SnapCenter has predefined roles and you can assign users or groups to these roles.

When you assign a role to a user, SnapCenter displays the jobs that are relevant to that user on the Jobs page, unless the user has the SnapCenterAdmin role.

You can also create new roles and manage permissions and users. You can assign permissions to users or groups to access SnapCenter objects such as hosts, storage connections, and resource groups.

You can assign RBAC permissions to users and groups within the same forest and to users belonging to different forests. You cannot assign RBAC permissions to users belonging to nested groups across forests.

Users must authenticate when logging in through the user interface or PowerShell cmdlets. If users have multiple roles, they select a role after logging in. Authentication is also required to run APIs.

SnapCenter uses credentials to verify that authorized SnapCenter users also have application-level permissions.

For example, to perform data protection operations in a SQL Server environment, set the right Windows or SQL credentials. If you want to perform data protection operations in a Windows file system environment on ONTAP storage, the SnapCenter admin role must have admin privileges on the Windows host.

Similarly, if you want to perform data protection operations on an Oracle database and if the operating system (OS) authentication is disabled on the database host, you must set credentials with the Oracle database or Oracle ASM credentials. The SnapCenter Server authenticates the credentials set using one of these methods depending on the operation.

If you are using the SnapCenter VMware plug-in for VM-consistent data protection, the vCenter Server provides an additional level of RBAC. The SnapCenter VMware plug-in supports both vCenter Server RBAC and ONTAP RBAC. Learn More

NOTE:NetApp recommends that you create one ONTAP role for SnapCenter Plug-in for VMware vSphere operations and assign it all the required privileges.

You should create vsadmin account with the required permissions to access the storage system. Learn More

The SnapCenter Admin role has all permissions enabled. You cannot modify the permissions for this role. You can add users and groups to the role or remove them.

The App Backup and Clone Admin role has the permissions required to perform administrative actions for application backups and clone-related tasks. This role does not have permissions for host management, provisioning, storage connection management, or remote installation.

The Backup and Clone Viewer role has the read-only view of all permissions. This role also has permissions enabled for discovery, reporting, and access to the Dashboard.

The Infrastructure Admin role has permissions enabled for host management, storage management, provisioning, resource groups, remote installation reports, and access to the Dashboard.