Skip to main content
ONTAP tools for VMware vSphere 9.12
A newer release of this product is available.

How to configure ONTAP role-based access control for ONTAP tools for VMware vSphere


You must configure ONTAP role-based access control (RBAC) on the storage system if you want to use role-based access control with ONTAP tools for VMware vSphere. You can create one or more custom user accounts with limited access privileges with the ONTAP RBAC feature.

ONTAP tools and SRA can access storage systems at either the cluster level or the storage virtual machine (SVM)SVM level. If you are adding storage systems at the cluster level, then you must provide the credentials of the admin user to provide all of the required capabilities. If you are adding storage systems by directly adding SVM details, you must be aware that the “vsadmin” user does not have all of the required roles and capabilities to perform certain tasks.

VASA Provider can access storage systems only at the cluster level. If VASA Provider is required for a particular storage controller, then the storage system must be added to ONTAP tools at the cluster level even if you are using ONTAP tools or SRA.

To create a new user and to connect a cluster or an SVM to ONTAP tools, you should perform the following:

  • Create a cluster administrator or an SVM administrator role using ONTAP System Manager 9.8P1 or later. See Configure user roles and privileges for more information.

  • Create users with the role assigned and the appropriate application set using ONTAP

    You require these storage system credentials to configure the storage systems for ONTAP tools. You can configure storage systems for ONTAP tools by entering the credentials in ONTAP tools. Each time you log in to a storage system with these credentials, you will have permissions to the ONTAP tools functions that you had set up in ONTAP while creating the credentials.

  • Add the storage system to ONTAP tools and provide the credentials of the user that you just created

ONTAP tools roles

ONTAP tools classifies the ONTAP privileges into the following set of ONTAP tools roles:

  • Discovery

    Enables the discovery of all of the connected storage controllers

  • Create Storage

    Enables the creation of volumes and logical unit number (LUNs)

  • Modify Storage

    Enables the resizing and deduplication of storage systems

  • Destroy Storage

    Enables the destruction of volumes and LUNs

VASA Provider roles

You can create only Policy Based Management at the cluster level. This role enables policy-based management of storage using storage capabilities profiles.

SRA roles

SRA classifies the ONTAP privileges into a SAN or NAS role at either the cluster level or the SVM level. This enables users to run SRM operations.

ONTAP tools perform an initial privilege validation of ONTAP RBAC roles when you add the cluster to ONTAP tools. If you have added a direct SVM storage IP, then ONTAP tools does not perform the initial validation. ONTAP tools checks and enforces the privileges later in the task workflow.