
Learn about ONTAP tools for VMware vSphere 10 RBAC

Contributors dmp-netapp

Role-based access control (RBAC) is a security framework for controlling access to resources within an organization. RBAC simplifies administration by defining roles with specific levels of authority to perform actions, instead of assigning authorization to individual users. The defined roles are assigned to users, which helps reduce risk of error and simplifies management of access control across your organization.

The standard RBAC model is defined as a series of levels of increasing complexity. As a result, actual RBAC deployments differ according to the needs of the software vendors and their customers, and range from relatively simple to very complex.

RBAC components

At a high level, there are several components which are generally included with every RBAC implementation. These components are bound together in different ways as part of defining the authorization processes.

Privileges

A privilege is an action or capability that can be allowed or denied. It might be something simple such as the ability to read a file or it could be a more abstract operation specific to a given software system. Privileges can also be defined to restrict access to REST API endpoints and CLI commands. Every RBAC implementation includes pre-defined privileges and may also allow administrators to create custom privileges.

Roles

A role is a container that includes one or more privileges. Roles are generally defined based on particular tasks or job functions. When a role is assigned to a user, the user is granted all the privileges contained in the role. As with privileges, implementations include pre-defined roles and generally allow custom roles to be created.

Objects

An object represents a real or abstract resource identified within the RBAC environment. The actions defined through the privileges are performed on or with the associated objects. Depending on the implementation, privileges can be granted to an object type or a specific object instance.

Users and groups

A user is assigned, or otherwise associated with, a role that is applied after the user authenticates. Some RBAC implementations allow only one role to be assigned to a user, while others allow multiple roles per user, perhaps with only one role active at a time. Assigning roles to groups can further simplify security administration.

Permissions

A permission is a definition that binds a user or group, together with a role, to an object. Permissions are especially useful with a hierarchical object model, where they can optionally be inherited by the children in the hierarchy.
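The components described above, as an added example that is not NetApp's or VMware's code: a small Python model in which roles contain privileges, permissions bind a user or group plus a role to an object, and a permission on a parent object is inherited by its children only when it propagates. The roles, privileges, groups and object names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Obj:                       # a resource in a parent/child hierarchy
    name: str
    parent: "Obj | None" = None

@dataclass
class Permission:                # binds a user or group plus a role to an object
    principal: str
    role: str
    obj: Obj
    propagate: bool = True       # inherited by the object's children

# Constructed roles and group membership (not ONTAP or vCenter definitions).
ROLES = {
    "datastore-reader": {"datastore.read"},
    "datastore-admin": {"datastore.read", "datastore.create", "datastore.delete"},
}
GROUPS = {"storage-team": {"alice", "bob"}}

def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def effective_privileges(user, obj, permissions):
    """Union of privileges from every permission that reaches obj: a permission
    on obj itself always applies, one on an ancestor only if it propagates."""
    who, privs = principals_for(user), set()
    depth, node = 0, obj
    while node is not None:
        for p in permissions:
            if p.obj is node and p.principal in who and (depth == 0 or p.propagate):
                privs |= ROLES[p.role]
        depth, node = depth + 1, node.parent
    return privs

def is_allowed(user, privilege, obj, permissions):
    return privilege in effective_privileges(user, obj, permissions)

# Constructed sample hierarchy: vcenter -> datacenter-1 -> datastore-a
root = Obj("vcenter")
dc = Obj("datacenter-1", root)
ds = Obj("datastore-a", dc)
PERMS = [
    Permission("storage-team", "datastore-reader", root),       # read everywhere
    Permission("alice", "datastore-admin", dc),                 # admin below dc
    Permission("bob", "datastore-admin", ds, propagate=False),  # admin on ds only
]
```

Because bob's admin permission does not propagate, a child object of datastore-a would receive only the read privilege inherited from the group's permission on the root.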

Two RBAC environments

There are two distinct RBAC environments you need to consider when working with ONTAP tools for VMware vSphere 10.

VMware vCenter Server

The RBAC implementation in VMware vCenter Server is used to restrict access to objects exposed through the vSphere Client user interface. As part of installing ONTAP tools for VMware vSphere 10, the RBAC environment is extended to include additional objects representing the capabilities of ONTAP tools. Access to these objects is provided through the remote plug-in. See vCenter Server RBAC environment for more information.

ONTAP cluster

ONTAP tools for VMware vSphere 10 connects to an ONTAP cluster through the ONTAP REST API to perform storage-related operations. Access to the storage resources is controlled through the ONTAP role associated with the ONTAP user provided during authentication. See ONTAP RBAC environment for more information.