User impersonation lets you have client users' I/O executed under a preconfigured impersonating user account. When an NFS or SMB client user creates or accesses a file or directory stored on the VAST cluster, the operation is authorized and performed as though the impersonating user performed it, regardless of which client user actually issued the request.
Notice
User impersonation is available starting with VAST Cluster 5.2.0-SP10.
Scope of User Impersonation
User impersonation applies to NFS and SMB access only.
When user impersonation is in effect:
Permission checks, including checks against share-level ACLs, are made for the impersonating user.
The impersonating user becomes the owner of files and directories created on the user-impersonated view.
Access-Based Enumeration (ABE) is performed per impersonating user.
Attribute-Based Access Control (ABAC) is performed per impersonating user.
Quota calculations and accounting are done for the impersonating user and its primary group.
Any file replicated from a view for which user impersonation is in effect has the same owner (the impersonating user) on the replica.
The following capabilities are not affected by user impersonation; they continue to apply to the impersonated user, that is, the actual client user:
User authentication (Kerberos, NTLM) is performed per impersonated user.
Protocol audit records show the impersonated user.
Quality of Service (QoS) policies are applied per impersonated user.
Data flow reporting is done per impersonated user.
Setting Up the Impersonating User
Ensure that the impersonating user account belongs to an authentication provider associated with the tenant where user-impersonated views are to be configured.
A disabled user or the Everyone user cannot be used as the impersonating user.
If the user-impersonated view has the NFS protocol enabled, the impersonating user must have an NFS User ID (UID) and Group ID (GID).
If the user-impersonated view has SMB protocol enabled, the impersonating user must have a Security Identifier (SID).
Configuring User Impersonation for a View
The view must meet the following requirements:
The view's tenant is not configured to use SMB native authentication.
The view's view policy has No Squash set to * (all hosts).
The view's list of enabled protocols must contain only NFSv3, NFSv4, and SMB; no other protocol can be enabled on a view that uses user impersonation.
To configure user impersonation in VAST Web UI:
Go to the User Impersonation tab in the view settings (Element Store -> Views -> create a new view or edit an existing one).
Toggle the Enable user impersonation option on.
Enter the name of the impersonating user in the Select user field.
To do so, start typing the user name in the field. When a list of matching users is displayed, select the user you want from the list.
Click Save to save your change.
To configure user impersonation in VAST CLI, run the view create or view modify commands and specify the following options:
--enable-user-impersonation to enable the capability for the view.
--user-impersonation-identifier-type, --user-impersonation-identifier and --user-impersonation-username to specify the impersonating user.
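Because every permission check and every new file's ownership on the view collapses onto the single impersonating user, it is worth verifying the requirements above before enabling the option. The following Python script is an added example, not VAST's own code or CLI: it encodes the impersonating-user and view requirements listed on this page as a preflight check that can be run against a view definition before issuing view create or view modify. The dataclasses, field names, protocol labels and sample values are constructed for illustration and are not VAST identifiers.

```python
"""Preflight check for enabling user impersonation on a VAST view.

Added example, not VAST's own code or CLI. It encodes the requirements
listed in this page so they can be checked before running
`view create` / `view modify`. All class names, field names, protocol
labels and sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Protocol labels are an assumption; the page names NFSv3, NFSv4 and SMB
# as the only protocols that may be enabled on a user-impersonated view.
ALLOWED_PROTOCOLS = {"NFSv3", "NFSv4", "SMB"}
NFS_PROTOCOLS = {"NFSv3", "NFSv4"}


@dataclass
class ImpersonatingUser:
    name: str
    enabled: bool = True
    uid: Optional[int] = None      # NFS User ID (required when NFS is enabled)
    gid: Optional[int] = None      # NFS Group ID (required when NFS is enabled)
    sid: Optional[str] = None      # Security Identifier (required when SMB is enabled)
    in_tenant_auth_provider: bool = True  # belongs to a provider of the view's tenant


@dataclass
class ViewConfig:
    path: str
    protocols: Set[str]
    no_squash_hosts: str = "*"            # "No Squash" setting of the view policy
    tenant_smb_native_auth: bool = False  # tenant uses SMB native authentication


def check_impersonation_readiness(view: ViewConfig, user: ImpersonatingUser) -> List[str]:
    """Return the list of requirement violations; an empty list means ready."""
    problems: List[str] = []

    # --- impersonating user requirements ---
    if not user.in_tenant_auth_provider:
        problems.append("user is not in an auth provider associated with the view's tenant")
    if not user.enabled:
        problems.append("user is disabled")
    if user.name.lower() == "everyone":
        problems.append("the Everyone user cannot be the impersonating user")
    if view.protocols & NFS_PROTOCOLS and (user.uid is None or user.gid is None):
        problems.append("NFS is enabled but the user has no UID and/or GID")
    if "SMB" in view.protocols and not user.sid:
        problems.append("SMB is enabled but the user has no SID")

    # --- view requirements ---
    extra = view.protocols - ALLOWED_PROTOCOLS
    if extra:
        problems.append(f"unsupported protocols enabled: {sorted(extra)}")
    if view.tenant_smb_native_auth:
        problems.append("tenant uses SMB native authentication")
    if view.no_squash_hosts != "*":
        problems.append("view policy No Squash must be '*' (all hosts)")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a service account and two candidate views.
    svc = ImpersonatingUser("svc-ingest", uid=5001, gid=5001,
                            sid="S-1-5-21-1111-2222-3333-1001")
    ready_view = ViewConfig("/ingest", {"NFSv3", "SMB"})
    broken_view = ViewConfig("/mixed", {"NFSv4", "SMB", "S3"}, no_squash_hosts="10.0.0.0/24")

    for view in (ready_view, broken_view):
        issues = check_impersonation_readiness(view, svc)
        status = "ready" if not issues else "NOT ready"
        print(f"{view.path}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against your own view definition before toggling the option in the UI or CLI; any line printed under "NOT ready" corresponds to one of the requirements above and will need to be fixed first.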