Skip to main content
A newer release of this product is available.

Update the access level for a REST API path or command/command directory path

Contributors

PATCH /security/roles/{owner.uuid}/{name}/privileges/{path}

Introduced In: 9.6

Updates the access level for a REST API path or command/command directory path. Optionally updates the query, if 'path' refers to a command/command directory path. The REST API path can be a resource-qualified endpoint. Currently, the only supported resource-qualified endpoints are the following:

Snapshots APIs

/api/storage/volumes/{volume.uuid}/snapshots

File System Analytics APIs

/api/storage/volumes/{volume.uuid}/files

/api/storage/volumes/{volume.uuid}/top-metrics/clients

/api/storage/volumes/{volume.uuid}/top-metrics/directories

/api/storage/volumes/{volume.uuid}/top-metrics/files

/api/storage/volumes/{volume.uuid}/top-metrics/users

/api/svm/svms/{svm.uuid}/top-metrics/clients

/api/svm/svms/{svm.uuid}/top-metrics/directories

/api/svm/svms/{svm.uuid}/top-metrics/files

/api/svm/svms/{svm.uuid}/top-metrics/users

Ontap S3 APIs

/api/protocols/s3/services/{svm.uuid}/users

In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs. The {volume.uuid} refers to the -instance-uuid field value in the "volume show" command output at diagnostic privilege level. It can also be fetched through REST endpoint /api/storage/volumes.

Required parameters

  • owner.uuid - UUID of the SVM that houses this role.

  • name - Name of the role to be updated.

  • path - Constituent REST API path or command/command directory path, whose access level and/or query are/is to be updated. Can be a resource-qualified endpoint (example: /api/storage/volumes/43256a71-be02-474d-a2a9-9642e12a6a2c/snapshots). Currently, resource-qualified endpoints are limited to the Snapshots and File System Analytics endpoints listed above in the description.

Optional parameters

  • access - Access level for the path.

  • query - Optional query, if the path refers to a command/command directory path.

  • security login rest-role modify

  • security login role modify

Parameters

Name Type In Required Description

owner.uuid

string

path

True

Role owner UUID

name

string

path

True

Role name

path

string

path

True

REST API path or command/command directory path

Request Body

Name Type Description

_links

_links

access

string

Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'.

path

string

Either of REST URI/endpoint OR command/command directory path.

query

string

Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute.

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "access": "all",
  "path": "volume move start",
  "query": "-vserver vs1|vs2|vs3 -destination-aggregate aggr1|aggr2"
}

Response

Status: 200, Ok

Error

Status: Default

ONTAP Error Response Codes

Error Code Description

5636168

This role is mapped to a rest-role and cannot be modified directly. Modifications must be done with rest-role.

5636192

The query parameter cannot be specified for the privileges tuple with API endpoint entries.

5636200

The specified value of the access parameter is invalid, if a command or command directory is specified in the path parameter.

Also see the table of common errors in the Response body overview section of this documentation.

Name Type Description

error

returned_error

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions

See Definitions

href

Name Type Description

href

string

Name Type Description

self

href

role_privilege

A tuple containing a REST endpoint or a command/command directory path and the access level assigned to that endpoint or command/command directory. If the "path" attribute refers to a command/command directory path, the tuple could additionally contain an optional query. The REST endpoint can be a resource-qualified endpoint. At present, the only supported resource-qualified endpoints are the following

Snapshots APIs

  • /api/storage/volumes/{volume.uuid}/snapshots

File System Analytics APIs

  • /api/storage/volumes/{volume.uuid}/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/clients

  • /api/storage/volumes/{volume.uuid}/top-metrics/directories

  • /api/storage/volumes/{volume.uuid}/top-metrics/files

  • /api/storage/volumes/{volume.uuid}/top-metrics/users

  • /api/svm/svms/{svm.uuid}/top-metrics/clients

  • /api/svm/svms/{svm.uuid}/top-metrics/directories

  • /api/svm/svms/{svm.uuid}/top-metrics/files

  • /api/svm/svms/{svm.uuid}/top-metrics/users

  • /api/protocols/s3/services/{svm.uuid}/users

In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs. The {volume.uuid} refers to the -instance-uuid field value in the "volume show" command output at diagnostic privilege level. It can also be fetched through REST endpoint /api/storage/volumes.

Name Type Description

_links

_links

access

string

Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'.

path

string

Either of REST URI/endpoint OR command/command directory path.

query

string

Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute.

error_arguments

Name Type Description

code

string

Argument code

message

string

Message argument

returned_error

Name Type Description

arguments

array[error_arguments]

Message arguments

code

string

Error code

message

string

Error message

target

string

The target parameter that caused the error.