VAST Cluster implements role-based access control (RBAC) for VAST Management System (VMS) users (manager users).
If the VAST cluster hosts multiple tenants, each tenant can have its own manager users that are configured separately from the cluster-level manager users.
VMS Login Access: Cluster Admins and Tenant Admins
VMS login access depends on whether the manager user is configured as a cluster admin or a tenant admin:
A cluster admin can log into the cluster's VMS Web UI and CLI and authenticate to the VAST REST API. A cluster admin can administer the entire cluster and create some configurations for the tenants.
A tenant admin can log into a tenant-specific VMS Web UI for a particular tenant, and also authenticate to the REST API to manage resources specific to the tenant.
VMS Realms, Administrative Roles and Permission Types
Multiple permission types (create, view, edit, and delete) can be assigned per RBAC realm. Each RBAC realm is a category of objects that can be created, viewed, edited and deleted. There are built-in realms and custom realms. Custom realms can be tenant-specific.
You can assign permissions to administrative roles and/or manager users.
An administrative role can be either:
Enabled for multiple tenants, which can be a specified restricted set. A role that is enabled for multiple tenants can be assigned to cluster admins.
Enabled for one tenant. A role that is enabled for one tenant can be assigned to tenant admins of that tenant.
VMS Manager Users
You can provision VMS access in the following ways:
Configure manager users in the VMS. Manager users can be assigned a user type (cluster admin or tenant admin), administrative roles and/or specific VMS permissions directly. A manager user inherits all permissions granted by all the administrative roles that the user is assigned.
Set up cluster admin groups and/or tenant admin groups in Active Directory or LDAP provider configuration settings on the VAST cluster. For details, see Provisioning Access through Cluster/Tenant Admin Groups in Provider Configuration.
For Web UI access only, you can authorize manager access, user type and role on a SAML identity provider. For information about this option, see Configure SSO Authentication in VMS.
There is a predefined manager user, admin, with the predefined role administrators. It is not possible to delete all VMS users that have the administrators role: at least one VMS admin user always remains, so that VMS can still be accessed without LDAP connectivity if needed.
LDAP users can log into VMS with their Active Directory/LDAP user name and password. Successful login requires connectivity with the Active Directory/LDAP server. Users are granted all permissions assigned by the roles associated with the groups to which they belong.
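The permission model described above (permission types per realm, roles enabled for one or several tenants, a manager user inheriting the union of its direct permissions and its roles' permissions) can be modelled in a few lines. The following is an added example, not VAST code and not the VMS API: realms, roles and manager users are plain Python structures, the role/user-type pairing follows the two allowed cases stated above (anything else is rejected, which is an assumption), and all names and sample data are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Permission types and built-in realms as listed on this page.
PERMISSION_TYPES = frozenset({"create", "view", "edit", "delete"})
BUILTIN_REALMS = frozenset({"Events", "Hardware", "Logical", "Monitoring", "Security",
                            "Settings", "Support", "Applications", "Database"})

Permission = tuple[str, str]  # (realm, permission type), e.g. ("Security", "edit")


@dataclass
class Role:
    name: str
    permissions: set[Permission]
    # None: enabled for all tenants. A set of two or more: a restricted set of
    # tenants. A one-element set: enabled for one tenant only.
    tenants: set[str] | None = None


@dataclass
class Manager:
    name: str
    user_type: str                  # "cluster_admin" or "tenant_admin"
    tenant: str | None = None       # the tenant a tenant admin belongs to
    roles: list[Role] = field(default_factory=list)
    direct_permissions: set[Permission] = field(default_factory=set)


def role_assignable(role: Role, manager: Manager) -> bool:
    """The pairing stated on the page: a single-tenant role goes to tenant admins
    of that tenant; a role enabled for multiple (or all) tenants goes to cluster
    admins. Any other combination is rejected here (assumption: the page names
    only these two allowed pairings)."""
    if role.tenants is not None and len(role.tenants) == 1:
        return manager.user_type == "tenant_admin" and manager.tenant in role.tenants
    return manager.user_type == "cluster_admin"


def effective_permissions(manager: Manager,
                          custom_realms: frozenset[str] = frozenset()) -> set[Permission]:
    """Union of direct permissions and the permissions of every assigned role."""
    perms = set(manager.direct_permissions)
    for role in manager.roles:
        if not role_assignable(role, manager):
            raise ValueError(f"role {role.name!r} cannot be assigned to manager {manager.name!r}")
        perms |= role.permissions
    for realm, ptype in perms:
        if realm not in BUILTIN_REALMS | custom_realms:
            raise ValueError(f"unknown realm {realm!r}")
        if ptype not in PERMISSION_TYPES:
            raise ValueError(f"unknown permission type {ptype!r}")
    return perms


def can(manager: Manager, realm: str, ptype: str) -> bool:
    return (realm, ptype) in effective_permissions(manager)


def assignment_error(manager: Manager) -> str | None:
    """None if all role assignments are valid, otherwise the rejection message."""
    try:
        effective_permissions(manager)
    except ValueError as exc:
        return str(exc)
    return None


def example_managers() -> dict[str, Manager]:
    """Constructed sample data, not taken from the page."""
    viewer = Role("viewer", {("Monitoring", "view"), ("Events", "view")})  # all tenants
    tenant_a_ops = Role("tenant-a-ops",
                        {("Logical", "view"), ("Logical", "edit"), ("Logical", "create")},
                        tenants={"tenant-a"})
    alice = Manager("alice", "cluster_admin", roles=[viewer],
                    direct_permissions={("Security", "view"), ("Security", "edit")})
    bob = Manager("bob", "tenant_admin", tenant="tenant-a", roles=[tenant_a_ops])
    # carol is misconfigured: a cluster admin holding a single-tenant role
    carol = Manager("carol", "cluster_admin", roles=[tenant_a_ops])
    return {"alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    for name, mgr in example_managers().items():
        err = assignment_error(mgr)
        print(name, "->", err or sorted(effective_permissions(mgr)))
```

Running the block prints each manager's effective permission set, or the reason an assignment is invalid; the misconfigured manager carol shows how a single-tenant role handed to a cluster admin is caught before any permission is granted.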
Provisioning Access through Cluster/Tenant Admin Groups in Provider Configuration
You can provision access to VMS by supplying a list of cluster admin groups and/or tenant admin groups in Active Directory or LDAP provider configuration settings (in VAST Web UI: Element Store -> VAST Providers -> Active Directory or LDAP -> open a provider -> Advanced tab -> Cluster admin groups field).
Members of the groups listed as cluster admin groups are granted cluster admin access to the VAST cluster.
Members of the group specified as the tenant admin group (one group per tenant) are granted tenant admin access to the tenant.
The cluster/tenant admin groups can be assigned administrative roles that grant the permissions as needed.
The prerequisites are as follows:
An Active Directory or LDAP provider must be configured, joined and enabled on tenants as needed.
The following rules and limitations apply when using cluster/tenant admin groups in provider configuration:
A user cannot be a member of a cluster admin group and a tenant admin group at the same time.
Login fails for a member of a cluster/tenant admin group if the user is not also a member of a group that is explicitly mapped to an administrative role. For tenant admins, this needs to be a role on the tenant configured for tenant admin access.
For clusters that do not have multiple tenants configured, users who are members of the groups intended for cluster admins on the Active Directory or LDAP provider can log into the VMS without those groups first being specified in the provider configuration on the VAST cluster. The only requirement for such users is that their groups are assigned a relevant administrative role on the VAST cluster.
If you are creating a new tenant on a cluster that previously did not have multiple tenants configured (so that your cluster becomes multi-tenant), cluster admins from groups that are not specified as cluster admin groups in the provider configuration on the VAST cluster will no longer be able to log in to the VMS. To prevent this lockout, explicitly list the cluster admin groups in the cluster's provider configuration before you create the new tenant.
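The rules and limitations above can be turned into a pre-flight check that answers, for each directory user, whether VMS login would succeed and why, and which users a single-tenant cluster would lock out once a second tenant is created. The following is an added example, not VAST code and not how VMS itself evaluates logins: the provider configuration fields, the group-to-role mappings and the LDAP group memberships are inline Python structures with constructed placeholder names, and the handling of a user who sits in the admin groups of two different tenants (denied here) is an assumption the page does not state.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ProviderConfig:
    """The provider-configuration fields this section talks about."""
    cluster_admin_groups: set[str]
    tenant_admin_groups: dict[str, str]            # tenant -> its one tenant admin group
    # group -> (role name, tenant the role is enabled for; None = cluster-wide role)
    role_mappings: dict[str, tuple[str, str | None]]
    tenants: set[str] = field(default_factory=lambda: {"default"})

    @property
    def multi_tenant(self) -> bool:
        return len(self.tenants) > 1


@dataclass
class LoginDecision:
    user: str
    allowed: bool
    user_type: str | None     # "cluster_admin", "tenant_admin" or None
    tenant: str | None
    reason: str


def roles_for(cfg: ProviderConfig, groups: set[str], tenant: str | None) -> list[str]:
    """Roles the user's groups map to, filtered to one tenant (None = cluster-wide)."""
    return sorted(role for g in groups if g in cfg.role_mappings
                  for role, t in [cfg.role_mappings[g]] if t == tenant)


def evaluate_login(cfg: ProviderConfig, user: str, groups: set[str]) -> LoginDecision:
    in_cluster_group = bool(groups & cfg.cluster_admin_groups)
    tenant_hits = {t for t, g in cfg.tenant_admin_groups.items() if g in groups}

    if in_cluster_group and tenant_hits:
        return LoginDecision(user, False, None, None,
                             "member of both a cluster admin group and a tenant admin group")
    if len(tenant_hits) > 1:
        # Not covered by the page; this model denies such a user (assumption).
        return LoginDecision(user, False, None, None, "member of admin groups of several tenants")
    if tenant_hits:
        tenant = tenant_hits.pop()
        roles = roles_for(cfg, groups, tenant)   # must be a role on that tenant
        if not roles:
            return LoginDecision(user, False, "tenant_admin", tenant,
                                 f"no group maps to a role on tenant {tenant}")
        return LoginDecision(user, True, "tenant_admin", tenant, "roles: " + ", ".join(roles))

    cluster_roles = roles_for(cfg, groups, None)
    if in_cluster_group:
        if not cluster_roles:
            return LoginDecision(user, False, "cluster_admin", None,
                                 "no group maps to an administrative role")
        return LoginDecision(user, True, "cluster_admin", None, "roles: " + ", ".join(cluster_roles))
    if not cfg.multi_tenant and cluster_roles:
        # Single-tenant cluster: a role-mapped group is enough without being listed.
        return LoginDecision(user, True, "cluster_admin", None,
                             "single-tenant cluster; roles: " + ", ".join(cluster_roles))
    return LoginDecision(user, False, None, None, "not a member of any listed admin group")


def lockout_risk(cfg: ProviderConfig, directory: dict[str, set[str]]) -> list[str]:
    """Users who can log in now but would be locked out once a second tenant is
    created, i.e. whose groups must be listed as cluster admin groups first."""
    future = ProviderConfig(cfg.cluster_admin_groups, cfg.tenant_admin_groups,
                            cfg.role_mappings, cfg.tenants | {"new-tenant"})
    return sorted(u for u, g in directory.items()
                  if evaluate_login(cfg, u, g).allowed and not evaluate_login(future, u, g).allowed)


def example_directory() -> dict[str, set[str]]:
    """Constructed LDAP group memberships (not real data)."""
    return {
        "alice": {"vms-cluster-admins", "vms-role-security"},
        "bob":   {"vms-tenant-a-admins", "vms-tenant-a-role-logical"},
        "carol": {"vms-cluster-admins", "vms-tenant-a-admins", "vms-role-security"},
        "dave":  {"vms-cluster-admins"},            # listed, but no role-mapped group
        "erin":  {"vms-role-security"},             # role-mapped, but not a listed group
    }


def example_config(multi_tenant: bool) -> ProviderConfig:
    """Constructed provider configuration; group and role names are placeholders."""
    return ProviderConfig(
        cluster_admin_groups={"vms-cluster-admins"},
        tenant_admin_groups={"tenant-a": "vms-tenant-a-admins"} if multi_tenant else {},
        role_mappings={"vms-role-security": ("security-admin", None),
                       "vms-tenant-a-role-logical": ("logical-ops", "tenant-a")},
        tenants={"default", "tenant-a"} if multi_tenant else {"default"},
    )


if __name__ == "__main__":
    for flag in (False, True):
        cfg = example_config(flag)
        print("multi-tenant" if flag else "single-tenant")
        for user, groups in example_directory().items():
            d = evaluate_login(cfg, user, groups)
            print(f"  {user:6} allowed={d.allowed!s:5} {d.user_type or '-':13} {d.reason}")
    print("locked out by adding a tenant:", lockout_risk(example_config(False), example_directory()))
```

Run against a real directory export, the lockout_risk list is the set of accounts to fix (by listing their groups as cluster admin groups) before the first additional tenant is created; the per-user reasons map one-to-one onto the rules in this section.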
RBAC Realms
Predefined VMS permission realms enable access to the following configurations (some of which are not applicable to Tenant Admin type users):
| Realm | Includes | Relevant VAST Web UI Menus/Pages/Tabs | VAST CLI Command Groups | VMS REST API Paths |
|---|---|---|---|---|
| Events | Alarms, events, event definitions and global event definition settings. | Alarms and Events | event, alarm, eventdefinition, eventdefinitionconfig, webhook | /alarms/, /events/, /eventdefinition/, /eventdefinitionconfig/, /webhooks/ |
| Hardware | The cluster object and all infrastructure components. | Infrastructure, Hardware, Settings/Cluster | carrier, cbox, cluster, cnode, dbox, dnode, dtray, ebox, fan, host, lock, nic, nvram, port, psu, rack, ssd, subnetmanager, switch | /carrier/, /cluster/, /dbox/, /cbox/, /cnode/, /dtray/, /dnode/, /eboxes/, /fan/, /host/, /nic/, /nvram/, /port/, /psu/, /racks/, /ssd/, /switch/, /subnetmanager/ |
| Logical | Configuration of virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules. | Element Store, Data Protection, Network Access | blockhost, dns, globalsnapshotclone, kafkabroker, lifecyclerule, protectionpolicy, protectedpath, qospolicy, quota, replicationpeer, replicationstream, restorepoint, snapshot, s3replicationpeer, userquota, vastauditlog, version, view, viewpolicy, vip, vippool, volume, vtask | /blockhosts/, /dns/, /globalsnapstreams/, /kafkabrokers/, /nativereplicationremotetargets/, /protectionpolicies/, /protectedpaths/, /qospolicies/, /quotas/, /quotaentityinfos/, /replicationrestorepoints/, /replicationstreams/, /replicationtargets/, /snapshots/, /s3lifecyclerules/, /userquotas/, /vastauditlog/, /vtasks/, /versions/, /vippools/, /vips/, /views/, /viewpolicies/, /volumes/ |
| Monitoring | Analytics reports, capacity usage estimations, data flow analytics | Analytics | monitor | /analytics/, /capacity/, /metrics/, /monitors/, /monitors/topn/ |
| Security | Users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, VAST-support tunnels for remote support access. | User Management, Administrators, Settings/Indestructibility, Support | activedirectory, apitoken, encryptiongroup, encryptedpath, group, identitypolicy, indestructibility, ldap, localprovider, manager, nis, realm, role, tenant, user | /activedirectory/, /apitokens/, /encryptiongroups/, /encryptedpaths/, /groups/, /indestructibility/, /ldaps/, /localproviders/, /locals3keys/, /managers/, /nis/, /permissions/, /realms/, /roles/, /s3policies/, /tenants/, /users/ |
| Settings | VMS settings | Settings/VMS | vms | /vms/ |
| Support | Call Home configuration, Support bundles, licenses, envs, and modules. | Settings/Call Home, Support | callhomeconfig, env, license, module, supportbundle | /callhomeconfigs/, /supportbundles/, /licenses/, /envs/, /modules/ |
| Applications | Managed applications that run on the cluster's CNodes | Applications | cnodegroups | /managedapplications/, /cnodegroups/ |
| Database | VAST Database and any components that utilize VAST Database, such as VAST Catalog, VAST audit logs, VAST Event Broker event topics | VAST Database, VAST Catalog, VAST Audit Logs | column, projection, projectioncolumn, schema, table, topic, vastdatalogconfig, vastcatalogindexedcolumn | |
You can also define custom realms that allow access to whichever object types you choose to include.
RBAC Auditing
The following are audited as events:
Changes to the VMS RBAC configuration.
Login attempts, including the time of the attempt, the attempting user and the login result.