REST API reference
Create a new user account
Suggest changes
PDFs
POST /security/accounts
Introduced In: 9.6
Creates a new user account.
Required parameters
-
name- Account name to be created. -
applications- Array of one or more application tuples (of application and authentication methods).
Optional parameters
-
owner.nameorowner.uuid- Name or UUID of the SVM for an SVM-scoped user account. If not supplied, a cluster-scoped user account is created. -
role- RBAC role for the user account. Defaulted toadminfor cluster user account and tovsadminfor SVM-scoped account. -
password- Password for the user account (if the authentication method is opted as password for one or more of applications). -
second_authentication_method- Needed for MFA and only supported for ssh application. Defaults tononeif not supplied. -
comment- Comment for the user account (e.g purpose of this account). -
locked- Locks the account after creation. Defaults tofalseif not supplied. -
ldap_fastbind- Needed for LDAP Fastbind Authentication and only supported for applications SSH, ONTAPI, and HTTP with authentication method "nsswitch" only. Defaults to false if not supplied.
Related ONTAP commands
-
security login create
Learn more
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
Request Body
| Name | Type | Description |
|---|---|---|
_links |
||
applications |
array[account_application] |
|
authentication_methods |
array[string] |
|
comment |
string |
Optional comment for the user account. |
ldap_fastbind |
boolean |
Optional property that specifies the mode of authentication is LDAP Fastbind. |
locked |
boolean |
Locked status of the account. |
name |
string |
User or group account name |
owner |
Owner name and UUID that uniquely identifies the user account. |
|
password |
string |
Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm |
string |
Optional property that specifies the password hash algorithm used to generate a hash of the user's password for password matching. |
public_key |
string |
Public key for SSH. |
role |
||
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
ssl_ca_certificate |
string |
SSL certificate for the chain of certificate authorities (CA) that have signed this user's client certificate. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"applications": [
{
"application": "string",
"authentication_methods": [
"string"
],
"second_authentication_method": "string"
}
],
"authentication_methods": [
"string"
],
"comment": "string",
"name": "joe.smith",
"owner": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"password": "string",
"password_hash_algorithm": "sha512",
"public_key": "string",
"role": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "admin"
},
"scope": "string",
"ssl_ca_certificate": "string"
}Response
Status: 201, CreatedHeaders
| Name | Description | Type |
|---|---|---|
Location |
Useful for tracking the resource location |
string |
Error
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
1261215 |
The role was not found. |
1263343 |
Cannot lock user with password not set or non-password authentication method. |
5636099 |
User creation with a non-admin role is not supported for service-processor application. |
5636121 |
The user account name is reserved for use by the system. |
5636126 |
Cannot create a user with the username or role as AutoSupport because it is reserved by the system. |
5636140 |
Creating a login with application console for a data Vserver is not supported. |
5636141 |
Creating a login with application service-processor for a data Vserver is not supported. |
5636154 |
The second-authentication-method parameter is supported for ssh application. |
5636155 |
The second-authentication-method parameter can be specified only if the authentication-method password or public key nsswitch. |
5636156 |
The same value cannot be specified for the second-authentication-method and the authentication-method. |
5636157 |
If the authentication-method is domain, the second-authentication-method cannot be specified. |
5636164 |
If the value for either the authentication-method second-authentication-method is nsswitch or password, the other parameter must differ. |
5636197 |
LDAP fastbind combination for application and authentication method is not supported. |
5636198 |
LDAP fastbind authentication is supported only for nsswitch. |
7077897 |
Invalid character in username. |
7077898 |
The username must contain both letters and numbers. |
7077899 |
The username does not meet length requirements. |
7077906 |
A role with that name has not been defined for the Vserver. |
7077918 |
The password cannot contain the username. |
7077919 |
The minimum length for new password does not meet the policy. |
7077920 |
A new password must have both letters and numbers. |
7077921 |
The minimum number of special characters required do not meet the policy. |
7077929 |
Cannot lock user with password not set or non-password authentication method. |
7077940 |
The password exceeds the maximum supported length. |
7077941 |
The defined password composition exceeds the maximum password length of 128 characters. |
7078900 |
An admin password is not set. Set the password by including it in the request. |
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
self |
account_application
| Name | Type | Description |
|---|---|---|
application |
string |
Applications |
authentication_methods |
array[string] |
|
second_authentication_method |
string |
An optional additional authentication method for MFA. This only works with SSH as the application. It is ignored for all other applications. |
owner
Owner name and UUID that uniquely identifies the user account.
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
The name of the SVM. |
uuid |
string |
The unique identifier of the SVM. |
role
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
Role name |
account
| Name | Type | Description |
|---|---|---|
_links |
||
applications |
array[account_application] |
|
authentication_methods |
array[string] |
|
comment |
string |
Optional comment for the user account. |
ldap_fastbind |
boolean |
Optional property that specifies the mode of authentication is LDAP Fastbind. |
locked |
boolean |
Locked status of the account. |
name |
string |
User or group account name |
owner |
Owner name and UUID that uniquely identifies the user account. |
|
password |
string |
Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm |
string |
Optional property that specifies the password hash algorithm used to generate a hash of the user's password for password matching. |
public_key |
string |
Public key for SSH. |
role |
||
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
ssl_ca_certificate |
string |
SSL certificate for the chain of certificate authorities (CA) that have signed this user's client certificate. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |