VAST Cluster has a role-based access control (RBAC) system for VAST Management System (VMS) users (managers) and their permissions.
VMS Permissions
Permissions are divided by type (create, view, edit, and delete) and can be assigned per realm. Each realm is a category of objects that can be created, viewed, edited and deleted. There are built-in realms and custom realms.
You can assign permissions to security groups called roles and to managers.
VMS Users
You can configure Managers in VMS. Each manager can be assigned a user type, specific VMS permissions directly, and one or more roles. A manager inherits every permission assigned to every role they hold.
Manager users and their permissions may also be provisioned through groups on an Active Directory, LDAP or SAML provider, which can be attached to roles. This is handled for the tenant by the cluster admin through the cluster VMS.
LDAP users can log into VMS with their Active Directory/LDAP user name and password. Successful login requires connectivity with the Active Directory/LDAP server. Users are granted all permissions granted to all roles associated with groups to which they belong.
RBAC Realms
Predefined VMS permission realms enable access to the following configurations (some of which are not applicable to Tenant Admin type users):
| Realm | Includes | Relevant VAST Web UI Menus/Pages/Tabs | VAST CLI Command Groups | VMS REST API Paths |
|---|---|---|---|---|
| Events | Alarms, events, event definitions and global event definition settings. | Alarms and Events | event, alarm, eventdefinition, eventdefinitionconfig, webhook | /alarms/, /events/, /eventdefinition/, /eventdefinitionconfig/, /webhooks/ |
| Hardware | The cluster object and all infrastructure components. | Infrastructure, Hardware, Settings/Cluster | carrier, cbox, cluster, cnode, dbox, dnode, dtray, ebox, fan, host, lock, nic, nvram, port, psu, rack, ssd, subnetmanager, switch | /carrier/, /cluster/, /dbox/, /cbox/, /cnode/, /dtray/, /dnode/, /eboxes/, /fan/, /host/, /nic/, /nvram/, /port/, /psu/, /racks/, /ssd/, /switch/, /subnetmanager/ |
| Logical | Configuration of virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules. | Element Store, Data Protection, Network Access | blockhost, dns, globalsnapshotclone, kafkabroker, lifecyclerule, protectionpolicy, protectedpath, qospolicy, quota, replicationpeer, replicationstream, restorepoint, snapshot, s3replicationpeer, userquota, vastauditlog, version, view, viewpolicy, vip, vippool, volume, vtask | /blockhosts/, /dns/, /globalsnapstreams/, /kafkabrokers/, /nativereplicationremotetargets/, /protectionpolicies/, /protectedpaths/, /qospolicies/, /quotas/, /quotaentityinfos/, /replicationrestorepoints/, /replicationstreams/, /replicationtargets/, /snapshots/, /s3lifecyclerules/, /userquotas/, /vastauditlog/, /vtasks/, /versions/, /vippools/, /vips/, /views/, /viewpolicies/, /volumes/ |
| Monitoring | Analytics reports, capacity usage estimations, data flow analytics | Analytics | monitor | /analytics/, /capacity/, /metrics/, /monitors/, /monitors/topn/ |
| Security | Users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, VAST-support tunnels for remote support access. | User Management, Administrators, Settings/Indestructability, Support | activedirectory, apitoken, encryptiongroup, encryptedpath, group, identitypolicy, indestructibility, ldap, localprovider, manager, nis, realm, role, tenant, user | /activedirectory/, /apitokens/, /encryptiongroups/, /encryptedpaths/, /groups/, /indestructibility/, /ldaps/, /localproviders/, /locals3keys/, /managers/, /nis/, /permissions/, /realms/, /roles/, /s3policies/, /tenants/, /users/ |
| Applications | Managed applications that run on the cluster's CNodes | Applications | cnodegroups | /managedapplications/, /cnodegroups/ |
| Database | VAST Database and any components that utilize VAST Database, such as VAST Catalog, VAST audit logs, VAST Event Broker event topics | VAST Database, VAST Catalog, VAST Audit Logs | column, projection, projectioncolumn, schema, table, topic, vastdatalogconfig, vastcatalogindexedcolumn | |
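The following is an added example, not VAST code, that models the two rules stated above: a manager's effective permissions are the union of their direct permissions, the permissions of their roles, and the permissions of roles attached to the directory groups they belong to, and each permission is a (realm, type) pair. The realm names and REST API path prefixes are taken from the table; the mapping of HTTP methods to permission types, the data structures, the directory group name and the function names are assumptions made for the illustration. It also includes a small least-privilege helper that tells you which realms a role must cover for a given set of API paths.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Permission types from the page; the realm -> REST path prefixes are copied from the
# table above (the Database realm lists no REST paths there, so it is omitted).
PERMISSION_TYPES = ("create", "view", "edit", "delete")

REALM_PATHS = {
    "Events": ["/alarms/", "/events/", "/eventdefinition/", "/eventdefinitionconfig/", "/webhooks/"],
    "Hardware": ["/carrier/", "/cluster/", "/dbox/", "/cbox/", "/cnode/", "/dtray/", "/dnode/", "/eboxes/",
                 "/fan/", "/host/", "/nic/", "/nvram/", "/port/", "/psu/", "/racks/", "/ssd/", "/switch/",
                 "/subnetmanager/"],
    "Logical": ["/blockhosts/", "/dns/", "/globalsnapstreams/", "/kafkabrokers/",
                "/nativereplicationremotetargets/", "/protectionpolicies/", "/protectedpaths/",
                "/qospolicies/", "/quotas/", "/quotaentityinfos/", "/replicationrestorepoints/",
                "/replicationstreams/", "/replicationtargets/", "/snapshots/", "/s3lifecyclerules/",
                "/userquotas/", "/vastauditlog/", "/vtasks/", "/versions/", "/vippools/", "/vips/",
                "/views/", "/viewpolicies/", "/volumes/"],
    "Monitoring": ["/analytics/", "/capacity/", "/metrics/", "/monitors/", "/monitors/topn/"],
    "Security": ["/activedirectory/", "/apitokens/", "/encryptiongroups/", "/encryptedpaths/", "/groups/",
                 "/indestructibility/", "/ldaps/", "/localproviders/", "/locals3keys/", "/managers/",
                 "/nis/", "/permissions/", "/realms/", "/roles/", "/s3policies/", "/tenants/", "/users/"],
    "Applications": ["/managedapplications/", "/cnodegroups/"],
}

# ASSUMPTION: which permission type each HTTP method needs. The page does not state this.
METHOD_TO_PERMISSION = {"POST": "create", "GET": "view", "PATCH": "edit", "PUT": "edit", "DELETE": "delete"}


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)  # set of (realm, permission type) tuples


@dataclass
class Manager:
    name: str
    direct_permissions: set = field(default_factory=set)
    roles: list = field(default_factory=list)
    groups: set = field(default_factory=set)  # directory (AD/LDAP) groups the user belongs to


def effective_permissions(manager: Manager, group_roles: dict) -> set:
    """Union of directly assigned permissions, the manager's own roles, and the roles
    attached to each directory group the manager belongs to (the inheritance rules
    stated in the VMS Users section)."""
    perms = set(manager.direct_permissions)
    for role in manager.roles:
        perms |= role.permissions
    for group in manager.groups:
        for role in group_roles.get(group, ()):
            perms |= role.permissions
    return perms


def realm_for_path(path: str):
    """Map a REST API path to its realm by longest matching prefix, so that
    /monitors/topn/ is matched ahead of /monitors/. Unmapped paths return None."""
    best_realm, best_len = None, -1
    for realm, prefixes in REALM_PATHS.items():
        for prefix in prefixes:
            if path.startswith(prefix) and len(prefix) > best_len:
                best_realm, best_len = realm, len(prefix)
    return best_realm


def is_allowed(manager: Manager, method: str, path: str, group_roles: dict) -> bool:
    """Default-deny check: unknown methods and unmapped paths are refused."""
    perm_type = METHOD_TO_PERMISSION.get(method.upper())
    realm = realm_for_path(path)
    if perm_type is None or realm is None:
        return False
    return (realm, perm_type) in effective_permissions(manager, group_roles)


def realms_needed(paths) -> set:
    """Least-privilege aid: the realms a role must cover for the given API paths."""
    return {realm for realm in map(realm_for_path, paths) if realm is not None}


def build_example():
    """Constructed role/manager/group layout used by the demo and the checks."""
    readonly = Role("monitoring-readonly", {("Monitoring", "view"), ("Events", "view")})
    logical_ops = Role("logical-operator", {("Logical", t) for t in ("view", "create", "edit")})
    # A constructed AD group attached to a role, as described under VMS Users.
    group_dn = "CN=storage-ops,OU=Groups,DC=example,DC=com"
    group_roles = {group_dn: [logical_ops]}
    alice = Manager("alice", roles=[readonly], groups={group_dn})
    return alice, group_roles


if __name__ == "__main__":
    alice, group_roles = build_example()
    for method, path in [("GET", "/monitors/topn/"), ("PATCH", "/views/12/"),
                         ("DELETE", "/views/12/"), ("GET", "/managers/")]:
        verdict = "allow" if is_allowed(alice, method, path, group_roles) else "deny"
        print(f"{method:6} {path:18} -> {verdict}")
    print("realms needed:", realms_needed(["/views/", "/vips/", "/managers/"]))
```

Note that `realms_needed` is the useful direction for role design: start from the API paths (or CLI command groups) an operator actually needs, and grant only those realms, rather than starting from a broad built-in role and trimming. The Security realm in particular covers managers, roles, realms and API tokens, so any role that includes it can reshape the RBAC configuration itself.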
RBAC Auditing
The following are audited as events:
Changes to the VMS RBAC configuration.
Login attempts, including the time of the attempt, the attempting user and the login result.
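Because login attempts are recorded with their time, user and result, and RBAC configuration changes are recorded as events, the two audit streams can be checked together. The following is an added example, not VAST code: the audit line format below is constructed for the illustration (the real event format is not given on this page, so `parse_event` must be adapted to it), and the thresholds and the set of expected RBAC administrators are assumptions. It flags a burst of failed logins for one user within a time window, a success immediately following such a burst, and any RBAC configuration change made by a user who is not on the expected administrator list.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real VMS output): timestamp, event kind, key=value fields.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z login user=alice result=SUCCESS
2024-05-01T10:02:10Z login user=bob result=FAILURE
2024-05-01T10:02:15Z login user=bob result=FAILURE
2024-05-01T10:02:20Z login user=bob result=FAILURE
2024-05-01T10:02:25Z login user=bob result=FAILURE
2024-05-01T10:02:30Z login user=bob result=FAILURE
2024-05-01T10:03:00Z login user=bob result=SUCCESS
2024-05-01T10:04:00Z login user=carol result=FAILURE
2024-05-01T10:04:05Z login user=carol result=SUCCESS
2024-05-01T10:05:00Z rbac_change user=bob object=role/security-admin action=edit
2024-05-01T10:06:00Z rbac_change user=alice object=manager/carol action=create
"""


def parse_event(line):
    """Split one constructed audit line into (timestamp, event kind, attribute dict)."""
    ts_text, kind, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    attrs = dict(f.split("=", 1) for f in fields)
    return ts, kind, attrs


def detect_anomalies(text, threshold=5, window=timedelta(minutes=5),
                     rbac_admins=frozenset({"alice"})):
    """Return a list of (finding, user, timestamp) tuples in event order.

    threshold / window: failed logins per user within a sliding window that count
    as a burst. rbac_admins: users expected to change RBAC configuration (assumed).
    """
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, attrs = parse_event(line)
        user = attrs.get("user", "?")
        if kind == "login":
            q = recent_failures[user]
            while q and ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if attrs.get("result") == "FAILURE":
                q.append(ts)
                if len(q) == threshold:  # fire once when the burst threshold is reached
                    findings.append(("failure_burst", user, ts))
            else:
                if len(q) >= threshold:  # a success right after a burst deserves a look
                    findings.append(("success_after_burst", user, ts))
                q.clear()
        elif kind == "rbac_change" and user not in rbac_admins:
            findings.append(("rbac_change_by_unexpected_user", user, ts))
    return findings


if __name__ == "__main__":
    for finding, user, ts in detect_anomalies(SAMPLE_EVENTS):
        print(f"{ts.isoformat()}  {finding:32} {user}")
```

In the sample, `bob` trips both login findings and then edits a role without being on the administrator list; `carol` fails once and succeeds, which is normal and produces nothing. Running the same check against the real event stream means only replacing `parse_event` and the constant list of expected RBAC administrators.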