a REST access-control role, you can apply it to a management-utility login account by using the security login modify or security login create commands.

Parameters

-vserver <vserver name> - Vserver

This optionally specifies the Vserver name associated with the REST role.

-role <text> - Role Name

This specifies the REST role that is to be created.

-api <text> - API Path

This specifies the API to which the REST role has access. This API can be a private CLI API or a resource-qualified endpoint. Currently, the only supported resource-qualified endpoints are the following:

  • Snapshots APIs

  • /api/storage/volumes/{volume.uuid}/snapshots

  • File System Analytics APIs

  • /api/storage/volumes/{volume.uuid}/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/clients

  • /api/storage/volumes/{volume.uuid}/top-metrics/directories

  • /api/storage/volumes/{volume.uuid}/top-metrics/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/users

  • /api/svm/svms/{svm.uuid}/top-metrics/clients

  • /api/svm/svms/{svm.uuid}/top-metrics/directories

  • /api/svm/svms/{svm.uuid}/top-metrics/files

  • /api/svm/svms/{svm.uuid}/top-metrics/users

  • Ontap S3 APIs

  • /api/protocols/s3/services/{svm.uuid}/users

In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs.

-access {none|readonly|read_create|read_modify|read_create_modify|all} - Access Level

This optionally specifies an access level for the REST role. Possible access level settings are none , readonly , read_create , read_modify , read_create_modify and all .

Examples

The following command creates a REST access-control role named admin for the vs1.example.com Vserver. This REST role has an access-level of all for the /api/storage/volumes API.

cluster1::> security login rest-role create -role admin -api "/api/storage/volumes" -access all -vserver vs1.example.com
cluster1::>

The following command creates a REST access-control role named rest_role1 for the cluster1.example.com administrative Vserver. This REST role has an access-level of read_create_modify for the /api/snapmirror/policies API.

cluster1::> security login rest-role create -role rest_role1 -api "/api/snapmirror/policies" -access read_create_modify -vserver cluster1.example.com
cluster1::>

The following command creates a REST access-control role named vs1_role for the vs1.example.com Vserver. This REST role has an access level of readonly for all snapshots on the volume with UUID f8a541b5-b68c-11ea-9581-005056bbabe6 . The volume UUID refers to the -instance-uuid field value in the volume show command output at diagnostic privilege level.

cluster1::> security login rest-role create -role vs1_role -api "/api/storage/volumes/f8a541b5-b68c-11ea-9581-005056bbabe6/snapshots" -access readonly -vserver vs1.example.com
Warning: Operating on an alias operates on the target of the specified alias:
           "volume snapshot"
cluster1::>

The following command creates a REST access-control role named vs2_role for the vs2.example.com Vserver. This REST role has an access level of readonly for all files on the volume with UUID 15d489b5-1d40-11ec-992e-005056bba268 .The volume UUID refers to the -instance-uuid field value in the volume show command output at diagnostic privilege level.

cluster1::> security login rest-role create -role vs2_role -api "/api/storage/volumes/15d489b5-1d40-11ec-992e-005056bba268/files" -access readonly -vserver vs2.example.com
cluster1::>

The following command creates a REST access-control role named vs3_role for the vs3.example.com Vserver. This REST role has an access level of read_create_modify for all top-metrics directories on the SVM with UUID 881764b5-9ea1-11ec-8771-005056bb1a7c .

cluster1::> security login rest-role create -role vs3_role -api "/api/svm/svms/881764b5-9ea1-11ec-8771-005056bb1a7c/top-metrics/directories" -access read_create_modify -vserver vs3.example.com
cluster1::>

The following command creates a REST access-control role named vs4_role for the vs4.example.com Vserver. This REST role has an access level of all for command directory cluster .

cluster1::> security login rest-role create -role vs4_role -api "/api/private/cli/cluster" -access all -vserver vs4.example.com
cluster1::>