Release notes
Role-based access control with File System Analytics in ONTAP
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
Beginning with ONTAP 9.12.1, ONTAP includes a predefined role-based access control (RBAC) role called admin-no-fsa. The admin-no-fsa role grants administrator-level privileges but prevents the user from performing operations related to the files endpoint (i.e. File System Analytics) in the ONTAP CLI, REST API, and in System Manager.
For more information on the admin-no-fsa role, refer to Predefined roles for cluster administrators.
If you are using a version of ONTAP released prior to ONTAP 9.12.1, you will need to create a dedicated role to control access to File System Analytics. In versions of ONTAP prior to ONTAP 9.12.1, you must configure RBAC permissions through the ONTAP CLI or ONTAP REST API.
Beginning with ONTAP 9.12.1, you can configure RBAC permissions for File System Analytics using System Manager.
-
Select Cluster > Settings. Under Security, navigate to Users and Roles and select
. -
Under Roles, select
. -
Provide a name for the role. Under Role Attributes, configure the access or restrictions for the user role by providing the appropriate API endpoints. See the table below for primary paths and secondary paths to configure File System Analytics access or restrictions.
Restriction Primary Path Secondary Path Activity Tracking on volumes
/api/storage/volumes-
/:uuid/top-metrics/directories -
/:uuid/top-metrics/files -
/:uuid/top-metrics/clients -
/:uuid/top-metrics/users
Activity Tracking on SVMs
/api/svm/svms-
/:uuid/top-metrics/directories -
/:uuid/top-metrics/files -
/:uuid/top-metrics/clients -
/:uuid/top-metrics/users
All File System Analytics operations
/api/storage/volumes/:uuid/filesYou can use
/*/instead of an UUID to set the policy for all volumes or SVMs at the endpoint.Choose the access privileges for each endpoint.
-
-
Select Save.
-
To assign the role to a user or users, see Control administrator access.
If you are using a version of ONTAP released prior to ONTAP 9.12.1, use the ONTAP CLI to create a custom-role.
-
Create a default role to have access to all features.
This needs to be done before creating the restrictive role to ensure the role is only restrictive on the Activity Tracking:
security login role create -cmddirname DEFAULT -access all -role storageAdmin -
Create the restrictive role:
security login role create -cmddirname "volume file show-disk-usage" -access none -role storageAdmin -
Authorize roles to access the SVM's web services:
-
restfor REST API calls -
securityfor password protection -
sysmgrfor System Manager accessvserver services web access create -vserver svm-name -name_ -name rest -role storageAdminvserver services web access create -vserver svm-name -name security -role storageAdminvserver services web access create -vserver svm-name -name sysmgr -role storageAdmin
-
-
Create a user.
You must issue a distinct create command for each application you would like to apply to the user. Calling create multiple times on the same user simply applies all the applications to that one user and does not create a new user each time. The
httpparameter for application type applies for the ONTAP REST API and System Manager.security login create -user-or-group-name storageUser -authentication-method password -application http -role storageAdmin -
With the new user credentials, you can now log in to System Manager or use the ONTAP REST API to access File Systems Analytics data.
