Types of RBAC for SnapCenter Plug-in for VMware vSphere users
If you are using the SnapCenter Plug-in for VMware vSphere, the vCenter Server provides an additional level of RBAC. The plug-in supports both vCenter Server RBAC and ONTAP RBAC.
vCenter Server RBAC
This security mechanism applies to all jobs performed by the SnapCenter VMware plug-in, which includes VM-consistent, VM crash-consistent, and SnapCenter Server application-consistent (application over VMDK) jobs. This level of RBAC restricts the ability of vSphere users to perform SnapCenter VMware plug-in tasks on vSphere objects, such as virtual machines (VMs) and datastores.
The SnapCenter VMware plug-in deployment creates the following roles for SnapCenter operations on vCenter:
SCV Administrator
SCV Backup
SCV Guest File Restore
SCV Restore
SCV View
The vSphere administrator sets up vCenter Server RBAC by doing the following:
-
Setting the vCenter Server permissions on the root object (also known as the root folder). You can then refine the security by restricting child entities that do not need those permissions.
-
Assigning the SCV roles to Active Directory users.
At a minimum, all users must be able to view vCenter objects. Without this privilege, users cannot access the VMware vSphere web client GUI.
ONTAP RBAC
This security mechanism applies only to SnapCenter Server application-consistent (application over VMDK) jobs. This level restricts the ability of SnapCenter to perform specific storage operations, such as backing up storage for datastores, on a specific storage system.
Use the following workflow to set up ONTAP and SnapCenter RBAC:
-
The storage administrator creates a role on the storage VM with the necessary privileges.
-
Then the storage administrator assigns the role to a storage user.
-
The SnapCenter administrator adds the storage VM to the SnapCenter Server, using that storage username.
-
Then the SnapCenter administrator assigns roles to SnapCenter users.
Validation workflow for RBAC privileges
The following figure provides an overview of the validation workflow for RBAC privileges (both vCenter and ONTAP):