
Supported capability types

The capability types Data ONTAP supports include login, cli, security, api, and filerview.

Capability Type Description
login Grants the specified role telnet, console, rsh, ssh, or http-admin login capabilities.

login-* gives the specified role the ability to log in through all supported protocols.

login-protocol gives the specified role the capability to log in through a specified protocol. Supported protocols include:
  • login-telnet—gives the specified role the ability to log in to the storage system using Telnet.
  • login-console—gives the specified role the ability to log in to the storage system using the console.
  • login-rsh—gives the specified role the ability to log in to the storage system using rsh.
  • login-ssh—gives the specified role the ability to log in to the storage system using SSH.
  • login-http-admin—gives the specified role the ability to log in to the storage system using HTTP.
  • login-snmp—gives the specified role the ability to log in to the storage system using SNMPv3.
cli Grants the specified role the ability to execute one or more Data ONTAP command line interface (CLI) commands.

cli-* grants the specified role the capability to execute all supported CLI commands.

cli-cmd* gives the specified role the capability to execute all commands associated with the CLI command cmd.

For example, the following command gives the specified role the capability to execute all vol commands:

  useradmin role modify status_gatherer -a cli-vol*

Note: Users with cli capability also require at least one login capability to execute CLI commands.
security Grants the specified role security-related capabilities, such as the ability to change other users’ passwords or to invoke the CLI priv set advanced command.

security-* grants the specified role all security capabilities.

security-capability grants the specified role one of the following specific security capabilities:
  • security-passwd-change-others gives the specified role the capability to change the passwords of all users with equal or fewer capabilities.
  • security-priv-advanced gives the specified role the capability to access the advanced CLI commands.
  • security-load-lclgroups gives the specified role the capability to reload the lclgroups.cfg file.
  • security-complete-user-control gives the specified role the capability to create, modify, and delete users, groups, and roles with greater capabilities.
api Grants the specified role the capability to execute Data ONTAP API calls.

api-* grants the specified role all api capabilities.

api-api_call_family-* grants the specified role the capability to call all API routines in the family api_call_family.

api-api_call grants the specified role the capability to call the API routine api_call.

Note:

You have more fine-grained control of the command set with the api capabilities because you can give subcommand capabilities as well.

Users with api capability also require the login-http-admin capability to execute API calls.

filerview Grants the specified role read-only access to FilerView.
This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.
Note:

There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.
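
One way to review role definitions against the dependency rules in the table above, as an added example that is not NetApp code. It assumes each role's capabilities are available as a comma-separated list; the function names, role names, and sample lists are constructed for illustration, and api_call_family is the page's own placeholder.

```python
# Added example: audit capability lists against the rules stated on this page.
TYPES = {"login", "cli", "security", "api", "filerview"}
LOGIN_PROTOCOLS = {"telnet", "console", "rsh", "ssh", "http-admin", "snmp"}
# Security capabilities that affect other accounts or unlock advanced commands.
SENSITIVE = {
    "security-passwd-change-others",
    "security-priv-advanced",
    "security-complete-user-control",
}


def granted_logins(caps):
    """Return the login protocols a set of capability strings grants."""
    if "login-*" in caps:
        return set(LOGIN_PROTOCOLS)
    named = {c[len("login-"):] for c in caps if c.startswith("login-")}
    return named & LOGIN_PROTOCOLS


def audit_role(cap_string):
    """Return sorted findings for a comma-separated capability list (assumed format)."""
    caps = {c.strip() for c in cap_string.split(",") if c.strip()}
    logins = granted_logins(caps)
    findings = []
    for cap in caps:
        ctype = cap.split("-", 1)[0]
        if ctype not in TYPES:
            findings.append(f"unknown capability type: {cap}")
        elif cap == f"{ctype}-*":
            findings.append(f"wildcard grants every {ctype} capability: {cap}")
        if cap in SENSITIVE:
            findings.append(f"sensitive security capability: {cap}")
    # Page rule: cli capabilities need at least one login capability.
    if any(c.startswith("cli-") for c in caps) and not logins:
        findings.append("unusable: cli capability without any login capability")
    # Page rule: api capabilities need login-http-admin.
    if any(c.startswith("api-") for c in caps) and "http-admin" not in logins:
        findings.append("unusable: api capability without login-http-admin")
    return sorted(findings)


if __name__ == "__main__":
    samples = {  # constructed roles; api_call_family is the page's placeholder
        "status_gatherer": "cli-vol*",
        "api_reader": "login-ssh,api-api_call_family-*",
        "ops_admin": "login-*,cli-*,security-complete-user-control",
    }
    for role, caps in samples.items():
        print(role, audit_role(caps))
```

An empty result means the list satisfies the login dependencies and contains no wildcard or sensitive security grants; it does not judge whether the individual cli or api grants are appropriate for the role.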