There are several options available when using ONTAP RBAC depending on your environment and goals. An overview of the major administrative decisions is presented below. Also see ONTAP Automation: Overview of RBAC security for more information.

An ONTAP role is required when defining an ONTAP user. There are two types of ONTAP roles:

While the REST roles were introduced more recently, the traditional roles have some advantages. For example, additional query parameters can optionally be included so the privileges more precisely define the objects they are applied to.

ONTAP roles can be defined with one of two different scopes. They can be applied to a specific data SVM (SVM level) or to the entire ONTAP cluster (cluster level).

ONTAP provides a set of pre-defined roles at both the cluster and SVM level. You can also define custom roles.

There are several considerations when using the ONTAP REST roles included with ONTAP tools for VMware vSphere 10.

Whether using a traditional or REST role, all ONTAP access decisions are made based on the underlying CLI command. But because the privileges in a REST role are defined in terms of the REST API endpoints, ONTAP needs to create a mapped traditional role for each of the REST roles. Therefore each REST role maps to an underlying traditional role. This allows ONTAP to make access control decisions in a consistent way regardless of the role type. You cannot modify the parallel mapped roles.

Because ONTAP always uses the CLI commands to determine access at a base level, it's possible to express a REST role using CLI command privileges instead of REST endpoints. One benefit of this approach is the additional granularity available with the traditional roles.

You can create users and roles with the ONTAP CLI and REST API. However, it's more convenient to use the System Manager interface along with the JSON file available through the ONTAP tools Manager. See Use ONTAP RBAC with ONTAP tools for VMware vSphere 10 for more information.