Skip to main content

Role-based access control with File System Analytics

Contributors netapp-ahibbard
PDFs

Beginning in ONTAP 9.12.1, ONTAP includes a predefined role-based access control (RBAC) role called admin-no-fsa. The admin-no-fsa role grants administrator-level privileges but prevents the user from performing operations related to the files endpoint (i.e. File System Analytics) in the ONTAP CLI, REST API, and in System Manager.

For more information on the admin-no-fsa role, refer to Predefined roles for cluster administrators.

If you are using a version of ONTAP released prior to ONTAP 9.12.1, you will need to create a dedicated role to control access to File System Analytics. In versions of ONTAP prior to ONTAP 9.12.1, you must configure RBAC permissions through the ONTAP CLI or ONTAP REST API.

System Manager

Beginning in ONTAP 9.12.1, you can configure RBAC permissions for File System Analytics using System Manager.

Steps

  1. Select Cluster > Settings. Under Security, navigate to Users and Roles and select arrow icon.

  2. Under Roles, select add icon.

  3. Provide a name for the role. Under Role Attributes, configure the access or restrictions for the user role by providing the appropriate API endpoints. See the table below for primary paths and secondary paths to configure File System Analytics access or restrictions.

    Restriction Primary Path Secondary Path

    Activity Tracking on volumes

    /api/storage/volumes

    • /:uuid/top-metrics/directories

    • /:uuid/top-metrics/files

    • /:uuid/top-metrics/clients

    • /:uuid/top-metrics/users

    Activity Tracking on SVMs

    /api/svm/svms

    • /:uuid/top-metrics/directories

    • /:uuid/top-metrics/files

    • /:uuid/top-metrics/clients

    • /:uuid/top-metrics/users

    All File System Analytics operations

    /api/storage/volumes

    /:uuid/files

    You can use /*/ instead of an UUID to set the policy for all volumes or SVMs at the endpoint.

    Choose the access privileges for each endpoint.

  4. Select Save.

  5. To assign the role to a user or users, see Control administrator access.

CLI

If you are using a version of ONTAP released prior to ONTAP 9.12.1, use the ONTAP CLI to create a custom-role.

Steps

  1. Create a default role to have access to all features.

    This needs to be done before creating the restrictive role to ensure the role is only restrictive on the Activity Tracking:

    security login role create -cmddirname DEFAULT -access all -role storageAdmin

  2. Create the restrictive role:

    security login role create -cmddirname "volume file show-disk-usage" -access none -role storageAdmin

  3. Authorize roles to access the SVM's web services:

    • rest for REST API calls

    • security for password protection

    • sysmgr for System Manager access

      vserver services web access create -vserver svm-name -name_ -name rest -role storageAdmin

      vserver services web access create -vserver svm-name -name security -role storageAdmin

      vserver services web access create -vserver svm-name -name sysmgr -role storageAdmin

  4. Create a user.

    You must issue a distinct create command for each application you would like to apply to the user. Calling create multiple times on the same user simply applies all the applications to that one user and does not create a new user each time. The http parameter for application type applies for the ONTAP REST API and System Manager.

    security login create -user-or-group-name storageUser -authentication-method password -application http -role storageAdmin

  5. With the new user credentials, you can now log in to System Manager or use the ONTAP REST API to access File Systems Analytics data.

More information