REST API reference
Create a new cluster-scoped or SVM-scoped role
Suggest changes
-
PDF of this doc site
Collection of separate PDF docs
Creating your file...
POST /security/roles
Introduced In: 9.6
Creates a new cluster-scoped role or an SVM-scoped role. For an SVM-scoped role, specify either the SVM name as the owner.name or SVM UUID as the owner.uuid in the request body along with other parameters for the role. The owner.uuid or owner.name are not required to be specified for a cluster-scoped role.
Required parameters
-
name- Name of the role to be created. -
privileges- Array of privilege tuples. Each tuple consists of a REST API or command/command directory path and its desired access level. If the tuple refers to a command/command directory path, it could optionally contain a query.
Optional parameters
-
owner.nameorowner.uuid- Name or UUID of the SVM for an SVM-scoped role.
Related ONTAP commands
-
security login rest-role create -
security login role create
Learn more
Parameters
| Name | Type | In | Required | Description |
|---|---|---|---|---|
return_records |
boolean |
query |
False |
The default is false. If set to true, the records are returned.
|
Request Body
| Name | Type | Description |
|---|---|---|
_links |
||
builtin |
boolean |
Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted. |
comment |
string |
Comment |
name |
string |
Role name |
owner |
Owner name and UUID that uniquely identifies the role. |
|
privileges |
array[role_privilege] |
The list of privileges that this role has been granted. |
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
Example request
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"comment": "string",
"name": "admin",
"owner": {
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"name": "svm1",
"uuid": "02c9e252-41be-11e9-81d5-00a0986138f7"
},
"privileges": [
{
"_links": {
"self": {
"href": "/api/resourcelink"
}
},
"access": "all",
"path": "volume move start",
"query": "-vserver vs1|vs2|vs3 -destination-aggregate aggr1|aggr2"
}
],
"scope": "string"
}Response
Status: 201, CreatedHeaders
| Name | Description | Type |
|---|---|---|
Location |
Useful for tracking the resource location |
string |
Error
Status: DefaultONTAP Error Response Codes
| Error Code | Description |
|---|---|
1263347 |
Cannot modify pre-defined roles |
2621462 |
The supplied SVM does not exist. |
5636129 |
Role with given name has not been defined. |
5636143 |
Vserver admin cannot use the API with this access level. |
5636144 |
Invalid value specified for access level. |
5636168 |
This role is mapped to a rest-role and cannot be modified directly. Modifications must be done with rest-role. |
5636169 |
Invalid character in URI. |
5636170 |
URI does not exist. |
5636171 |
Role already exists in legacy role table. |
5636184 |
Expanded REST roles for granular resource control feature is currently disabled. |
5636185 |
The specified UUID was not found. |
5636186 |
Expanded REST roles for granular resource control requires an effective cluster version of 9.10.1 or later. |
5636191 |
The "path" parameter in a "privileges" tuple can contain only API endpoint entries or only command and command directory entries. |
5636192 |
The query parameter cannot be specified for the privileges tuple with API endpoint entries. |
5636200 |
The specified value of the access parameter is invalid, if a command or command directory is specified in the path parameter. |
13434890 |
Vserver-ID failed for Vserver roles. |
13434891 |
UUID lookup failed for Vserver roles. |
13434892 |
Roles is a required field. |
Also see the table of common errors in the Response body overview section of this documentation.
| Name | Type | Description |
|---|---|---|
error |
Example error
{
"error": {
"arguments": [
{
"code": "string",
"message": "string"
}
],
"code": "4",
"message": "entry doesn't exist",
"target": "uuid"
}
}Definitions
See Definitions
href
| Name | Type | Description |
|---|---|---|
href |
string |
_links
| Name | Type | Description |
|---|---|---|
self |
owner
Owner name and UUID that uniquely identifies the role.
| Name | Type | Description |
|---|---|---|
_links |
||
name |
string |
The name of the SVM. This field cannot be specified in a PATCH method. |
uuid |
string |
The unique identifier of the SVM. This field cannot be specified in a PATCH method. |
role_privilege
A tuple containing a REST endpoint or a command/command directory path and the access level assigned to that endpoint or command/command directory. If the "path" attribute refers to a command/command directory path, the tuple could additionally contain an optional query. The REST endpoint can be a resource-qualified endpoint. At present, the only supported resource-qualified endpoints are the following
Snapshots APIs
-
/api/storage/volumes/{volume.uuid}/snapshots
File System Analytics APIs
-
/api/storage/volumes/{volume.uuid}/files
-
/api/storage/volumes/{volume.uuid}/top-metrics/clients
-
/api/storage/volumes/{volume.uuid}/top-metrics/directories
-
/api/storage/volumes/{volume.uuid}/top-metrics/files
-
/api/storage/volumes/{volume.uuid}/top-metrics/users
-
/api/svm/svms/{svm.uuid}/top-metrics/clients
-
/api/svm/svms/{svm.uuid}/top-metrics/directories
-
/api/svm/svms/{svm.uuid}/top-metrics/files
-
/api/svm/svms/{svm.uuid}/top-metrics/users
-
/api/protocols/s3/services/{svm.uuid}/users
In the above APIs, wildcard character * could be used in place of {volume.uuid} or {svm.uuid} to denote all volumes or all SVMs, depending upon whether the REST endpoint references volumes or SVMs. The {volume.uuid} refers to the -instance-uuid field value in the "volume show" command output at diagnostic privilege level. It can also be fetched through REST endpoint /api/storage/volumes.
| Name | Type | Description |
|---|---|---|
_links |
||
access |
string |
Access level for the REST endpoint or command/command directory path. If it denotes the access level for a command/command directory path, the only supported enum values are 'none','readonly' and 'all'. |
path |
string |
Either of REST URI/endpoint OR command/command directory path. |
query |
string |
Optional attribute that can be specified only if the "path" attribute refers to a command/command directory path. The privilege tuple implicitly defines a set of objects the role can or cannot access at the specified access level. The query further reduces this set of objects to a subset of objects that the role is allowed to access. The query attribute must be applicable to the command/command directory specified by the "path" attribute. It is defined using one or more parameters of the command/command directory path specified by the "path" attribute. |
role
A named set of privileges that defines the rights an account has when it is assigned the role.
| Name | Type | Description |
|---|---|---|
_links |
||
builtin |
boolean |
Indicates if this is a built-in (pre-defined) role which cannot be modified or deleted. |
comment |
string |
Comment |
name |
string |
Role name |
owner |
Owner name and UUID that uniquely identifies the role. |
|
privileges |
array[role_privilege] |
The list of privileges that this role has been granted. |
scope |
string |
Scope of the entity. Set to "cluster" for cluster owned objects and to "svm" for SVM owned objects. |
error_arguments
| Name | Type | Description |
|---|---|---|
code |
string |
Argument code |
message |
string |
Message argument |
returned_error
| Name | Type | Description |
|---|---|---|
arguments |
array[error_arguments] |
Message arguments |
code |
string |
Error code |
message |
string |
Error message |
target |
string |
The target parameter that caused the error. |