
Recommended Data ONTAP roles when using VSC for VMware vSphere

There are several recommended Data ONTAP roles that you can set up for working with Virtual Storage Console for VMware vSphere and role-based access control (RBAC). These roles contain the Data ONTAP privileges required to perform the necessary storage operations executed by the VSC tasks.

There are several ways to create Data ONTAP roles:

Each role has a user name/password pair associated with it; these are the role's credentials. Unless you log in with those credentials, you cannot perform the storage operations associated with the role.

As a security measure, the VSC-specific Data ONTAP roles are ordered hierarchically. This means that the first role is the most restrictive role and has only the privileges associated with the most basic set of VSC storage operations. The next role includes both its own privileges and all of the privileges associated with the previous role. Each additional role is less restrictive with regard to the supported storage operations.

The following are some of the recommended Data ONTAP RBAC roles when using VSC. After you create these roles, you can assign them to users who need to perform tasks related to storage, such as provisioning and cloning storage and optimizing and migrating virtual machines.

  1. Discovery

    The Discovery role enables you to add storage systems.

  2. Create Clones

    This role enables you to clone virtual machines. It also includes all of the privileges associated with the Discovery role.

  3. Create Storage

    This role enables you to create storage. It also includes all of the privileges associated with the previous two roles.

  4. Modify Storage

    This role enables you to modify storage. It also includes all of the privileges associated with the previous three roles.

  5. Destroy Storage

    This role enables you to destroy storage. It also includes all of the privileges associated with all of the above roles.

If you use VSC only to perform backups, then the following Data ONTAP roles are recommended:

  1. Discovery

    The Discovery role enables you to add storage systems.

  2. Backup-Recover

    This role enables you to back up information on storage systems so that you can recover it later. It also includes all of the privileges associated with the Discovery role.

If you are using VASA Provider for clustered Data ONTAP, you should also set up a PBM (policy-based management) role. That role allows you to manage storage using storage policies. The PBM role requires that you also set up the Discovery role.
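The cumulative ladders above (Discovery through Destroy Storage, the shorter backup-only ladder, and PBM with its Discovery prerequisite) can be modelled to pick the least-privileged role for a given set of VSC operations and to audit what a role grants beyond that. The following is an added example, not NetApp's code: the operation names are the tasks this page lists and stand in for the real Data ONTAP privileges, which are documented only in the Advanced RBAC Configuration Guide and are not reproduced here.

```python
# Added example (not NetApp's code): a model of the cumulative VSC role
# ladders described on this page. Operation names are the page's task
# descriptions, used as labelled stand-ins for the real Data ONTAP
# privileges (see the Advanced RBAC Configuration Guide for those).

# Each entry lists only the operations that role ADDS; because the ladder
# is cumulative, a role inherits everything from the roles before it.
PROVISIONING_LADDER = [
    ("Discovery", {"add storage systems"}),
    ("Create Clones", {"clone virtual machines"}),
    ("Create Storage", {"create storage"}),
    ("Modify Storage", {"modify storage"}),
    ("Destroy Storage", {"destroy storage"}),
]

# Backup-only deployments use a separate, shorter ladder.
BACKUP_LADDER = [
    ("Discovery", {"add storage systems"}),
    ("Backup-Recover", {"back up storage", "recover storage"}),
]

# Roles that sit outside a ladder but require another role to be set up.
COMPANION_ROLES = {"PBM": {"Discovery"}}  # VASA Provider policy-based management


def expand_ladder(ladder):
    """Return {role: full privilege set}, each role inheriting its predecessors."""
    expanded = {}
    granted = set()
    for role, own_ops in ladder:
        granted = granted | own_ops
        expanded[role] = frozenset(granted)
    return expanded


def ladder_is_hierarchical(ladder):
    """True if every role is a strict superset of the role directly below it."""
    expanded = expand_ladder(ladder)
    names = [name for name, _ in ladder]
    return all(expanded[hi] > expanded[lo] for lo, hi in zip(names, names[1:]))


def least_privileged_role(ladder, required_ops):
    """Lowest role on the ladder that covers required_ops, or None if none does."""
    expanded = expand_ladder(ladder)
    for role, _ in ladder:
        if set(required_ops) <= expanded[role]:
            return role
    return None


def excess_privileges(ladder, role, required_ops):
    """Operations the role grants beyond required_ops (an over-privilege audit)."""
    expanded = expand_ladder(ladder)
    return set(expanded[role]) - set(required_ops)


def roles_to_create(required_ops, backup_only=False, policy_based=False):
    """Roles an administrator should set up for a user who needs required_ops.

    Backup-only users are placed on the backup ladder, everyone else on the
    provisioning ladder. With policy_based=True the PBM role and its
    prerequisite (Discovery) are added as well.
    """
    ladder = BACKUP_LADDER if backup_only else PROVISIONING_LADDER
    role = least_privileged_role(ladder, required_ops)
    if role is None:
        raise ValueError("no role on the chosen ladder covers %r" % sorted(required_ops))
    roles = {role}
    if policy_based:
        roles.add("PBM")
        roles |= COMPANION_ROLES["PBM"]
    return roles


if __name__ == "__main__":
    for name, ladder in (("provisioning", PROVISIONING_LADDER), ("backup", BACKUP_LADDER)):
        print("%s ladder hierarchical: %s" % (name, ladder_is_hierarchical(ladder)))
    need = {"add storage systems", "clone virtual machines"}
    role = least_privileged_role(PROVISIONING_LADDER, need)
    print("least-privileged role for %s: %s" % (sorted(need), role))
    print("extra grants if Destroy Storage were used instead: %s"
          % sorted(excess_privileges(PROVISIONING_LADDER, "Destroy Storage", need)))
    print("backup-only user: %s" % sorted(roles_to_create({"back up storage"}, backup_only=True)))
    print("VASA/PBM user: %s" % sorted(roles_to_create({"add storage systems"}, policy_based=True)))
```

Running the module prints the hierarchy check for both ladders, the lowest role that covers a clone-only workflow, what a Destroy Storage login would grant beyond that workflow, and the role sets for a backup-only user and a VASA Provider user; the `ValueError` path covers the case where a backup-only credential is asked to provision storage, which no role on that ladder permits.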

Each Data ONTAP role that you create can have one user name associated with it. You must log in to the storage system using the appropriate user name/password pair if you want to perform those role-based tasks on the storage system.

To create new users, you must log in as an administrator on storage systems running clustered Data ONTAP or root on storage systems running Data ONTAP operating in 7-Mode.

Details about the privileges needed for these roles are included in the Virtual Storage Console for VMware vSphere Advanced RBAC Configuration Guide.