Managing user accounts
You can create, modify, lock, unlock, or delete a cluster or Storage Virtual Machine (SVM) user account, reset a user’s password, or display information for all user accounts.
You can manage cluster or SVM user accounts in the following ways:
• Creating a login method for a user by specifying the user’s account name, associated SVM, the access method, and the authentication method
You can optionally specify the access-control role the user is assigned and add a comment about the user account.
The maximum number of cluster user accounts you can create is 100. This limit includes the Active Directory domain user accounts that are added to the cluster. There is no limit to the number of SVM user accounts you can create for an SVM.
• Displaying users’ login information, such as the account name, allowed access method, authentication method, access-control role, account comment, and account status
• Displaying information about SNMP users, including the account name, the associated SVM, authentication method, hexadecimal engine ID, authentication protocol, privacy protocol, and security group
• Modifying the access-control role that is associated with a user’s login method
It is best to use a single role for all access and authentication methods of a user account.
• Deleting a user’s login method, such as the access method or the authentication method
• Changing the password for a user account
• Locking a user account to prevent the user from accessing the system
• Unlocking a previously locked user account to enable the user to access the system again
You use the security login commands to manage user accounts. You use the security snmpusers command to display information about SNMP users. For more information about these commands, see the appropriate man pages.
Note: The system prevents you from creating or using accounts with names that are reserved for the system (such as “root” and “naroot”). You cannot use a system-reserved name to access the cluster, an SVM, the SP, or the RLM.
Access methods for user accounts
Data ONTAP provides several methods that you can use to specify how a user account can access the storage system.
You use the -application parameter of the security login commands to specify the method that a user can use to access the storage system. The supported access methods include the following:
• System console (console)
• HTTP or HTTPS (http)
• Data ONTAP API (ontapi)
• RSH (rsh)
RSH is disabled by default.
• The SP or RLM (service-processor)
• SNMP (snmp)
• SSH (ssh)
• Telnet (telnet)
Telnet is disabled by default.
Storage Virtual Machine (SVM) user accounts cannot use console, rsh, service-processor, or telnet as an access method.
If a firewall is enabled, the access method you use must also be added in the firewall policy to allow the access requests to go through the firewall. The system services firewall policy show command displays firewall policies. For more information, see the system services firewall policy man pages.
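The following POSIX shell helper is an added example, not NetApp tooling and not code from this documentation. It encodes the rules stated above (the eight access methods, the four that SVM accounts cannot use, and the two services that are disabled by default) and, for a permitted combination, prints the security login create command an administrator would then run in the clustershell; it never connects to a cluster itself. The parameter names -vserver, -user-or-group-name, -application, -authentication-method and -role are assumptions and vary between Data ONTAP releases, so confirm them against the security login man page on your release; for a cluster account, the vserver argument is the admin SVM.

```shell
#!/bin/sh
# Hypothetical helper: validate an access-method request against the rules
# in the text above and emit the matching "security login create" command.
# It only builds text; nothing here talks to a storage system.

# Access methods listed in the documentation; SVM_DENIED are cluster-only;
# OFF_BY_DEFAULT must be enabled (and allowed through the firewall policy)
# before a login using them can succeed.
ALL_APPS="console http ontapi rsh service-processor snmp ssh telnet"
SVM_DENIED="console rsh service-processor telnet"
OFF_BY_DEFAULT="rsh telnet"

# in_list WORD "LIST": returns 0 if WORD is in the space-separated LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# check_access SCOPE APP: SCOPE is "cluster" or "svm", APP an access method.
# Returns 0 if the combination is allowed, 1 otherwise (reason on stderr).
check_access() {
    scope=$1
    app=$2
    if [ "$scope" != "cluster" ] && [ "$scope" != "svm" ]; then
        echo "scope must be cluster or svm, got: $scope" >&2
        return 1
    fi
    if ! in_list "$app" "$ALL_APPS"; then
        echo "unknown access method: $app" >&2
        return 1
    fi
    if [ "$scope" = "svm" ] && in_list "$app" "$SVM_DENIED"; then
        echo "SVM user accounts cannot use $app as an access method" >&2
        return 1
    fi
    return 0
}

# login_create_cmd SCOPE VSERVER USER APP AUTHMETHOD ROLE
# Prints the create command on stdout, or prints nothing and returns 1
# when the access method is not permitted for that scope. Reminders about
# disabled-by-default services and the firewall policy go to stderr.
# Parameter names below are assumed; check the man page for your release.
login_create_cmd() {
    check_access "$1" "$4" || return 1
    printf 'security login create -vserver %s -user-or-group-name %s -application %s -authentication-method %s -role %s\n' \
        "$2" "$3" "$4" "$5" "$6"
    if in_list "$4" "$OFF_BY_DEFAULT"; then
        echo "note: $4 is disabled by default; enable it before use" >&2
    fi
    echo "note: verify with 'system services firewall policy show' that $4 is allowed by the firewall policy" >&2
    return 0
}

# Example usage with constructed names (vs1, appadmin, admin are placeholders):
login_create_cmd svm vs1 appadmin ssh password vsadmin
login_create_cmd svm vs1 appadmin telnet password vsadmin || echo "rejected as expected" >&2
```

Run it with sh; the first call prints a create command for an SSH login on the SVM, the second is rejected because telnet is not a valid access method for SVM accounts.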