Authorizing VMS Access and Permissions


VAST Cluster has a role-based access control (RBAC) system for VAST Management System (VMS) users and permissions.

VMS Permissions

Permissions are divided by type (create, view, edit, and delete) and are assigned per realm. Each realm is a category of objects that can be created, viewed, edited, and deleted.

You can assign permissions to security groups called roles, and directly to managers. Managers are VMS users that are configured in VMS itself.

VMS Users

You can provision VMS access for two types of users:

  • Managers configured in VMS itself. These users can be assigned specific VMS permissions directly, and they can be assigned roles. A manager holds its direct permissions plus all permissions of every role it is assigned.

  • Users configured on an LDAP server that is connected to the cluster. You can give these users VMS access by adding LDAP groups to VMS roles. This option is supported for any Active Directory or other LDAP-based authorization service that is configured on the cluster for protocol access. These users have all permissions that are assigned to all roles that they have.

There is a predefined manager admin with a predefined role admin. It is not possible to delete all VMS users defined with the admin role. At least one VMS admin user always remains, so that it is possible to access VMS without LDAP connectivity if needed.

LDAP users can log into VMS with their Active Directory/LDAP user name and password. Successful login requires connectivity with the Active Directory/LDAP server. Users are granted all permissions of all roles associated with any of their LDAP groups.

RBAC Realms

VMS permission realms enable access to the following configurations:

| Realm | Includes | Relevant VAST Web UI Menus/Pages/Tabs | VAST CLI Command Groups | VMS REST API Paths |
|---|---|---|---|---|
| Events | Alarms, events, event definitions and global event definition settings. | Alarms and Events | event, alarm, eventdefinition, eventdefinitionconfig | /alarms/, /events/, /eventdefinition/, /eventdefinitionconfig/ |
| Hardware | The cluster object and all infrastructure components. | Infrastructure, Hardware, Settings/Cluster | carrier, cbox, cluster, cnode, dbox, dnode, dtray, fan, host, lock, nic, nvram, port, psu, ssd, subnetmanager, switch | /cluster/, /host/, /dbox/, /cbox/, /cnode/, /dtray/, /dnode/, /bmc/, /carrier/, /ssd/, /nvram/, /psu/, /fan/, /switch/, /port/, /nic/, /subnetmanager/ |
| Logical | Configuration of virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules. | Element Store, Data Protection, Network Access | dns, lifecyclerule, protectedpath, protectionpolicy, quota, replicationpeer, restorepoint, snapshot, s3replicationpeer, userquota, version, view, viewpolicy, vip, vippool | /vtasks/, /versions/, /vippools/, /vips/, /views/, /viewpolicies/, /dns/, /s3lifecyclerules/, /snapshots/, /quotas/, /quotaentityinfos/, /userquotas/, /replicationtargets/, /nativereplicationremotetargets/, /protectionpolicies/, /protectedpaths/, /replicationrestorepoints/ |
| Monitoring | Analytics reports, capacity usage estimations, data flow analytics. | Analytics | monitor | /analytics/, /metrics/, /monitors/, /iodata/, /topndata/, /capacity/ |
| Security | Users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, VAST-support tunnels for remote support access. | User Management, Administrators, Settings/Indestructibility, Support | activedirectory, group, indestructibility, ldap, manager, nis, role, s3policy, user, vpntunnel | /indestructibility/, /permissions/, /roles/, /managers/, /ldaps/, /nis/, /activedirectory/, /tenants/, /groups/, /users/, /s3policies/, /vpntunnels/ |
| Settings | VMS settings. | Settings/VMS | vms | /vms/ |
| Support | Call Home configuration, support bundles, licenses, envs, and modules. | Settings/Call Home, Support | callhomeconfig, env, license, module, supportbundle | /callhomeconfigs/, /supportbundles/, /licenses/, /envs/, /modules/ |
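The permission model described under VMS Users and the realm table above, as an added Python example that is not VAST's code: it resolves a REST API path to its realm using the path prefixes from the table, computes a manager's effective permissions as the union of direct grants and role grants, computes an LDAP user's permissions from the roles its groups are mapped to, and enforces the "at least one admin remains" rule. The mapping of HTTP methods to the four permission types, and the sample roles, managers and LDAP group, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

PERMISSION_TYPES = ("create", "view", "edit", "delete")

# REST API path prefixes per realm, copied from the realm table on this page.
REALM_PATHS: Dict[str, Tuple[str, ...]] = {
    "Events": ("/alarms/", "/events/", "/eventdefinition/", "/eventdefinitionconfig/"),
    "Hardware": ("/cluster/", "/host/", "/dbox/", "/cbox/", "/cnode/", "/dtray/", "/dnode/", "/bmc/",
                 "/carrier/", "/ssd/", "/nvram/", "/psu/", "/fan/", "/switch/", "/port/", "/nic/",
                 "/subnetmanager/"),
    "Logical": ("/vtasks/", "/versions/", "/vippools/", "/vips/", "/views/", "/viewpolicies/", "/dns/",
                "/s3lifecyclerules/", "/snapshots/", "/quotas/", "/quotaentityinfos/", "/userquotas/",
                "/replicationtargets/", "/nativereplicationremotetargets/", "/protectionpolicies/",
                "/protectedpaths/", "/replicationrestorepoints/"),
    "Monitoring": ("/analytics/", "/metrics/", "/monitors/", "/iodata/", "/topndata/", "/capacity/"),
    "Security": ("/indestructibility/", "/permissions/", "/roles/", "/managers/", "/ldaps/", "/nis/",
                 "/activedirectory/", "/tenants/", "/groups/", "/users/", "/s3policies/", "/vpntunnels/"),
    "Settings": ("/vms/",),
    "Support": ("/callhomeconfigs/", "/supportbundles/", "/licenses/", "/envs/", "/modules/"),
}

# Assumption (not stated on the page): which permission type each HTTP method needs.
METHOD_TO_PERMISSION = {"GET": "view", "POST": "create", "PUT": "edit", "PATCH": "edit", "DELETE": "delete"}

Permission = Tuple[str, str]  # (realm, permission type)

@dataclass
class Role:
    name: str
    permissions: Set[Permission]
    ldap_groups: Set[str] = field(default_factory=set)  # LDAP groups mapped onto this role

@dataclass
class Manager:
    name: str
    roles: Set[str]
    direct_permissions: Set[Permission] = field(default_factory=set)

def realm_for_path(path: str) -> Optional[str]:
    """Return the realm that owns a REST API path, or None if no realm claims it."""
    for realm, prefixes in REALM_PATHS.items():
        if any(path.startswith(prefix) for prefix in prefixes):
            return realm
    return None

def effective_permissions(manager: Manager, roles: Dict[str, Role]) -> Set[Permission]:
    """A manager holds its direct permissions plus everything granted by every assigned role."""
    perms = set(manager.direct_permissions)
    for role_name in manager.roles:
        perms |= roles[role_name].permissions
    return perms

def ldap_effective_permissions(groups: Iterable[str], roles: Dict[str, Role]) -> Set[Permission]:
    """An LDAP user holds the union of every role that any of its groups is mapped to."""
    group_set = set(groups)
    perms: Set[Permission] = set()
    for role in roles.values():
        if role.ldap_groups & group_set:
            perms |= role.permissions
    return perms

def is_authorized(perms: Set[Permission], method: str, path: str) -> bool:
    """Deny by default: an unmapped path or an unknown method never passes."""
    realm = realm_for_path(path)
    ptype = METHOD_TO_PERMISSION.get(method.upper())
    return realm is not None and ptype is not None and (realm, ptype) in perms

def can_delete_manager(target: str, managers: Dict[str, Manager], admin_role: str = "admin") -> bool:
    """Refuse any deletion that would leave no manager holding the admin role."""
    if target not in managers:
        return False
    return any(admin_role in m.roles for name, m in managers.items() if name != target)

def full_access(realm: str) -> Set[Permission]:
    return {(realm, ptype) for ptype in PERMISSION_TYPES}

# Constructed sample configuration; the names, group DN and grants are illustrative only.
ROLES = {
    "admin": Role("admin", set().union(*(full_access(r) for r in REALM_PATHS))),
    "storage_ops": Role("storage_ops", full_access("Logical") | {("Monitoring", "view")},
                        ldap_groups={"CN=storage-admins,OU=Groups,DC=example,DC=com"}),
}
MANAGERS = {
    "admin": Manager("admin", roles={"admin"}),
    "alice": Manager("alice", roles={"storage_ops"}, direct_permissions={("Events", "view")}),
}

if __name__ == "__main__":
    alice = effective_permissions(MANAGERS["alice"], ROLES)
    print(is_authorized(alice, "POST", "/views/"), is_authorized(alice, "DELETE", "/managers/3/"))
    print(can_delete_manager("admin", MANAGERS))
```

Because both managers and LDAP users receive a union of role grants, adding a single broad permission to a role widens access for every manager and every mapped LDAP group at once; reviewing role membership is therefore the most effective way to audit who can reach the Security realm.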

RBAC Auditing

The following are audited as events:

  • Changes to the VMS RBAC configuration.

  • Login attempts, including the time of the attempt, the attempting user, and the login result.
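As an added example of consuming these audit events, not VAST code and not the real VMS event schema: the records below are constructed in a hypothetical dict format carrying the fields the page says are audited (time, user, login result, RBAC changes). The code lists RBAC configuration changes and flags any user that accumulates a number of failed logins within a sliding time window, which is the check a defender would run over these events.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events in a hypothetical record format (not the actual VMS schema).
EVENTS = [
    {"time": "2024-05-01T08:00:00Z", "type": "login", "user": "alice", "result": "success"},
    {"time": "2024-05-01T08:05:10Z", "type": "login", "user": "bob", "result": "failure"},
    {"time": "2024-05-01T08:05:30Z", "type": "login", "user": "bob", "result": "failure"},
    {"time": "2024-05-01T08:06:00Z", "type": "login", "user": "bob", "result": "failure"},
    {"time": "2024-05-01T08:30:00Z", "type": "rbac_change", "user": "alice",
     "detail": "role storage_ops: added Security/edit"},
    {"time": "2024-05-01T09:00:00Z", "type": "login", "user": "bob", "result": "success"},
    {"time": "2024-05-01T12:00:00Z", "type": "login", "user": "bob", "result": "failure"},
]

def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def rbac_changes(events: List[Dict]) -> List[Tuple[datetime, str, str]]:
    """Every change to the RBAC configuration, with who made it and when."""
    return [(parse_time(e["time"]), e["user"], e["detail"])
            for e in events if e["type"] == "rbac_change"]

def failed_login_bursts(events: List[Dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, datetime]]:
    """Users whose failed logins reach `threshold` within `window`; one hit per user,
    timestamped at the failure that crossed the threshold."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["type"] == "login" and e["result"] == "failure":
            failures[e["user"]].append(parse_time(e["time"]))
    hits = []
    for user, times in failures.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                hits.append((user, times[i]))
                break
    return hits

if __name__ == "__main__":
    for when, who, what in rbac_changes(EVENTS):
        print(f"{when.isoformat()} RBAC change by {who}: {what}")
    for who, when in failed_login_bursts(EVENTS):
        print(f"{when.isoformat()} repeated login failures for {who}")
```

A successful login shortly after such a burst, as in the sample for bob, is worth correlating with the RBAC-change events so that a compromised account cannot quietly widen its own role.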