Create a new user account
POST /security/accounts
Introduced In: 9.6
Creates a new user account.
Required parameters
- name - Account name to be created.
- applications - Array of one or more application tuples (of application and authentication methods).
Optional parameters
- owner.name or owner.uuid - Name or UUID of the SVM for an SVM-scoped user account. If not supplied, a cluster-scoped user account is created.
- role - RBAC role for the user account. Defaults to admin for a cluster user account and to vsadmin for an SVM-scoped account.
- password - Password for the user account (required if the authentication method is password for one or more of the applications).
- second_authentication_method - Needed for MFA and only supported for the ssh and service_processor applications. Defaults to none if not supplied.
- comment - Comment for the user account (e.g. the purpose of this account).
- locked - Locks the account after creation. Defaults to false if not supplied.
- is_ldap_fastbind - Needed for LDAP Fastbind authentication and only supported for the SSH, ONTAPI, and HTTP applications with authentication method "nsswitch" only. Defaults to false if not supplied.
- is_ns_switch_group - Specifies whether the user is an LDAP or NIS group; only supported for the SSH, ONTAPI, and HTTP applications with authentication method "nsswitch". Defaults to false if not supplied.
Related ONTAP commands
- security login create
Parameters
Name | Type | In | Required | Description |
---|---|---|---|---|
return_records | boolean | query | False | The default is false. If set to true, the records are returned. |
Request Body
Name | Type | Description |
---|---|---|
_links | _links | |
applications | array[account_application] | |
authentication_methods | array[string] | |
comment | string | Optional comment for the user account. |
locked | boolean | Locked status of the account. |
name | string | User or group account name |
owner | owner | Owner name and UUID that uniquely identifies the user account. |
password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm | string | Password hash algorithm used to generate a hash of the user's password for password matching. To modify "password_hash_algorithm", use REST API "/api/security/authentication/password". |
public_key | string | Public key for SSH. |
role | role | |
scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
ssl_ca_certificate | string | SSL certificate for the chain of certificate authorities (CA) that have signed this user's client certificate. |
Example request
```json
{
  "_links": {
    "self": {
      "href": "/api/resourcelink"
    }
  },
  "applications": [
    {
      "application": "string",
      "authentication_methods": [
        "string"
      ],
      "second_authentication_method": "string"
    }
  ],
  "authentication_methods": [
    "string"
  ],
  "comment": "string",
  "name": "joe.smith",
  "owner": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "svm1",
    "uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
  },
  "password": "string",
  "password_hash_algorithm": "sha512",
  "public_key": "string",
  "role": {
    "_links": {
      "self": {
        "href": "/api/resourcelink"
      }
    },
    "name": "admin"
  },
  "scope": "string",
  "ssl_ca_certificate": "string"
}
```
Response
Status: 201, Created
Headers
Name | Description | Type |
---|---|---|
Location | Useful for tracking the resource location | string |
Error
Status: Default
ONTAP Error Response Codes
Error Code | Description |
---|---|
1261215 | The role was not found. |
1261225 | Invalid command directory name. |
1263343 | Cannot lock user with password not set or non-password authentication method. |
2621475 | This operation is not supported on a node SVM. |
2621601 | This operation is not supported on a system SVM. |
2621706 | The specified owner.uuid and owner.name refer to different SVMs. |
5636099 | User creation with a non-admin role is not supported for service-processor application. |
5636121 | The user account name is reserved for use by the system. |
5636126 | Cannot create a user with the username or role as AutoSupport because it is reserved by the system. |
5636136 | Specifying "is_ns_switch_group" as "true" is supported only for authentication method "nsswitch". |
5636140 | Creating a login with application console for a data SVM is not supported. |
5636141 | Creating a login with application service-processor for a data SVM is not supported. |
5636154 | The second authentication method parameter is supported for SSH and Service Processor (SP) applications only. |
5636155 | The second-authentication-method parameter can be specified only if the authentication-method password or public key nsswitch. |
5636156 | The same value cannot be specified for the second-authentication-method and the authentication-method. |
5636164 | If the value for either the authentication-method second-authentication-method is nsswitch or password, the other parameter must differ. |
5636165 | Second authentication method is not supported for NIS or LDAP group based accounts. |
5636176 | The application and authentication-method combination is invalid. |
5636178 | An invalid value is specified for field "application". |
5636179 | Creating an AMQP application login for a data SVM is not supported. |
5636197 | LDAP fastbind combination for application and authentication method is not supported. |
5636198 | LDAP fastbind authentication is supported only for nsswitch. |
5636206 | Non-domain user cannot have a backslash in the username. |
5636207 | If the value for either the authentication-method or second-authentication-method parameters is domain, the other parameter must be publickey or none. |
5636212 | TOTP is supported only when the primary authentication method is password or public key. |
5636214 | Configuring the user with TOTP as secondary authentication method requires an effective cluster version of 9.13.1 or later. |
5636223 | Specifying "is_ns_switch_group" as "true" is supported only for SSH, ONTAPI and HTTP applications. |
5636224 | Configuring a Service Processor (SP) user with two-factor authentication requires an effective cluster version of 9.15.1 or later. |
5636225 | For a Service Processor (SP) user, the second factor of authentication must be one of publickey or none. |
5636226 | Internal error. Failed to check for ONTAP capability. |
7077897 | Invalid character in username. |
7077898 | The username must contain both letters and numbers. |
7077899 | The username does not meet length requirements. |
7077906 | A role with that name has not been defined for the Vserver. |
7077918 | The password cannot contain the username. |
7077919 | The minimum length for new password does not meet the policy. |
7077920 | A new password must have both letters and numbers. |
7077921 | The minimum number of special characters required do not meet the policy. |
7077929 | Cannot lock user with password not set or non-password authentication method. |
7077940 | The password exceeds the maximum supported length. |
7077941 | The defined password composition exceeds the maximum password length of 128 characters. |
7078900 | An admin password is not set. Set the password by including it in the request. |
Also see the table of common errors in the Response body overview section of this documentation.
Name | Type | Description |
---|---|---|
error | returned_error | |
Example error
```json
{
  "error": {
    "arguments": [
      {
        "code": "string",
        "message": "string"
      }
    ],
    "code": "4",
    "message": "entry doesn't exist",
    "target": "uuid"
  }
}
```
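The parameter rules and the error-code table above describe several combinations that ONTAP rejects (second factor only for ssh/service_processor, TOTP only on a password or publickey primary, group/fastbind flags only with nsswitch, no locking without a password). The following is an added example, not code from the ONTAP documentation or the product, that checks a request body against those rules before submitting it; the enum strings "totp" and "publickey", the helper names, and the Basic-auth call are assumptions.

```python
"""Constructed example: pre-check a POST /security/accounts body against this page's error table, then submit it."""
import base64
import json
import urllib.request

MFA_APPS = {"ssh", "service_processor"}           # error 5636154
NS_SWITCH_GROUP_APPS = {"ssh", "ontapi", "http"}  # error 5636223


def validate_account(body: dict) -> list:
    """Return the constraint violations found in body (empty list = nothing obviously wrong)."""
    problems = []
    if not body.get("name"):
        problems.append("name is required")
    if body.get("locked") and not body.get("password"):
        problems.append("cannot lock an account that has no password")  # 1263343
    for tup in body.get("applications", []):
        app = tup.get("application")
        methods = set(tup.get("authentication_methods", []))
        second = tup.get("second_authentication_method", "none")  # "totp" enum value assumed
        if "password" in methods and not body.get("password"):
            problems.append(f"{app}: password method but no password given")  # 7078900
        if second != "none":
            if app not in MFA_APPS:
                problems.append(f"{app}: second factor only for ssh/service_processor")
            if second in methods:
                problems.append(f"{app}: second factor must differ from primary")  # 5636156
            if second == "totp" and not methods & {"password", "publickey"}:
                problems.append(f"{app}: TOTP needs a password or publickey primary")  # 5636212
            if app == "service_processor" and second != "publickey":
                problems.append("service_processor: second factor must be publickey/none")  # 5636225
        if tup.get("is_ns_switch_group") or tup.get("is_ldap_fastbind"):
            if methods != {"nsswitch"}:
                problems.append(f"{app}: group/fastbind flags need method nsswitch")  # 5636136/5636198
            if tup.get("is_ns_switch_group") and app not in NS_SWITCH_GROUP_APPS:
                problems.append(f"{app}: is_ns_switch_group only for ssh/ontapi/http")
    return problems


def create_account(base_url: str, admin_user: str, admin_pass: str, body: dict):
    """Validate locally, POST the body, and return (status, Location header) of the 201 reply."""
    problems = validate_account(body)
    if problems:
        raise ValueError("; ".join(problems))
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/security/accounts", method="POST", data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location")
```

A server-side rejection still comes back as the error body shown above; the local check only catches the combinations this page documents before the request leaves the client.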
Definitions
href
Name | Type | Description |
---|---|---|
href | string | |
_links
Name | Type | Description |
---|---|---|
self | href | |
account_application
Name | Type | Description |
---|---|---|
application | string | Applications |
authentication_methods | array[string] | |
is_ldap_fastbind | boolean | Optional property that specifies the mode of authentication as LDAP Fastbind. |
is_ns_switch_group | boolean | Optional property that specifies whether the user is an LDAP or NIS group. |
second_authentication_method | string | An optional additional authentication method for multifactor authentication (MFA). This property is only supported for SSH (ssh) and Service Processor (service_processor) applications. It is ignored for all other applications. Time-based One-Time Passwords (TOTPs) are only supported with the authentication method password or public key. For the Service Processor (service_processor) application, none and publickey are the only supported enum values. |
owner
Owner name and UUID that uniquely identifies the user account.
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | The name of the SVM. This field cannot be specified in a PATCH method. |
uuid | string | The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
role
Name | Type | Description |
---|---|---|
_links | _links | |
name | string | Role name |
account
Name | Type | Description |
---|---|---|
_links | _links | |
applications | array[account_application] | |
authentication_methods | array[string] | |
comment | string | Optional comment for the user account. |
locked | boolean | Locked status of the account. |
name | string | User or group account name |
owner | owner | Owner name and UUID that uniquely identifies the user account. |
password | string | Password for the account. The password can contain a mix of lower and upper case alphabetic characters, digits, and special characters. |
password_hash_algorithm | string | Password hash algorithm used to generate a hash of the user's password for password matching. To modify "password_hash_algorithm", use REST API "/api/security/authentication/password". |
public_key | string | Public key for SSH. |
role | role | |
scope | string | Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
ssl_ca_certificate | string | SSL certificate for the chain of certificate authorities (CA) that have signed this user's client certificate. |
error_arguments
Name | Type | Description |
---|---|---|
code | string | Argument code |
message | string | Message argument |
returned_error
Name | Type | Description |
---|---|---|
arguments | array[error_arguments] | Message arguments |
code | string | Error code |
message | string | Error message |
target | string | The target parameter that caused the error. |