Create a new user account
POST /security/accounts
Introduced In: 9.6
Creates a new user account.
Required parameters
- name - Account name to be created.
- applications - Array of one or more application tuples (of application and authentication methods).
Optional parameters
- owner.name or owner.uuid - Name or UUID of the SVM for an SVM-scoped user account. If not supplied, a cluster-scoped user account is created.
- role - RBAC role for the user account. Defaults to admin for a cluster user account and to vsadmin for an SVM-scoped account.
- password - Password for the user account (if the authentication method is opted as password for one or more of the applications).
- second_authentication_method - Needed for MFA and only supported for the ssh application. Defaults to none if not supplied.
- comment - Comment for the user account (e.g. the purpose of this account).
- locked - Locks the account after creation. Defaults to false if not supplied.
- ldap_fastbind - Needed for LDAP Fastbind Authentication and only supported for the applications SSH, ONTAPI, and HTTP with the authentication method "nsswitch" only. Defaults to false if not supplied.
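The following helper, added here as an illustration and not part of the ONTAP documentation or any NetApp SDK, builds the POST /security/accounts body from the parameters above and runs client-side checks that mirror the error codes listed in this page's error table before the request is sent. The function names, the /api URL prefix and the lower-case method values (ssh, publickey, totp) are assumptions.

```python
import base64
import json
import urllib.request

def build_account(name, applications, svm=None, role=None, password=None, locked=False):
    # Body for POST /security/accounts: no owner -> cluster-scoped account;
    # no role -> ONTAP defaults to admin (cluster) or vsadmin (SVM-scoped).
    body = {"name": name, "applications": applications, "locked": locked}
    if svm:
        body["owner"] = {"name": svm}
    if role:
        body["role"] = {"name": role}
    if password is not None:
        body["password"] = password
    return body

def preflight(body):
    # Client-side checks mirroring error codes from this page's error table; the
    # lower-case value strings (ssh, publickey, totp, ...) are assumed.
    problems = []
    uses_password = False
    for app in body["applications"]:
        methods = app.get("authentication_methods", [])
        second = app.get("second_authentication_method", "none")
        uses_password |= "password" in methods
        if second != "none" and app["application"] != "ssh":
            problems.append("5636154: second method is supported only for ssh")
        if second in methods:
            problems.append("5636156: second method must differ from the primary")
        if second == "totp" and not {"password", "publickey"} & set(methods):
            problems.append("5636212: TOTP needs a password or publickey primary")
        if app["application"] in ("console", "service-processor") and "owner" in body:
            problems.append("5636140/5636141: console and SP logins are cluster-only")
    if body.get("locked") and not (uses_password and body.get("password")):
        problems.append("1263343: cannot lock an account without a set password")
    if len(body.get("password", "")) > 128:  # page: maximum password length
        problems.append("7077940: password exceeds the maximum length")
    return problems

def create_account(base_url, admin_user, admin_pass, body):
    # HTTP Basic auth POST; the /api prefix follows the page's _links. Returns
    # the Location header of the 201 Created response.
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/security/accounts", data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location")
```

Call `preflight` on the body first and only pass it to `create_account` when the returned list is empty; the server still enforces its own policy (password composition, reserved names) and answers with the codes in the error table.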
Related ONTAP commands
- security login create
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
applications | array[account_application] | |
comment | string | Optional comment for the user account. |
ldap_fastbind | boolean | Optional property that specifies the mode of authentication is LDAP Fastbind. |
locked | boolean | Locked status of the account. |
name | string | User or group account name |
owner | owner | Owner name and UUID that uniquely identifies the user account. |
password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm | string | Optional property that specifies the password hash algorithm used to generate a hash of the user's password for password matching. |
role | role | |
scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
Example request
```json
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "applications": [
    {
      "application": "string",
      "authentication_methods": [
        "string"
      ],
      "second_authentication_method": "string"
    }
  ],
  "comment": "string",
  "name": "joe.smith",
  "owner": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "password": "string",
  "password_hash_algorithm": "sha512",
  "role": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "admin"
  },
  "scope": "string"
}
```
Response
Status: 201, Created
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
1261215 | The role was not found. |
1263343 | Cannot lock user with password not set or non-password authentication method. |
5636099 | User creation with a non-admin role is not supported for service-processor application. |
5636121 | The user account name is reserved for use by the system. |
5636126 | Cannot create a user with the username or role as AutoSupport because it is reserved by the system. |
5636140 | Creating a login with application console for a data Vserver is not supported. |
5636141 | Creating a login with application service-processor for a data Vserver is not supported. |
5636154 | The second-authentication-method parameter is supported for ssh application. |
5636155 | The second-authentication-method parameter can be specified only if the authentication-method password or public key nsswitch. |
5636156 | The same value cannot be specified for the second-authentication-method and the authentication-method. |
5636164 | If the value for either the authentication-method second-authentication-method is nsswitch or password, the other parameter must differ. |
5636197 | LDAP fastbind combination for application and authentication method is not supported. |
5636198 | LDAP fastbind authentication is supported only for nsswitch. |
5636206 | Non-domain user cannot have a backslash in the username. |
5636207 | If the value for either the authentication-method or second-authentication-method parameters is domain, the other parameter must be publickey or none. |
5636212 | TOTP is supported only when the primary authentication method is password or public key. |
5636214 | Configuring the user with TOTP as secondary authentication method requires an effective cluster version of 9.13.1 or later |
7077897 | Invalid character in username. |
7077898 | The username must contain both letters and numbers. |
7077899 | The username does not meet length requirements. |
7077906 | A role with that name has not been defined for the Vserver. |
7077918 | The password cannot contain the username. |
7077919 | The minimum length for new password does not meet the policy. |
7077920 | A new password must have both letters and numbers. |
7077921 | The minimum number of special characters required do not meet the policy. |
7077929 | Cannot lock user with password not set or non-password authentication method. |
7077940 | The password exceeds the maximum supported length. |
7077941 | The defined password composition exceeds the maximum password length of 128 characters. |
7078900 | An admin password is not set. Set the password by including it in the request. |
Name | Type | Description |
---|---|---|
error | error | |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
account_application
Name | Type | Description |
---|---|---|
application | string | Applications |
authentication_methods | array[string] | |
second_authentication_method | string | An optional additional authentication method for multifactor authentication (MFA). This is only supported with SSH as the application. Time-based One-Time Passwords (TOTPs) are only supported with the authentication method password or public key. It is ignored for all other applications. |
owner
Owner name and UUID that uniquely identifies the user account.
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the SVM. |
uuid | string | The unique identifier of the SVM. |
role
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | Role name |
account
Name | Type | Description |
---|---|---|
_links | _links | |
applications | array[account_application] | |
comment | string | Optional comment for the user account. |
ldap_fastbind | boolean | Optional property that specifies the mode of authentication is LDAP Fastbind. |
locked | boolean | Locked status of the account. |
name | string | User or group account name |
owner | owner | Owner name and UUID that uniquely identifies the user account. |
password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm | string | Optional property that specifies the password hash algorithm used to generate a hash of the user's password for password matching. |
role | role | |
scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |