You can manage permissions through roles. Managers can belong to any number of roles. Managers inherit all permissions enabled for any roles they belong to.
VAST Cluster includes several default roles that are created during cluster deployment to cover some specific use cases, such as the read-only or csi role. Do not modify these roles. If you'd like to alter a default role, create a copy of the default role and modify the copy as needed.
Viewing Roles
From the left navigation menu, select Administrators and then Roles.
The following information can be displayed for each role:
Tip
To display or hide fields, click the icon to the right of a column title, and then click the icon that opens a dropdown where you can select or unselect fields.
ID
The ID of the role.
Name
The name of the role.
Managers
Names of managers who have this role.
Managers Count
The number of managers who have this role.
LDAP Groups
LDAP groups associated with this role.
Tenants
Tenants associated with this role.
Default
Indicates whether this role is default.
To review permissions granted by a role, open the Actions menu for the role and select View.
Adding Roles
From the left navigation menu, select Administrators and then Roles.
Click Create Roles to open the Create Role dialog.
In the Tenant field, enter the names of the tenants associated with this role.
In the Name field, enter a name for the role.
Enable permissions you want to include in the role:
Enable a permission by clicking its icon.
Toggle whole rows and columns on and off by clicking the row or column heading. For example, click Create to add Create permission for all realms.
If you want to associate authentication provider group(s) with the role, enter each group in the format <groupname>@<domain> in the Active Directory/LDAP groups field.
Users who belong to groups associated with the role will be able to log in to VMS using their LDAP user name and password. These users will be authorized based on the roles associated with their group.
To enter a group, start typing the initial characters and then select an auto-complete option.
To enter more than one group, enter the first group, then enter a comma and then enter another group. Each group is entered into the field with a removal button. You can use the remove button to remove any group.
Each group can be any group on any connected LDAP-based provider, including Active Directory. Groups can be associated with multiple roles and vice versa.
If you've associated the role with an Active Directory or LDAP group and you want to let the group members access cluster nodes through SSH, toggle the Enable OS SSH login option on.
This option enables Active Directory/LDAP authentication when accessing cluster nodes through SSH. Users that are members of this LDAP group will be able to log in to cluster nodes with the same permissions as the vastdata user.
When you're done, click Create.
The role is added.
Tip
To assign the role to a manager, update the manager.
Modifying Roles
Whenever you modify a role and change the permission set enabled for the role, you automatically update the inherited permissions of all the managers who have the role.
Do not modify default roles. If you'd like to alter a default role, create a copy of the default role and modify the copy as needed.
From the left navigation menu, select Administrators and then Roles.
Open the Actions menu for the role you want to modify, and select Edit.
Make changes as needed (see Adding Roles).
Click Update.
The role is modified.
Deleting Roles
Caution
Deleting a role can remove permissions from managers who have the role.
From the left navigation menu, select Administrators and then Roles.
Open the Actions menu for the role you want to delete, and then select Remove.
Click Yes to confirm the removal.
The role is deleted.