Provisioning User Access and Permissions for DataEngine


Overview

User Types

You can provision the following types of users to enable access to DataEngine on a given tenant:

  • Tenant admin users. As administrators with access to a specific tenant's VMS for management purposes, these users can be authorized to enable DataEngine on the tenant, add Kubernetes clusters and container registries, and create buckets to trigger events. They automatically have permission to use all DataEngine features.

  • Application users. You can provision this type of user for people in your organization who have no administration role on the cluster or the tenant. Application users can access DataEngine on the tenant without any of the VMS tenant administration functionality. They do not automatically have permission to use all DataEngine features; specific permissions are granted through identity policies, covering creating and managing triggers, serverless functions, and pipelines, deploying pipelines, and observing telemetry logs and traces.

Provisioning Application Users

Application users are provisioned through user groups on authentication providers. The following provider types are supported:

  • VAST providers.

    Note

    To enable cluster admin and/or tenant admin users to configure user provisioning using a local provider, make sure the provider is enabled for management by the relevant user type. See {TBD}.

    The default VAST provider is initially enabled for management by cluster admin users but not by tenant admin users.

  • LDAP

  • Active Directory

Granting DataEngine Access and Permissions to Application Users

To grant application users access to DataEngine, add the users to a group. The group must be on a provider that is connected to the tenant, and in the tenant configuration the group must be explicitly granted DataEngine access.

To perform tasks such as creating triggers and pipelines on DataEngine, application users must be granted permissions through identity policies.

The procedure below guides you through selecting options in the tenant configuration that add the group to a predefined DataEngine role and assign the group a predefined identity policy that grants the specific permissions.

Provisioning Application Users for DataEngine

This procedure creates a user group on a provider that has access to DataEngine, adds users to the group, and grants the users in the group permission to perform DataEngine tasks such as creating triggers and functions and building pipelines.

  1. Create a user group on a provider.

    Tip

    If you are using a local (VAST) provider, you can do the following to create a user group:

    1. From the left navigation menu, choose User Management and then Local Groups.

    2. Click Create Local Group and complete the following fields:

      Name (required): The group name.

      GID: The group's GID number.

      Local Provider (required): Select the VAST provider with which the group will be associated.

    3. Click Create. The group is created.

  2. Connect the provider to the tenant and add the user group to the tenant for DataEngine access:

    1. From the left navigation menu, select Settings and then User Groups and Access.

    2. In the Group name field, start typing the name of the user group and select the group from the autocomplete suggestions.

    3. Enable Assign Group to DataEngine role. This setting adds the group to a VMS role that is created automatically for DataEngine.

      Note

      This setting is technically optional. If you do not select this option, you will need to separately add the user group to a VMS RBAC role as described in Managing Administrative Roles in VAST Web UI. This is because membership in a role that belongs to the tenant is required to enable login access to the tenant.

    4. Enable Assign DataEngine identity policy to group. This setting assigns the data-engine-TENANT_NAME identity policy to the group, where TENANT_NAME is the name of the tenant. This policy grants users permission to create and manage DataEngine resources.

      Note

      Enabling this policy is optional. If you choose not to enable it, the group will not have any permissions to perform DataEngine-related tasks until you assign another identity policy to the group. See Configuring Identity Policies for DataEngine.

      The content of the data-engine-TENANT_NAME identity policy is:

      {
        "Id": "DataEnginePolicy1757876601",
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DataengineTablesAccess",
            "Action": [
              "s3:HeadBucket",
              "s3:Tabular*Transaction",
              "s3:TabularList*",
              "s3:TabularGet*",
              "s3:TabularQueryData"
            ],
            "Effect": "Allow",
            "Resource": [
              "dataengine-*",
              "dataengine-*/*"
            ]
          },
          {
            "Sid": "DataEngineDefault",
            "Action": [
              "dataengine:CreateTrigger",
              "dataengine:CreateFunction",
              "dataengine:CreatePipeline"
            ],
            "Effect": "Allow",
            "Resource": [
              "vast:dataengine:triggers:*",
              "vast:dataengine:functions:*",
              "vast:dataengine:pipelines:*"
            ]
          }
        ]
      }

      Note

      The CreateTrigger, CreateFunction and CreatePipeline actions allow the user to create triggers, functions and pipelines and also to update, modify and view those triggers, functions and pipelines that the user created. The CreatePipeline action includes permission to configure function deployment.

    5. Click Update.

  3. Create users on the provider. Assign them to the user group. If the user is on a local provider, assign a password.

    Tip

    If you are using a local provider, you can do the following to create a user:

    1. From the left navigation menu, choose User Management and then Users.

    2. In the Users page that opens, click Create User and complete the following fields:

      Name (required): The user name.

      UID: The user's POSIX UID.

      Local Provider (required): Select the local provider with which the user will be associated.

      Leading group: The name of the user's leading group. This is the group assigned by default as the owning group of any files created by the user. Select the group you created in the previous step from the dropdown.

      Groups: Names of other groups that the user belongs to besides the leading group, also known as auxiliary groups. Select groups from the dropdown. If a group has not been added to the local provider, add the group first.

      Select tenant to see user details: Select the tenant from the list. Tenants associated with the selected local provider (if any) are shown, as well as the default tenant.

      Allow Create Bucket: Enable this setting.

      Allow Delete Bucket: Enable this setting.

    3. In the User Password section, enter a temporary password for the user, or click Generate Password to have one randomly generated. The password can be any string matching the password requirements set in the VMS Settings. The user will be required to change the password when they first log in using it. If the user has access to multiple tenants, the same password is used to log in to all of them.

    4. Click Create. The user is created.

  4. Grant each user an S3 access key pair. See ???

    Note

    S3 access key pairs are per tenant, even when a user belongs to multiple tenants that all use the same provider.

    Application users can also manage their own S3 access key pairs. If the user does not have S3 access keys, the user will be prompted to create a pair after logging in to the tenant.

  5. Attach identity policies as needed to the user and/or user group. If you applied the data-engine-TENANT_NAME identity policy to the user group you specified for DataEngine access in the tenant configuration, you may not need to apply further identity policies. See Configuring Identity Policies for DataEngine.

Configuring Identity Policies for DataEngine

DataEngine requires permissions to create buckets and to perform queries against VAST databases. For application users, these are granted through identity policies.

The predefined data-engine-TENANT_NAME identity policy grants users all permissions needed for DataEngine tasks. In the tenant configuration, if you select the Assign DataEngine identity policy to group option, this policy is applied to all the users in the user group specified under Who Can Access This Tenant (Data Engine) (as described in step 2 of the procedure above).

If you choose not to apply that identity policy to the user group, you can create custom identity policies and attach them to each user or to the group. For general information about creating and modifying identity policies and assigning them to users and groups, see Creating Identity Policies.

Note

The vast-data-engine-collector-policy is automatically created and applied to the DataEngine telemetry collector, to enable the collector to query DataEngine telemetry data.

DataEngine Permissions Granted through Identity Policies

The following actions are supported for DataEngine resources (triggers, functions and pipelines) in identity policies:

Action: Description

dataengine:CreateTrigger: Create trigger

dataengine:DeleteTrigger: Delete trigger

dataengine:GetTrigger: List triggers

dataengine:UpdateTrigger: Modify triggers

dataengine:CreateFunction: Create function

dataengine:DeleteFunction: Delete function

dataengine:GetFunction: List functions

dataengine:UpdateFunction: Modify functions

dataengine:CreatePipeline: Create pipelines

dataengine:DeletePipeline: Delete pipelines

dataengine:GetPipeline: List pipelines

dataengine:UpdatePipeline: Modify pipelines
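The following is an added example, not VAST's own code, that lets you review what a DataEngine identity policy (the predefined data-engine-TENANT_NAME policy shown above, or a custom one built from the actions in this table) actually permits on a given resource. It assumes IAM-style evaluation semantics (a "*" in an Action or Resource entry is a wildcard, and any request no Allow statement matches is denied); the read-only custom policy and the resource names are constructed for illustration.

```python
import fnmatch

# Added example, not VAST's code. Assumed semantics (not stated on the page): IAM-style
# evaluation, "*" in Action/Resource is a wildcard, unmatched requests are denied.

# The predefined data-engine-TENANT_NAME policy, as listed on the page.
DATA_ENGINE_POLICY = {
    "Id": "DataEnginePolicy1757876601",
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DataengineTablesAccess", "Effect": "Allow",
         "Action": ["s3:HeadBucket", "s3:Tabular*Transaction", "s3:TabularList*",
                    "s3:TabularGet*", "s3:TabularQueryData"],
         "Resource": ["dataengine-*", "dataengine-*/*"]},
        {"Sid": "DataEngineDefault", "Effect": "Allow",
         "Action": ["dataengine:CreateTrigger", "dataengine:CreateFunction",
                    "dataengine:CreatePipeline"],
         "Resource": ["vast:dataengine:triggers:*", "vast:dataengine:functions:*",
                      "vast:dataengine:pipelines:*"]},
    ],
}

# Constructed custom policy (not from the page): view triggers and pipelines only.
READ_ONLY_POLICY = {
    "Id": "DataEngineReadOnlyExample", "Version": "2012-10-17",
    "Statement": [{"Sid": "ViewOnly", "Effect": "Allow",
                   "Action": ["dataengine:GetTrigger", "dataengine:GetPipeline"],
                   "Resource": ["vast:dataengine:triggers:*",
                                "vast:dataengine:pipelines:*"]}],
}

# The twelve DataEngine actions documented in the table above.
DATAENGINE_ACTIONS = [f"dataengine:{verb}{res}"
                      for res in ("Trigger", "Function", "Pipeline")
                      for verb in ("Create", "Delete", "Get", "Update")]

def _matches(patterns, value):
    """True when value matches any glob-style pattern, case-sensitively."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """True if some Allow statement covers both the action and the resource."""
    return any(s.get("Effect") == "Allow"
               and _matches(s["Action"], action)
               and _matches(s["Resource"], resource)
               for s in policy["Statement"])

def allowed_actions(policy, resource, candidates=DATAENGINE_ACTIONS):
    """The subset of the candidate actions that the policy permits on the resource."""
    return [a for a in candidates if is_allowed(policy, a, resource)]
```

Note that a statement grants every listed action on every listed resource pattern, so the predefined DataEngineDefault statement pairs all three Create actions with all three resource types; when you write a narrower custom policy, check the Action/Resource pairing of each statement rather than the lists in isolation.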