Configure ONTAP user roles and privileges
Configure user roles and privileges for storage backends with the JSON file from ONTAP tools for VMware vSphere and ONTAP System Manager.
- Download the ONTAP Privileges file from ONTAP tools for VMware vSphere using https://<ONTAPtoolsIP>:8443/virtualization/user-privileges/users_roles.zip. After downloading the zip file, you find two JSON files. Use the ASA r2-specific JSON file when configuring an ASA r2 system.
  You can create users at the cluster level or directly at the storage virtual machine (SVM) level. If you do not use the users_roles.json file, ensure the user has the minimum required SVM permissions.
- Log in with administrator privileges for the storage backend.
- Extract the users_roles.zip file that you downloaded.
- Access ONTAP System Manager using the cluster management IP address of the cluster.
- Log in to the cluster with admin privileges. To configure a user:
  - To configure a cluster ONTAP tools user, select Cluster > Settings > Users and Roles.
  - To configure an SVM ONTAP tools user, select Storage SVM > Settings > Users and Roles.
- Select Add under Users.
- In the Add User dialog box, select Virtualization products.
- Browse to select and upload the ONTAP Privileges JSON file: users_roles.json for non-ASA r2 systems, users_roles_ASAr2.json for ASA r2 systems.
  ONTAP tools automatically populates the Product field.
- Select the product capability (VSC, VASA Provider and SRA) from the drop-down.
  ONTAP tools automatically populates the Role field based on the product capability you select.
- Enter the required username and password.
- Select the privileges (Discovery, Create Storage, Modify Storage, Destroy Storage, NAS/SAN Role) the user needs, and then select Add.

ONTAP tools adds the new role and user. You can view the privileges under the role you configured.
SVM aggregate mapping requirements
When provisioning datastores using SVM user credentials, ONTAP tools for VMware vSphere creates volumes on the aggregate specified in the datastores POST API. ONTAP prevents SVM users from creating volumes on aggregates not mapped to the SVM. Map the SVM to the required aggregates using the ONTAP REST API or CLI before creating volumes.
REST API:
PATCH "/api/svm/svms/f16f0935-5281-11e8-b94d-005056b46485" '{"aggregates":{"name":["aggr1","aggr2","aggr3"]}}'
ONTAP CLI:
sti115_vsim_ucs630f_aggr1
vserver show-aggregates
                                                    Available
Vserver        Aggregate                  State     Size       Type     SnapLock Type
-------------- -------------------------- --------- ---------- -------- --------------
svm_test       sti115_vsim_ucs630f_aggr1  online    10.11GB    vmdisk   non-snaplock
Create ONTAP user and role manually
Create users and roles manually without the JSON file.
- Access ONTAP System Manager using the cluster management IP address of the cluster.
- Log in to the cluster with admin privileges.
- To configure cluster ONTAP tools roles, select Cluster > Settings > Users and Roles.
- To configure SVM ONTAP tools roles, select Storage SVM > Settings > Users and Roles.
- Create roles:
  - Select Add under the Roles table.
  - Enter the Role name and Role Attributes details. Add the REST API Path and choose the access from the drop-down list.
  - Add all the needed APIs and save the changes.
- Create users:
  - Select Add under the Users table.
  - In the Add User dialog box, select System Manager.
  - Enter the Username.
  - Select a Role from the options created in the Create roles step above.
  - Enter the applications to give access to and the authentication method. ONTAPI and HTTP are the required applications, and the authentication type is Password.
  - Set the Password for the user and save the user.
List of minimum privileges required for non-admin global scoped cluster user
This section lists the minimum privileges required for a non-admin global-scoped cluster user without a JSON file. If a cluster is in local scope, use the JSON file to create users because ONTAP tools for VMware vSphere needs more than just the Read privileges for provisioning on ONTAP.
You can access functionality by using the following APIs:

| API | Access level | Used for |
| --- | --- | --- |
| /api/cluster | Read-Only | Cluster configuration discovery |
| /api/cluster/licensing/licenses | Read-Only | License check for protocol-specific licenses |
| /api/cluster/nodes | Read-Only | Platform type discovery |
| /api/security/accounts | Read-Only | Privilege discovery |
| /api/security/roles | Read-Only | Privilege discovery |
| /api/storage/aggregates | Read-Only | Aggregate space check during datastore/volume provisioning |
| /api/storage/cluster | Read-Only | To get the cluster level space and efficiency data |
| /api/storage/disks | Read-Only | To get the disks associated in an aggregate |
| /api/storage/qos/policies | Read/Create/Modify | QoS and VM policy management |
| /api/svm/svms | Read-Only | To get SVM configuration when the cluster is added locally |
| /api/network/ip/interfaces | Read-Only | Add storage backend: to identify whether the management LIF scope is cluster or SVM |
| /api/storage/availability-zones | Read-Only | SAZ discovery. Applicable to ONTAP 9.16.1 release onwards and ASA r2 systems |
| /api/cluster/metrocluster | Read-Only | Gets MetroCluster status and configuration details |
Create ONTAP tools for VMware vSphere ONTAP API based cluster scoped user
Note: Discovery, create, modify, and destroy privileges are required for PATCH operations and automatic rollback on datastores. Missing permissions might cause workflow and cleanup issues.
An ONTAP API-based user with discovery, create, modify, and destroy privileges can manage ONTAP tools workflows.
To create a cluster scoped user with all privileges mentioned above, run the following commands:
security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all
security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all
security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all
security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all
security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all
security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all
security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all
security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all
security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all
security login rest-role create -role <role-name> -api /api/storage/volumes -access all
security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all
security login rest-role create -role <role-name> -api /api/storage/luns -access all
security login rest-role create -role <role-name> -api /api/storage/namespaces -access all
security login rest-role create -role <role-name> -api /api/storage/qos/policies -access all
security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create
security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create
security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create
security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create
security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create
security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify
security login rest-role create -role <role-name> -api /api/cluster -access readonly
security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly
security login rest-role create -role <role-name> -api /api/cluster/licensing/licenses -access readonly
security login rest-role create -role <role-name> -api /api/cluster/nodes -access readonly
security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly
security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly
security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly
security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly
security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly
security login rest-role create -role <role-name> -api /api/network/fc/ports -access readonly
security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly
security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly
security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly
security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly
security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly
security login rest-role create -role <role-name> -api /api/security/accounts -access readonly
security login rest-role create -role <role-name> -api /api/security/roles -access readonly
security login rest-role create -role <role-name> -api /api/storage/aggregates -access readonly
security login rest-role create -role <role-name> -api /api/storage/cluster -access readonly
security login rest-role create -role <role-name> -api /api/storage/disks -access readonly
security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly
security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly
security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly
security login rest-role create -role <role-name> -api /api/svm/peers -access readonly
security login rest-role create -role <role-name> -api /api/svm/svms -access readonly
security login rest-role create -role <role-name> -api /api/cluster/metrocluster -access readonly
Additionally, for ONTAP versions 9.16.0 and later, run the following command:
security login rest-role create -role <role-name> -api /api/storage/storage-units -access all
For ASA r2 systems on ONTAP versions 9.16.1 and later, run the following command:
security login rest-role create -role <role-name> -api /api/storage/availability-zones -access readonly
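The privilege table and the command list above are only useful if the role on the cluster actually matches them: a missing path breaks the PATCH and rollback workflows the note warns about, and a path granted at "all" where the page requires readonly is excess privilege for a service account. The following Python is an added example, not code from the ONTAP tools documentation. It parses the page's own `security login rest-role create` text (even in the run-together form) into the expected access per path, and compares it with a role's privileges as returned by the ONTAP REST endpoint GET /api/security/roles/{owner.uuid}/{name}; the page excerpt, the role contents and the role name are constructed samples, so it runs offline.

```python
# Added example (not from the ONTAP tools docs): audit a REST role against this page's list.
import re
from typing import Dict, List, Set

# Operations granted by each rest-role -access level used on this page.
OPS: Dict[str, Set[str]] = {
    "readonly": {"read"},
    "read_create": {"read", "create"},
    "read_modify": {"read", "modify"},
    "all": {"read", "create", "modify", "delete"},
}
# Matches '-api <path> -access <level>'; the path may be double-quoted.
CMD_RE = re.compile(r'-api\s+"?([^\s"]+)"?\s+-access\s+(\S+)')

def parse_rest_role_commands(text: str) -> Dict[str, str]:
    """Return {api_path: access} from 'security login rest-role create' text,
    whether one command per line or run together as printed on this page."""
    found: Dict[str, str] = {}
    for path, access in CMD_RE.findall(text):
        if access not in OPS:
            raise ValueError(f"unknown access level {access!r} for {path}")
        found[path] = access
    return found

def audit_role(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, List[str]]:
    """missing: required path absent (workflows and rollback fail); insufficient: path lacks
    a required operation; over_broad: path grants more than required; excess: unlisted path."""
    r: Dict[str, List[str]] = {"missing": [], "insufficient": [], "over_broad": [], "excess": []}
    for path, level in expected.items():
        if path not in actual:
            r["missing"].append(path)
            continue
        have, need = OPS.get(actual[path], set()), OPS[level]
        if not need <= have:
            r["insufficient"].append(path)
        if not have <= need:
            r["over_broad"].append(path)
    r["excess"] = [p for p in actual if p not in expected]
    return r

def audit_from_page(role_json: dict, page_text: str) -> Dict[str, List[str]]:
    """role_json mirrors GET /api/security/roles/{owner.uuid}/{name} (its 'privileges' list)."""
    actual = {p["path"]: p["access"] for p in role_json["privileges"]}
    return audit_role(actual, parse_rest_role_commands(page_text))

# Constructed excerpt of the page's cluster-scoped command list, run together as printed.
PAGE_EXCERPT = (
    "security login rest-role create -role <role-name> -api /api/storage/volumes -access all "
    'security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all '
    "security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create "
    "security login rest-role create -role <role-name> -api /api/security/roles -access readonly"
)
# Constructed hand-built role: snapshots path omitted, clone too broad, unrelated path added.
ROLE_JSON = {"name": "otv_cluster_role", "privileges": [
    {"path": "/api/storage/volumes", "access": "all"},
    {"path": "/api/storage/file/clone", "access": "all"},
    {"path": "/api/security/roles", "access": "readonly"},
    {"path": "/api/security/authentication/password", "access": "all"},
]}
```

To audit a real role, paste the full command list for the scope you use into PAGE_EXCERPT and feed the JSON of the role's GET response to audit_from_page; anything in missing or insufficient explains failed workflows, anything in over_broad or excess is privilege to remove.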
Create ONTAP tools for VMware vSphere ONTAP API based SVM scoped user
Run the following commands to create an SVM scoped user with all privileges:
security login rest-role create -role <role-name> -api /api/application/consistency-groups -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/private/cli/snapmirror -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nfs/export-policies -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystem-maps -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nvme/subsystems -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/san/igroups -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/san/lun-maps -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/san/vvol-bindings -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/snapmirror/relationships -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/volumes -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api "/api/storage/volumes/*/snapshots" -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/luns -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/namespaces -access all -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/cluster/schedules -access read_create -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/snapmirror/policies -access read_create -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/file/clone -access read_create -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/file/copy -access read_create -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/support/ems/application-logs -access read_create -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nfs/services -access read_modify -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/cluster -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/cluster/jobs -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/cluster/peers -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/name-services/name-mappings -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/network/ethernet/ports -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/network/fc/interfaces -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/network/fc/logins -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/network/ip/interfaces -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nfs/kerberos/interfaces -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/nvme/interfaces -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/san/fcp/services -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/protocols/san/iscsi/services -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/security/accounts -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/security/roles -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/qtrees -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/quota/reports -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/storage/snapshot-policies -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/svm/peers -access readonly -vserver <vserver-name>
security login rest-role create -role <role-name> -api /api/svm/svms -access readonly -vserver <vserver-name>
Additionally, for ONTAP versions 9.16.0 and later, run the following command:
security login rest-role create -role <role-name> -api /api/storage/storage-units -access all -vserver <vserver-name>
To create a new API-based user with the API-based role created above, run the following command:
security login create -user-or-group-name <user-name> -application http -authentication-method password -role <role-name> -vserver <cluster-or-vserver-name>
Example:
security login create -user-or-group-name testvpsraall -application http -authentication-method password -role OTV_10_VP_SRA_Discovery_Create_Modify_Destroy -vserver C1_sti160-cluster
Run the following command to unlock the account and enable management interface access:
security login unlock -user <user-name> -vserver <cluster-or-vserver-name>
Example:
security login unlock -user testvpsraall -vserver C1_sti160-cluster
Upgrade ONTAP tools for VMware vSphere 10.1 user to 10.3 user
For an ONTAP tools for VMware vSphere 10.1 cluster-scoped user created using the JSON file, use the following ONTAP CLI commands with admin user privileges to upgrade to the 10.3 release.
For product capabilities:
- VSC
- VSC and VASA Provider
- VSC and SRA
- VSC, VASA Provider, and SRA
Cluster privileges:
security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace show" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem show" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host show" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map show" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme show-interface" -access read
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host add" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map add" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace delete" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem delete" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host remove" -access all
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map remove" -access all
For an ONTAP tools for VMware vSphere 10.1 SVM-scoped user created using the JSON file, use the following ONTAP CLI commands with admin user privileges to upgrade to the 10.3 release.
SVM privileges:
security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace show" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem show" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host show" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map show" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme show-interface" -access read -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host add" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map add" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace delete" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem delete" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host remove" -access all -vserver <vserver-name>
security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map remove" -access all -vserver <vserver-name>
To enable the following commands, add the commands vserver nvme namespace show and vserver nvme subsystem show to the existing role:
vserver nvme namespace create
vserver nvme namespace modify
vserver nvme subsystem create
vserver nvme subsystem modify
Upgrade ONTAP tools for VMware vSphere 10.3 user to 10.4 user
Beginning with ONTAP 9.16.1, you can upgrade the ONTAP tools for VMware vSphere 10.3 user to a 10.4 user.
For an ONTAP tools for VMware vSphere 10.3 cluster-scoped user created using the JSON file on ONTAP version 9.16.1 or later, use the following ONTAP CLI command with admin user privileges to upgrade to the 10.4 release.
For product capabilities:
- VSC
- VSC and VASA Provider
- VSC and SRA
- VSC, VASA Provider, and SRA
Cluster privileges:
security login role create -role <existing-role-name> -cmddirname "storage availability-zone show" -access all