topic Re: RBAC over RestRoles in ONTAP Rest API Discussions

RBAC over RestRoles

klmi — Wed, 04 Jun 2025 10:33:47 GMT

HI all,

we are currently in the phase to switchover from ontapi to Rest-API.
For some regulations, we need to use RBAC, so that special AD-Groups/User get reduced API-Access to the vserver.

We need a role for Snapshot-Management (Backup Application), so this user only can create/delete snapshots on the vserver.

So far i can only get it working with giving RestAccess to API /api/storage/volumes, but this would also give rights to create/destroy volumes and more.

I tried to create a more strict role, but it doesnot work.

Ontap_98::> security login rest-role create -vserver <vserver> -role rest_snapadmin -api /api/storage/volumes/{volume.uuid}/snapshots -access all

Error: command failed: Invalid character detected in URI.

Has anybody an Idea, how to restirct the Access to snapshot only operations with REST-API?

Best Regards,

Klaus

Re: RBAC over RestRoles

mbeattie — Thu, 25 Feb 2021 05:17:20 GMT

Hi Klaus,

I don't believe the current ONTAP release supports granular RBAC access to an individual volume via the REST API. I tested this on ONTAP 9.8 and got the same result (replacing '{volume.uuid}' with a volume's UUID)

cluster1::> security login rest-role creat -vserver vserver1 -role rest_snapadmin -api /api/storage/volumes/1c25a5c1-bd20-11ea-8d7a-00a098dea1f0/snapshots -access all Error: command failed: Specified URI path is invalid or not supported. Verify that the URI contains only valid characters. Variable-path URIs are not supported.

I think this may be available in a future ONTAP release however in the meantime you could rehost the volume in another SVM and delegate access to '/api/storage/volumes'

/Matt

Re: RBAC over RestRoles

mbeattie — Fri, 26 Feb 2021 01:32:53 GMT

Hi Klaus,

Whilst it's not currently possible to delegate permissions using the 'security login rest-role create' command you can use the traditional method as follows:

security login role create -role snapadmin -cmddirname "volume snapshot" -access all -query "-vserver vserver1 -volume cifs_data_001" vserver services web access create -name rest -role snapadmin -vserver cluster1 security login create snapadmin -application http -authentication-method password -role snapadmin curl -ku snapadmin:<password> -X GET "https://192.168.100.2/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots" { "records": [ { "uuid": "b43de933-4b7f-4bcd-b51d-b759b0752a4a", "name": "snapmirror.1b2e97b3-285c-11eb-9660-00505680d956_2150679890.2020-11-16_224256", "_links": { "self": { "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots/b43de933-4b7f-4bcd-b51d-b759b0752a4a" } } }, { "uuid": "8c3ace7d-2b99-4dbe-b05c-f954ed37547c", "name": "snapmirror.1b2e97b3-285c-11eb-9660-00505680d956_2150679890.2020-11-19_020943", "_links": { "self": { "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots/8c3ace7d-2b99-4dbe-b05c-f954ed37547c" } } } ], "num_records": 2, "_links": { "self": { "href": "/api/storage/volumes/4a8e36e3-2861-11eb-9071-0050568028c9/snapshots" } }

Note: if you ever renamed the volume you'd also need to update the name in the 'query':

security login role create -role snapadmin -cmddirname "volume snapshot" -access all -query "-vserver vserver1 -volume cifs_data_001"

Hope that helps

/Matt

Re: RBAC over RestRoles

klmi — Fri, 26 Feb 2021 13:17:14 GMT

Hi Mat,

many thanks for that useful info.

After enabling the Web Service for our (ontAPI) Role it worked also well with Rest with all RBAC Features.

Best Regards,

Klaus