To create new user roles, you should log in as an administrator of the storage systems running ONTAP. You can create ONTAP roles using ONTAP System Manager 9.8P1 or later.

Each ONTAP role has an associated username and password pair, which constitute the credentials of the role. If you do not log in by using these credentials, you cannot access the storage operations that are associated with the role.

As a security measure, ONTAP tools for VMware vSphere specific ONTAP roles are ordered hierarchically. This means the first role is the most restrictive and has only the privileges associated with the most basic set of ONTAP tools for VMware vSphere storage operations. The next role includes its own privileges and all the privileges associated with the previous role. Each additional role is less restrictive regarding the supported storage operations.

The following are some of the recommended ONTAP RBAC roles when using ONTAP tools for VMware vSphere. After you create these roles, you can assign them to users who must perform tasks related to storage, such as provisioning virtual machines.

If you are using ONTAP tools for VMware vSphere, you should also set up a policy-based management (PBM) role. This role enables you to manage storage by using storage policies. This role requires that you also set up the “Discovery” role.