Skip to main content

Administrator authentication and RBAC workflow

You can enable authentication for local administrator accounts or remote administrator accounts. The account information for a local account resides on the storage system and the account information for a remote account resides elsewhere. Each account can have a predefined role or a custom role.



You can enable local administrator accounts to access an admin storage virtual machine (SVM) or a data SVM with the following types of authentication:

  • Password

  • SSH public key

  • SSL certificate

  • SSH multifactor authentication (MFA)

    Starting with ONTAP 9.4, authentication with password and public key is supported.

You can enable remote administrator accounts to access an admin SVM or a data SVM with the following types of authentication:

  • Active Directory

  • SAML authentication (only for admin SVM )

    Starting with ONTAP 9.4, Security Assertion Markup Language (SAML) authentication can be used for accessing the admin SVM by using any of the following web services: Service Processor Infrastructure, ONTAP APIs, or ThinkSystem Storage Manager for DM Series .

  • Starting with ONTAP 9.4, SSH MFA can be used for remote users on LDAP or NIS servers. Authentication with nsswitch and public key is supported.