REST API reference
Create a new cluster-scoped or SVM-scoped role
Suggest changes
-
PDF of this doc site
Collection of separate PDF docs
Creating your file...
POST /security/roles
Introduced In: 9.6
Creates a new cluster-scoped role or an SVM-scoped role. For an SVM-scoped role, specify either the SVM name as the owner.name or SVM UUID as the owner.uuid in the request body along with other parameters for the role. The owner.uuid or owner.name are not required to be specified for a cluster-scoped role.
Required parameters
-
name- Name of the role to be created. -
privileges- Array of privilege tuples. Each tuple consists of a REST API or command/command directory path and its desired access level. If the tuple refers to a command/command directory path, it could optionally contain a query.
Optional parameters
-
owner.nameorowner.uuid- Name or UUID of the SVM for an SVM-scoped role.
Related ONTAP commands
-
security login rest-role create -
security login role create
Learn more
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
Request Body
| Name | Type | Description |
|---|---|---|
_links |
||
builtin |
boolean |
Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted. |
comment |
string |
Comment |
name |
string |
Role name |
owner |
Owner name and UUID that uniquely identifies the role. |
|
privileges |
array[role_privilege] |
The list of privileges that this role has been granted. |
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"comment": "string",
"name": "admin",
"owner": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"privileges": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"access": "readonly",
"path": [
"/api/cluster/jobs",
"/api/storage/volumes",
"job schedule interval",
"volume move"
],
"query": [
"-days <1 -hours >12",
"-vserver vs1|vs2|vs3 -destination-aggregate aggr1|aggr2"
]
},
"scope": "cluster"
}Response
Status: 201, CreatedError
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
2621462 |
The supplied SVM does not exist. |
5636129 |
Role with given name has not been defined. |
5636143 |
Vserver admin cannot use the API with this access level. |
5636144 |
Invalid value specified for access level. |
5636169 |
Invalid character in URI. |
5636170 |
URI does not exist. |
5636171 |
Role already exists in legacy role table. |
5636184 |
Expanded REST roles for granular resource control feature is currently disabled. |
5636185 |
The specified UUID was not found. |
5636186 |
Expanded REST roles for granular resource control requires an effective cluster version of 9.10.1 or later. |
13434890 |
Vserver-ID failed for Vserver roles. |
13434891 |
UUID lookup failed for Vserver roles. |
13434892 |
Roles is a required field. |
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": {
"code": "string",
"message": "string"
},
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
self |
owner
Owner name and UUID that uniquely identifies the role.
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
The name of the SVM. |
uuid |
string |
The unique identifier of the SVM. |
role_privilege
A tuple containing a REST endpoint or a command/command directory path and the access level assigned to that endpoint or command/command directory. If the "path" attribute refers to a command/command directory path, the tuple could additionally contain an optional query. The REST endpoint can be a resource-qualified endpoint. At present, the only supported resource-qualified endpoints are /api/storage/volumes/{volume.uuid}/snapshots and /api/storage/volumes//snapshots. "" is a wildcard character denoting "all" volumes.
| Name | Type | Description |
|---|---|---|
_links |
||
access |
string |
Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'. |
path |
string |
Either of REST URI/endpoint OR command/command directory path. |
query |
string |
Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute. |
role
A named set of privileges that defines the rights an account has when it is assigned the role.
| Name | Type | Description |
|---|---|---|
_links |
||
builtin |
boolean |
Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted. |
comment |
string |
Comment |
name |
string |
Role name |
owner |
Owner name and UUID that uniquely identifies the role. |
|
privileges |
array[role_privilege] |
The list of privileges that this role has been granted. |
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |