Skip to main content

External role mapping

Contributors netapp-dbagwell dmp-netapp

An external role is defined at an identify provider configured for use by ONTAP. You can create and administer mapping relationships between these external roles and the ONTAP roles using the ONTAP CLI.

Note You can also configure the external role mapping feature using the ONTAP REST API. Learn more in the ONTAP automation documentation.
Related information

External roles in an access token

Here's a fragment of a JSON access token containing two external roles.

  ...
  "appidacr": "1",
  "family_name": "User",
  "name": "Test User 1",
  "oid": "4c2215c7-6d52-40a7-ce71-096fa41379ba",
  "roles": [
    "Global Administrator",
    "Application Administrator"
  ],
  "ver": "1.0",
  ...

Configuration

You can use the ONTAP command line interface to administer the external role mapping feature.

Create

You can define a role mapping configuration with the security login external-role-mapping create command. You need to be at the ONTAP admin privilege level to issue this command as well as the related options.

Parameters

The parameters used to create a group mapping are described below.

Parameter Description

external-role

The name of the role defined at the external identity provider.

provider

The name of the identity provider. This should be the identifier for the system.

ontap-role

Indicates the existing ONTAP role the external role is mapped to.

Example
security login external-role-mapping create -external-role "Global Administrator" -provider entra -ontap-role admin

Additional CLI operations

The command supports several additional operations, including:

  • Show

  • Modify

  • Delete

Refer to the ONTAP commands reference documentation or ONTAP CLI man pages for more information.