Skip to main content

Client authentication and authorization

Contributors netapp-mwallis dmp-netapp

ONTAP uses standard methods to secure client and administrator access to storage and to protect against viruses. Advanced technologies are available for encryption of data at rest and for WORM storage.

ONTAP authenticates a client machine and user by verifying their identities with a trusted source. ONTAP authorizes a user to access a file or directory by comparing the user's credentials with the permissions configured on the file or directory.

Authentication

You can create local or remote user accounts:

  • A local account is one in which the account information resides on the storage system.

  • A remote account is one in which account information is stored on an Active Directory domain controller, an LDAP server, or a NIS server.

ONTAP uses local or external name services to look up host name, user, group, netgroup, and name mapping information. ONTAP supports the following name services:

  • Local users

  • DNS

  • External NIS domains

  • External LDAP domains

A name service switch table specifies the sources to search for network information and the order in which to search them (providing the equivalent functionality of the /etc/nsswitch.conf file on UNIX systems). When a NAS client connects to the SVM, ONTAP checks the specified name services to obtain the required information.

Kerberos support Kerberos is a network authentication protocol that provides “strong authentication” by encrypting user passwords in client-server implementations. ONTAP supports Kerberos 5 authentication with integrity checking (krb5i) and Kerberos 5 authentication with privacy checking (krb5p).

Authorization

ONTAP evaluates three levels of security to determine whether an entity is authorized to perform a requested action on files and directories residing on an SVM. Access is determined by the effective permissions after evaluation of the security levels:

  • Export (NFS) and share (SMB) security

    Export and share security applies to client access to a given NFS export or SMB share. Users with administrative privileges can manage export and share-level security from SMB and NFS clients.

  • Storage-Level Access Guard file and directory security

    Storage-Level Access Guard security applies to SMB and NFS client access to SVM volumes. Only NTFS access permissions are supported. For ONTAP to perform security checks on UNIX users for access to data on volumes for which Storage-Level Access Guard has been applied, the UNIX user must map to a Windows user on the SVM that owns the volume.

  • NTFS, UNIX, and NFSv4 native file-level security

    Native file-level security exists on the file or directory that represents the storage object. You can set file-level security from a client. File permissions are effective regardless of whether SMB or NFS is used to access the data.

Authentication with SAML

ONTAP supports Security Assertion Markup Language (SAML) for authentication of remote users. Several popular identity providers (IdPs) are supported. For more information on supported IdPs and instructions for enabling SAML authentication, refer to Configure SAML authentication.

OAuth 2.0 with ONTAP REST API clients

Support for the Open Authorization (OAuth 2.0) framework is available beginning with ONTAP 9.14. You can only use OAuth 2.0 to make authorization and control access decisions when the client uses the REST API to access ONTAP. However, you can configure and enable the feature with any of the ONTAP administrative interfaces, including the CLI, System Manager, and REST API.

The standard OAuth 2.0 capabilities are supported along with several popular authorization servers. You can further enhance ONTAP security by using sender-constrained access tokens based on Mutual TLS. And there is a wide variety of authorization options available, including self-contained scopes as well as integration with the ONTAP REST roles and local user definitions. See Overview of the ONTAP OAuth 2.0 implementation for more information.