User impersonation lets you handle client users' requests against an NFS export or SMB share using a preconfigured impersonator user account. When an NFS or SMB client user creates or accesses a file or directory stored on the VAST cluster, the operation is handled as though it is performed by the impersonator.
Scope of User Impersonation
User impersonation applies to NFS and SMB access only. A view that has user impersonation enabled cannot be accessed through S3.
When user impersonation is in effect:
Starting with VAST Cluster 5.3.2, permission checks are made for the impersonator (the user account used instead of the original user). Access checks against the share-level ACLs set for the view are performed for the original user (the one that sent the RPC).
Prior to VAST Cluster 5.3.2, the permission checks, including checks against share-level ACLs, were made for the impersonator (the user account used instead of the original user).
The impersonator becomes the owner of files and directories being created on the user-impersonated view.
Access-Based Enumeration (ABE) is performed per impersonator.
Attribute-Based Access Control (ABAC) is performed per impersonator.
Quota calculations and accounting are done for the impersonator and its primary group.
Any file replicated from a view for which user impersonation is in effect will have the same owner and owning group on the replica.
The following capabilities are not affected by user impersonation:
User authentication (Kerberos, NTLM) is performed per impersonated user (the original user that sent the RPC).
Protocol audit records show the impersonated user.
Note
When VAST protocol auditing is enabled on a user-impersonated view, only the UID of the impersonated user is included in the log. The user's login name and SID are not included.
Quality of Service (QoS) policies are applied per impersonated user.
Data flow reporting is done per impersonated user.
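The permission-check split described above (share-level ACL evaluated for the original user from 5.3.2 on, file-level checks always evaluated for the impersonator) is easy to get wrong when reasoning about who can reach a file. The following Python model is an added illustration, not VAST code: the User, File and share_acl structures are assumptions, and the share ACL is simplified to an allow list of user names. It shows that every client user on the view acts as one identity at the file level, so from 5.3.2 the share-level ACL is the only per-user gate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int                      # primary group
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class File:
    owner_uid: int
    owner_gid: int
    mode: int                     # POSIX mode bits, e.g. 0o640

def posix_allows(user: User, f: File, want: str) -> bool:
    """Classic owner/group/other check for one of 'r', 'w', 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user.uid == f.owner_uid:
        shift = 6
    elif user.gid == f.owner_gid or f.owner_gid in user.groups:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)

def effective_access(original: User, impersonator: User, share_acl: frozenset,
                     f: File, want: str, version: tuple) -> tuple:
    """Return (allowed, reason). Before 5.3.2 the share ACL is evaluated for the
    impersonator; from 5.3.2 on it is evaluated for the original user.
    File-level checks always use the impersonator (assumed model)."""
    acl_subject = impersonator if version < (5, 3, 2) else original
    if acl_subject.name not in share_acl:
        return False, f"share ACL denies {acl_subject.name}"
    if not posix_allows(impersonator, f, want):
        return False, f"file mode denies impersonator {impersonator.name}"
    return True, f"allowed as {impersonator.name}"

def create_file(impersonator: User, mode: int) -> File:
    """Files created on an impersonated view are owned by the impersonator."""
    return File(impersonator.uid, impersonator.gid, mode)

if __name__ == "__main__":
    alice = User("alice", 1001, 100)            # constructed sample users
    svc = User("svc_impersonator", 5000, 5000)
    f = create_file(svc, 0o600)                 # created through the view
    acl = frozenset({"svc_impersonator"})       # share ACL lists only the impersonator
    for v in ((5, 3, 1), (5, 3, 2)):
        print(v, effective_access(alice, svc, acl, f, "r", v))
```

Running it shows the same request allowed on 5.3.1 and denied on 5.3.2, because the share ACL names only the impersonator and not alice.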
Setting Up the Impersonator
A disabled user or the Everyone user cannot be used as the impersonator.
If the user-impersonated view has the NFS protocol enabled, the impersonator must have an NFS User ID (UID) and Group ID (GID).
If the user-impersonated view has the SMB protocol enabled, the impersonator must have a Security Identifier (SID).
Note
Changing the impersonator may affect client access. To avoid permission denied errors, clients should remount the view after the change.
Configuring User Impersonation for a View
The view must meet the following requirements:
The view's tenant is not configured to use SMB native authentication.
The view's view policy has No Squash set to * (all hosts).
The view for which user impersonation is to be used cannot have protocols other than NFSv3, NFSv4, and SMB in its list of enabled protocols.
To configure user impersonation in VAST Web UI:
Go to the User Impersonation tab in the view settings (Element Store -> Views -> create or edit a view).
Toggle the Enable user impersonation option on.
Enter the name of the impersonator in the Select user field.
To do so, start typing the user name in the field. When a list of matching users is displayed, select the user you want from the list.
Click Create or Update to save your changes.