Effective December 3, NetApp adopts Microsoft’s Business-to-Customer (B2C) identity management to simplify and provide secure access to NetApp resources.
For accounts that did not pre-register (prior to Dec 3), access to your NetApp data may take up to 1 hour as your legacy NSS ID is synchronized to the new B2C identity.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

VMware Solutions Discussions

VSC 9.6 - Crash when using the privileges from the RBAC User Creator Tool


Hello community,


we are currently using VSC 9.6. If storage systems are added with a vscadmin who has received his privileges from the current RBAC User Creator Tool, the complete VSC will crash and have to be set up again.


The following messages appear - among others - in the VSC.LOG:

2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] WARN (ZAPIInvoker) - invokeZAPI(0): failed OntapConnectionImpl{ipAddress=fas27501.stadtdo.de, userName=vscadmin, port=443, ssl=true} API failed. Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003) null
2019-12-09 06:39:47,930 [qtp557725225-3896 - /vsc/remoting/exoforceRmiExporter?sessionId=40f538d75057f26d857ae13c9113ae69fc380937&serviceUrl=https://vmc_serv.stadtdo.de:443/sdk] ERROR (RMIServiceImpl) - getAllStorageSystems - Error getting controllers -
Unable to load volumes for: AbstractController: id: bbfe3d81-7ae0-11e9-ba14-00a098fbe31aname: SVM_NFS-VMW02ip address: fas27501.stadtdo.de. Caused by: Insufficient privileges: user 'vscadmin' does not have read access to this resource (errno=13003)


Unfortunately I don't know which privileges are missing. It can only be due to the privileges, because it works if I give the vscadmin admin rights.


Any idea?


Many thanks and greetings







You have not mentioned which version of ONTAP Cluster is being used to create user. Hope you are using one of these ONTAP version which are supported for VSC 9.6:

Please follow steps mentioned in this article to create a user for VSC, it should work fine.





Sorry, I forgot to tell you: we use FAS systems with ontap 9.5.

We've been using VSC for a long time (since version 2.1). Since the RBAC User Creator Tool existed, we have also used it to create the corresponding roles, without any problems so far. This time it doesn't work.

The hint from mjdalton1 on: https://docs.netapp.com/vapp-96/index.jsp?topic=%2Fcom.netapp.doc.vsc-dsg%2FGUID-999F3BFE-4005-42EC-9CF5-127DD6699297.html&lang=en refers to the roles "Discovery, Create Storage, Modify Storage and Destroy Storage" - but what content/commands do these roles have?  The roles themselves don't exit - do they?


I only know "FAQ: VSC, VASA, and SRA 7.0 ONTAP RBAC Configuration" ( https://kb.netapp.com/app/answers/answer_view/a_id/1001058). - Well, then I seem to have to rummage through here.


Best regards



Hi Micheal,


Please follow this link and download latest ontapPrivs.xml and replace it in your RBAC Tool.

Select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' for version. Select role in checkbox and create a user for your SVM and add it to VSC. It should work fine or please share error \logs in case of  a failure.


The RBAC User Creator for Data ONTAP tool enables you to quickly and easily set up role-based access control (RBAC) for NetApp storage systems. It supports multiple NetApp products and both clustered Data ONTAP and Data ONTAP operating in 7-mode environments.  


This tool, privileges XML file and instructions for using it are available on the NetApp ToolChest:


Because this tool stores privileges in an XML file (ontapPrivs.xml), NetApp can update it with new information without having to recompile it. Also, the XML file allows you to clearly see the privileges being used.



I'm sorry, but I can't select 'VSC, VASA Provider and SRA' for Product and 'VSC, VASA Provider and SRA 9.6' - it doesn't exist.


Unfortunately I cannot find any "9.6" ontapPriv.xml under the given link. The file contains the previous data that I have used before. Here are the first lines of this ontapPriv.xml:


<?xml version="1.0" encoding="utf-8"?><privs>
<product id="vsc70" label="VSC, VASA Provider and SRA" description="VSC, VASA Provider and SRA">
<vsc70 id="vsc70" label="VSC 7.x">
<role id="discovery" label="Discovery"
description="This role allows for the discovery of all the connected storage controllers.">


Any idea? What am I doing wrong?

Best regards





Regret inconvenience caused. 


Please replace ontapPrivs.xml with following file:




Roopeshwari U



NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner