role assign


This command assigns a permission and/or LDAP groups to a role. To add multiple permissions to a role, run the command once for each permission.  

Tip

Use the VAST Web UI to see which permissions are assigned to a role.

Go to the Roles tab of the Administrators page, and choose the Edit option from the Actions menu for the role. The Update Roles dialog shows which permissions are currently assigned to the role.

Do not modify default roles. If you'd like to alter a default role, create a copy of the default role and modify the copy as needed.

Usage

role assign --id ID [--realm REALM | {--object-type OBJECT_TYPE --object-id OBJECT_ID}]
                    [--permissions create|view|edit|delete]
                    [--ldap-groups GROUPS]
                    [--tenant-ids IDs]  

Required Parameters

--id ID

Specifies the role by its ID.

Options

--realm REALM

Specifies a realm of VMS objects. Possible values:

  • events. This realm includes alarms, events, event definitions and global event definition settings.

  • hardware. This realm includes the cluster object and all infrastructure components.

  • logical. This realm includes virtual IPs for network access, DNS service, Element Store views for protocol access, directory and user quotas, data protection features except for indestructibility, and S3 life cycle rules.

  • monitoring. This realm includes analytics reports, capacity usage estimations, and data flow analytics.

  • security. This realm includes users and groups for data client access, authentication providers, VMS Role Based Access Control (RBAC), indestructibility for snapshots and protection policies, S3 identity policies, and VAST Data Support tunnels for remote support access.

  • settings. This realm includes VMS settings.

  • support. This realm includes Call Home configuration, support bundles, licenses, envs, and modules.

--object-type OBJECT_TYPE

Use this parameter together with --object-id to specify an object. In this case, the command will grant the role permission to access a specific object.

Examples of objects are:

  • cluster

  • cnode

  • dnode

  • dbox

  • cbox

  • view

  • viewpolicy

  • quota

  • vippool

  • eventdefinition

  • ldap

For example, to grant permission on a given view, specify --object-type view and provide the view's ID as --object-id.

--object-id OBJECT_ID

Specifies the ID of the object to which the role is granted access. Use this parameter together with --object-type.

For example: --object-id 3

--permissions create|view|edit|delete

Include this parameter to grant one specific type of permission. Omit this parameter to grant all four types.

--ldap-groups GROUPS

Specifies one or more LDAP groups to associate with the role. Users who belong to groups that are associated with the role can log into VMS with their LDAP user name and password, and are authorized according to the role(s) associated with their group. Each group can be any group on any connected LDAP-based provider, including Active Directory. A group can be associated with multiple roles, and a role with multiple groups.

--tenant-ids IDs

Specifies the tenant(s) to which the role assignment applies.

You can specify one tenant ID or a comma-separated list of tenant IDs.

Example

This example assigns to role 2 create permission for the logical realm on tenant 2:

vcli: admin> role assign --id 2 --realm logical --permissions create --tenant-ids 2
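Because the command grants one permission per invocation, and omitting --permissions grants all four types, a small wrapper that insists on an explicit permission list and issues one role assign command per entry keeps role definitions on a least-privilege footing. The following is an added example, not part of the VAST documentation or vcli itself; it assumes a non-interactive vcli that accepts the command as arguments, so the default setting only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the VAST documentation): one "role assign"
# command per permission, with argument checks done before anything is sent.
# Assumption: a non-interactive `vcli` that takes the command as arguments.
# The default just prints the commands; set VCLI_CMD=vcli to execute them.
VCLI_CMD="${VCLI_CMD:-echo vcli}"

# Returns 0 only for the four permission types listed under --permissions.
valid_permission() {
    case "$1" in
        create|view|edit|delete) return 0 ;;
        *) return 1 ;;
    esac
}

# role_assign_perms ROLE_ID TARGET TENANT_IDS PERM[,PERM...]
#   TARGET is "realm:<name>" or "object:<type>:<id>"; the usage line makes
#   --realm and --object-type/--object-id mutually exclusive, so exactly one
#   form is accepted. An empty permission list is refused rather than
#   silently granting all types.
role_assign_perms() {
    role_id=$1; target=$2; tenant_ids=$3; perms=$4
    case "$target" in
        realm:*)
            scope="--realm ${target#realm:}" ;;
        object:*:*)
            rest=${target#object:}
            scope="--object-type ${rest%%:*} --object-id ${rest#*:}" ;;
        *)
            echo "target must be realm:<name> or object:<type>:<id>" >&2; return 2 ;;
    esac
    [ -n "$perms" ] || { echo "refusing to grant all permission types; list them explicitly" >&2; return 2; }
    # Validate every permission first so a typo cannot leave the role half-configured.
    for p in $(printf '%s' "$perms" | tr ',' ' '); do
        valid_permission "$p" || { echo "unknown permission: $p" >&2; return 2; }
    done
    # $VCLI_CMD and $scope are intentionally unquoted so they split into words.
    for p in $(printf '%s' "$perms" | tr ',' ' '); do
        $VCLI_CMD role assign --id "$role_id" $scope --permissions "$p" --tenant-ids "$tenant_ids" || return 1
    done
}
```

Running `role_assign_perms 2 realm:logical 2 create,view` with the default VCLI_CMD prints two commands, the first being the one shown in the Example section above.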