
Supported capability types

The capability types Data ONTAP supports include login, cli, security, api, and compliance.

The following table describes the supported capability types.

This capability type... Has the following capabilities...
login

Grants the specified role login capabilities.

login-* grants the specified role the capability to log in through all supported protocols.

login-protocol grants the specified role the capability to log in through a specified protocol. Supported protocols include the following:
  • login-console grants the specified role the capability to log in to the storage system using the console.
  • login-http-admin grants the specified role the capability to log in to the storage system using HTTP.
  • login-ndmp grants the specified role the capability to make NDMP requests.
  • login-rsh grants the specified role the capability to log in to the storage system using RSH.
  • login-snmp grants the specified role the capability to log in to the storage system using SNMPv3.
  • login-sp grants the specified role the capability to log in to the SP or the RLM by using SSH.
  • login-ssh grants the specified role the capability to log in to the storage system using SSH.
  • login-telnet grants the specified role the capability to log in to the storage system using Telnet.

cli

Grants the specified role the capability to execute one or more Data ONTAP command line interface (CLI) commands.

cli-* grants the specified role the capability to execute all supported CLI commands.

cli-cmd* grants the specified role the capability to execute all commands associated with the CLI command cmd.

For example, the following command grants the specified role the capability to execute all vol commands:

    useradmin role modify status_gatherer -a cli-vol*

Note: Users with cli capability also require at least one login capability to execute CLI commands.

security

Grants the specified role security-related capabilities, such as the capability to change other users’ passwords or to invoke the CLI priv set advanced command.

security-* grants the specified role all security capabilities.

security-capability grants the specified role one of the following specific security capabilities:
  • security-api-vfiler grants the specified role the capability to forward or tunnel ONTAP APIs from the physical storage system into a vFiler unit for execution.
  • security-passwd-change-others grants the specified role the capability to change the passwords of all users with equal or fewer capabilities.
  • security-priv-advanced grants the specified role the capability to access the advanced CLI commands.
  • security-load-lclgroups grants the specified role the capability to reload the lclgroups.cfg file.
  • security-complete-user-control grants the specified role the capability to create, modify, and delete users, groups, and roles with greater capabilities.

api

Grants the specified role the capability to execute Data ONTAP API calls.

api-* grants the specified role all API capabilities.

api-api_call_family-* grants the specified role the capability to call all API routines in the family api_call_family.

api-api_call grants the specified role the capability to call the API routine api_call.

Note:

You have more fine-grained control of the command set with the api capabilities because you can give subcommand capabilities as well.

Users with api capability also require the login-http-admin capability to execute API calls.

compliance

Grants the specified role the capability to execute compliance-related operations.

compliance-* grants the specified role the capability to execute all compliance-related operations.

compliance-privileged-delete grants the specified role the capability to execute privileged deletion of compliance data.

Note: The compliance capabilities (compliance-*) are included in the default capabilities of the compliance role. The compliance capabilities cannot be removed from the compliance role or added to other roles.
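
The wildcard forms and the two dependency notes in the table above (cli requires a login capability; api requires login-http-admin) can be checked mechanically when reviewing role definitions. The following Python is an added example, not part of the original documentation or NetApp code. It assumes a trailing * acts as a prefix wildcard; every role name other than status_gatherer is constructed, and the list of security capabilities to flag is the example's own choice.

```python
# Added example: audit role capability lists against the rules in the table.
# Assumption: a trailing "*" is a prefix wildcard (login-* covers login-ssh).

# Security capabilities this example chooses to flag for review.
SENSITIVE = (
    "security-passwd-change-others",
    "security-priv-advanced",
    "security-complete-user-control",
)

# Constructed sample roles; only status_gatherer appears in the documentation.
ROLES = {
    "status_gatherer": ["login-ssh", "cli-vol*"],
    "cli_no_login": ["cli-snap*"],
    "api_wrong_login": ["login-telnet", "api-*"],
    "broad_admin": ["login-*", "cli-*", "api-*", "security-*"],
}

def covers(held, wanted):
    """True if the held capability (possibly a wildcard) grants `wanted`."""
    if held.endswith("*"):
        return wanted.startswith(held[:-1])
    return held == wanted

def has(caps, wanted):
    """True if any capability in the list grants `wanted`."""
    return any(covers(c, wanted) for c in caps)

def of_type(caps, ctype):
    """Capabilities in the list that belong to one type (login, cli, api...)."""
    return [c for c in caps if c.startswith(ctype + "-")]

def audit_role(caps):
    """Return findings for one role's capability list."""
    findings = []
    if of_type(caps, "cli") and not of_type(caps, "login"):
        findings.append("cli capability without any login capability")
    if of_type(caps, "api") and not has(caps, "login-http-admin"):
        findings.append("api capability without login-http-admin")
    # Wildcards such as security-* silently include every sensitive capability.
    findings += ["grants " + s for s in SENSITIVE if has(caps, s)]
    return findings

if __name__ == "__main__":
    for name, caps in ROLES.items():
        for finding in audit_role(caps) or ["no findings"]:
            print(f"{name}: {finding}")
```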