Skip to main content
ONTAP tools for VMware vSphere 10.2

Configure ONTAP user roles and privileges

Contributors netapp-jani

You can configure new user roles and privileges for managing storage backends using the JSON file provided with ONTAP tools for VMware vSphere and ONTAP System Manager.

What you'll need

  • You should have downloaded the ONTAP privileges file from ONTAP tools for VMware vSphere using https://<loadbalancerIP>:8443/virtualization/user-privileges/users_roles.zip.

  • You should have downloaded the ONTAP Privileges file from ONTAP tools using https://<loadbalancerIP>:8443/virtualization/user-privileges/users_roles.zip.

    Note You can create users at cluster or directly at storage virtual machines (SVMs) level. You can also create users without using the user_roles.json file and if done so, you need to have a minimum set of privileges at SVM level.
  • You should have logged in with administrator privileges for the storage backend.

Steps

  1. Extract the downloaded https://<loadbalancerIP>:8443/virtualization/user-privileges/users_roles.zip file.

  2. Access ONTAP System Manager using the cluster management IP address of the cluster.

  3. Login to cluster with admin privileges. To configure a user, perform the following steps:

    1. To configure cluster ONTAP tools user, select Cluster > Settings > Users and Roles pane.

    2. To configure SVM ONTAP tools user, select Storage SVM > Settings > Users and Roles pane.

    3. Select Add under Users.

    4. In the Add User dialog box, select Virtualization products.

    5. Browse to select and upload the ONTAP Privileges JSON file.

      The Product field is auto populated.

    6. Select the required capability from the product capability drop-down menu.

      The Role field is auto populated based on the product capability selected.

    7. Enter the required username and password.

    8. Select the privileges (Discovery, Create Storage, Modify Storage, Destroy Storage, NAS/SAN Role) required for the user, and then click Add.

The new role and user are added, and you can see the detailed privileges under the role that you have configured.

Note The uninstall operation does not remove ONTAP tool roles but removes the localized names for the ONTAP tool specific privileges and appends the prefix XXX missing privilege to them. When you reinstall ONTAP tools for VMware vSphere or upgrade to a newer version, all the standard ONTAP tools for VMware vSphere roles and ONTAP tools-specific privileges are restored.

SVM aggregate mapping requirements

To use SVM user credentials for provisioning datastores, internally ONTAP tools for VMware vSphere creates volumes on the aggregate specified in the datastores POST API. The ONTAP does not allow the creation of volumes on unmapped aggregates on an SVM using SVM user credentials. To resolve this, you need to map the SVMs with the aggregates using the ONTAP REST API or CLI as described here.

REST API:

PATCH "/api/svm/svms/f16f0935-5281-11e8-b94d-005056b46485" '{"aggregates":{"name":["aggr1","aggr2","aggr3"]}}'

ONTAP CLI:

sti115_vsim_ucs630f_aggr1 vserver show-aggregates                                        AvailableVserver        Aggregate      State         Size Type    SnapLock Type-------------- -------------- ------- ---------- ------- --------------svm_test       sti115_vsim_ucs630f_aggr1                               online     10.11GB vmdisk  non-snaplock

Create ONTAP user and role manually

Follow the instructions in this section to create the user and roles manually without using the JSON file.

  1. Access ONTAP System Manager using the cluster management IP address of the cluster.

  2. Login to cluster with admin privileges.

    1. To configure cluster ONTAP tools roles, select Cluster > Settings > Users and Roles pane.

    2. To configure cluster SVM ONTAP tools roles, select Storage SVM > Settings > Users and Roles pane

  3. Create Roles:

    1. Select Add under Roles table.

    2. Enter the Role name and Role Attributes details.

      Add the REST API Path and the respective access from the drop down.

    3. Add all the needed APIs and save the changes.

  4. Create Users:

    1. Select Add under Users table.

    2. In the Add User dialog box, select System Manager.

    3. Enter the Username.

    4. Select Role from the options created in the Create Roles step above.

    5. Enter the applications to give access to and the authentication method. ONTAPI and HTTP are the required applications, and the authentication type is Password.

    6. Set the Password for the User and Save the user.

List of minimum privileges required for non-admin global scoped cluster user

The minimum privileges required for non-admin global scoped cluster user created without using the users JSON file are listed in this section. If a cluster is added in local scope, it is recommended to use the JSON file to create the users, as ONTAP tools for VMware vSphere requires more than just the Read privileges for provisioning on ONTAP.

Using APIs:

API

Access level

Used for

/api/cluster

Read-Only

Cluster Configuration Discovery

/api/cluster/licensing/licenses

Read-Only

License Check for Protocol specific licenses

/api/cluster/nodes

Read-Only

Platform type discovery

/api/storage/aggregates

Read-Only

Aggregate space check during Datastore/Volume provisioning

/api/storage/cluster

Read-Only

To get the Cluster level Space and Efficiency Data

/api/storage/disks

Read-Only

To get the Disks associated in an Aggregate

/api/storage/qos/policies

Read/Create/Modify

QoS and VM Policy management

/api/svm/svms

Read-Only

To get SVM configuration in the case the Cluster is added locally.

/api/network/ip/interfaces

Read-Only

Add Storage Backend - To identify the management LIF scope is Cluster/SVM

/api

Read-Only

Cluster users should have this privilege to get the correct storage backend status. Otherwise, ONTAP tools Manager shows "unknown" storage backend status.

Upgrade ONTAP tools for VMware vSphere 10.1 user to 10.2 user

If the ONTAP tools for VMware vSphere 10.1 user is a cluster scoped user created using the json file, then run the following commands on the ONTAP CLI using the admin user to upgrade to 10.2 release.

For product capabilities:

  • VSC

  • VSC and VASA Provider

  • VSC and SRA

  • VSC, VASA Provider, and SRA.

Cluster privileges:

security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace show" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem show" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host show" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map show" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme show-interface" -access read

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host add" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map add" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace delete" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem delete" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host remove" -access all

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map remove" -access all

If the ONTAP tools for VMware vSphere 10.1 user is a SVM scoped user created using the json file, then run the following commands on the ONTAP CLI using the admin user to upgrade to 10.2 release.

SVM privileges:

security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace show" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem show" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host show" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map show" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme show-interface" -access read -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host add" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map add" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme namespace delete" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem delete" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem host remove" -access all -vserver <vserver-name>

security login role create -role <existing-role-name> -cmddirname "vserver nvme subsystem map remove" -access all -vserver <vserver-name>

Adding command vserver nvme namespace show and vserver nvme subsystem show to the existing role adds the following commands.

vserver nvme namespace create

vserver nvme namespace modify

vserver nvme subsystem create

vserver nvme subsystem modify