
How to use the RBAC User Creator for Data ONTAP




The RBAC User Creator for Data ONTAP® tool is a C# application that assists you in creating RBAC usernames within Data ONTAP. This application is used to create usernames in both 7-mode and Clustered Data ONTAP environments. It takes care of the small differences between the Data ONTAP versions as well as the variances between the NetApp products using them.


The lists of privileges being created are stored in XML (ontapPrivs.xml). This was done for two primary reasons: 

     1. You can clearly see the privileges, so there is complete transparency about what the new user created by RBAC User Creator is allowed to do.

     2. Additional privileges and products can be added later without the need to recompile the application.

NOTE: An important feature of version 2.0 is the ability to add products without needing to recompile the application.


You can think of RBAC User Creator as a framework of sorts. All the products and the privileges for those products are listed in the XML file. Adding support for another product or product version is as simple as adding the information to the XML file.


RBAC User Creator has native support for the following products out of the box:


  • Virtual Storage Console for VMware vSphere
  • OnCommand Balance
  • Snap Creator Framework
  • SnapDrive for Windows
  • VASA Provider for VMware vCenter
  • Storage Replication Adapter for VMware Site Recovery Manager
  • Virtual Storage Console for Citrix XenServer   
  • Virtual Storage Console for RHEV 
  • NetApp Recovery Manager for Citrix Sharefile 
  • OnCommand Unified Manager (DFM) 5.1
  • VMTurbo Operations Manager

Step 1: Install Tool

Install the tool by selecting "Run as Administrator". Standard InstallShield rules apply. If you don't "Run as Administrator", the log file will not be created.


Step 2: Set Up Usernames and Privileges

In just a few short clicks you can create ONTAP usernames with all the required privileges needed by VSC. In order to guide you along, the non-relevant sections are greyed out.


  • Simply enter the root or admin username and IP of the storage system you want to create the user on. 
  • Click the LOGIN button, and it will log in and determine the controller type. 
  • If the storage system is running Clustered Data ONTAP, the list of Vservers will be displayed. 
  • RBAC User Creator supports creating users on the Cluster-Admin Vserver as well as on Data Vservers. Simply select the Vserver from the pull-down list.

NOTE: RBAC User Creator requires root/admin storage credentials for creating new usernames.


For more details, please read the User Guide (attached below)





Step 3: Add Roles for Users


RBAC User Creator handles all the differences between 7-mode and Clustered Data ONTAP


  • Simply select the VSC version you're using, and the roles you want the new user to have
  • Choose the product and product version
  • RBAC User Creator will merge all the privileges from the selected roles and combine them in a sorted list
  • Since there is an ONTAP limit on the number of privileges in a role, RBAC User Creator will create iterated role names in the form of <rolename>.X.
  • In the case of Clustered Data ONTAP, it handles both the read-only and all-access privileges

If you are unsure what privileges the new user will have, click on the PREVIEW button to preview the list. It will show you the sorted list of all the privileges to be added. If the storage system is running 7-mode, it will create an EMS log detailing the creation of this new username. Hopefully, this functionality will be added for Clustered Data ONTAP soon.


Step 4: Add Storage Systems


  • Log in to your application
  • Add the storage system using the new username



  • Download RBAC User Creator for Data ONTAP
  • Comment below by @mentioning dbkelly (For any issues: include the ONTAPUserCreator.log file in your comment)
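The merge, sort and split behaviour described in Step 3, as an added Python sketch (not the tool's C# code). It also goes one step further and covers the upgrade case, where only the missing privileges go into the next numbered role, plus an audit of privileges that are no longer needed. `MAX_PER_ROLE`, the role-to-privilege mapping and the function names are constructed for illustration; they are not ONTAP's real limit or the contents of ontapPrivs.xml.

```python
# Constructed sample data: not the real ontapPrivs.xml contents or ONTAP limit.
MAX_PER_ROLE = 3

CATALOGUE_OLD = {
    "Discovery": ["login-http-admin", "api-system-get-version",
                  "api-volume-list-info"],
    "Create Clones": ["api-volume-list-info", "api-volume-clone-create",
                      "login-http-admin"],
}
# A later product version that needs three more capabilities for Discovery.
CATALOGUE_NEW = dict(CATALOGUE_OLD)
CATALOGUE_NEW["Discovery"] = CATALOGUE_OLD["Discovery"] + [
    "api-volume-list-iter-start", "api-volume-list-iter-next",
    "api-volume-list-iter-end"]


def merge_privileges(selected_roles, catalogue):
    """Union of the privileges of all selected roles, deduplicated and sorted."""
    merged = set()
    for role in selected_roles:
        merged.update(catalogue[role])
    return sorted(merged)


def plan_roles(base_name, wanted, existing=None, max_per_role=MAX_PER_ROLE):
    """Split privileges into <base_name>.N roles.

    `existing` maps already-created role names to their privileges; only
    privileges not yet granted are planned, numbered after the highest
    existing suffix.
    """
    existing = existing or {}
    granted = {p for privs in existing.values() for p in privs}
    todo = [p for p in wanted if p not in granted]
    index = 1 + max((int(n.rsplit(".", 1)[1]) for n in existing), default=0)
    plan = {}
    for start in range(0, len(todo), max_per_role):
        plan[f"{base_name}.{index}"] = todo[start:start + max_per_role]
        index += 1
    return plan


def excess_privileges(wanted, existing):
    """Privileges the existing roles grant that the selection does not need."""
    granted = {p for privs in existing.values() for p in privs}
    return sorted(granted - set(wanted))


if __name__ == "__main__":
    roles = ["Discovery", "Create Clones"]
    first = plan_roles("vsc41", merge_privileges(roles, CATALOGUE_OLD))
    upgrade = plan_roles("vsc41", merge_privileges(roles, CATALOGUE_NEW), first)
    for name, privs in {**first, **upgrade}.items():
        print(name, ",".join(privs))
    # Dropping "Create Clones" later leaves one privilege that should be revoked.
    print("excess:", excess_privileges(
        merge_privileges(["Discovery"], CATALOGUE_NEW), {**first, **upgrade}))
```

Reviewing the planned roles before creating them serves the same purpose as the PREVIEW button: it shows exactly which capabilities the new account will hold.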






Thanks for this application. Makes life a lot easier.

Will be great to be able to use this also for SRM as well as creating other RBAC usernames for backup software (like NetBackup etc.).




Thank you for the kind words. Version 2 is coming soon. One of the new features will be the ability to support multiple products. More details to come.


Version 2.0 is posted!

What's new?

Changed the application name to RBAC User Creator for Data ONTAP®

Added support for multiple products.   Natively, RBAC User Creator supports VSC, SDW, SRA, Balance, VASA, and Snap Creator.   Additional products can be added to the XML.

Added support for modifying existing DOT username, roles and groups.

Bug fixes


This is just getting better and better. Thank you.

Does the added support to modify existing usernames, roles & groups also have the option to remove them? I haven't tested this yet.


This looks very promising. Unfortunately, I am getting the following error when attempting to Login: API Failed: Api vfiler-list-info requires license for multistore.


This is for a FAS3140 with NetApp Release 8.0.2P5 7-Mode. The progress bar just sits there and doesn't time out.

I googled the error and searched the log file but nothing showed up. Any assistance or direction will be greatly appreciated. If there's any other information I can provide please let me know.

Thanks very much.



Glad you like it maliu.  Unfortunately, no.  This tool only modifies existing users, it does not delete or remove them.   If you want to remove a username/role/group, you will need to do that manually with tools like the CLI, CEM, or SysMgr.



Ah... you don't have a MultiStore license. This is a bad assumption on my part. In order for DOT to process the vfiler-list-info ZAPI, it needs access to that license. This error is causing the controller validation to fail. Give me a few days and let me see what I can come up with. It should be fairly easy to skip this check if MultiStore is not licensed. Of course, dealing with the fact that the vFiler list will be empty will be a whole other set of issues to deal with in the GUI. I'm travelling for the Thanksgiving holiday break, so it'll likely be a week or more before I can get to it.

Can you send me the log file?



Sean,  scratch my previous comment.  This was easier to fix than expected.   I fixed this over lunch today.    Please give version 2.1 a try.


It works a treat! Thanks so much!

I have used it to create the role, group and user on both of my controllers as well as modified the credentials for VSC authentication in the plugin itself.

I really appreciate your time and effort on this. We have about 20 NetApps in the business connected to ESXi hosts so I will be communicating this to all storage/VMware admins.

Thanks again.



Hi David,

Thank you for building this.

Would you happen to have the time frame for including SnapDrive for Windows here? The software shows up in the drop-down but it seems that the XML definitions have not been included in the shipping version.


Glad to hear you are finding it useful.    Thanks Sean!



I'm confused by your comment. Please make sure you are using version 2.0+. SDW v6.4.2 support is built in. [Screen Shot 2012-11-26 at 8.22.08 PM.png]


I get the following message. Have reinstalled the utility. It works well for VSC 4.



Oh, you're running Clustered Data ONTAP. My screenshot was from a 7-mode system. There are definitely c-mode privileges listed in the XML file, but it doesn't look like it is able to be parsed. Let me take a look and I'll be back in touch.


I apologize, I should have noticed this earlier.    You are trying to create a username on a direct Vserver.    There are no privs defined for that; hence the error message.   I'll have to double-check with the SDW PM.  Previously, I was only sent privileges for Cluster-Admin users.  


You are correct. The utility works if the user and role are created on the cluster itself.



Great tool. I am having issues with the connection.

I try to connect to the admin vserver with port 443 and SSL:

2013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer Hostname : derotnpc0001a

2013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer Type: FILER

2013-01-21 14:08:26,120 DEBUG [ZapiUtils.getNaServer]: NaServer TransportType: HTTPS

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]: NaServer Port: 443

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]:

2013-01-21 14:08:26,121 DEBUG [ZapiUtils.getNaServer]:

2013-01-21 14:08:26,139 DEBUG [ZapiUtils.getSystemVersion]: <system-get-version/>

2013-01-21 14:09:41,110 ERROR [ZapiUtils.getSystemVersion]: Failed invoking API

Firewall from the host is open for port 443.

Select ACL Protokoll Source Ip Destination Ip Source Port Destination Port

InfoThis communication is already permitted. Any change of ACL is not needed. permitted tcp ( ( 1045 443

So are there other ports to be open for the initial communication?

Best wishes,



Updated to version 2.2.4789.19622.  Added support for VSC 4.1P1



I have tried to update an existing user (which was created with All privileges for VSC 4.1) to All privileges for VSC 4.1P1. The rule name which I had used for VSC 4.1 was vsc41 (vsc41.1 and vsc41.2 were generated by RBAC User Creator for Data ONTAP®). It will add 3 capabilities. Here is the log:

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Role Description Name : This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Role Name : vsc41.3

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: Privs : api-volume-list-iter-start,api-volume-list-iter-next,api-volume-list-iter-end

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-start

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-next

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: UseradminCapabilityInfo: api-volume-list-iter-end

2013-03-06 12:51:14,545 DEBUG [ZapiUtils.create7ModeLoginRole]: <useradmin-role-add>














            <comment>This is an auto-generated role created by RBAC User Creator for Virtual Storage Console for VMware vSphere.</comment>





2013-03-06 12:51:14,654 ERROR [ZapiUtils.create7ModeLoginRole]: API FAILED: Could not add role <vsc41.3>. Error: Invalid capability

2013-03-06 12:52:06,280 DEBUG [UserCreator.ValidateTextbox]: Clearing Validation field

2013-03-06 12:52:06,280 DEBUG [UserCreator.roleName_Validating]: Setting role name :  vsc41

We use ONTAP 8.0.1. It is the same on both heads.

TIA, Silvio



I apologize for not responding earlier...  I've enabled email notifications, but I'm not seeing an email when someone posts a comment. 

I don't know if I ever specifically tested "upgrading" a VSC 4.1 user  to VSC 4.1P1, but I will give it a shot tonight.


If you haven't heard already, VSC 4.2 Beta has been released.

I'm in the process of updating the tool to support VSC 4.2.  I should have something ready by the end of the week.   Stay tuned.


Hi David

How to use your tool to assign an AD account with a certain role?




I tried to create a VSC4.1P1 account but get the following error:

But for VSC 4.0 and 4.1, it works well to create an account. [RBACtool.JPG]

in the log: 2013-03-13 18:14:08,856 ERROR [ZapiUtils.create7ModeLoginRole]: API FAILED: Could not add role <role1>. Error: Invalid capability

BTW, the ONTAP version is 7.3.6


We ran into issues when we used an AD account. We made a group and added the AD account to the group (adexample\aduser), and when we used this user in the VSC everything became slow and unresponsive. When we made a local user and added it to the local administrator group on the NetApp controller, we also got some VSC plugin features working again, like show privileges.

When you don't get to see the confirmation what privileges you have it seems the plugin fails to work in combination with AD authentication.

However we would like to see AD and VSC working together as this is our standard security authentication. We are on 8.1.2 7-mode.

Next week going to do some testing with the group created by this RBAC user creator and a local account.

Any idea what is causing AD account failures with VSC? We did use RBAC User Creator, which did a great job in creating roles and such.



chao, it looks like something in the XML is messed up.   Can you upload the RBACUserCreator.log and the ontapPrivs.xml file.  Thanks


I just found I could not upload a file in a reply. I will send it to you by email separately.


Hi Dave,

Any way to prevent the clear text storage root password from being written to the log files during validation?


maliu - I already have this fixed in my sandbox build. This will be addressed in version 2.3.


I'm also having the invalid capability issue when trying to create a user for VSC 4.1P1.

I have determined that there is indeed an error in the XML defining the capabilities for 4.1P1. The fix is as follows:

Replace the following 3 lines:


With these 3 lines:


You should find each one twice, 6 replacements total.

I just used this to create a user from scratch for VSC 4.1P1 roles: Discover, Clone, Create Storage and Modify Storage.



Version 2.3 has been posted.

What's New?

- Added support for VSC 4.2 for VMware vSphere

- Added support for SRA for VMware SRM

- Added support for Snap Creator Framework 4.0  (Thanks John)

- Added support for VSC for Citrix XenServer (Thanks Gabe)

- Added support for NetApp Recovery Manager for Citrix ShareFile (Thanks Gabe)

- Removed clear text passwords in the log file

- Fixed the XML syntax error for VSC 4.1P1

- Other miscellaneous bug fixes


Special thanks to Chris Knowling for adding support for OnCommand Unified Manager (DFM) 5.1.    This is the first community contribution for the RUC tool!    

Version 2.3.4881.28244 has been posted.

What's New?

- Added support for OnCommand Unified Manager 5.1


Hi Kelly

I installed 2.3 and love it. I have a question about OnCommand Unified Manager for Cluster-mode. I found I could not select a version when I want to create an account for UM in a cluster-mode environment. Any tips?




Is there an RBAC User Creator list of which software is supported in cluster-mode? Thanks a lot!



Although the RUC tool supports both 7-mode and cDOT, I only have 7-mode privs for OnCommand Unified Manager.  If you or someone else here can point me to a KB where the cDOT privs are listed, I'd be happy to add it. 

I can pull a list together on which products I have cluster-mode privs for. We need to be careful when we talk about support for cluster-mode.   The product supporting cluster-mode and the RUC tool having privs for cluster-mode may be two different things.   For instance, OnCommand Unified Manager supports both 7-mode and cDOT, the RUC tool only has privs for 7-mode at this point.


I see and fully understand.  I really love this tool and help it could help us everywhere.      I also drop a question in UM  space and hope someone could reply.

Yes, would you please provide list (even an "unofficial list") about which products you already develop for Cluster-mode?  It will be helpful.


I got the 7mode privs from the DFM install manual. I’m too busy at present to actually look that up for you though.

Chris Knowling


Hi, I've installed VSC 4.2 and was creating a new user to manage it and configure all the necessary to make it work.

Creating the user/role/group and using it on the controller in VSC 4.2 tells me that some permissions are missing for the backup/recovery:


The controller is a 7-mode version 8.1.2.


Francesco, Sorry to hear you are having problems, I'll take a look and try to reproduce this issue.   In the meantime, can you send me a screenshot of the tool and the log file? 


I just reproduced the issue in my lab.   It appears to be isolated to the B&R role only.   The other roles are being created correctly.   


I just uploaded a new version of the tool.   Basically, I messed up the label in the XML for the Backup & recovery role.  This is fixed in version 2.3.4896.22885.   


For half my systems the tool works great, on the others I get a "Failed to invoke API" error after the attempt to "system-get-version". Obviously it's a filer side issue but do you have any tips on tracking this down? All of my controllers are running 8.1.1 7-mode. Thank you!


Cecil, send me the logs and I will take a look.


Using the latest RBAC User tool to create a vscadmin user and get missing rights when this user is used in VSC4.2.

This is an 8.1.2P4 cdot cluster and the missing rights are

system license show;  volume efficiency show

I checked the RBAC User tool xml file and those commands seem to be there.

I added these missing rights using "security login role modify -role vscadmin -cmddirname"

which solved my problem.

Has anybody seen this before?



I just double-checked the ontapPrivs.xml; you're right, those privileges are listed there.   Curious, what ONTAP roles are you selecting?   Could I get a screenshot of the RUC tool, perhaps?

I'm really curious about what could be happening here.    Can you email the logs to me?


I have some problems with the OnCommand role definition. We use OnCommand also to manage backup with Snap Creator and it seems there are some needed APIs that are missing:








I had another problem related to the user creation for a Site Recovery Manager SRA account. The user is not created because the comment field seems too long (>128 char).


Francesco,  thanks for the feedback.   I don't recall seeing those privileges when I was testing the OnCommand role.   Perhaps, it has something to do with using OnCommand and SnapCreator?   I don't know.   Anyway, I will get those added for the next release.    In the meantime, you can add those missing privs yourself.   Just follow the XML format and you should be all set.  

Interesting comment about the comment field.   Yes, it is delimited to 128 characters.    I use the roleDescription field in the XML file for the comment.    I guess "Storage Replication Adapter for VMware Site Recovery Manager" is a bit too long.    Since you are already editing the XML file, please go ahead and shorten the SRA description field.    You can make it anything you want.

         <product id="srm" label="SRA for VMware SRM" description="Storage Replication Adapter for VMware Site Recovery Manager">

  "SRA for VMware SRM" should work.

I'll get this fixed in the next release.


It looks like there is an error in the ontapPrivs.xml for the VSC user: it says:

   <ontap-dependent value="8.1.2-">

Where it should be 8.1.2+. This is for Create-Clones, Create-Storage, Modify-Storage and Destroy-Storage, so I changed 4 entries in the xml file.

I am setting up a VSC user with ONTAP 8.1.3 7-mode, and after I changed the minus-sign to the plus-sign, I correctly got all privileges in VSC.



Glad this app exists!  Any chance in future builds of being able to give it a list of controllers instead of going one-at-a-time?  Such as if I want to add a DFM account to 30+ controllers, could there be an XML file or somesuch that could be provided to the app and then let it go do its thing?

Thanks for making this application!


Thanks Anton.   Actually, the value should be '8.1.99-'.   Those API have been deprecated in 8.2.
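The `ontap-dependent` version gate discussed in the last two comments, as an added Python sketch (not the tool's code). The semantics are inferred from the thread and are an assumption: a trailing `+` means "this ONTAP version or later", a trailing `-` means "this version or earlier". The `<role>` and `<priv>` element names and the privilege names are hypothetical; only `ontap-dependent` and its `value` attribute appear on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: <role>/<priv> and both privilege names are placeholders.
ROLE_XML = """
<role label="Create-Clones">
  <priv>api-system-get-version</priv>
  <ontap-dependent value="{gate}">
    <priv>api-hypothetical-legacy-call</priv>
  </ontap-dependent>
</role>
"""


def parse_version(text):
    """Return (major, minor, patch) for strings such as '8.2' or '8.1.2P4'."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised ONTAP version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def gate_matches(gate, running):
    """Assumed semantics: 'X+' means running >= X, 'X-' means running <= X."""
    bound, operator = gate[:-1], gate[-1]
    if operator == "+":
        return parse_version(running) >= parse_version(bound)
    if operator == "-":
        return parse_version(running) <= parse_version(bound)
    raise ValueError(f"gate must end in '+' or '-': {gate!r}")


def privileges_for(role_xml, running):
    """Ungated privileges plus those whose version gate matches `running`."""
    role = ET.fromstring(role_xml)
    granted = [p.text for p in role.findall("priv")]
    for gated in role.findall("ontap-dependent"):
        if gate_matches(gated.get("value"), running):
            granted += [p.text for p in gated.findall("priv")]
    return sorted(granted)


def gate_table(versions=("8.1.2", "8.1.3", "8.2")):
    """For each gate from the thread, which versions receive the gated call."""
    table = {}
    for gate in ("8.1.2-", "8.1.2+", "8.1.99-"):
        xml_text = ROLE_XML.format(gate=gate)
        table[gate] = [v for v in versions
                       if "api-hypothetical-legacy-call"
                       in privileges_for(xml_text, v)]
    return table


if __name__ == "__main__":
    for gate, versions in gate_table().items():
        print(f"{gate:8} grants the gated privilege on: {', '.join(versions)}")
```

Under these assumed semantics, `8.1.2-` withholds the gated privilege from 8.1.3, `8.1.2+` also grants it on 8.2 where the APIs are deprecated, and `8.1.99-` covers every 8.1.x release while excluding 8.2.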