Creating Tenants


Creating a Tenant via VAST Web UI

  1. From the left navigation menu, select Element Store and then Tenants.

  2. Click + Create Tenant.

  3. In the Add Tenant dialog that opens, complete the fields in the General tab:

    Name

    Enter a name for the tenant.

    Trash folder GID

    If you want to allow access to the trash folder for non-root NFSv3 users serviced by the tenant, enter the GID of a user group that you want to use for this purpose in the Trash folder GID field. Users who belong to this group will have permission to move files into the trash folder. See Trash Folder (for Rapid Parallel File Deletion).

    By default, the operation of moving files into the trash folder is supported for the root user only.

    Default share-level ACL

    Optionally set the default 'Everyone' Group share-level permission for the tenant. This default permission affects all views associated with the tenant where share-level ACL is disabled. The permission can be set to Read, Change or Full Control. By default, it is set to Full Control.

    For more information about share-level ACLs, see Share-Level ACLs.

    Encryption Group

    If encryption is enabled on the cluster with external key management (EKM), enter a string identifier for the tenant's encryption group for encryption group management.

    You can optionally provide the same encryption group for more than one tenant if you want to join multiple tenants to the same encryption group on the EKM. Tenants that belong to the same group will be managed by the same encryption key.

    Valid format: string, up to 128 characters

    Encryption Group is required if EKM encryption is enabled.

    The encryption group cannot be changed after creating the tenant.

    For more information about EKM encryption, see Encryption of Data at Rest.

    Under Privileged users and groups:

    Note

    The privileged user and group settings are active only when an Active Directory provider is associated with the tenant and this provider is configured to allow SMB access.

    Enable privileged domain user restore access

    • Enabled (default). The SMB privileged user is enabled.

    • Disabled. The SMB privileged user is disabled.

    Enable privileged domain group backup access

    • Enabled (default). The SMB privileged user group is enabled.

    • Disabled. The SMB privileged user group is disabled.

    Enable privileged group restore access

    • Enabled (default). The SMB privileged user group has read and write control access. Members of the group can perform backup and restore operations on all files and directories, without requiring read or write access to the specific files and directories.

    • Disabled. The SMB privileged user group has read control access. Members of the group can perform backup operations on all files and directories without requiring read access to the specific files and directories. They cannot perform restore operations without write access to the specific files and directories.

    Logon name of the privileged domain user

    An optional custom user name for the SMB or NFSv4.1 privileged user. If not set, the user name is 'vastadmin' in the cluster's joined domain.

    SID of the privileged domain group

    Specify a custom group SID in order to have a working SMB or NFSv4.1 privileged group with backup operator privileges. If not set, the SMB privileged group is set to the Backup Operators domain group (S-1-5-32-551), which, due to a known issue, does not receive backup operator privileges.  

    BUILTIN\Administrators group name

    Optional custom name to set for a non-default privileged group. If not specified, the privileged group name is Backup Operators.

  4. In the Providers tab:

    1. Use the Active Directory, LDAP and NIS fields to enable external authorization provider(s) for the tenant. In each of these fields, you can select only one provider from the dropdown.

      Note

      Providers configured on the cluster are subject to combination restrictions per tenant, as described in Supported Combinations of Providers and Access Protocols.

    2. If you enabled more than one provider:

      • Select one of the enabled providers from the POSIX Primary Provider dropdown to take precedence over other enabled providers in case of any conflicts between attribute values when user information is retrieved from the providers.

      • In the Login Name Primary Provider field, select one of the providers as the primary provider for the user's login name.

  5. In the Tenant Access tab, configure optional tenant access settings. See ??? for more information.

    Client IP Ranges List

    Specify which client IPs can access the tenant.

    Note

    The use of client source IPs for access to a tenant that is associated with an Active Directory provider is only supported if the Active Directory provider is SMB allowed.

    • To add a range of client IPs, click Add IP Range and then enter the Start IP and End IP for the range.

    • To remove a range, click the Remove button for the range.

    VIP Pool Ranges List

    Determine which virtual IP pools are dedicated to the tenant:

    • To dedicate a virtual IP pool to the tenant, select the virtual IP pool from the dropdown.

      The virtual IP pool is added to the list of virtual IP pools.

    • To remove a range, click the Remove button for the range.

  6. In the Advanced tab, optionally make the following setting:

    Use SMB native authentication

    When enabled, VAST Cluster authorizes client access by using user and group information supplied via Kerberos or NTLM authentication, rather than by querying that user in Active Directory. For more information, see Authentication for SMB Access. By default, this option is disabled.

  7. Click Create.

    The tenant is created and appears in the listing of tenants in the Tenants page.
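
The settings in the steps above can be reviewed before clicking Create, which matters most for the encryption group because it cannot be changed afterwards. The following Python check is an added example, not VAST code: the dictionary keys, plan names and sample values are hypothetical, and only the rules it applies come from this page.

```python
import ipaddress

DEFAULT_GROUP_SID = "S-1-5-32-551"  # Backup Operators default named on this page

def review_tenant(plan):
    """Return review findings for a planned tenant (dict layout is hypothetical)."""
    out = []
    group = plan.get("encryption_group", "")
    if plan.get("ekm_enabled") and not group:
        out.append("encryption_group: required when EKM encryption is enabled")
    if len(group) > 128:
        out.append("encryption_group: longer than 128 characters")
    if plan.get("default_share_acl", "Full Control") == "Full Control":
        out.append("default_share_acl: Everyone has Full Control where share-level ACL is disabled")
    ad = plan.get("active_directory")  # None, or {"smb_allowed": bool}
    if ad and ad.get("smb_allowed"):  # privileged settings are active only in this case
        if (plan.get("privileged_group_sid") or DEFAULT_GROUP_SID) == DEFAULT_GROUP_SID:
            out.append("privileged_group_sid: default group gets no backup operator privileges")
        if plan.get("privileged_group_restore", True):
            out.append("privileged_group_restore: members can restore without write access")
    ranges = plan.get("client_ip_ranges", [])
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            out.append(f"client_ip_ranges: invalid range {start}-{end}")
    if ranges and ad and not ad.get("smb_allowed"):
        out.append("client_ip_ranges: Active Directory provider is not SMB allowed")
    enabled = [p for p in ("active_directory", "ldap", "nis") if plan.get(p)]
    if len(enabled) > 1 and plan.get("posix_primary_provider") not in enabled:
        out.append("posix_primary_provider: select one of " + ", ".join(enabled))
    return out

# Constructed plans for illustration; names, SID and addresses are made up.
DRAFT_PLAN = {
    "ekm_enabled": True, "encryption_group": "",
    "active_directory": {"smb_allowed": True}, "ldap": {"name": "ldap-1"},
    "client_ip_ranges": [("10.0.0.10", "10.0.0.50"), ("10.0.1.200", "10.0.1.20")],
}
REVIEWED_PLAN = dict(
    DRAFT_PLAN,
    encryption_group="eg-tenant-a", posix_primary_provider="active_directory",
    default_share_acl="Read", privileged_group_restore=False,
    privileged_group_sid="S-1-5-21-1111111111-2222222222-3333333333-1105",
    client_ip_ranges=[("10.0.0.10", "10.0.0.50"), ("10.0.1.20", "10.0.1.200")],
)

if __name__ == "__main__":
    for finding in review_tenant(DRAFT_PLAN):
        print(finding)
```

The Full Control and restore-access findings are review prompts for settings the page documents as defaults, not errors; whether to keep them depends on who needs access to the tenant's views.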

Creating a Tenant via VAST CLI

To create a tenant from the VAST CLI, run the tenant create command.