Creating Custom VMS Realms


VAST VMS uses Roles to define the rights available to VMS administrators (Managers) and groups.  A Role consists of a collection of Realms and the actions allowed on each of those Realms.

Default Realms

The Default Realms defined on a VAST Cluster cover the following areas.

  • Events - Alarms, events, notifications, and event definition management.

  • Hardware - Hardware component management, including all field replacement functionality.

  • Logical - Configuration of object and file storage, such as NFS exports, quotas, and VIP pools.

  • Monitoring - Monitoring VAST Cluster with analytics reports, via the Analytics page.

  • Security - Management of managers, roles, and client users of storage on the VAST Cluster, via the Security page.

  • Settings - Settings managed via the Settings page.

  • Support - Support-related functionality, including support bundle creation.

These Realms can be broad in scope, and it is often desirable to grant rights to only certain areas and not others: for instance, the ability to create new Views but not new View Policies, or the ability to assign S3 keys but not to configure Providers.  For these cases, custom Realms can be created.

Custom Realms

When defining custom Realms, consider which object types are needed and which actions will be performed on them, and group them accordingly.  This matters because when a Realm is assigned to a Role, the actions granted (Create, View, Edit, or Delete) apply to ALL of the object types in that Realm.  For example, suppose a custom Realm is created to allow management of View Policies.  Access is needed not only to the ViewPolicy objects themselves, but also to the VIPPool objects, so that the VIP Pools available for assignment to a View Policy can be read and listed.  If both object types were placed in the same custom Realm, granting Create, View, Edit, and Delete on that Realm would allow not only administration of View Policies but also creation and modification of VIP Pools.  Fortunately, a Role can grant different rights to different Realms.  In this example, the custom Realm would contain only the ViewPolicy object type; the Role would then grant Create, View, Edit, and Delete on that custom Realm, and only View on the Realm containing the VIPPool object type.

Creating a Custom Realm

  1. Navigate to Administrators → Realms

     (Screenshot: the Administrators menu, listing Managers, Administrative Roles, Realms, and SAML.)

     Create new Realm

  2. Click on the Create Realm button.

     (Screenshot: the Create Realm button.)

  3. Define a Name for the custom Realm.

  4. Select the Tenant to assign this Realm to.  Leaving the field blank will allow this Custom Realm to be used within the context of the Roles for any Tenant.  Specifying a Tenant makes the Realm available only to that Tenant.  NOTE:  This cannot be changed after creation.

  5. Select the ObjectTypes desired for the custom Realm.

     (Screenshot: the Create Realm form, listing object types grouped under Applications, Events, Hardware, Logical, Monitoring, Security, Settings, and Support.)

     Select the ObjectTypes desired for the Realm.

  6. Click Save

Using a Custom Realm in a Role

  1. Navigate to Administrators → Roles

  2. Select an existing Role or Create a new one.

  3. The default Realms will be listed with custom Realms at the bottom.

  4. Select the desired permissions for the various Realms.

  5. Click Create or Update as appropriate.

Example

In this example, we will create a custom role for a group of administrators who need to create and administer S3 buckets for users via the VAST VMS GUI.  This requires the ability not only to generate S3 keys, but also to create Identity Policies and assign them to users, as well as to search for users.  In order to create buckets, rights will be needed for View Policies and Views.  As such, this will require different permissions in different Realms.

So in summary, the following is needed:

  • Create/Edit of View Policies

  • Create/Edit of Views/S3 Buckets

  • Create/Edit of Identity Policies

  • Assign Identity Policies to Users

  • Assign Identity Policies to Groups

  • Create/Edit Lifecycle Policies

Most of these object types are part of the default Logical Realm, but that Realm also includes VIP Pools, and we want these administrators to be able to see the VIP Pools but not modify them.  Users, Groups, S3 Policies, and S3 Keys are part of the Security Realm.

Here are the objects that these administrators need to modify and the Realm they come from:

  • Logical: S3LifeCycleRule, View, ViewPolicy

  • Security: Group, S3Policy, User, S3Key

We will create a custom Realm called s3-administrator that contains these Objects.

(Screenshot: the Create Realm form with the Logical object types S3LifeCycleRule, View, and ViewPolicy and the Security object types Group, S3Policy, User, and S3Key selected.)

Create a custom Realm called s3-administrator

We will then create a new Role called s3-administrator that grants Create, View, Edit, and Delete on our custom Realm, and only View on the default Logical Realm so that VIP Pool information can be read.  Because S3LifeCycleRule, View, and ViewPolicy appear in both Realms, the effective rights on those types are the union of the two grants, while VIPPool, which is only in the Logical Realm, remains read-only.

(Screenshot: the Create Role form, with Create/View/Edit/Delete permission checkboxes for the default VAST Realms, including Logical, and for the user-defined s3-administrator Realm.)

Create Role

Lastly, assign the Role to the appropriate Manager or group so that the VMS user can administer the cluster.  Be aware that if a VMS user is a member of multiple Roles, the rights are cumulative: a second Role that grants Create or Edit on the Logical Realm would give this user write access to VIP Pools after all.
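The following is an added example, not VAST code or the VMS API; it models the two rules this article relies on (a grant on a Realm applies to every object type in the Realm, and rights across Roles are cumulative) so that a Realm/Role layout can be checked for over-grants before it is saved.  It works through the ViewPolicy/VIPPool pitfall from the Custom Realms section, the s3-administrator Realm and Role from the Example, and the cumulative-rights caveat above.  The object-type lists are only the ones named on this page (the real default Realms contain more), the `logical-editor` Role is hypothetical, and the function names are this example's own.

```python
"""Model of how VMS Realm and Role grants compose into effective rights.

Added example for this article, not code from VAST.  Object-type lists are the
subset named on the page; names such as effective_permissions/overgranted are
this example's, not a VMS API.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set

ACTIONS = frozenset({"Create", "View", "Edit", "Delete"})
WRITE_ACTIONS = frozenset({"Create", "Edit", "Delete"})

# Subset of the default Realms, as listed in the Example section (constructed).
DEFAULT_REALMS: Dict[str, FrozenSet[str]] = {
    "Logical": frozenset({"View", "ViewPolicy", "VIPPool", "S3LifeCycleRule"}),
    "Security": frozenset({"User", "Group", "S3Policy", "S3Key"}),
}

# The custom Realm from the Example: everything the S3 administrators must modify.
S3_ADMIN_OBJECTS = frozenset(
    {"S3LifeCycleRule", "View", "ViewPolicy", "Group", "S3Policy", "User", "S3Key"}
)
REALMS = {**DEFAULT_REALMS, "s3-administrator": S3_ADMIN_OBJECTS}


@dataclass(frozen=True)
class Role:
    name: str
    # Realm name -> actions granted on EVERY object type in that Realm.
    grants: Dict[str, FrozenSet[str]]


def effective_permissions(
    roles: Iterable[Role], realms: Dict[str, FrozenSet[str]]
) -> Dict[str, Set[str]]:
    """Return {object_type: actions} for a VMS user holding `roles`.

    A Realm grant fans out to all object types in the Realm, and rights from
    multiple Roles (or from overlapping Realms) are unioned, never subtracted.
    """
    perms: Dict[str, Set[str]] = {}
    for role in roles:
        for realm_name, actions in role.grants.items():
            for obj in realms[realm_name]:
                perms.setdefault(obj, set()).update(actions)
    return perms


def overgranted(
    roles: Iterable[Role], realms: Dict[str, FrozenSet[str]], intended_writable: Iterable[str]
) -> Set[str]:
    """Object types that receive a write action although they were not meant to be writable.

    An empty set means the Realm/Role layout honours least privilege for this user.
    """
    intended = set(intended_writable)
    perms = effective_permissions(roles, realms)
    return {obj for obj, acts in perms.items() if acts & WRITE_ACTIONS and obj not in intended}


# Scenario 1: the pitfall from "Custom Realms" - ViewPolicy and VIPPool bundled
# into one Realm that is then given full rights.
BUNDLED_REALMS = {"viewpolicy-admin": frozenset({"ViewPolicy", "VIPPool"})}
ROLE_BUNDLED = Role("viewpolicy-admin", {"viewpolicy-admin": ACTIONS})

# Scenario 2: the article's s3-administrator Role - full rights on the custom
# Realm, View only on Logical so VIP Pools can be listed but not changed.
ROLE_S3_ADMIN = Role(
    "s3-administrator",
    {"s3-administrator": ACTIONS, "Logical": frozenset({"View"})},
)

# Scenario 3: cumulative rights - a hypothetical second Role with Create/Edit
# on the whole Logical Realm, held by the same user.
ROLE_LOGICAL_EDITOR = Role("logical-editor", {"Logical": frozenset({"Create", "Edit"})})


if __name__ == "__main__":
    print("1 overgranted:", overgranted([ROLE_BUNDLED], BUNDLED_REALMS, {"ViewPolicy"}))
    s3 = effective_permissions([ROLE_S3_ADMIN], REALMS)
    print("2 VIPPool rights:", sorted(s3["VIPPool"]))
    print("2 overgranted:", overgranted([ROLE_S3_ADMIN], REALMS, S3_ADMIN_OBJECTS))
    both = effective_permissions([ROLE_S3_ADMIN, ROLE_LOGICAL_EDITOR], REALMS)
    print("3 VIPPool rights with both Roles:", sorted(both["VIPPool"]))
```

Scenario 1 reports VIPPool as over-granted, Scenario 2 reports nothing (VIPPool ends up with View only), and Scenario 3 shows that adding the second Role silently gives the same user Create and Edit on VIPPool, which is why Role membership, not just Realm design, has to be reviewed.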