3. Cluster and Tenant Admins


VAST’s Management System enables cloud service providers (CSPs) to securely delegate administrative responsibilities across both cluster-wide and tenant-specific scopes. Cluster Admins manage the full system—hardware, capacity planning, global policies, auditing, and user provisioning—while Tenant Admins are scoped to their own isolated environments, with access only to tenant-specific resources and policies.

This separation is essential for multi-tenant environments where individual customers or business units require limited self-service capabilities without impacting the rest of the system. For example:

  • A CSP can assign Tenant Admin access to a Kubernetes service account used by a CSI driver, enabling automated provisioning without exposing global settings.

  • An internal DevOps team managing a data pipeline can monitor and adjust NFS view policies, quotas, and lifecycle rules within its tenant without affecting other teams’ resources.

  • Compliance officers within a tenant can view audit logs and access metrics relevant only to their tenant data.

Cluster Admins

  • Have full visibility across the cluster, including all tenants, system resources, and configurations.

  • Retain all previously available privileges, governed by RBAC roles and permissions.

  • May be restricted by:

    • Tenant Privacy Mode, which hides tenant-specific details.

    • Local Identity Provider delegation, when managed by a Tenant Admin.

  • Can access CNodes and DNodes if explicitly granted via RBAC roles.

Tenant Admins

  • Administer only their assigned tenant, with access limited to:

    • Views, View Policies, Quotas, and Lifecycle Rules

    • Replication policies: Only when the peer cluster includes a tenant of the same name.

    • Identity Policies, Local Identity Provider settings, and S3 key management for remote users.

| Tenant Admin Can | Tenant Admin Cannot |
|---|---|
| Manage users and Tenant Admins within their own tenant | Create, modify, or view VIP Pools |
| Define and assign custom roles within their tenant | Add new Identity Providers |
| Manage Identity Policies and Local Identity Provider | See cluster hardware details |
| Assign S3 keys to remote users | View events outside their tenant |
| | Log in to CNodes/DNodes |
| | Use the vcli interface |

Tenant Login Rules

  • Single-tenant systems don’t have tenant admins; app users map to the default tenant.

  • To define tenant admins, add their group to the tenant admins list in the tenant config.

  • To define app users, add their group to the app users list in the tenant config (even if there is only one tenant).

  • A user can be listed in only one of the above lists (tenant admin or app user, not both).

  • Users are logged in to a tenant based on the providers attached to the tenant.

| User Source | Login URL | Allowed Roles |
|---|---|---|
| VMS Manager | Without Tenant | Cluster Admin |
| VMS Manager | With Tenant | Tenant Admin |
| External Provider (LDAP/AD) | Without Tenant | Cluster Admin; App User (if there is only one tenant) |
| External Provider (LDAP/AD) | With Tenant | Tenant Admin; App User |
| Local Provider | Without Tenant | Cluster Admin (future); App User (if there is only one tenant, and the user is on the app users list in the default tenant) |
| Local Provider | With Tenant | Tenant Admin (future); App User |
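The login rules and role table above, modeled as an added example (not VMS code and not part of the original page). The dict keys and the group, user and provider labels are hypothetical, refusing a user found on both lists is this model's choice, and only logins through a tenant URL with an external or local provider are covered.

```python
# Added example: a model of the tenant login rules, not VMS code.
# Dict keys (providers, tenant_admin_groups, app_user_groups) are hypothetical.

# Roles the table allows when the login URL names a tenant.
# "Tenant Admin (future)" for the local provider is left out.
ROLES_WITH_TENANT = {
    "external": ("Tenant Admin", "App User"),   # LDAP/AD
    "local": ("App User",),
}

def users_in_both_lists(tenant, directory):
    """Users whose groups put them on both the tenant admins and app users lists.

    The lists hold groups, but the rule is per user: two different groups
    can still place one user on both lists.
    """
    admins = set(tenant["tenant_admin_groups"])
    apps = set(tenant["app_user_groups"])
    return sorted(user for user, groups in directory.items()
                  if admins & set(groups) and apps & set(groups))

def resolve_tenant_login(tenant, source, user, directory):
    """Role for `user` logging in at the tenant URL, or None if refused."""
    if source not in tenant["providers"]:
        return None                     # provider is not attached to this tenant
    if user in users_in_both_lists(tenant, directory):
        # Model's choice: treat the conflict as a config error, not a login.
        raise ValueError(f"{user} is on both lists of tenant {tenant['name']}")
    groups = set(directory.get(user, ()))
    allowed = ROLES_WITH_TENANT.get(source, ())
    if groups & set(tenant["tenant_admin_groups"]) and "Tenant Admin" in allowed:
        return "Tenant Admin"
    if groups & set(tenant["app_user_groups"]) and "App User" in allowed:
        return "App User"
    return None

# Constructed sample data (not from a real cluster).
TENANT = {"name": "company-z", "providers": ["external"],
          "tenant_admin_groups": ["cz-storage-admins"],
          "app_user_groups": ["cz-engineers"]}
DIRECTORY = {"alice": ["cz-storage-admins"],
             "bob": ["cz-engineers"],
             "carol": ["cz-storage-admins", "cz-engineers"],
             "dave": ["other-team"]}

if __name__ == "__main__":
    print("on both lists:", users_in_both_lists(TENANT, DIRECTORY))
    for name in ("alice", "bob", "dave"):
        print(name, "->", resolve_tenant_login(TENANT, "external", name, DIRECTORY))
```

The case worth auditing is `carol`: neither group is on both lists, yet her two memberships together break the one-list-per-user rule.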

Creating a New Manager

Via VMS Web Interface

[Figure: VMS screenshot creating a new tenant. The "Create Manager" page has fields for username, password expiration settings and user type (Cluster Admin or Tenant Admin), plus options to assign roles and create new realms.]

To create a new manager account in the VAST Management System (VMS):

  1. Navigate to:
    Administrators → Managers → Create

  2. Enter Manager Details:

    • Set username, password (for local accounts), or leave blank for AD-based users.

    • Provide optional metadata, such as name or email.

  3. Choose User Type:

    • Cluster Admin → global administrative access

    • Tenant Admin → restricted access scoped to a specific tenant

  4. Assign a Tenant (Tenant Admin only):

    • Select the relevant tenant name.

    • Roles shown will be restricted to that tenant.

  5. Assign Role(s):

    • Choose roles previously defined in the system.

    • The dropdown will only show roles appropriate to the selected user type.

      • Cluster Admins see only cluster-wide roles.

      • Tenant Admins see only roles linked to their tenant.

  6. Save

Delegated Admin Creation: A Tenant Admin can also create new managers, but only if their role includes access to the Management Realm.

Notes:

  1. To access Tenant VMS, use the following URL with the corresponding username and password:
    https://<vms-address>/#/login/<tenant-name>

  2. Upon initial login to the Web UI, newly created tenant or cluster managers are prompted to update their password. The admin can therefore assign a temporary password during creation, which the manager changes on first access.

Cluster Manager Dashboard

The Cluster Manager Dashboard provides a comprehensive overview of the entire system's health and performance. It displays real-time metrics such as data reduction ratios, bandwidth, IOPS, and latency, along with a detailed inventory of active hardware components (CNodes, DNodes, SCMs, SSDs). Graphs illustrate trends in bandwidth, IOPS, and latency, helping administrators monitor workload patterns and detect anomalies.

[Figure: VMS Manage Dashboard]

Tenant Manager Dashboard

The Tenant Manager Dashboard offers a focused view of a specific tenant's activity and resource usage. It shows total and used capacity, as well as snapshot usage, but currently reports no active data or users. This dashboard is designed to help tenant administrators track top users and views, bandwidth consumption, and performance trends specific to their isolated environment.

[Figure: Tenant management dashboard]

Example Creating Managers via vastpy-cli

Create Tenant

$ vastpy-cli post tenants name=company-z
property                         |value
---------------------------------+-------------------------------------------------+
id                               |25
guid                             |6443163f-1aed-499d-bfdc-ca88e2cb6246
name                             |company-z
url                              |https://vast-cluster/api/tenants/25
title                            |company-z
...

Create a tenant admin

$ vastpy-cli post users name=companyz-admin2 uid=1471 tenant_id=25 role=tenant_manager password=XXXXXXXX
property            |value                                                  
--------------------+-------------------------------------------------------+
id                  |1026                                                     
guid                |8d1d6c48-a7db-493c-9fb5-91dfce4a11ae                   
name                |companyz-admin2                                       
url                 |https://vast-file-server-vms-kfs2/api/users/1026         
title               |companyz-admin2                                       
uid                 |1471                                                                                                                            

Create a new view policy

$ vastpy-cli post viewpolicies name=company-z-policy-1 tenant_id=25
property                                 |value
-----------------------------------------+------------------------------------------------------+
id                                       |73
guid                                     |d22ee03f-6046-4891-a369-87d89666a213
name                                     |company-z-policy-1
...

Create a view under /home using NFS

$ vastpy-cli post views path=/home create_dir=true protocols='["NFS"]' tenant_id=25 policy_id=73
property                               |value
---------------------------------------+-------------------------------------------------+
id                                     |8865
guid                                   |74a10c5d-34ac-4b88-8846-4278f22d7689
name                                   |view-8865
url                                    |https://vast-file-server-vms-kfs2/api/views/8865
title                                  |/home
path                                   |/home

Show Views


$ vastpy-cli get views fields=id,path,tenant_id
id   |path                  |tenant_id 
-----+----------------------+----------+    
8865 |/home                 |25         
...  |..                    |..      

Delete View


$ vastpy-cli delete views/8865

Delete Tenant


$ vastpy-cli delete tenants/25
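As an added example (not part of the original page or of vastpy), the script below parses the `get views fields=id,path,tenant_id` listing shown under Show Views and reports any view whose tenant_id is not the tenant the account is scoped to. Run against output produced with a Tenant Admin's credentials, an empty result is the expected outcome; the sample listing and every id in it other than 8865 and 25 are constructed.

```python
def parse_table(text):
    """Parse the pipe-delimited table that vastpy-cli prints into row dicts."""
    header, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if "|" not in line:
            continue                  # command echo, blank line or ruler line
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells            # first piped line names the columns
        elif len(cells) == len(header) and any(c.strip(".") for c in cells):
            rows.append(dict(zip(header, cells)))   # skips "... |.. |.." filler
    return rows

def views_outside_tenant(listing, tenant_id):
    """Rows of a views listing that belong to a tenant other than tenant_id."""
    rows = parse_table(listing)
    if rows and "tenant_id" not in rows[0]:
        raise ValueError("no tenant_id column; request fields=id,path,tenant_id")
    return [r for r in rows if r["tenant_id"] != str(tenant_id)]

# Constructed listing in the format shown above; view 412 is the planted leak.
SAMPLE = """\
$ vastpy-cli get views fields=id,path,tenant_id
id   |path                  |tenant_id
-----+----------------------+----------+
8865 |/home                 |25
8870 |/projects             |25
412  |/finance              |7
...  |..                    |..
"""

if __name__ == "__main__":
    for row in views_outside_tenant(SAMPLE, 25):
        print("view outside tenant 25:", row["id"], row["path"],
              "tenant_id=" + row["tenant_id"])
```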