security login rest-role create
Add a REST access control role
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The security login rest-role create command creates a Representational State Transfer (REST) access-control role. A REST access-control role consists of a role name and an Application Programming Interface (API) to which the role has access. It optionally includes an access level (none, readonly, read_create, read_modify, read_create_modify or all) for the API. After you create a REST access-control role, you can apply it to a management-utility login account by using the security login modify or security login create commands.
Parameters
-vserver <vserver name> - Vserver
This optionally specifies the Vserver name associated with the REST role.
-role <text> - Role Name
This specifies the REST role that is to be created.
-api <text> - API Path
This specifies the API to which the REST role has access. This API can be a private CLI API or a resource-qualified endpoint. Currently, the only supported resource-qualified endpoints are the following:
- Snapshots APIs
  - /api/storage/volumes/{volume.uuid}/snapshots
- File System Analytics APIs
  - /api/storage/volumes/{volume.uuid}/files
  - /api/storage/volumes/{volume.uuid}/top-metrics/clients
  - /api/storage/volumes/{volume.uuid}/top-metrics/directories
  - /api/storage/volumes/{volume.uuid}/top-metrics/files
  - /api/storage/volumes/{volume.uuid}/top-metrics/users
  - /api/svm/svms/{svm.uuid}/top-metrics/clients
  - /api/svm/svms/{svm.uuid}/top-metrics/directories
  - /api/svm/svms/{svm.uuid}/top-metrics/files
  - /api/svm/svms/{svm.uuid}/top-metrics/users
- ONTAP S3 APIs
  - /api/protocols/s3/services/{svm.uuid}/users
In the above APIs, the wildcard character * can be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs.
-access {none|readonly|read_create|read_modify|read_create_modify|all} - Access Level
This optionally specifies an access level for the REST role. Possible access level settings are none, readonly, read_create, read_modify, read_create_modify and all.
Examples
The following command creates a REST access-control role named admin for the vs1.example.com Vserver. This REST role has an access-level of all for the /api/storage/volumes API.
cluster1::> security login rest-role create -role admin -api "/api/storage/volumes" -access all -vserver vs1.example.com
cluster1::>
The following command creates a REST access-control role named rest_role1 for the cluster1.example.com administrative Vserver. This REST role has an access-level of read_create_modify for the /api/snapmirror/policies API.
cluster1::> security login rest-role create -role rest_role1 -api "/api/snapmirror/policies" -access read_create_modify -vserver cluster1.example.com
cluster1::>
The following command creates a REST access-control role named vs1_role for the vs1.example.com Vserver. This REST role has an access level of readonly for all snapshots on the volume with UUID f8a541b5-b68c-11ea-9581-005056bbabe6. The volume UUID refers to the -instance-uuid field value in the volume show command output at diagnostic privilege level.
cluster1::> security login rest-role create -role vs1_role -api "/api/storage/volumes/f8a541b5-b68c-11ea-9581-005056bbabe6/snapshots" -access readonly -vserver vs1.example.com
Warning: Operating on an alias operates on the target of the specified alias: "volume snapshot"
cluster1::>
The following command creates a REST access-control role named vs2_role for the vs2.example.com Vserver. This REST role has an access level of readonly for all files on the volume with UUID 15d489b5-1d40-11ec-992e-005056bba268. The volume UUID refers to the -instance-uuid field value in the volume show command output at diagnostic privilege level.
cluster1::> security login rest-role create -role vs2_role -api "/api/storage/volumes/15d489b5-1d40-11ec-992e-005056bba268/files" -access readonly -vserver vs2.example.com
cluster1::>
The following command creates a REST access-control role named vs3_role for the vs3.example.com Vserver. This REST role has an access level of read_create_modify for all top-metrics directories on the SVM with UUID 881764b5-9ea1-11ec-8771-005056bb1a7c.
cluster1::> security login rest-role create -role vs3_role -api "/api/svm/svms/881764b5-9ea1-11ec-8771-005056bb1a7c/top-metrics/directories" -access read_create_modify -vserver vs3.example.com
cluster1::>
The following command creates a REST access-control role named vs4_role for the vs4.example.com Vserver. This REST role has an access level of all for command directory cluster.
cluster1::> security login rest-role create -role vs4_role -api "/api/private/cli/cluster" -access all -vserver vs4.example.com
cluster1::>
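The following is an added example, not part of the NetApp documentation: a Python pre-flight check that lints a security login rest-role create line against the access levels and resource-qualified endpoint templates listed under -api and -access above. The function names and the "wildcard plus write access" finding are assumptions of this example (a local least-privilege review policy), not ONTAP behaviour.

```python
import re
import shlex

# Access levels and resource-qualified endpoint templates, copied from the page.
ACCESS_LEVELS = {"none", "readonly", "read_create", "read_modify",
                 "read_create_modify", "all"}
TEMPLATES = (
    ["/api/storage/volumes/{volume.uuid}/" + s for s in
     ("snapshots", "files", "top-metrics/clients", "top-metrics/directories",
      "top-metrics/files", "top-metrics/users")]
    + ["/api/svm/svms/{svm.uuid}/top-metrics/" + s for s in
       ("clients", "directories", "files", "users")]
    + ["/api/protocols/s3/services/{svm.uuid}/users"]
)
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

def _pattern(template):
    # Replace the {volume.uuid}/{svm.uuid} placeholder with "a UUID or *".
    head, tail = re.split(r"\{[a-z.]+\}", template)
    return re.compile(re.escape(head) + rf"(?P<id>{UUID}|\*)" + re.escape(tail))

PATTERNS = [_pattern(t) for t in TEMPLATES]

def classify_api(path):
    """Return (kind, scope); scope is a UUID, "*" or None."""
    for pat in PATTERNS:
        m = pat.fullmatch(path)
        if m:
            return "resource-qualified", m["id"]
    if path.startswith("/api/private/cli/"):
        return "private-cli", None
    if "*" in path or re.search(UUID, path):
        return "unsupported-qualifier", None
    return "endpoint", None

def review(command):
    """Lint one `security login rest-role create` line; return findings."""
    tokens = shlex.split(command)
    args = dict(zip(tokens[4::2], tokens[5::2]))  # -flag value pairs
    kind, scope = classify_api(args.get("-api", ""))
    access, findings = args.get("-access"), []
    if access is None:
        findings.append("no -access given")
    elif access not in ACCESS_LEVELS:
        findings.append(f"unknown access level {access!r}")
    if kind == "unsupported-qualifier":
        findings.append("UUID or * used on an endpoint the page does not list")
    # Local review policy (assumption): wildcard plus any write level is broad.
    if scope == "*" and access not in (None, "none", "readonly"):
        findings.append("write access across all volumes/SVMs")
    return findings
```

Run review() over each role definition in a change request before it is applied; an empty list means the line uses a listed access level and, if it is resource-qualified, one of the endpoints listed on this page.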