Overview of Identity Policies


Identity policies are the primary access control method available with the VAST Cluster S3 service.

Identity policies comprise statements that grant or deny permissions for any combination of specific actions on any combination of specified resources.

Identity policies are managed exclusively through VMS. They are written as JSON documents and uploaded to VMS, where you can create, modify and delete them and attach them to users and to groups.

Identity policies supersede ACLs as the recommended access control method for the VAST S3 service and, in this version, cover permission control for the full range of supported actions. ACLs continue to be supported but are limited to legacy S3 action types. Every new bucket and object is created with a default ACL granting FULL_CONTROL to its owner. Permission checking consults the ACL only when the incoming request is not covered by any user policy.
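As an added example (not VAST's own code or policy schema), the following Python models the evaluation order this section describes: identity-policy statements are checked first, and the ACL is consulted only when no statement covers the request. The IAM-style Effect/Action/Resource JSON shape, the ARN-style resource names, the explicit-deny-wins rule and the sample users and buckets are all assumptions made for illustration.

```python
"""Model of the access-check order described above: identity policies first,
ACL fallback only when no policy statement covers the request."""
import fnmatch
import json

# Constructed sample: one identity policy attached to user "alice".
# The Effect/Action/Resource shape is assumed (IAM style), not taken from VAST docs.
ALICE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::reports/*"}
  ]
}
""")

# Constructed sample ACLs: each bucket/object carries the default ACL that
# grants FULL_CONTROL to its owner, as the section states.
ACLS = {
    "arn:aws:s3:::reports": {"owner": "alice", "grants": {"alice": "FULL_CONTROL"}},
    "arn:aws:s3:::scratch": {"owner": "alice", "grants": {"alice": "FULL_CONTROL"}},
    "arn:aws:s3:::finance": {"owner": "bob", "grants": {"bob": "FULL_CONTROL"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """A statement covers a request when both its Action and Resource patterns match."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def acl_allows(user, resource):
    """Legacy ACL check, simplified: FULL_CONTROL grants every action."""
    acl = ACLS.get(resource)
    return bool(acl) and acl["grants"].get(user) == "FULL_CONTROL"

def check_access(user, policies, action, resource):
    """Return (allowed, reason). Assumed: an explicit Deny beats an Allow
    (IAM convention, not stated on the page). The ACL is consulted only when
    no statement in any attached policy covers the request."""
    matched = [s for p in policies for s in p["Statement"] if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False, "denied by identity policy"
    if matched:
        return True, "allowed by identity policy"
    # Not covered by any policy: fall back to the bucket's or object's ACL.
    return acl_allows(user, resource), "acl fallback (no policy statement covers request)"
```

Note the difference between the two failure modes: a Deny statement never falls through to the ACL, whereas a request no statement mentions at all is decided by the owner's default FULL_CONTROL grant.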

Note

All permissions required for the Object Locking feature must be assigned through identity policies.

Note

In native replication, where a protected path transfers snapshots from a destination replication peer to a target replication peer, identity policies are replicated from the destination peer to the target peer. They are disabled by default on the target peer and can be enabled there when needed.