
Create a new user account

POST /security/accounts

Introduced In: 9.6

Creates a new user account.

Required parameters

  • name - Account name to be created.

  • applications - Array of one or more application tuples (of application and authentication methods).

Optional parameters

  • owner.name or owner.uuid - Name or UUID of the SVM for an SVM-scoped user account. If not supplied, a cluster-scoped user account is created.

  • role - RBAC role for the user account. Defaults to admin for a cluster-scoped user account and to vsadmin for an SVM-scoped account.

  • password - Password for the user account (needed if password is the authentication method for one or more of the applications).

  • second_authentication_method - Needed for MFA and only supported for the ssh application. Defaults to none if not supplied.

  • comment - Comment for the user account (e.g., the purpose of this account).

  • locked - Locks the account after creation. Defaults to false if not supplied.

  • is_ldap_fastbind - Needed for LDAP Fastbind authentication and only supported for the applications SSH, ONTAPI, and HTTP with the authentication method "nsswitch" only. Defaults to false if not supplied.

Related ONTAP commands

  • security login create

Parameters

| Name | Type | In | Required | Description |
| --- | --- | --- | --- | --- |
| return_records | boolean | query | False | The default is false. If set to true, the records are returned. Default value: false |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| applications | array[account_application] | |
| comment | string | Optional comment for the user account. |
| locked | boolean | Locked status of the account. |
| name | string | User or group account name |
| owner | owner | Owner name and UUID that uniquely identifies the user account. |
| password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
| password_hash_algorithm | string | Password hash algorithm used to generate a hash of the user's password for password matching. To modify "password_hash_algorithm", use the REST API "/api/security/authentication/password". |
| role | role | |
| scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |

Example request
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "applications": [
    {
      "application": "string",
      "authentication_methods": [
        "string"
      ],
      "second_authentication_method": "string"
    }
  ],
  "comment": "string",
  "name": "joe.smith",
  "owner": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "password": "string",
  "password_hash_algorithm": "sha512",
  "role": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "admin"
  },
  "scope": "string"
}
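A client-side pre-flight check for this request, added here as an example; it is not part of NetApp's documentation or ONTAP's own code. It encodes the constraints that the parameter list and the error table on this page state (second_authentication_method only for ssh, TOTP only with a password or public-key primary, LDAP fastbind only with nsswitch on ssh/ontapi/http, no locking of an account without a password login, the 128-character password limit and the no-username-in-password rule) as local checks keyed by the ONTAP error code each would otherwise produce, and then builds the POST with return_records=true. The lower-case enum spellings ("publickey", "totp", "none"), the HTTPS host, the basic-auth credentials and the two sample bodies are assumptions or constructed data, not values from the page.

```python
"""Pre-flight validation for POST /api/security/accounts (added example).

Not NetApp's code: the rules below are re-implemented from the parameter
notes and error table of this page so a bad body is rejected locally,
with the matching ONTAP error code, before anything is sent.
Assumptions: lower-case enum spellings ("ssh", "ontapi", "http",
"password", "publickey", "nsswitch", "domain", "totp", "none") and an
HTTPS endpoint that accepts HTTP basic authentication.
"""
import base64
import json
import urllib.request

ENDPOINT = "/api/security/accounts"
FASTBIND_APPS = {"ssh", "ontapi", "http"}                       # is_ldap_fastbind note
SECOND_FACTOR_PRIMARIES = {"password", "publickey", "nsswitch"}  # error 5636155
TOTP_PRIMARIES = {"password", "publickey"}                       # error 5636212
MAX_PASSWORD_LEN = 128                                           # error 7077941


def validate_account(body: dict) -> list[tuple[int, str]]:
    """Return (ontap_error_code, message) for each documented rule the body breaks.

    Code 0 marks a rule the page states in prose without an error code.
    """
    problems = []
    name = body.get("name") or ""
    password = body.get("password")
    apps = body.get("applications") or []

    if not name:
        problems.append((0, "name is a required parameter"))
    if not apps:
        problems.append((0, "applications must contain at least one tuple"))

    uses_domain = False
    uses_password = False
    for app in apps:
        app_name = (app.get("application") or "").lower()
        methods = {m.lower() for m in app.get("authentication_methods") or []}
        second = (app.get("second_authentication_method") or "none").lower()
        uses_domain |= "domain" in methods or second == "domain"
        uses_password |= "password" in methods

        if second != "none":
            if app_name != "ssh":
                problems.append((5636154, "second_authentication_method is supported only for ssh"))
            if not methods & SECOND_FACTOR_PRIMARIES:
                problems.append((5636155, "second factor needs a password, publickey or nsswitch primary"))
            if second in methods:
                problems.append((5636156, "second factor must differ from the primary method"))
            if second == "totp" and not methods & TOTP_PRIMARIES:
                problems.append((5636212, "TOTP needs a password or publickey primary"))
        if second == "domain" and methods - {"publickey"}:
            problems.append((5636207, "with a domain second factor the primary must be publickey"))
        if "domain" in methods and second not in {"publickey", "none"}:
            problems.append((5636207, "with a domain primary the second factor must be publickey or none"))
        if app.get("is_ldap_fastbind"):
            if "nsswitch" not in methods:
                problems.append((5636198, "LDAP fastbind is supported only with nsswitch"))
            if app_name not in FASTBIND_APPS:
                problems.append((5636197, f"LDAP fastbind is not supported for application {app_name!r}"))

    if "\\" in name and not uses_domain:
        problems.append((5636206, "a non-domain user cannot have a backslash in the username"))
    if body.get("locked") and not (password and uses_password):
        problems.append((1263343, "cannot lock a user that has no password-based login"))
    if password:
        if len(password) > MAX_PASSWORD_LEN:
            problems.append((7077941, "password exceeds the maximum length of 128 characters"))
        if name and name.lower() in password.lower():
            problems.append((7077918, "the password cannot contain the username"))
    return problems


def build_request(host: str, user: str, passwd: str, body: dict) -> urllib.request.Request:
    """Build the POST; return_records=true asks ONTAP to echo the created record."""
    token = base64.b64encode(f"{user}:{passwd}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{ENDPOINT}?return_records=true",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )


def create_account(host: str, user: str, passwd: str, body: dict):
    """Validate locally, then submit; returns (HTTP status, parsed response body)."""
    problems = validate_account(body)
    if problems:
        raise ValueError(problems)
    with urllib.request.urlopen(build_request(host, user, passwd, body)) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


# Constructed sample bodies (not from the page): one valid, one breaking three rules.
GOOD_BODY = {
    "name": "joe.smith", "owner": {"name": "svm1"}, "role": {"name": "vsadmin"},
    "password": "Tr0ub4dor&3-sample", "comment": "sample SVM admin with SSH MFA",
    "applications": [{"application": "ssh", "authentication_methods": ["password"],
                      "second_authentication_method": "totp"}],
}
BAD_BODY = {
    "name": "joe.smith", "locked": True,   # locked but no password -> 1263343
    "applications": [
        {"application": "http", "authentication_methods": ["password"],
         "second_authentication_method": "totp"},                 # not ssh -> 5636154
        {"application": "ontapi", "authentication_methods": ["password"],
         "is_ldap_fastbind": True},                               # no nsswitch -> 5636198
    ],
}

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, validate_account(body) or "ok")
```

Running the file prints the verdict for both constructed bodies; only create_account() touches the network and needs a live cluster (hypothetical host and credentials). The same client-side check also gives a cheap way to catch drift in automation that provisions accounts, because any body it rejects would otherwise surface only as an audit-logged failed POST.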

Response

Status: 201, Created

Headers

| Name | Description | Type |
| --- | --- | --- |
| Location | Useful for tracking the resource location | string |

Error

Status: Default

ONTAP Error Response Codes

| Error Code | Description |
| --- | --- |
| 1261215 | The role was not found. |
| 1261225 | Invalid command directory name. |
| 1263343 | Cannot lock user with password not set or non-password authentication method. |
| 2621475 | This operation is not supported on a node SVM. |
| 2621601 | This operation is not supported on a system SVM. |
| 2621706 | The specified owner.uuid and owner.name refer to different SVMs. |
| 5636099 | User creation with a non-admin role is not supported for the service-processor application. |
| 5636121 | The user account name is reserved for use by the system. |
| 5636126 | Cannot create a user with the username or role as AutoSupport because it is reserved by the system. |
| 5636140 | Creating a login with application console for a data SVM is not supported. |
| 5636141 | Creating a login with application service-processor for a data SVM is not supported. |
| 5636154 | The second-authentication-method parameter is supported only for the SSH application. |
| 5636155 | The second-authentication-method parameter can be specified only if the authentication-method is password, public key, or nsswitch. |
| 5636156 | The same value cannot be specified for the second-authentication-method and the authentication-method. |
| 5636164 | If the value for either the authentication-method or the second-authentication-method is nsswitch or password, the other parameter must differ. |
| 5636176 | The application and authentication-method combination is invalid. |
| 5636178 | An invalid value is specified for field "application". |
| 5636179 | Creating an AMQP application login for a data SVM is not supported. |
| 5636197 | LDAP fastbind combination for application and authentication method is not supported. |
| 5636198 | LDAP fastbind authentication is supported only for nsswitch. |
| 5636206 | Non-domain user cannot have a backslash in the username. |
| 5636207 | If the value for either the authentication-method or second-authentication-method parameters is domain, the other parameter must be publickey or none. |
| 5636212 | TOTP is supported only when the primary authentication method is password or public key. |
| 5636214 | Configuring the user with TOTP as secondary authentication method requires an effective cluster version of 9.13.1 or later. |
| 7077897 | Invalid character in username. |
| 7077898 | The username must contain both letters and numbers. |
| 7077899 | The username does not meet length requirements. |
| 7077906 | A role with that name has not been defined for the Vserver. |
| 7077918 | The password cannot contain the username. |
| 7077919 | The minimum length for the new password does not meet the policy. |
| 7077920 | A new password must have both letters and numbers. |
| 7077921 | The minimum number of special characters required does not meet the policy. |
| 7077929 | Cannot lock user with password not set or non-password authentication method. |
| 7077940 | The password exceeds the maximum supported length. |
| 7077941 | The defined password composition exceeds the maximum password length of 128 characters. |
| 7078900 | An admin password is not set. Set the password by including it in the request. |

Also see the table of common errors in the Response body overview section of this documentation.

| Name | Type | Description |
| --- | --- | --- |
| error | returned_error | |

Example error
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}

Definitions


href

| Name | Type | Description |
| --- | --- | --- |
| href | string | |

_links

| Name | Type | Description |
| --- | --- | --- |
| self | href | |

account_application

| Name | Type | Description |
| --- | --- | --- |
| application | string | Applications |
| authentication_methods | array[string] | |
| is_ldap_fastbind | boolean | Optional property that specifies the mode of authentication as LDAP Fastbind. |
| second_authentication_method | string | An optional additional authentication method for multifactor authentication (MFA). This is only supported with SSH (ssh) as the application. Time-based One-Time Passwords (TOTPs) are only supported with the authentication method password or public key. It is ignored for all other applications. |

owner

Owner name and UUID that uniquely identifies the user account.

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
| uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |

role

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| name | string | Role name |

account

| Name | Type | Description |
| --- | --- | --- |
| _links | _links | |
| applications | array[account_application] | |
| comment | string | Optional comment for the user account. |
| locked | boolean | Locked status of the account. |
| name | string | User or group account name |
| owner | owner | Owner name and UUID that uniquely identifies the user account. |
| password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
| password_hash_algorithm | string | Password hash algorithm used to generate a hash of the user's password for password matching. To modify "password_hash_algorithm", use the REST API "/api/security/authentication/password". |
| role | role | |
| scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |

error_arguments

| Name | Type | Description |
| --- | --- | --- |
| code | string | Argument code |
| message | string | Message argument |

returned_error

| Name | Type | Description |
| --- | --- | --- |
| arguments | array[error_arguments] | Message arguments |
| code | string | Error code |
| message | string | Error message |
| target | string | The target parameter that caused the error. |