Creating Tenants


Creating a Tenant via VAST Web UI

  1. From the left navigation menu, select Element Store and then Tenants.

  2. Click + Create Tenant.

  3. In the Add Tenant dialog that opens, complete the fields in the General tab:

    Name

    Enter a name for the tenant.

    Encryption Group

    If encryption is enabled on the cluster with external key management (EKM), enter a string identifier for the tenant's encryption group for encryption group management.

    You can optionally provide the same encryption group for more than one tenant if you want to join multiple tenants to the same encryption group on the EKM. Tenants that belong to the same group will be managed by the same encryption key.

    Valid format: string, up to 128 characters

    Encryption Group is required if EKM encryption is enabled.

    The encryption group cannot be changed after creating the tenant.

    For more information about EKM encryption, see Encryption of Data at Rest.

    Under Privileged users and groups:

    Note

    The privileged user and group settings are active only when an Active Directory provider is associated with the tenant and this provider is configured to allow SMB access.

    Enable privileged domain user restore access

    • Enabled (default). The SMB privileged user is enabled.

    • Disabled. The SMB privileged user is disabled.

    Enable privileged domain group backup access

    • Enabled (default). The SMB privileged user group is enabled.

    • Disabled. The SMB privileged user group is disabled.

    Enable privileged group restore access

    • Enabled (default). The SMB privileged user group has read and write control access. Members of the group can perform backup and restore operations on all files and directories, without requiring read or write access to the specific files and directories.

    • Disabled. The SMB privileged user group has read control access. Members of the group can perform backup operations on all files and directories without requiring read access to the specific files and directories. They cannot perform restore operations without write access to the specific files and directories.

    Logon name of the privileged domain user

    An optional custom user name for the SMB or NFSv4.1 privileged user. If not set, the user name is 'vastadmin' in the cluster's joined domain.

    SID of the privileged domain group

    Specify a custom group SID to obtain a working SMB or NFSv4.1 privileged group with backup operator privileges. If not set, the SMB privileged group is set to the Backup Operators domain group (S-1-5-32-551), which, due to a known issue, does not receive backup operator privileges.

    BUILTIN\Administrators group name

    Optional custom name to set for a non-default privileged group. If not specified, the privileged group name is Backup Operators.

  4. In the Providers tab:

    1. Use the Active Directory, LDAP and NIS fields to enable external authorization provider(s) for the tenant. In each of these fields, you can select only one provider from the dropdown.

      Note

      Providers configured on the cluster are subject to combination restrictions per tenant, as described in Authorization Providers in VAST Cluster.

    2. If you enabled more than one provider:

      • From the POSIX Primary Provider dropdown, select one of the enabled providers. When user information retrieved from different providers contains conflicting attribute values, the selected provider takes precedence.

      • In the Provider for NFSv4.1 Login Name field, select one of the providers as the primary provider for NFSv4.1 users' login names.

  5. In the Tenant Access tab, configure optional tenant access settings.

    Client IP Ranges List

    Specify which client IPs can access the tenant.

    Note

    The use of client source IPs for access to a tenant that is associated with an Active Directory provider is only supported if the Active Directory provider is configured to allow SMB access.

    • To add a range of client IPs, click Add IP Range and then enter the Start IP and End IP for the range.

    • To remove a range, click the Remove button for the range.
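    The Client IP Ranges List is an allow-list of inclusive Start IP/End IP pairs. The following is an added example, not VAST code, of the check such a list implies: it validates each range as it is entered, answers whether a given source address falls inside any configured range, and flags ranges that overlap. The range values below are constructed for the example, and treating an empty list as "no restriction" is an assumption of this example, not something the page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class IPRange:
    """An inclusive client IP range, as entered in the Start IP / End IP fields."""
    start: IPAddress
    end: IPAddress


def make_range(start: str, end: str) -> IPRange:
    """Validate a Start IP / End IP pair the way the dialog should before saving it."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version:
        raise ValueError(f"start {s} and end {e} are not the same IP version")
    if e < s:
        raise ValueError(f"end {e} precedes start {s}")
    return IPRange(s, e)


def client_allowed(client_ip: str, ranges: Sequence[IPRange]) -> bool:
    """True if client_ip lies inside any configured range.

    Assumption of this example: an empty list means the tenant is not
    restricted by client IP. Confirm the product's behaviour before relying on it.
    """
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    for r in ranges:
        # ipaddress refuses to compare IPv4 with IPv6, so skip mismatched ranges.
        if r.start.version != ip.version:
            continue
        if r.start <= ip <= r.end:
            return True
    return False


def find_overlaps(ranges: Sequence[IPRange]) -> List[Tuple[int, int]]:
    """Return index pairs of ranges that overlap; useful for spotting a
    copy-paste error that silently widened the allow-list."""
    overlaps: List[Tuple[int, int]] = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            a, b = ranges[i], ranges[j]
            if a.start.version != b.start.version:
                continue
            if max(a.start, b.start) <= min(a.end, b.end):
                overlaps.append((i, j))
    return overlaps


# Constructed sample configuration for one tenant.
TENANT_RANGES = [
    make_range("10.0.0.10", "10.0.0.20"),
    make_range("192.168.1.0", "192.168.1.255"),
]

if __name__ == "__main__":
    for candidate in ("10.0.0.15", "10.0.0.21", "192.168.1.0", "2001:db8::1"):
        print(candidate, "allowed" if client_allowed(candidate, TENANT_RANGES) else "denied")
    print("overlaps:", find_overlaps(TENANT_RANGES + [make_range("10.0.0.15", "10.0.0.30")]))
```

Because the list is matched on source address only, it is a coarse control: anything that can present an address inside a range (a NAT gateway, a jump host) is admitted, so pair it with the provider-level authentication configured in the Providers tab rather than treating it as the only gate.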

    VIP Pool Ranges List

    Determine which virtual IP pools are dedicated to the tenant:

    • To dedicate a virtual IP pool to the tenant, select the virtual IP pool from the dropdown.

      The virtual IP pool is added to the list of virtual IP pools.

    • To remove a range, click the Remove button for the range.

  6. In the Advanced tab, optionally make the following settings:

    Create default view policies

    Create a view policy to be used by default for new S3 buckets that are created using the S3 API.

    Under NFSv4.2 Protocol Support:

    Enable NFSv4.2

    Toggle on or off to enable or disable support of NFS version 4.2 for this tenant.

    Tip

    Toggle it on if you want to let your clients use the NFSv4.2 Security Labels capability.

    Under SMB:

    Default share-level ACL

    Optionally set the default 'Everyone' Group share-level permission for the tenant. This default permission affects all views associated with the tenant where share-level ACL is disabled.

    For more information about share-level ACLs, see Share-Level ACLs.

    Possible values:

    • Full control (Default). Includes Change permission and permission to change file owners and Windows ACLs.

    • Read. Permission for Read operations only.

    • Change. Includes Read permission and permission to change files, create files, create directories, and to delete files and directories.

      Note

      Change permission does not include permission to modify file attributes or ACLs.

    Use native SMB authentication

    When enabled, VAST Cluster authorizes client access by using the user and group information supplied via Kerberos or NTLM authentication, rather than by querying that user in Active Directory. By default, this option is disabled. For more information, see Authentication for SMB Access.

    Note

    After you disable the use of Kerberos/NTLM authentication to authorize users from non-trusting domains, users that previously had access still have access, even though the feature is now disabled.

    Require SMB signing

    When enabled, SMB signing is mandatory for the clients accessing the cluster. SMB requests with a missing or invalid signature are not accepted.

    Notice

    This option is available starting with VAST Cluster 5.1.0-SP50.

    Under Locked Accounts in Active Directory:

    Disabled users

    Enabling this setting allows IO to be performed on the cluster by users whose accounts are disabled in Active Directory.

    By default, if the user's account is disabled in Active Directory by an administrator, the user is blocked from performing IO on the cluster. This setting overrides the default behavior.

    Locked users

    Enabling this setting allows IO to be performed on the cluster by users whose accounts are automatically locked out in Active Directory by account lockout policies. Active Directory account lockout policies determine when and for how long users are automatically locked out after invalid login attempts.

    By default, if the user's account is locked out by Active Directory lockout policies, the user is blocked from performing IO on the cluster. This setting overrides the default behavior.

    Under Trash folder GID, to override cluster defaults:

    Enable Trash folder GID

    Enable this setting to allow a group of non-root users access to the trash folder. Use the Trash folder GID field to specify the group.

    Trash folder GID

    If you want to allow access to the trash folder for non-root NFSv3 users serviced by the tenant, enter the GID of the user group that you want to use for this purpose in the Trash folder GID field. Users who belong to this group will have permission to move files into the trash folder. For more information, see Trash Folder (for Rapid Parallel File Deletion).

    By default, the operation of moving files into the trash folder is supported for the root user only.

    If Enable Trash folder GID is enabled, specify the group of non-root users to be granted access to the trash folder by the group's GID attribute.

  7. Click Create.

    The tenant is created and appears in the listing of tenants in the Tenants page.

Creating a Tenant via VAST CLI

To create a tenant from the VAST CLI, run the tenant create command.