Skip to main content

Working with groups

Contributors dmp-netapp netapp-dbagwell

ONTAP provides several options for configuring groups based on your authorization server. The groups can then be mapped to roles which are used by ONTAP to determine access.

How groups are identified

When you configure a group at an authorization server, it's identified and carried in an OAuth 2.0 access token using either a name or UUID. You need to be aware of how your authorization server handles groups before configuring ONTAP.

Note If multiple groups are included in an access token, ONTAP will attempt to use each one until there is a match.

Group names

Many authorization servers identify and represent groups using a name. Here's a fragment of a JSON access token generated by Active Directory Federation Service (ADFS) containing several groups. See Manage groups with names for more information.

  ...
  "sub": "User1_TestDev@NICAD5.COM",
  "group": [
    "NICAD5\\Domain Users",
    "NICAD5\\Development Group",
    "NICAD5\\Production Group"
  ],
  "apptype": "Confidential",
  "appid": "3bff3b2b-8e40-44ba-7c11-d73c3b76e3e8",
  ...

Group UUIDs

Some authorization servers identify and represent groups using a UUID. Here's a fragment of a JSON access token generated by Microsoft Entra ID containing several groups. See Manage groups with UUIDs for more information.

  ...
  "appid": "4aff4b4b-8e40-44ba-7c11-d73c3b76e3d7",
  "appidacr": "1",
  "groups": [
    "8ea4c5b0-bcad-4e66-8f1e-cd395474a448",
    "a8558fc2-a1b2-4cb7-cc41-59bd831840cc"],
  "name": "admin007 with group membership",
  ...

Manage groups with names

If your authorization server uses names to identify groups, you need to make sure each group is defined to ONTAP. Depending on your security environment, you might already have the group defined.

Here's an example CLI command defining a group to ONTAP. Notice it's using a named group from the sample access token. You need to be at the ONTAP admin privilege level to issue the command.

Example
security login create -user-or-group-name "NICAD5\\Domain Users" -application http -authentication-method domain -role admin
Note You can also configure this feature using the ONTAP REST API. Learn more in the ONTAP automation documentation.

Manage groups with UUIDs

If your authorization server represents groups using UUID values, you need to perform a two-step configuration before using a group. Beginning with ONTAP 9.16.1, two mapping features are available and have been tested with Microsoft Entra ID. You need to be at the ONTAP admin privilege level to issue the CLI commands.

Note You can also configure these features using the ONTAP REST API. Learn more in the ONTAP automation documentation.
Related information

Map a group UUID to a group name

If you're using an authorization server that represents groups using UUID values, you need to map the group UUIDs to group names. The primary ONTAP CLI operations are described below.

Create

You can define a new group mapping configuration with the security login group create command. The group UUID and name should match the configuration at the authorization server.

Parameters

The parameters used to create a group mapping are described below.

Parameter Description

vserver

Optionally specifies the name of the SVM (vserver) the group is associated with. If omitted, the group is associated with the ONTAP cluster.

name

The unique name of the group that ONTAP will use.

type

This value indicates the identity provider the group originates from.

uuid

Specifies the universally unique identifier of the group as provided by the authorization server.

Here's an example CLI command defining a group to ONTAP. Notice it's using a UUID group from the sample access token.

Example
security login group create -vserver ontap-cls-1 -name IAM_Dev -type entra -uuid 8ea4c5b0-bcad-4e66-8f1e-cd395474a448

After creating the group, a unique read-only integer identifier is generated for the group.

Additional CLI operations

The command supports several additional operations, including:

  • Show

  • Modify

  • Delete

You can use the show option to retrieve the unique group ID generated for a group. Refer to the ONTAP commands reference documentation for more information.

Map a group UUID to a role

If you're using an authorization server that represents groups using UUID values, you can map the group to a role. The primary ONTAP CLI operations are described below. Also, you need to be at the ONTAP admin privilege level to issue the commands.

Note You need to first Map a group UUID to a group name and retrieve the unique integer ID generated for the group. You'll need the ID to map the group to a role.

Create

You can define a new role mapping with the security login group role-mapping create command.

Parameters

The parameters used to map a group to a role are described below.

Parameter Description

group-id

Specifies the unique ID generated for the group using the command security login group create.

role

The name of the ONTAP role the group is mapped to.

Example
security login group role-mapping create -group-id 1 -role admin

Additional CLI operations

The command supports several additional operations, including:

  • Show

  • Modify

  • Delete

Refer to the ONTAP commands reference documentation for more information.