There are several recommended Data ONTAP roles that you can set up for working with Virtual Storage Console for VMware vSphere and role-based access control (RBAC). These roles contain the Data ONTAP privileges required to perform the necessary storage operations executed by the VSC tasks.
There are several ways to create Data ONTAP roles:
The CLI (command-line interface), using the security login set of commands. The System Administrator's Guide for Clustered Data ONTAP Administrators contains information about using these commands.
Each role has a user name/password pair associated with it; these are the role's credentials. Unless you log in using these credentials, you cannot perform the storage operations associated with the role.
As a security measure, the VSC-specific Data ONTAP roles are ordered hierarchically. This means that the first role is the most restrictive role and has only the privileges associated with the most basic set of VSC storage operations. The next role includes both its own privileges and all of the privileges associated with the previous role. Each additional role is less restrictive with regard to the supported storage operations.
The following are some of the recommended Data ONTAP RBAC roles when using VSC. After you create these roles, you can assign them to users who need to perform tasks related to storage, such as provisioning and cloning storage and optimizing and migrating virtual machines.
The first and most restrictive role, the Discovery role, enables you to add storage systems.
The second role enables you to clone virtual machines. It also includes all of the privileges associated with the Discovery role.
The third role enables you to create storage. It also includes all of the privileges associated with the previous two roles.
The fourth role enables you to modify storage. It also includes all of the privileges associated with the previous three roles.
The fifth and least restrictive role enables you to destroy storage. It also includes all of the privileges associated with all of the above roles.
If you use VSC only to perform backups, then the following Data ONTAP roles are recommended:
The Discovery role enables you to add storage systems.
The backup role enables you to back up information on storage systems so that you can recover it later. It also includes all of the privileges associated with the Discovery role.
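The hierarchy described above (each role inheriting the privileges of the roles before it, with the backup chain branching off the Discovery role) can be modelled to pick the most restrictive role that still covers what a user needs. This is an added illustration, not code from the page or from NetApp; the role names other than Discovery and the operation labels are placeholders chosen here.

```python
"""Model of hierarchical VSC Data ONTAP roles for least-privilege assignment.

Constructed example: role names other than "Discovery" and the operation
labels are placeholders, not identifiers from the VSC documentation.
"""
from __future__ import annotations

# Each chain runs from the most restrictive role to the least restrictive one;
# a role grants its own operation plus everything granted by earlier roles.
PROVISIONING_CHAIN = [
    ("Discovery", "add_storage_system"),
    ("Clone", "clone_vm"),
    ("CreateStorage", "create_storage"),
    ("ModifyStorage", "modify_storage"),
    ("DestroyStorage", "destroy_storage"),
]
BACKUP_CHAIN = [
    ("Discovery", "add_storage_system"),
    ("Backup", "backup_storage"),
]
CHAINS = [PROVISIONING_CHAIN, BACKUP_CHAIN]


def effective_privileges(role: str) -> frozenset[str]:
    """Return every operation a role may perform, including inherited ones."""
    for chain in CHAINS:
        names = [name for name, _ in chain]
        if role in names:
            position = names.index(role)
            return frozenset(op for _, op in chain[: position + 1])
    raise KeyError(f"unknown role: {role}")


def is_allowed(role: str, operation: str) -> bool:
    """True if a login holding this role can perform the operation."""
    return operation in effective_privileges(role)


def least_privilege_role(required: set[str]) -> str | None:
    """Most restrictive single role covering every required operation.

    Returns None when no single role suffices (for example backup plus
    destroy), which signals that two separate logins are needed.
    """
    best: tuple[str, frozenset[str]] | None = None
    for chain in CHAINS:
        for name, _ in chain:
            privs = effective_privileges(name)
            if required <= privs and (best is None or len(privs) < len(best[1])):
                best = (name, privs)
    return best[0] if best else None
```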
If you are using VASA Provider for clustered Data ONTAP, you should also set up a PBM (policy-based management) role. That role allows you to manage storage using storage policies. This role requires that you also set up the Discovery role.
Each Data ONTAP role that you create can have one user name associated with it. You must log in to the storage system using the appropriate user name/password pair if you want to perform those role-based tasks on the storage system.
To create new users, you must log in as an administrator on storage systems running clustered Data ONTAP or root on storage systems running Data ONTAP operating in 7-Mode.
Details about the privileges needed for these roles are included in the Virtual Storage Console for VMware vSphere Advanced RBAC Configuration Guide.