External role mapping
An external role is defined at an identify provider configured for use by ONTAP. You can create and administer mapping relationships between these external roles and the ONTAP roles using the ONTAP CLI.
You can also configure the external role mapping feature using the ONTAP REST API. Learn more in the ONTAP automation documentation. |
External roles in an access token
Here's a fragment of a JSON access token containing two external roles.
... "appidacr": "1", "family_name": "User", "name": "Test User 1", "oid": "4c2215c7-6d52-40a7-ce71-096fa41379ba", "roles": [ "Global Administrator", "Application Administrator" ], "ver": "1.0", ...
Configuration
You can use the ONTAP command line interface to administer the external role mapping feature.
Create
You can define a role mapping configuration with the security login external-role-mapping create
command. You need to be at the ONTAP admin privilege level to issue this command as well as the related options.
The parameters used to create a group mapping are described below.
Parameter | Description |
---|---|
|
The name of the role defined at the external identity provider. |
|
The name of the identity provider. This should be the identifier for the system. |
|
Indicates the existing ONTAP role the external role is mapped to. |
security login external-role-mapping create -external-role "Global Administrator" -provider entra -ontap-role admin
Additional CLI operations
The command supports several additional operations, including:
-
Show
-
Modify
-
Delete
Refer to the ONTAP commands reference documentation or ONTAP CLI man pages for more information.