topic Re: Create a RBAC role user with the new rest process in ONTAP Rest API Discussions

Create a RBAC role user with the new rest process

Sig — Wed, 04 Jun 2025 10:19:51 GMT

Ok I'm a little frustrated with NetApp support. After weeks they just sluffed me off to this group and told me to ask here.

I hope someone here can answer my question.

I have an ONTAP 9.8 system (and older versions as well).

I used to be able to create custom role with read/write on all volume and
snapshots commands but deny the following:
volume delete
snapshot delete

Commands looked like this:

security login role create -vserver lan01 -role lanadmin -cmddirname "volume snapshot delete" -access none
security login role create -vserver lan01 -role lanadmin -cmddirname "volume delete" -access none

I'm told these no longer work and that I have to use the new rest-role commands. I can't figure out the -api string to grant this same level of access. I have tried several iterations.

security login rest-role modify -vserver lan01 -role lanadmin -api
/api/storage/volumes/*/snapshots -access readonly
...
security login rest-role modify -vserver lan01 -role lanadmin

-api /api/storage/volumes/{volume.uuid}/snapshots/{uuid} -access readonly

NetApp support doesn't seem to know how to help with this request. Anyone here able to help?

Thanks

Sig

Re: Create a RBAC role user with the new rest process

Sig — Tue, 06 Jul 2021 04:28:01 GMT

This is the issue I'm trying to work around:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Infrastructure_Management/System_Manager/Custom_user_roles_are_not_honored_in_the_new_experience_of_OnCommand_System_Manager

Re: Create a RBAC role user with the new rest process

Sig — Tue, 06 Jul 2021 04:57:26 GMT

Found this Community conversation that seems to indicate that the rest-role commands don't have the granularity to deny volume delete or snapshot delete commands.

https://community.netapp.com/t5/ONTAP-Rest-API-Discussions/RBAC-over-RestRoles/m-p/164281

Frustrating to loose this functionality before rest-role has feature parity and for NetApp support to not know this info.

Re: Create a RBAC role user with the new rest process

JohnChampion — Tue, 06 Jul 2021 16:30:18 GMT

REST API support is now provided through Slack ... try netapppub.slack.com and post questions in the #api channel. You'll get a fairly quick response (...though NetApp is at minimal manning 5-9 July - company-wide holiday break). To get an invite go to netapp.io and click the Slack icon at the top right.

Here is the ONTAPI to REST mapping information document (https://library.netapp.com/ecm/ecm_download_file/ECMLP2874886)

You can check the status of the mappings and request specific REST mappings that are missing. At the top of the first page is a link ("we want to hear from you").

You could also try using the /private/cli REST method which lets you run CLI commands through a REST call and (in most cases) get JSON formatted results.