Skip to main content
A newer release of this product is available.

Create a new cluster-scoped or SVM-scoped role

Contributors

POST /security/roles

Introduced In: 9.6

Creates a new cluster-scoped role or an SVM-scoped role. For an SVM-scoped role, specify either the SVM name as the owner.name or SVM UUID as the owner.uuid in the request body along with other parameters for the role. The owner.uuid or owner.name are not required to be specified for a cluster-scoped role.

Required parameters

  • name - Name of the role to be created.

  • privileges - Array of privilege tuples. Each tuple consists of a REST API or command/command directory path and its desired access level. If the tuple refers to a command/command directory path, it could optionally contain a query.

Optional parameters

  • owner.name or owner.uuid - Name or UUID of the SVM for an SVM-scoped role.

  • security login rest-role create

  • security login role create

Learn more

Parameters

Name Type In Required Description

return_records

boolean

query

False

The default is false. If set to true, the records are returned.

  • Default value:

Request Body

Name Type Description

_links

_links

builtin

boolean

Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted.

name

string

Role name

owner

owner

Owner name and UUID that uniquely identifies the role.

privileges

array[role_privilege]

The list of privileges that this role has been granted.

scope

string

Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "name": "admin",
  "owner": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "privileges": [
    {
      "_links": {
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "access": "all",
      "path": "volume move start",
      "query": "-vserver vs1|vs2|vs3 -destination-aggregate aggr1|aggr2"
    }
  ],
  "scope": "string"
}

Response

Status: 201, Created

Headers

Name Description Type

Location

Useful for tracking the resource location

string

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

2621462

The supplied SVM does not exist.

5636129

Role with given name has not been defined.

5636143

Vserver admin cannot use the API with this access level.

5636144

Invalid value specified for access level.

5636169

Invalid character in URI.

5636170

URI does not exist.

5636171

Role already exists in legacy role table.

5636184

Expanded REST roles for granular resource control feature is currently disabled.

5636185

The specified UUID was not found.

5636186

Expanded REST roles for granular resource control requires an effective cluster version of 9.10.1 or later.

13434890

Vserver-ID failed for Vserver roles.

13434891

UUID lookup failed for Vserver roles.

13434892

Roles is a required field.

Name Type Description

error

error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

owner

Owner name and UUID that uniquely identifies the role.

Name Type Description

_links

_links

name

string

The name of the SVM.

uuid

string

The unique identifier of the SVM.

role_privilege

A tuple containing a REST endpoint or a command/command directory path and the access level assigned to that endpoint or command/command directory. If the "path" attribute refers to a command/command directory path, the tuple could additionally contain an optional query. The REST endpoint can be a resource-qualified endpoint. At present, the only supported resource-qualified endpoints are the following

Snapshots APIs

  • /api/storage/volumes/{volume.uuid}/snapshots

File System Analytics APIs

  • /api/storage/volumes/{volume.uuid}/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/clients

  • /api/storage/volumes/{volume.uuid}/top-metrics/directories

  • /api/storage/volumes/{volume.uuid}/top-metrics/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/users

  • /api/svm/svms/{svm.uuid}/top-metrics/clients

  • /api/svm/svms/{svm.uuid}/top-metrics/directories

  • /api/svm/svms/{svm.uuid}/top-metrics/files

  • /api/svm/svms/{svm.uuid}/top-metrics/users

In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs.

Name Type Description

_links

_links

access

string

Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'.

path

string

Either of REST URI/endpoint OR command/command directory path.

query

string

Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute.

role

A named set of privileges that defines the rights an account has when it is assigned the role.

Name Type Description

_links

_links

builtin

boolean

Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted.

name

string

Role name

owner

owner

Owner name and UUID that uniquely identifies the role.

privileges

array[role_privilege]

The list of privileges that this role has been granted.

scope

string

Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.