
Commands for managing access-control roles

You use the security login role commands to control the level of access users in a role have to the system. You use the security login role config commands to manage rule settings of user names and passwords for a role to enhance user account security.

| If you want to... | Use this command... |
| --- | --- |
| Create an access-control role and specify the command or command directory that the role can access | security login role create |
| Modify the command or command directory that an access-control role can access | security login role modify |
| Display information about access-control roles | security login role show |
| Display Data ONTAP APIs and their corresponding CLI commands | security login role show-ontapi |
| Delete an access-control role | security login role delete |
| Modify the following account restrictions and rule settings for an access-control role:<br>• The required minimum length of a user name<br>• Whether a mix of alphabetic and numeric characters is required in a user name<br>• The required minimum length of a password<br>• Whether a mix of alphabetic and numeric characters is required in a password<br>• The required number of special characters in a password<br>• Whether users must change their passwords when logging in to their accounts for the first time<br>• The number of previous passwords that cannot be reused<br>• The minimum number of days that must pass between password changes<br>• The number of days after which a password expires<br>• The number of invalid login attempts that triggers the account to be locked automatically<br>• The number of days for which an account is locked if invalid login attempts reach the allowed maximum | security login role config modify |
| Display user account restrictions and rule settings | security login role config show |
| Reset the following settings to their default values:<br>• The required number of special characters in a password (-passwd-min-special-chars 0)<br>• Whether users must change their passwords when logging in to their accounts for the first time (-require-initial-passwd-update disabled)<br>• The number of days after which a password expires (-passwd-expiry-time unlimited)<br>• The number of invalid login attempts that triggers the account to be locked automatically (-max-failed-login-attempts 0)<br>• The number of days for which an account is locked if invalid login attempts reach the allowed maximum (-lockout-duration 0)<br>Data ONTAP prompts you to run this command if you revert to Data ONTAP 8.1.2 or earlier. | security login role config reset (advanced privilege level) |
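
A post-revert check for the reset command above, as an added example that is not NetApp code: it flags roles whose settings still equal the five reset defaults listed on this page and builds the security login role config modify line that restores a site baseline. The input mapping, the baseline values, the sample role names, and the -vserver and -role arguments on the generated command are assumptions.

```python
# Added example, not NetApp code. Parameters and default values are the ones
# this page lists for "security login role config reset".
RESET_DEFAULTS = {
    "-passwd-min-special-chars": "0",
    "-require-initial-passwd-update": "disabled",
    "-passwd-expiry-time": "unlimited",
    "-max-failed-login-attempts": "0",
    "-lockout-duration": "0",
}
# Hypothetical site baseline: these values are assumptions, not NetApp guidance.
BASELINE = {
    "-passwd-min-special-chars": "1",
    "-require-initial-passwd-update": "enabled",
    "-passwd-expiry-time": "90",
    "-max-failed-login-attempts": "5",
    "-lockout-duration": "1",
}

def at_reset_default(settings):
    """Parameters still at the post-reset default; a missing value counts as default."""
    return sorted(p for p, d in RESET_DEFAULTS.items()
                  if str(settings.get(p, d)).strip().lower() == d)

def remediation(vserver, role, settings, baseline=BASELINE):
    """Return one 'security login role config modify' line, or None if nothing is stale."""
    stale = at_reset_default(settings)
    if not stale:
        return None
    for name in (vserver, role):
        # Refuse names that could smuggle extra arguments into a pasted command.
        if (not name or name.startswith("-")
                or not name.replace("_", "").replace("-", "").isalnum()):
            raise ValueError(f"unexpected characters in name: {name!r}")
    args = " ".join(f"{p} {baseline[p]}" for p in stale)
    return f"security login role config modify -vserver {vserver} -role {role} {args}"

# Constructed inventory for illustration: (vserver, role) -> current settings.
SAMPLE = {
    ("vs1", "backup_ops"): dict(RESET_DEFAULTS),
    ("vs1", "storage_admin"): {**BASELINE, "-passwd-expiry-time": "unlimited"},
}

if __name__ == "__main__":
    for (vserver, role), settings in SAMPLE.items():
        print(role, at_reset_default(settings))
        print(" ", remediation(vserver, role, settings))
```

Review each generated line before running it; the values come from the hypothetical baseline, not from the cluster.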