The capability types Data ONTAP supports include login, cli, security, api, and filerview.
|login||Grants the specified role telnet, console, rsh, ssh, or http-admin login capabilities.
login-* gives the specified role the ability to log in through all supported protocols.
login-protocol gives the specified role capability to log in through a specified protocol. Supported protocols include:
|cli||Grants the specified role the ability to execute one or more Data ONTAP command line interface (CLI) commands.
cli-* grants the specified role the capability to execute all supported CLI commands.
cli-cmd* gives the specified role the capability to execute all commands associated with the CLI command cmd.
For example, the following command gives the specified role the capability to execute all vol commands: useradmin role modify status_gatherer -a cli-vol*
Note: Users with cli capability also require at least one login capability to execute CLI commands.
|security||Grants the specified role security-related capabilities, such as the ability to change other users’ passwords or to invoke the CLI priv set advanced command.
security-* grants the specified role all security capabilities.
security-capability grants the specified role one of the following specific security capabilities:
|api||Grants the specified role the capability to execute Data ONTAP API calls.
api-* grants the specified role all api capabilities.
api-api_call_family-* grants the specified role the capability to call all API routine in the family api_call_family.
api-api_call grants the specified role the capability to call the API routine api_call.
You have more fine-grained control of the command set with the api capabilities because you can give subcommand capabilities as well.
Users with api capability also require the login-http-admin capability to execute API calls.
|filerview||Grants the specified role read-only access to FilerView.
This capability type includes only the filerview-readonly capability, which grants the specified role the capability to view but not change manageable objects on systems managed by FilerView.
There is no predefined role or group for read-only FilerView access. You must first assign the filerview-readonly capability to a role and then assign the role to a group, before you can create a user in such a group.