Worksheets for administrator authentication and RBAC configuration

09/27/2024 Contributors

PDFs

Before creating login accounts and setting up role-based access control (RBAC), you should gather information for each item in the configuration worksheets.

You provide these values with the security login create command when you enable login accounts to access a storage VM. You provide the same values with the security login modify command when you modify how an account accesses a storage VM.

Field	Description	Your value
`-vserver`	The name of the storage VM that the account accesses. The default value is the name of the admin storage VM for the cluster.
`-user-or-group-name`	The user name or group name of the account. Specifying a group name enables access to each user in the group. You can associate a user name or group name with multiple applications.
`-application`	The application that is used to access the storage VM: `http` `ontapi` `snmp` `ssh`
`-authmethod`	The method that is used to authenticate the account: `cert` for SSL certificate authentication `domain` for Active Directory authentication `nsswitch` for LDAP or NIS authentication `password` for user password authentication `publickey` for public key authentication `community` for SNMP community strings `usm` for SNMP user security model `saml` for Security Assertion Markup Language (SAML) authentication
`-remote-switch-ipaddress`	The IP address of the remote switch. The remote switch can be a cluster switch monitored by the cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by the MetroCluster health monitor (MCC-HM). This option is applicable only when the application is `snmp` and the authentication method is `usm`.
`-role`	The access control role that is assigned to the account: For the cluster (the admin storage VM), the default value is `admin`. For a data storage VM, the default value is `vsadmin`.
`-comment`	(Optional) Descriptive text for the account. You should enclose the text in double quotation marks (").
`-is-ns-switch-group`	Whether the account is an LDAP group account or NIS group account (`yes` or `no`).
`-second-authentication-method`	Second authentication method in case of multifactor authentication: `none` if not using multifactor authentication, default value `publickey` for public key authentication when the `authmethod` is password or nsswitch `password` for user password authentication when the `authmethod` is public key `nsswitch` for user password authentication when the authmethod is publickey The order of authentication is always the public key followed by the password.
`-is-ldap-fastbind`	Beginning with ONTAP 9.11.1, when set to true, enables LDAP fast bind for nsswitch authentication; the default is false. To use LDAP fast bind, the `-authentication-method` value must be set to `nsswitch`. Learn about LDAP fastbind for nsswitch authentication.

Field

Description

Your value

-vserver

The name of the storage VM that the account accesses. The default value is the name of the admin storage VM for the cluster.

-user-or-group-name

The user name or group name of the account. Specifying a group name enables access to each user in the group. You can associate a user name or group name with multiple applications.

-application

The application that is used to access the storage VM:

http
ontapi
snmp
ssh

-authmethod

The method that is used to authenticate the account:

cert for SSL certificate authentication
domain for Active Directory authentication
nsswitch for LDAP or NIS authentication
password for user password authentication
publickey for public key authentication
community for SNMP community strings
usm for SNMP user security model
saml for Security Assertion Markup Language (SAML) authentication

-remote-switch-ipaddress

The IP address of the remote switch. The remote switch can be a cluster switch monitored by the cluster switch health monitor (CSHM) or a Fibre Channel (FC) switch monitored by the MetroCluster health monitor (MCC-HM). This option is applicable only when the application is snmp and the authentication method is usm.

-role

The access control role that is assigned to the account:

For the cluster (the admin storage VM), the default value is admin.
For a data storage VM, the default value is vsadmin.

-comment

(Optional) Descriptive text for the account. You should enclose the text in double quotation marks (").

-is-ns-switch-group

Whether the account is an LDAP group account or NIS group account (yes or no).

-second-authentication-method

Second authentication method in case of multifactor authentication:

none if not using multifactor authentication, default value
publickey for public key authentication when the authmethod is password or nsswitch
password for user password authentication when the authmethod is public key
nsswitch for user password authentication when the authmethod is publickey

The order of authentication is always the public key followed by the password.

-is-ldap-fastbind

Beginning with ONTAP 9.11.1, when set to true, enables LDAP fast bind for nsswitch authentication; the default is false. To use LDAP fast bind, the -authentication-method value must be set to nsswitch. Learn about LDAP fastbind for nsswitch authentication.

Configure Cisco Duo security information

You provide these values with the security login duo create command when you enable Cisco Duo two-factor authentication with SSH logins for a storage VM.

Field	Description	Your value
`-vserver`	The storage VM (referred to as a vserver in the ONTAP CLI) to which the Duo authentication settings apply.
`-integration-key`	Your integration key, obtained when registering your SSH application with Duo.
`-secret-key`	Your secret key, obtained when registering your SSH application with Duo.
`-api-host`	The API hostname, obtained when registering your SSH application with Duo. For example: api-<HOSTNAME>.duosecurity.com
`-fail-mode`	On service or configuration errors that prevent Duo authentication, fail `safe` (allow access) or `secure` (deny access). The default is `safe`, which means that Duo authentication is bypassed if it fails due to errors such as the Duo API server being inaccessible.
`-http-proxy`	Use the specified HTTP proxy. If the HTTP proxy requires authentication, include the credentials in the proxy URL. For example: http-proxy=http://username:password@proxy.example.org:8080
`-autopush`	Either `true` or `false`. Default is `false`. If `true`, Duo automatically sends a push login request to the user's phone, reverting to a phone call if push is unavailable. Note that this effectively disables passcode authentication. If `false`, the user is prompted to choose an authentication method. When configured with `autopush = true`, we recommend setting `max-prompts = 1`.
`-max-prompts`	If a user fails to authenticate with a second factor, Duo prompts the user to authenticate again. This option sets the maximum number of prompts that Duo displays before denying access. Must be `1`, `2`, or `3`. The default value is `1`. For example, when `max-prompts = 1`, the user needs to successfully authenticate on the first prompt, whereas if `max-prompts = 2`, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again. When configured with `autopush = true`, we recommend setting `max-prompts = 1`. For the best experience, a user with only publickey authentication will always have `max-prompts` set to `1`.
`-enabled`	Enable Duo two-factor authentication. Set to `true` by default. When enabled, Duo two-factor authentication is enforced during SSH login according to the configured parameters. When Duo is disabled (set to `false`), Duo authentication is ignored.
`-pushinfo`	This option provides additional information in the push notification, such as the name of the application or service being accessed. This helps users verify that they are logging in to the correct service and provides an additional layer of security.

Field

Description

Your value

-vserver

The storage VM (referred to as a vserver in the ONTAP CLI) to which the Duo authentication settings apply.

-integration-key

Your integration key, obtained when registering your SSH application with Duo.

-secret-key

Your secret key, obtained when registering your SSH application with Duo.

-api-host

The API hostname, obtained when registering your SSH application with Duo. For example:

api-<HOSTNAME>.duosecurity.com

-fail-mode

On service or configuration errors that prevent Duo authentication, fail safe (allow access) or secure (deny access). The default is safe, which means that Duo authentication is bypassed if it fails due to errors such as the Duo API server being inaccessible.

-http-proxy

Use the specified HTTP proxy. If the HTTP proxy requires authentication, include the credentials in the proxy URL. For example:

http-proxy=http://username:password@proxy.example.org:8080

-autopush

Either true or false. Default is false. If true, Duo automatically sends a push login request to the user's phone, reverting to a phone call if push is unavailable. Note that this effectively disables passcode authentication. If false, the user is prompted to choose an authentication method.

When configured with autopush = true, we recommend setting max-prompts = 1.

-max-prompts

If a user fails to authenticate with a second factor, Duo prompts the user to authenticate again. This option sets the maximum number of prompts that Duo displays before denying access. Must be 1, 2, or 3. The default value is 1.

For example, when max-prompts = 1, the user needs to successfully authenticate on the first prompt, whereas if max-prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.

When configured with autopush = true, we recommend setting max-prompts = 1.

For the best experience, a user with only publickey authentication will always have max-prompts set to 1.

-enabled

Enable Duo two-factor authentication. Set to true by default. When enabled, Duo two-factor authentication is enforced during SSH login according to the configured parameters. When Duo is disabled (set to false), Duo authentication is ignored.

-pushinfo

This option provides additional information in the push notification, such as the name of the application or service being accessed. This helps users verify that they are logging in to the correct service and provides an additional layer of security.

Define custom roles

You provide these values with the security login role create command when you define a custom role.

Field	Description	Your value
`-vserver`	(Optional) The name of the storage VM (referred to as a vserver in the ONTAP CLI) that is associated with the role.
`-role`	The name of the role.
`-cmddirname`	The command or command directory to which the role gives access. You should enclose command subdirectory names in double quotation marks ("). For example, `"volume snapshot"`. You must enter `DEFAULT` to specify all command directories.
`-access`	(Optional) The access level for the role. For command directories: `none` (the default value for custom roles) denies access to commands in the command directory `readonly` grants access to the `show` commands in the command directory and its subdirectories `all` grants access to all of the commands in the command directory and its subdirectories For nonintrinsic commands (commands that do not end in `create`, `modify`, `delete`, or `show`): `none` (the default value for custom roles) denies access to the command `readonly` is not applicable `all` grants access to the command To grant or deny access to intrinsic commands, you must specify the command directory.
`-query`	(Optional) The query object that is used to filter the access level, which is specified in the form of a valid option for the command or for a command in the command directory. You should enclose the query object in double quotation marks ("). For example, if the command directory is `volume`, the query object `"-aggr aggr0"` would enable access for the `aggr0` aggregate only.

Field

Description

Your value

-vserver

(Optional) The name of the storage VM (referred to as a vserver in the ONTAP CLI) that is associated with the role.

-role

The name of the role.

-cmddirname

The command or command directory to which the role gives access. You should enclose command subdirectory names in double quotation marks ("). For example, "volume snapshot". You must enter DEFAULT to specify all command directories.

-access

(Optional) The access level for the role. For command directories:

none (the default value for custom roles) denies access to commands in the command directory
readonly grants access to the show commands in the command directory and its subdirectories
all grants access to all of the commands in the command directory and its subdirectories

For nonintrinsic commands (commands that do not end in create, modify, delete, or show):

none (the default value for custom roles) denies access to the command
readonly is not applicable
all grants access to the command

To grant or deny access to intrinsic commands, you must specify the command directory.

-query

(Optional) The query object that is used to filter the access level, which is specified in the form of a valid option for the command or for a command in the command directory. You should enclose the query object in double quotation marks ("). For example, if the command directory is volume, the query object "-aggr aggr0" would enable access for the aggr0 aggregate only.

Associate a public key with a user account

You provide these values with the security login publickey create command when you associate an SSH public key with a user account.

Field	Description	Your value
`-vserver`	(Optional) The name of the storage VM that the account accesses.
`-username`	The user name of the account. The default value, `admin`, which is the default name of the cluster administrator.
`-index`	The index number of the public key. The default value is 0 if the key is the first key that is created for the account; otherwise, the default value is one more than the highest existing index number for the account.
`-publickey`	The OpenSSH public key. You should enclose the key in double quotation marks (").
`-role`	The access control role that is assigned to the account.
`-comment`	(Optional) Descriptive text for the public key. You should enclose the text in double quotation marks (").
`-x509-certificate`	(Optional) Beginning with ONTAP 9.13.1, enables you to manage X.509 certificate association with the SSH public key. When you associate an X.509 certificate with the SSH public key, ONTAP checks upon SSH login to see if this certificate is valid. If it has expired or been revoked, login is disallowed and the associated SSH public key is disabled. Possible values: `install`: Install the specified PEM-encoded X.509 certificate and associate it with the SSH public key. Include the full text for the certificate you want to install. `modify`: Update the existing PEM-encoded X.509 certificate with the specified certificate and associate it with the SSH public key. Include the full text for the new certificate. `delete`: Remove the existing X.509 certificate association with the SSH public key.

Field

Description

Your value

-vserver

(Optional) The name of the storage VM that the account accesses.

-username

The user name of the account. The default value, admin, which is the default name of the cluster administrator.

-index

The index number of the public key. The default value is 0 if the key is the first key that is created for the account; otherwise, the default value is one more than the highest existing index number for the account.

-publickey

The OpenSSH public key. You should enclose the key in double quotation marks (").

-role

The access control role that is assigned to the account.

-comment

(Optional) Descriptive text for the public key. You should enclose the text in double quotation marks (").

-x509-certificate

(Optional) Beginning with ONTAP 9.13.1, enables you to manage X.509 certificate association with the SSH public key.

When you associate an X.509 certificate with the SSH public key, ONTAP checks upon SSH login to see if this certificate is valid. If it has expired or been revoked, login is disallowed and the associated SSH public key is disabled. Possible values:

install: Install the specified PEM-encoded X.509 certificate and associate it with the SSH public key. Include the full text for the certificate you want to install.
modify: Update the existing PEM-encoded X.509 certificate with the specified certificate and associate it with the SSH public key. Include the full text for the new certificate.
delete: Remove the existing X.509 certificate association with the SSH public key.

Configure dynamic authorization global settings

Beginning with ONTAP 9.15.1, you provide these values with the security dynamic-authorization modify command. For more information about dynamic authorization configuration, refer to dynamic authorization overview.

Field	Description	Your value
`-vserver`	The name of the storage VM for which the trust score setting should be modified. If you omit this parameter, the cluster-level setting is used.
`-state`	The dynamic authorization mode. Possible values: `disabled`: (Default) Dynamic authorization is disabled. `visibility`: This mode is useful for testing dynamic authorization. In this mode, the trust score is checked with every restricted activity, but not enforced. However, any activity that would have been denied or subject to additional authentication challenges is logged. `enforced`: Intended for use after you have completed testing with `visibility` mode. In this mode, the trust score is checked with every restricted activity, and activity restrictions are enforced if the restriction conditions are met. The suppression interval is also enforced, preventing additional authentication challenges within the specified interval.
`-suppression-interval`	Prevents additional authentication challenges within the specified interval. The interval is in ISO-8601 format and accepts values from 1 minute to 1 hour inclusive. If set to 0, the suppression interval is disabled and the user is always prompted for an authentication challenge if one is needed.
`-lower-challenge-boundary`	The lower multi-factor authentication (MFA) challenge percentage boundary. The valid range is from 0 to 99. The value 100 is invalid, because this causes all requests to be denied. The default value is 0.
`-upper-challenge-boundary`	The upper MFA challenge percentage boundary. The valid range is from 0 to 100. This must be equal to or greater than the value of the lower boundary. A value of 100 means that every request will either be denied or subject to an additional authentication challenge; there are no requests that are allowed without a challenge. The default value is 90.

Field

Description

Your value

-vserver

The name of the storage VM for which the trust score setting should be modified. If you omit this parameter, the cluster-level setting is used.

-state

The dynamic authorization mode. Possible values:

disabled: (Default) Dynamic authorization is disabled.
visibility: This mode is useful for testing dynamic authorization. In this mode, the trust score is checked with every restricted activity, but not enforced. However, any activity that would have been denied or subject to additional authentication challenges is logged.
enforced: Intended for use after you have completed testing with visibility mode. In this mode, the trust score is checked with every restricted activity, and activity restrictions are enforced if the restriction conditions are met. The suppression interval is also enforced, preventing additional authentication challenges within the specified interval.

-suppression-interval

Prevents additional authentication challenges within the specified interval. The interval is in ISO-8601 format and accepts values from 1 minute to 1 hour inclusive. If set to 0, the suppression interval is disabled and the user is always prompted for an authentication challenge if one is needed.

-lower-challenge-boundary

The lower multi-factor authentication (MFA) challenge percentage boundary. The valid range is from 0 to 99. The value 100 is invalid, because this causes all requests to be denied. The default value is 0.

-upper-challenge-boundary

The upper MFA challenge percentage boundary. The valid range is from 0 to 100. This must be equal to or greater than the value of the lower boundary. A value of 100 means that every request will either be denied or subject to an additional authentication challenge; there are no requests that are allowed without a challenge. The default value is 90.

Install a CA-signed server digital certificate

You provide these values with the security certificate generate-csr command when you generate a digital certificate signing request (CSR) for use in authenticating an storage VM as an SSL server.

Field	Description	Your value
`-common-name`	The name of the certificate, which is either a fully qualified domain name (FQDN) or a custom common name.
`-size`	The number of bits in the private key. The higher the value, the more secure the key. The default value is `2048`. Possible values are `512`, `1024`, `1536`, and `2048`.
`-country`	The country of the storage VM, in a two-letter code. The default value is `US`. See the man pages for a list of codes.
`-state`	The state or province of the storage VM.
`-locality`	The locality of the storage VM.
`-organization`	The organization of the storage VM.
`-unit`	The unit in the organization of the storage VM.
`-email-addr`	The email address of the contact administrator for the storage VM.
`-hash-function`	The cryptographic hashing function for signing the certificate. The default value is `SHA256`. Possible values are `SHA1`, `SHA256`, and `MD5`.

Field

Description

Your value

-common-name

The name of the certificate, which is either a fully qualified domain name (FQDN) or a custom common name.

-size

The number of bits in the private key. The higher the value, the more secure the key. The default value is 2048. Possible values are 512, 1024, 1536, and 2048.

-country

The country of the storage VM, in a two-letter code. The default value is US. See the man pages for a list of codes.

-state

The state or province of the storage VM.

-locality

The locality of the storage VM.

-organization

The organization of the storage VM.

-unit

The unit in the organization of the storage VM.

-email-addr

The email address of the contact administrator for the storage VM.

-hash-function

The cryptographic hashing function for signing the certificate. The default value is SHA256. Possible values are SHA1, SHA256, and MD5.

You provide these values with the security certificate install command when you install a CA-signed digital certificate for use in authenticating the cluster or storage VM as an SSL server. Only the options that are relevant to account configuration are shown in the following table.

Field	Description	Your value
`-vserver`	The name of the storage VM on which the certificate is to be installed.
`-type`	The certificate type: `server` for server certificates and intermediate certificates `client-ca` for the public key certificate of the root CA of the SSL client `server-ca` for the public key certificate of the root CA of the SSL server of which ONTAP is a client `client` for a self-signed or CA-signed digital certificate and private key for ONTAP as an SSL client

Field

Description

Your value

-vserver

The name of the storage VM on which the certificate is to be installed.

-type

The certificate type:

server for server certificates and intermediate certificates
client-ca for the public key certificate of the root CA of the SSL client
server-ca for the public key certificate of the root CA of the SSL server of which ONTAP is a client
client for a self-signed or CA-signed digital certificate and private key for ONTAP as an SSL client

Configure Active Directory domain controller access

You provide these values with the security login domain-tunnel create command when you have already configured a SMB server for a data storage VM and you want to configure the storage VM as a gateway or tunnel for Active Directory domain controller access to the cluster.

Field	Description	Your value
`-vserver`	The name of the storage VM for which the SMB server has been configured.

Field

Description

Your value

-vserver

The name of the storage VM for which the SMB server has been configured.

You provide these values with the vserver active-directory create command when you have not configured a SMB server and you want to create an storage VM computer account on the Active Directory domain.

Field	Description	Your value
`-vserver`	The name of the storage VM for which you want to create an Active Directory computer account.
`-account-name`	The NetBIOS name of the computer account.
`-domain`	The fully qualified domain name (FQDN).
`-ou`	The organizational unit in the domain. The default value is `CN=Computers`. ONTAP appends this value to the domain name to produce the Active Directory distinguished name.

Field

Description

Your value

-vserver

The name of the storage VM for which you want to create an Active Directory computer account.

-account-name

The NetBIOS name of the computer account.

-domain

The fully qualified domain name (FQDN).

-ou

The organizational unit in the domain. The default value is CN=Computers. ONTAP appends this value to the domain name to produce the Active Directory distinguished name.

Configure LDAP or NIS server access

You provide these values with the vserver services name-service ldap client create command when you create an LDAP client configuration for the storage VM.

Only the options that are relevant to account configuration are shown in the following table:

Field

Description

Your value

-vserver

The name of the storage VM for the client configuration.

-client-config

The name of the client configuration.

-ldap-servers

A comma-separated list of IP addresses and host names for the LDAP servers to which the client connects.

-schema

The schema that the client uses to make LDAP queries.

-use-start-tls

Whether the client uses Start TLS to encrypt communication with the LDAP server (true or false).

Start TLS is supported for access to data storage VMs only. It is not supported for access to admin storage VMs.

You provide these values with the vserver services name-service ldap create command when you associate an LDAP client configuration with the storage VM.

Field	Description	Your value
`-vserver`	The name of the storage VM with which the client configuration is to be associated.
`-client-config`	The name of the client configuration.
`-client-enabled`	Whether the storage VM can use the LDAP client configuration (`true` or `false`).

Field

Description

Your value

-vserver

The name of the storage VM with which the client configuration is to be associated.

-client-config

The name of the client configuration.

-client-enabled

Whether the storage VM can use the LDAP client configuration (true or false).

You provide these values with the vserver services name-service nis-domain create command when you create an NIS domain configuration on an storage VM.

Field	Description	Your value
`-vserver`	The name of the storage VM on which the domain configuration is to be created.
`-domain`	The name of the domain.
`-servers`	ONTAP 9.0, 9.1: A comma-separated list of IP addresses for the NIS servers that are used by the domain configuration.
`-nis-servers`	A comma-separated list of IP addresses and host names for the NIS servers that are used by the domain configuration.

Field

Description

Your value

-vserver

The name of the storage VM on which the domain configuration is to be created.

-domain

The name of the domain.

-servers

ONTAP 9.0, 9.1: A comma-separated list of IP addresses for the NIS servers that are used by the domain configuration.

-nis-servers

A comma-separated list of IP addresses and host names for the NIS servers that are used by the domain configuration.

You provide these values with the vserver services name-service ns-switch create command when you specify the look-up order for name service sources.

Field	Description	Your value
`-vserver`	The name of the storage VM on which the name service look-up order is to be configured.
`-database`	The name service database: `hosts` for files and DNS name services `group` for files, LDAP, and NIS name services `passwd` for files, LDAP, and NIS name services `netgroup` for files, LDAP, and NIS name services `namemap` for files and LDAP name services
`-sources`	The order in which to look up name service sources (in a comma-separated list): `files` `dns` `ldap` `nis`

Field

Description

Your value

-vserver

The name of the storage VM on which the name service look-up order is to be configured.

-database

The name service database:

hosts for files and DNS name services
group for files, LDAP, and NIS name services
passwd for files, LDAP, and NIS name services
netgroup for files, LDAP, and NIS name services
namemap for files and LDAP name services

-sources

The order in which to look up name service sources (in a comma-separated list):

files
dns
ldap
nis

Configure SAML access

Beginning with ONTAP 9.3, you provide these values with the security saml-sp create command to configure SAML authentication.

Field	Description	Your value
`-idp-uri`	The FTP address or HTTP address of the Identity Provider (IdP) host from where the IdP metadata can be downloaded.
`-sp-host`	The host name or IP address of the SAML service provider host (ONTAP system). By default, the IP address of the cluster-management LIF is used.
`-cert-ca` and `-cert-serial`, or `-cert-common-name`	The server certificate details of the service provider host (ONTAP system). You can enter either the service provider's certificate issuing certification authority (CA) and the certificate's serial number, or the Server Certificate Common Name.
`-verify-metadata-server`	Whether the identity of the IdP metadata server must be validated (`true` or `false`). The best practice is to always set this value to `true`.

Field

Description

Your value

-idp-uri

The FTP address or HTTP address of the Identity Provider (IdP) host from where the IdP metadata can be downloaded.

-sp-host

The host name or IP address of the SAML service provider host (ONTAP system). By default, the IP address of the cluster-management LIF is used.

-cert-ca and -cert-serial, or -cert-common-name

The server certificate details of the service provider host (ONTAP system). You can enter either the service provider's certificate issuing certification authority (CA) and the certificate's serial number, or the Server Certificate Common Name.

-verify-metadata-server

Whether the identity of the IdP metadata server must be validated (true or false). The best practice is to always set this value to true.

Worksheets for administrator authentication and RBAC configuration

Creating your file...

Create or modify login accounts

Configure Cisco Duo security information

Define custom roles

Associate a public key with a user account

Configure dynamic authorization global settings

Install a CA-signed server digital certificate

Configure Active Directory domain controller access

Configure LDAP or NIS server access

Configure SAML access