RBAC User Creator tool for VSC, VASA Provider and Storage Replication Adapter 7.0 for VMware vSphere

by Member on ‎2017-08-03 06:43 AM



The RBAC User Creator for ONTAP® tool is a C# application that enables you to create RBAC users within ONTAP.
The list of privileges it creates is stored in an XML file (ontapPrivs.xml). The XML file lets you do the following:

1. You can verify the privileges of the new user created by the RBAC User Creator tool.
2. You can add privileges or products later without the need to recompile the application.


The RBAC User Creator tool is a framework where all the products and the privileges for those products are listed in the XML file. You can easily add support for another product or product version by updating the information in the XML file.


RBAC User Creator tool for Virtual Storage Console, VASA Provider, and Storage Replication Adapter 7.0

This article describes how to use the RBAC User Creator tool for Virtual Storage Console, VASA Provider, and Storage Replication Adapter 7.0 for VMware vSphere. You can use the tool to create users for the following functionality:

1. Virtual Storage Console
2. Virtual Storage Console and VASA Provider
3. Virtual Storage Console and Storage Replication Adapter
4. Virtual Storage Console, VASA Provider and Storage Replication Adapter

Please note that VSC, VASA Provider, and SRA 7.0 support ONTAP versions 9.0 onwards only.

Once you have downloaded and installed the RBAC User Creator tool from the ToolChest, you will need to perform the below steps to provide support for VSC, VASA Provider and SRA 7.0.

Step 1: Replace XML for VSC, VASA Provider and SRA 7.0 support


To enable support for VSC, VASA Provider and SRA 7.0, please perform the following:


1. Download and keep a copy of the ontapPrivs.xml file (attached below).
2. Access the install directory of the RBAC User Creator tool.
This information is provided during installation. For example, the default path is: C:\Program Files (x86)\NetApp\RBAC User Creator
3. Replace the existing ontapPrivs.xml file with the downloaded .xml file.
4. Restart the RBAC User Creator tool.

You can start using the RBAC User Creator tool to create new roles and users.


Step 2: Setting up user names and privileges


You can create ONTAP user names with the privileges required for VSC, VASA Provider and SRA.


1. Enter the name of the admin user and IP of the storage system for which you want to create the user.
2. Click LOGIN.
The tool determines the controller type.
3. As the storage system is running ONTAP, the list of SVMs is displayed.
RBAC User Creator supports creating users on the Cluster-Admin SVM as well as on Data SVMs. Select the appropriate SVM from the drop-down list.
4. Select the product and product version depending on your requirements.
• For 7.0, you must select product as “VSC, VASA Provider and SRA”.
• If you wish to use only VSC, you must select product version as “VSC 7.0”.
• If you wish to use VASA Provider along with VSC, then you must select the product version as “VSC and VASA Provider 7.0”.
• If you wish to use SRA along with VSC, then you must select the product version as “VSC and SRA 7.0”.
• If you wish to use all three, VSC, VASA Provider and SRA, then you must select the product version as “VSC, VASA Provider and SRA 7.0”.
5. Select all the ONTAP privilege roles that apply.
RBAC User Creator tool merges all the privileges from the selected roles and combines them in a sorted list.
6. Enter a name for the role, user, and password, and then click Submit.
NOTE: RBAC User Creator requires admin storage credentials for creating new user names.

Step 3: Adding storage systems


1. Log in to your VSC, VASA Provider and SRA plugin from vCenter.
2. Add the storage system using the new username and password.


Known issues


When providing a role name, do not use any name that begins with “vsadmin”. A role name with that prefix prevents the tool from creating any new roles or users.

Downloading and using RBAC User Creator


Refer to the following link for details regarding download and usage of RBAC User Creator tool:
How to use the RBAC User Creator for ONTAP





When using this XML I've run into issues. Many invalid commands due to version levels. As near as I can see the syntax of ::





do not work (v2.7 of the tool).  Is there a more recent version of the tool that allows for this?  I've used


<ontap-dependent value="xxx">




as a workaround.

New Contributor

I receive the error "Command failed: Missing Input: role-query" when I try to create a user via RBAC user creator for VSC and VASA Provider 7.0 for all Data ONTAP privilege roles (Discovery, Create Storage, Modify Storage, Destroy Storage and Policy-Based Mgmt). The XML-file was replaced as described in your article. I am using RBAC tool version 2.7 and Data ONTAP 9.2.

Do you have any ideas what causes this issue?


Thank you in advance and kind regards,





@dhickey : Did you replace the XML with the one attached in this community article? I hope the errors should not be seen after that. The attached XML file is the most recent version of the privileges required for the product.



@skuebart : Looks like the tool is failing to assign certain privileges to the user. You could try running a set of commands directly from the ONTAP CLI to create new roles by following the KB article which I have mentioned below:


For creating roles and users at the cluster level, please check https://kb.netapp.com/app/answers/answer_view/a_id/1001058


For creating roles and users at the SVM level, please check https://kb.netapp.com/app/answers/answer_view/a_id/1001056



New Contributor



Same as Sascha's error in my environment. Error from the log was:


2017-11-29 17:25:24,860 DEBUG [ZapiUtils.modifyCModeLoginRole]: <security-login-role-modify>
<command-directory-name>lun mapping create</command-directory-name>

2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: Modify entry [lun mapping create(access all)] failed
2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: API FAILED: Missing Input: role-query



When I ignore the VSC 7.0 version and use the old XML for 6.2, the process is working fine.


Best regards
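
The following is an added example, not part of the original posts and not NetApp's code: a small Python parser for the RBAC User Creator log format quoted in the comment above. It lists each privilege the tool failed to add to the role, so the gaps in the role can be reviewed before the user is put into service. The function names are hypothetical, and the sample is the quoted log plus one constructed failure.

```python
import re
from collections import defaultdict

# Log lines quoted in the comment above, plus one constructed failure
# (the "volume snapshot create" entry) added to show grouping.
SAMPLE_LOG = """\
2017-11-29 17:25:24,860 DEBUG [ZapiUtils.modifyCModeLoginRole]: <security-login-role-modify>
<command-directory-name>lun mapping create</command-directory-name>

2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: Modify entry [lun mapping create(access all)] failed
2017-11-29 17:25:25,129 ERROR [ZapiUtils.modifyCModeLoginRole]: API FAILED: Missing Input: role-query
2017-11-29 17:25:26,002 ERROR [ZapiUtils.modifyCModeLoginRole]: Modify entry [volume snapshot create(access all)] failed
2017-11-29 17:25:26,002 ERROR [ZapiUtils.modifyCModeLoginRole]: API FAILED: Missing Input: role-query
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d [\d:,]+) (?P<level>[A-Z]+) \[[^\]]+\]: (?P<msg>.*)$")
ENTRY = re.compile(r"^Modify entry \[(?P<cmd>.+)\(access (?P<access>[^)]+)\)\] failed$")
API = re.compile(r"^API FAILED: (?P<reason>.+)$")

def failed_privileges(log_text):
    """Return one dict per privilege the tool could not add to the role."""
    failures, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue  # XML payload lines and DEBUG records carry no failure
        entry = ENTRY.match(m["msg"])
        api = API.match(m["msg"])
        if entry:
            pending = {"time": m["ts"], "command": entry["cmd"],
                       "access": entry["access"], "reason": None}
            failures.append(pending)
        elif api and pending is not None and pending["reason"] is None:
            pending["reason"] = api["reason"]  # error for the entry just above
    return failures

def by_reason(failures):
    """Group failed command directories by API error, sorted for review."""
    groups = defaultdict(list)
    for f in failures:
        groups[f["reason"] or "unknown"].append(f["command"])
    return {reason: sorted(cmds) for reason, cmds in groups.items()}

if __name__ == "__main__":
    for reason, cmds in by_reason(failed_privileges(SAMPLE_LOG)).items():
        print(f"{reason}: {len(cmds)} privilege(s) missing from the role")
        print("\n".join(f"  - {c}" for c in cmds))
```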


