ONTAP Tools for VMware vSphere: RBAC Configuration
Applies to
- ONTAP Tools for VMware vSphere (OTV) 9.13 and earlier
- Virtual Storage Console (VSC)
- Storage Replication Adapter (SRA)
- VASA Provider (VP)
Answer
This KB covers:
- OTV RBAC to vCenter
- OTV RBAC to ONTAP
To control what access users have to both vCenter and ONTAP, ONTAP Tools for VMware vSphere (OTV) utilizes Role Based Access Control (RBAC).
VMware vCenter Server RBAC
There are two types of vSphere accounts that can be leveraged by OTV:
- service account
- user accounts
Service Account
OTV uses the service account to issue API calls to vCenter. This account needs to:
- be assigned to the vCenter administrator (or admin) role
User Account
It is the user account that determines what actions a user can perform in OTV.
- When OTV is installed, new privileges and roles are added to vCenter
- For example, after OTV is installed, a user can be assigned to the VSC Provision role, which allows them to provision new datastores
- Alternatively, you can configure custom roles and add only the OTV privileges you need
ONTAP RBAC
OTV can access ONTAP:
- Using SVM scope
- Using Cluster scope
Note: If you are planning to use VASA Provider, then you must use cluster scoped storage.
Note: If using SVM scoped storage, you must configure a new user and role at the SVM level. The default vsadmin user does not have all of the necessary privileges needed by SRA.
For details on how to create a local ONTAP user and role to be used by OTV, please see How to configure role-based access control for ONTAP Tools
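The following is an added example (not code from this KB or from NetApp) of creating the dedicated SVM-scoped user and role described above through the ONTAP REST API, instead of reusing vsadmin. The SVM name, role name, user name and the OTV_COMMAND_DIRS privilege list are constructed placeholders; the actual command directories that OTV and SRA need come from the linked KB "How to configure role-based access control for ONTAP Tools". The ontapi and http applications are assumed to be the ones OTV authenticates with.

```python
"""Create a dedicated ONTAP user and role for OTV at SVM scope (ONTAP REST API).

Added example, not part of the KB. Assumptions: OTV_COMMAND_DIRS is a placeholder
list, the real privilege set comes from the linked NetApp KB; svm/role/user names
are constructed sample values; OTV is assumed to log in via the ontapi and http
applications.
"""
import base64
import json
import urllib.request

# Placeholder privilege set: replace with the command directories the linked KB
# lists for the OTV / SRA / VASA features you actually use.
OTV_COMMAND_DIRS = ["volume", "lun", "snapshot", "vserver export-policy"]


def build_role_body(svm: str, role: str, command_dirs) -> dict:
    """Body for POST /api/security/roles: one privilege per command directory.

    The owner is the SVM, so the role exists only at SVM scope (not cluster scope).
    """
    return {
        "name": role,
        "owner": {"name": svm},
        "privileges": [{"path": path, "access": "all"} for path in command_dirs],
    }


def build_account_body(svm: str, user: str, role: str, password: str) -> dict:
    """Body for POST /api/security/accounts bound to the custom role above."""
    return {
        "name": user,
        "owner": {"name": svm},
        "role": {"name": role},
        "password": password,
        "applications": [
            {"application": "ontapi", "authentication_methods": ["password"]},
            {"application": "http", "authentication_methods": ["password"]},
        ],
    }


def check_not_default_admin(account: dict) -> bool:
    """KB caveat: SVM-scoped OTV access must use a dedicated user and role, not vsadmin."""
    return account["name"] != "vsadmin" and account["role"]["name"] != "vsadmin"


def post_json(base_url: str, admin_user: str, admin_password: str, path: str, body: dict) -> dict:
    """POST a JSON body to the ONTAP REST API with HTTP basic auth (TLS is verified)."""
    req = urllib.request.Request(
        f"{base_url}{path}", data=json.dumps(body).encode(), method="POST"
    )
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def create_otv_svm_access(base_url, admin_user, admin_password, svm, role, user, password):
    """Create the role first, then the user that references it; refuse vsadmin reuse."""
    account = build_account_body(svm, user, role, password)
    if not check_not_default_admin(account):
        raise ValueError("use a dedicated user/role for OTV, not vsadmin")
    post_json(base_url, admin_user, admin_password, "/api/security/roles",
              build_role_body(svm, role, OTV_COMMAND_DIRS))
    return post_json(base_url, admin_user, admin_password, "/api/security/accounts", account)


if __name__ == "__main__":
    # Sample invocation against a cluster management LIF (constructed values).
    create_otv_svm_access("https://cluster-mgmt.example", "admin", "ADMIN_PASSWORD",
                          svm="svm1", role="otv_role", user="otv_svc", password="OTV_PASSWORD")
```

The role is created before the account because the account body references the role by name. Keeping the role SVM-owned is what makes this "SVM scoped storage" in the KB's terms; if you need VASA Provider, the KB says to use cluster scope instead, in which case the owner would be the cluster admin SVM and this SVM-scoped pattern does not apply.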
Additional Information
Please also be aware of Unable to discover SVM or cluster on OTV 9.12