REST API reference
Add a privilege tuple to an existing role
Suggest changes
-
PDF of this doc site
Collection of separate PDF docs
Creating your file...
POST /security/roles/{owner.uuid}/{name}/privileges
Introduced In: 9.6
Adds a privilege tuple (of REST URI or command/command directory path, its access level and an optional query, if the "path" refers to a command/command directory path) to an existing role or creates a new role with the provided tuple.
Required parameters
-
owner.uuid- UUID of the SVM that houses this role. -
name- Name of the role to be updated. -
path- REST URI path (example: /api/storage/volumes) or command/command directory path (example: snaplock compliance-clock). Can be a resource-qualified endpoint (example: /api/storage/volumes/43256a71-be02-474d-a2a9-9642e12a6a2c/snapshots). Currently, resource-qualified endpoints are limited to the following:
Snapshots APIs
– /api/storage/volumes/{volume.uuid}/snapshots
File System Analytics APIs
– /api/storage/volumes/{volume.uuid}/files
– /api/storage/volumes/{volume.uuid}/top-metrics/clients
– /api/storage/volumes/{volume.uuid}/top-metrics/directories
– /api/storage/volumes/{volume.uuid}/top-metrics/files
– /api/storage/volumes/{volume.uuid}/top-metrics/users
– /api/svm/svms/{svm.uuid}/top-metrics/clients
– /api/svm/svms/{svm.uuid}/top-metrics/directories
– /api/svm/svms/{svm.uuid}/top-metrics/files
– /api/svm/svms/{svm.uuid}/top-metrics/users
In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs. The {volume.uuid} refers to the -instance-uuid field value in the "volume show" command output at diagnostic privilege level. It can also be fetched through REST endpoint /api/storage/volumes.
-
access- Desired access level for the REST URI path or command/command directory.
Related ONTAP commands
-
security login rest-role create -
security login role create
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
owner.uuid |
string |
path |
True |
Role owner UUID |
name |
string |
path |
True |
Role name |
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
Request Body
| Name | Type | Description |
|---|---|---|
_links |
||
access |
string |
Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'. |
path |
string |
Either of REST URI/endpoint OR command/command directory path. |
query |
string |
Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"access": "all",
"path": "volume move start",
"query": "-vserver vs1|vs2|vs3 -destination-aggregate aggr1|aggr2"
}Response
Status: 201, CreatedHeaders
| Name | Description | Type |
|---|---|---|
Location |
Useful for tracking the resource location |
string |
Error
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
1263347 |
Cannot modify pre-defined roles. |
5636129 |
A role with given name has not been defined. |
5636143 |
A Vserver admin cannot use the API with this access level. |
5636144 |
The value specified for the access level is not valid. |
5636168 |
This role is mapped to a rest-role and cannot be modified directly. Modifications must be done with rest-role. |
5636169 |
A character in the URI is not valid. |
5636170 |
The URI does not exist. |
5636173 |
This feature requires an effective cluster version of 9.6 or later. |
5636175 |
Vserver admin cannot have access to given API. |
5636184 |
The expanded REST roles for granular resource control feature is currently disabled. |
5636185 |
The specified UUID was not found. |
5636186 |
Expanded REST roles for granular resource control requires an effective cluster version of 9.10.1 or later. |
5636192 |
The query parameter cannot be specified for the privileges tuple with API endpoint entries. |
5636200 |
The specified value of the access parameter is invalid, if a command or command directory is specified in the path parameter. |
13434890 |
Vserver-ID failed for Vserver roles. |
13434891 |
UUID LookUp failed for Vserver roles. |
13434892 |
Roles is a required field. |
13434893 |
The SVM does not exist. |
Also see the table of common errors in the Response body overview section of this documentation.
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
self |
role_privilege
A tuple containing a REST endpoint or a command/command directory path and the access level assigned to that endpoint or command/command directory. If the "path" attribute refers to a command/command directory path, the tuple could additionally contain an optional query. The REST endpoint can be a resource-qualified endpoint. At present, the only supported resource-qualified endpoints are the following
Snapshots APIs
-
/api/storage/volumes/{volume.uuid}/snapshots
File System Analytics APIs
-
/api/storage/volumes/{volume.uuid}/files
-
/api/storage/volumes/{volume.uuid}/top-metrics/clients
-
/api/storage/volumes/{volume.uuid}/top-metrics/directories
-
/api/storage/volumes/{volume.uuid}/top-metrics/files
-
/api/storage/volumes/{volume.uuid}/top-metrics/users
-
/api/svm/svms/{svm.uuid}/top-metrics/clients
-
/api/svm/svms/{svm.uuid}/top-metrics/directories
-
/api/svm/svms/{svm.uuid}/top-metrics/files
-
/api/svm/svms/{svm.uuid}/top-metrics/users
-
/api/protocols/s3/services/{svm.uuid}/users
In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs. The {volume.uuid} refers to the -instance-uuid field value in the "volume show" command output at diagnostic privilege level. It can also be fetched through REST endpoint /api/storage/volumes.
| Name | Type | Description |
|---|---|---|
_links |
||
access |
string |
Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'. |
path |
string |
Either of REST URI/endpoint OR command/command directory path. |
query |
string |
Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |