

# ONTAP roles and users
<a name="roles-and-users"></a>

NetApp ONTAP includes a robust and extensible role-based access control (RBAC) capability. ONTAP roles define user capabilities and privileges when using the ONTAP CLI and REST API. Each role defines a different level of administrative capabilities and privileges. You assign roles to users for the purpose of controlling their access to FSx for ONTAP resources when using the ONTAP REST API and CLI. There are ONTAP roles available separately for FSx for ONTAP file system users and storage virtual machine (SVM) users.

When you create an FSx for ONTAP file system, a default ONTAP user is created at the file system level and at the SVM level. You can create additional file system and SVM users, and you can create additional SVM roles to meet the needs of your organization. This chapter explains ONTAP users and roles, and provides detailed procedures for creating additional users and SVM roles.

## File system administrator roles and users
<a name="file-system-admin-roles"></a>

The default ONTAP file system user is `fsxadmin`, which has the `fsxadmin` role assigned to it. There are two predefined roles that you can assign to file system users, listed as follows:
+ **`fsxadmin`**—Administrators with this role have unrestricted rights in the ONTAP system. They can configure all file system and SVM-level resources available on FSx for ONTAP file systems.
+ **`fsxadmin-readonly`**—Administrators with this role can view everything at the file system level but can't make any changes.

  This role is well-suited for use with monitoring applications such as NetApp Harvest because it has read-only access to all available resources and their properties, but cannot make any changes to them.

You can create additional file system users and assign them either the `fsxadmin` or `fsxadmin-readonly` role. You can't create new roles or modify the existing roles. For more information, see [Creating new ONTAP users for file system and SVM administration](#file-system-roles-and-users).

The following table describes the level of access that file system administrator roles have for ONTAP CLI and REST API commands and command directories.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)

## SVM administrator roles and users
<a name="svm-admin-roles"></a>

Each SVM has a separate authentication domain and can be managed independently by its own administrators. For each SVM on your file system, the default user is *vsadmin*, which has the `vsadmin` role assigned by default. In addition to the `vsadmin` role, there are other predefined SVM roles that provide scoped-down permissions that you can assign to SVM users. You can also create custom roles that provide the level of access control that meets your organization's needs.

The predefined roles for SVM administrators and their capabilities are as follows:


| Role name | Capabilities | 
| --- | --- | 
|  `vsadmin`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 
|  `vsadmin-volume`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 
|  `vsadmin-protocol`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 
|  `vsadmin-backup`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 
|  `vsadmin-snaplock`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 
|  `vsadmin-readonly`  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/ONTAPGuide/roles-and-users.html)  | 

For more information on how to create a new SVM role, see [Creating SVM roles](creating-new-svm-roles.md).

## Using Active Directory to authenticate ONTAP users
<a name="ad-tunneling"></a>

You can authenticate Windows Active Directory domain users' access to an FSx for ONTAP file system and SVM. You must do the following tasks before Active Directory accounts can access your file system:
+ You need to configure Active Directory domain controller access to the SVM.

  The SVM that you configure as a gateway or tunnel for Active Directory domain controller access must have CIFS enabled, be joined to an Active Directory, or both. If you are not enabling CIFS and are only joining the tunnel SVM to an Active Directory, ensure that the SVM is joined to your Active Directory. For more information, see [How joining SVMs to Microsoft Active Directory works](self-managed-AD-join.md).
+ You need to enable an Active Directory domain user account to access the file system.

  You can use either password authentication or SSH public key authentication for Windows domain users accessing the ONTAP CLI or REST API.

For procedures describing how to configure Active Directory authentication for file system and SVM administrators, see [Configuring Active Directory authentication for ONTAP users](set-up-ad-auth.md).

## Creating new ONTAP users for file system and SVM administration
<a name="file-system-roles-and-users"></a>

Each ONTAP user is associated with an SVM or the file system. File system users with the `fsxadmin` role can create new SVM roles and users by using the [security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html) ONTAP CLI command.

The `security login create` command creates a login method for the management utility. A login method consists of a user name, an application (access method), and an authentication method. A user name can be associated with multiple applications. It can optionally include an access-control role name. If an Active Directory, LDAP, or NIS group name is used, then the login method gives access to users belonging to the specified group. If the user is a member of multiple groups provisioned in the security login table, then the user will get access to a combined list of the commands authorized for the individual groups.

For information describing how to create a new ONTAP user, see [Creating ONTAP users](create-new-ontap-users.md).

**Topics**
+ [File system administrator roles and users](#file-system-admin-roles)
+ [SVM administrator roles and users](#svm-admin-roles)
+ [Using Active Directory to authenticate ONTAP users](#ad-tunneling)
+ [Creating new ONTAP users for file system and SVM administration](#file-system-roles-and-users)
+ [Creating ONTAP users](create-new-ontap-users.md)
+ [Creating SVM roles](creating-new-svm-roles.md)
+ [Configuring Active Directory authentication for ONTAP users](set-up-ad-auth.md)
+ [Configuring public key authentication](public-key-auth.md)
+ [Updating password requirements for file system and SVM roles](update-password-requirements.md)
+ [Updating the `fsxadmin` account password fails](updating-admin-password.md)

# Creating ONTAP users
<a name="create-new-ontap-users"></a>

**To create a new SVM or file system user (ONTAP CLI)**

Only file system users with the `fsxadmin` role can create new SVM and file system users.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Use the `security login create` ONTAP CLI command to create a new user account on your FSx for ONTAP file system or SVM.

   Insert your data for the placeholders in the example to define the following required properties:
   + `-vserver` – Specifies the name of the SVM where you want to create the new SVM role or user. If you are creating a file system role or user, don't specify an SVM.
   + `-user-or-group-name` – Specifies the username or Active Directory group name of the login method. The Active Directory group name can be specified only with the `domain` authentication method and the `ontapi` and `ssh` applications.
   + `-application` – Specifies the application of the login method. Possible values include http, ontapi, and ssh.
   + `-authentication-method` – Specifies the authentication method for login. Possible values include the following:
     + domain – Use for Active Directory authentication
     + password – Use for password authentication
     + publickey – Use for public-key authentication
   + `-role` – Specifies the access-control role name for the login method. At the file system level, the only role that can be specified is `fsxadmin`.

   (Optional) You can also use one or more of the following parameters with the command:
   + `[-comment]` – Use to include a notation or comment for the user account. For example, **Guest account**. The maximum length is 128 characters.
   + `[-second-authentication-method {none|publickey|password|nsswitch}]` – Specifies the second factor authentication method. You can specify the following methods:
     + password – Use for password authentication
     + publickey – Use for public-key authentication
     + nsswitch – Use for NIS or LDAP authentication
     + none – The default value if you don't specify one

   ```
   Fsx0123456::> security login create -vserver vserver_name -user-or-group-name user_or_group_name -application login_application -authentication-method auth_method -role role_or_account_name
   ```

   The following command creates a new file system user `new_fsxadmin` with the `fsxadmin-readonly` role assigned, using SSH with a password for logging in. When prompted, provide a password for the user.

   ```
   Fsx0123456::> security login create -user-or-group-name new_fsxadmin -application ssh -authentication-method password -role fsxadmin-readonly
   
   Please enter a password for user 'new_fsxadmin':
   Please enter it again: 
   
   Fsx0123456::>
   ```

1. The following command creates a new SVM user `new_vsadmin` on the `fsx` SVM with the `vsadmin-readonly` role, configured to use SSH with a password to log in. When prompted, provide a password for the user.

   ```
   Fsx0123456::> security login create -vserver fsx -user-or-group-name new_vsadmin -application ssh -authentication-method password -role vsadmin-readonly
   
   Please enter a password for user 'new_vsadmin': 
   Please enter it again:
   
   Fsx0123456::>
   ```

1. The following command creates a new read-only file system user `harvest2-user` that is to be used by the NetApp Harvest application to collect performance and capacity metrics. For more information, see [Monitoring FSx for ONTAP file systems using Harvest and Grafana](monitoring-harvest-grafana.md).

   ```
   Fsx0123456::> security login create -user-or-group-name harvest2-user -application ssh -role fsxadmin-readonly -authentication-method password
   ```

**To view information for all file system and SVM users**
+ Use the following command to view all login information for your file system and SVMs.

  ```
  Fsx0123456::> security login show
  
  Vserver: Fsx0123456
                                                                   Second
  User/Group                 Authentication                 Acct   Authentication
  Name           Application Method        Role Name        Locked Method
  -------------- ----------- ------------- ---------------- ------ --------------
  autosupport    console     password      autosupport      no     none
  fsxadmin       http        password      fsxadmin         no     none
  fsxadmin       ontapi      password      fsxadmin         no     none
  fsxadmin       ssh         password      fsxadmin         no     none
  fsxadmin       ssh         publickey     fsxadmin         -      none
  new_fsxadmin   ssh         password      fsxadmin-readonly 
                                                            no     none
  
  Vserver: fsx
                                                                   Second
  User/Group                 Authentication                 Acct   Authentication
  Name           Application Method        Role Name        Locked Method
  -------------- ----------- ------------- ---------------- ------ --------------
  new_vsadmin    ssh         password      vsadmin-readonly no     none
  vsadmin        http        password      vsadmin          yes    none
  vsadmin        ontapi      password      vsadmin          yes    none
  vsadmin        ssh         password      vsadmin          yes    none
  10 entries were displayed.
  
  Fsx0123456::>
  ```
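The listing above is what a periodic review of ONTAP logins works from. As an added example (not code from the AWS documentation or from NetApp), the following Python parses `security login show` output, including a row that ONTAP wraps onto a second line because of a long role name, and flags password logins that have no second authentication method as well as non-default accounts holding the unrestricted `fsxadmin` or `vsadmin` role. The sample output is constructed to mirror the page's listing; the `backup_svc` row is made up so the privileged-role check has something to report.

```python
"""Audit ONTAP `security login show` output for weak or unexpected logins.

Added example for this page, not AWS or NetApp code. SAMPLE_OUTPUT is
constructed: it mirrors the page's listing plus one made-up `backup_svc` row.
"""
from __future__ import annotations
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Fsx0123456::> security login show

Vserver: Fsx0123456
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
autosupport    console     password      autosupport      no     none
fsxadmin       http        password      fsxadmin         no     none
fsxadmin       ontapi      password      fsxadmin         no     none
fsxadmin       ssh         password      fsxadmin         no     none
fsxadmin       ssh         publickey     fsxadmin         -      none
backup_svc     ssh         password      fsxadmin         no     none
new_fsxadmin   ssh         password      fsxadmin-readonly
                                                          no     none

Vserver: fsx
                                                                 Second
User/Group                 Authentication                 Acct   Authentication
Name           Application Method        Role Name        Locked Method
-------------- ----------- ------------- ---------------- ------ --------------
new_vsadmin    ssh         password      vsadmin-readonly no     none
vsadmin        http        password      vsadmin          yes    none
vsadmin        ontapi      password      vsadmin          yes    none
vsadmin        ssh         password      vsadmin          yes    none
11 entries were displayed.

Fsx0123456::>
"""

@dataclass(frozen=True)
class LoginEntry:
    vserver: str
    name: str
    application: str
    method: str
    role: str
    locked: str
    second_method: str

def parse_security_login_show(text: str) -> list[LoginEntry]:
    """Parse the per-Vserver tables; each data row has six columns."""
    entries: list[LoginEntry] = []
    vserver, in_table = "", False
    pending: list[str] = []  # tokens of a row ONTAP wrapped over two lines
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Vserver:"):
            vserver, in_table = line.split(":", 1)[1].strip(), False
            continue
        if line.startswith("---"):        # separator: data rows follow
            in_table, pending = True, []
            continue
        if not in_table:
            continue
        if not line or "displayed." in line or line.endswith("::>"):
            in_table = False                # end of this Vserver's table
            continue
        # A long role name pushes "Locked" and "Method" onto the next line,
        # so accumulate tokens until a full six-column row is available.
        pending.extend(line.split())
        if len(pending) >= 6:
            entries.append(LoginEntry(vserver, *pending[:6]))
            pending = pending[6:]
    return entries

PRIVILEGED_ROLES = {"fsxadmin", "vsadmin"}          # unrestricted at their scope
DEFAULT_ACCOUNTS = {"fsxadmin", "vsadmin", "autosupport"}  # created with FSx
MGMT_APPS = {"ssh", "http", "ontapi"}

def audit_logins(entries: list[LoginEntry]) -> list[tuple[str, str, str, str]]:
    """Return (vserver, user, application, issue) tuples for review."""
    findings = []
    for e in entries:
        if (e.application in MGMT_APPS and e.method == "password"
                and e.second_method == "none" and e.locked != "yes"):
            findings.append((e.vserver, e.name, e.application,
                             "password login without a second authentication method"))
        if e.role in PRIVILEGED_ROLES and e.name not in DEFAULT_ACCOUNTS:
            findings.append((e.vserver, e.name, e.application,
                             f"non-default account holds the {e.role} role"))
    return findings

if __name__ == "__main__":
    for finding in audit_logins(parse_security_login_show(SAMPLE_OUTPUT)):
        print(*finding, sep="  ")
```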

# Creating SVM roles
<a name="creating-new-svm-roles"></a>

 Each SVM that you create has a default SVM administrator that's assigned the predefined `vsadmin` role. In addition to the set of [predefined SVM roles](roles-and-users.md#svm-admin-roles), you can create new SVM roles. If you need to create new roles for your SVM, use the `security login role create` ONTAP CLI command. This command is available for file system administrators with the `fsxadmin` role.

**To create a new SVM role (ONTAP CLI)**

1. You can create a new SVM role using the [security login role create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-role-create.html) ONTAP CLI command:

   ```
   Fsx0123456::> security login role create -vserver vs1.example.com -role vol_role -cmddirname volume
   ```

1. Specify the following required parameters in the command:
   + `-vserver` – The name of the SVM.
   + `-role` – The name of the role.
   + `-cmddirname` – The command or command directory to which the role gives access. Enclose command subdirectory names in double quotation marks. For example, `"volume snapshot"`. Enter `DEFAULT` to specify all command directories.

1. (Optional) You can also add any of the following parameters to the command:
   + `-vserver` – The name of the SVM that's associated with the role.
   + `-access` – The access level for the role. For command directories, this includes:
     + `none` – Denies access to commands in the command directory. This is the default value for custom roles.
     + `readonly` – Grants access to the show commands in the command directory and its subdirectories.
     + `all` – Grants access to all of the commands in the command directory and its subdirectories. To grant or deny access to intrinsic commands, you must specify the command directory.

     For non-intrinsic commands (commands that don't end in `create`, `modify`, `delete`, or `show`):
     + `none` – Denies access to commands in the command directory. This is the default value for custom roles.
     + `readonly` – Not applicable. Don't use.
     + `all` – Grants access to the command.
   + `-query` – The query object that's used to filter the access level, which is specified in the form of a valid option for the command, or for a command in the command directory. Enclose the query object in double quotation marks.

1. Run the `security login role create` command.

   The following command creates an access-control role named "admin" for the vs1.example.com Vserver. The role has all access to the "volume" command but only within the "aggr0" aggregate.

   ```
   Fsx0123456::> security login role create -role admin -cmddirname volume -query "-aggr aggr0" -access all -vserver vs1.example.com
   ```

# Configuring Active Directory authentication for ONTAP users
<a name="set-up-ad-auth"></a>

Use the ONTAP CLI to configure the use of Active Directory authentication for ONTAP file system and SVM users.

You must be a file system administrator with the `fsxadmin` role to use the commands in this procedure.

**To set up Active Directory authentication for ONTAP users (ONTAP CLI)**

The commands in this procedure are available to file system users with the `fsxadmin` role.

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. Use the [security login domain-tunnel create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-domain-tunnel-create.html) command as shown to establish a domain tunnel for authenticating Windows Active Directory users. Replace `svm_name` with the name of the SVM you are using for the domain tunnel.

   ```
   FsxId0123456::> security login domain-tunnel create -vserver svm_name
   ```

1. Use the [security login create](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-create.html) command to create Active Directory domain user accounts that will access the file system.

   Specify the following required parameters in the command:
   + `-vserver` – The name of the SVM that is configured with CIFS and joined to your Active Directory. This SVM is used as the tunnel for authenticating Active Directory domain users to the file system.
   + `-user-or-group-name` – The username or Active Directory group name of the login method. The Active Directory group name can be specified only with the `domain` authentication method and the `ontapi` and `ssh` applications.
   + `-application` – The application of the login method. Possible values include http, ontapi, and ssh.
   + `-authentication-method` – The authentication method used for login. Possible values include the following:
     + domain – for Active Directory authentication
     + password – for password authentication
     + publickey – for public-key authentication
   + `-role` – The access-control role name for the login method. At the file system level, the only role that can be specified is `fsxadmin`.

   The following example creates an Active Directory domain user account `CORP\Admin` for the `filesystem1` file system.

   ```
   FSxId012345::> security login create -vserver filesystem1 -username CORP\Admin -application ssh -authmethod domain -role fsxadmin
   ```

   The following example creates the `CORP\Admin` user account with public key authentication.

   ```
   FsxId0123456ab::> security login create -user-or-group-name "CORP\Admin" -application ssh -authentication-method publickey -role fsxadmin
   Warning: To use public-key authentication, you must create a public key for user "CORP\Admin".
   ```

   Create a public key for the `CORP\Admin` user using the following command:

   ```
   FsxId0123456ab::> security login publickey create -username "CORP\Admin" -publickey "ecdsa-sha2-nistp256 SECRET_STRING_HERE_IS_REDACTED= cwaltham@b0be837a91bf.ant.amazon.com"
   ```

**To log in to file system using SSH with Active Directory credentials**
+ The following example demonstrates how to SSH into your file system with your Active Directory credentials if you choose `ssh` for the `-application` type. The `username` is in the format `"domain-name\user-name"`, which is the domain name and the username that you provided when creating the account, separated by a backslash and enclosed in quotation marks. Run the command from your client shell, not from the ONTAP prompt.

  ```
  [~]$ ssh "CORP\user"@management.fs-abcdef01234567892.fsx.us-east-2.aws.com
  ```

  When prompted to enter a password, use the Active Directory user's password.

# Configuring public key authentication
<a name="public-key-auth"></a>

 To enable SSH public key authentication, you must first generate an SSH key and associate it with an administrator account by using the `security login publickey create` command. This allows the account to access the SVM. The `security login publickey create` command accepts the following parameters. 


| Parameter | Description | 
| --- | --- | 
|  `-vserver` (Optional)  |  The name of the SVM that the account accesses. If you are configuring SSH public key authentication for file system users, don't include `-vserver`.  | 
|  `-username`  |  The username of the account. The default value, `admin`, is the default name of the cluster administrator.  | 
|  `-index`  |  The index number of the public key. The default value is 0 if the key is the first key that's created for the account. Otherwise, the default value is one more than the highest existing index number for the account.  | 
|  `-publickey`  |  The OpenSSH public key. Enclose the key in double quotation marks.  | 
|  `-role`  |  The access control role that's assigned to the account.  | 
|  `-comment` (Optional)  |  Descriptive text for the public key. Enclose the text in double quotation marks.  | 

 The following example associates a public key with the SVM administrator account `svmadmin` for the SVM `svm01`. The public key is assigned index number `5`. 

```
Fsx0123456::> security login publickey create -vserver svm01 -username svmadmin -index 5 -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAspH64CYbUsDQCdW22JnK6J/vU9upnKzd2zAk9C1f7YaWRUAFNs2Qe5lUmQ3ldi8AD0Vfbr5T6HZPCixNAIzaFciDy7hgnmdj9eNGedGr/JNrftQbLD1hZybX+72DpQB0tYWBhe6eDJ1oPLobZBGfMlPXh8VjeU44i7W4+s0hG0E= tsmith@publickey.example.com"
```

**Important**  
 You must be an SVM or file system administrator to perform this task. 

# Updating password requirements for file system and SVM roles
<a name="update-password-requirements"></a>

You can update the password requirements for a file system or SVM role using the [security login role config modify](https://docs.netapp.com/us-en/ontap-cli-9141/security-login-role-config-modify.html#description) ONTAP CLI command. This command is only available to file system administrator accounts with the `fsxadmin` role. When modifying password requirements, the system will warn if there are any existing users with that role that will be impacted by the change.

The following example modifies the minimum length password requirement to 12 characters for users with the `vsadmin-readonly` role on the `fsx` SVM. In this example, there are existing users with this role.

```
FsxId0123456::> security login role config modify -role vsadmin-readonly -vserver fsx -passwd-minlength 12
```

The system displays the following warning because of existing users:

```
Warning: User accounts with this role exist. Modifications to the username/password restrictions on this role could result in non-compliant user
         accounts.
Do you want to continue? {y|n}: 

FsxId0123456::>
```

# Updating the `fsxadmin` account password fails
<a name="updating-admin-password"></a>

When you update the password for the `fsxadmin` user, you may receive an error if it doesn't meet the password requirements set on the file system. You can view the password requirements by using the `security login role config show` ONTAP CLI or REST API command.

**To view the password requirements for a file system or SVM role**

1. To access the ONTAP CLI, establish an SSH session on the management port of the Amazon FSx for NetApp ONTAP file system or SVM by running the following command. Replace `management_endpoint_ip` with the IP address of the file system's management port.

   ```
   [~]$ ssh fsxadmin@management_endpoint_ip
   ```

   For more information, see [Managing file systems with the ONTAP CLI](managing-resources-ontap-apps.md#fsxadmin-ontap-cli). 

1. The `security login role config show` command returns the password requirements for a file system or SVM role.

   ```
   FsxId0123456::> security login role config show -role fsxadmin -fields password_requirement_fields
   ```

   For the `-fields` parameter, specify any or all of the following:
   + `passwd-minlength` – The minimum length of the password.
   + `passwd-min-special-chars` – The minimum number of special characters in the password.
   + `passwd-min-lowercase-chars` – The minimum number of lowercase characters in the password.
   + `passwd-min-uppercase-chars` – The minimum number of uppercase characters in the password.
   + `passwd-min-digits` – The minimum number of digits in the password.
   + `passwd-alphanum` – Information about the inclusion or exclusion of alphanumeric characters.
   + `passwd-expiry-time` – The password expiration time.
   + `passwd-expiry-warn-time` – The password expiration warning time.

1. Run the following command to see all password requirements:

   ```
   FsxId0123456::> security login role config show -role fsxadmin -fields passwd-minlength, passwd-min-special-chars, passwd-min-lowercase-chars, passwd-min-digits, passwd-alphanum, passwd-expiry-time, passwd-expiry-warn-time, passwd-min-uppercase-chars                
   
   vserver                role     passwd-minlength passwd-alphanum passwd-min-special-chars passwd-expiry-time passwd-min-lowercase-chars passwd-min-uppercase-chars passwd-min-digits passwd-expiry-warn-time 
   ---------------------- -------- ---------------- --------------- ------------------------ ------------------ -------------------------- -------------------------- ----------------- ----------------------- 
   FsxId0123456           fsxadmin 3                enabled         0                        unlimited          0                          0                          0                 unlimited
   ```
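As an added example that is not part of the AWS documentation, the following Python parses that `-fields` output and compares the `fsxadmin` role's policy to a baseline. The `BASELINE` values are an assumed organizational standard, not FSx defaults, and an `unlimited` expiry time is treated as non-compliant; the sample output is constructed to mirror the listing above.

```python
"""Check an ONTAP role's password policy against a baseline.

Added example for this page, not AWS or NetApp code. SAMPLE_OUTPUT is
constructed to mirror the page's `security login role config show` listing;
BASELINE is an assumed standard, not an FSx default.
"""
from __future__ import annotations

SAMPLE_OUTPUT = """\
FsxId0123456::> security login role config show -role fsxadmin -fields passwd-minlength, passwd-min-special-chars, passwd-min-lowercase-chars, passwd-min-digits, passwd-alphanum, passwd-expiry-time, passwd-expiry-warn-time, passwd-min-uppercase-chars

vserver                role     passwd-minlength passwd-alphanum passwd-min-special-chars passwd-expiry-time passwd-min-lowercase-chars passwd-min-uppercase-chars passwd-min-digits passwd-expiry-warn-time
---------------------- -------- ---------------- --------------- ------------------------ ------------------ -------------------------- -------------------------- ----------------- -----------------------
FsxId0123456           fsxadmin 3                enabled         0                        unlimited          0                          0                          0                 unlimited

FsxId0123456::>
"""

# Assumed baseline. Count fields are minimums (actual must be >= required);
# expiry fields are maximums in days (actual must be <= required and not
# "unlimited", which means the password never expires).
BASELINE = {
    "passwd-minlength": 12,
    "passwd-min-special-chars": 1,
    "passwd-min-lowercase-chars": 1,
    "passwd-min-uppercase-chars": 1,
    "passwd-min-digits": 1,
    "passwd-expiry-time": 90,
}

def parse_role_config_show(text: str) -> list[dict[str, str]]:
    """Return one {field: value} dict per role row of the -fields table."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # The header is the line just before the dashed separator; the echoed
    # command line and blank lines before it are ignored.
    sep = next(i for i, l in enumerate(lines) if l.startswith("---"))
    header = lines[sep - 1].split()
    rows: list[dict[str, str]] = []
    for line in lines[sep + 1:]:
        if line.endswith("::>") or "displayed." in line:
            break                       # prompt or entry count: table is over
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"expected {len(header)} columns: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows

def check_role_policy(row: dict[str, str], baseline: dict[str, int] = BASELINE):
    """Return (role, field, actual, required) for every field below baseline."""
    failures = []
    for field, required in baseline.items():
        actual = row[field]
        if field.endswith("expiry-time"):
            compliant = actual != "unlimited" and int(actual) <= required
        else:
            compliant = int(actual) >= required
        if not compliant:
            failures.append((row["role"], field, actual, required))
    return failures

if __name__ == "__main__":
    for row in parse_role_config_show(SAMPLE_OUTPUT):
        for role, field, actual, required in check_role_policy(row):
            print(f"{role}: {field}={actual} (baseline {required})")
```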