VAST Cluster provides you with a granular system for controlling administrative permissions. It works like this:
Administrative users who can access the management clients (VAST Web UI, VAST CLI, and VAST API) are referred to as managers.
Managers can belong to security groups called roles.
You can assign permissions to managers and to roles.
Managers inherit permissions from any roles they belong to. Example: The manager admin has permission to create analytics reports because the administrators role has permission to create analytics reports and admin belongs to administrators.
The management functionality is separated into realms. Realms are specific sets of managed objects and functions. You can allow a manager to access some realms without allowing the same manager to access other realms. The following realms are defined:
Events. Includes alarms, events, and event definition management, managed via the Alarms and Events page.
Hardware. Includes hardware component management, including all field replacement functionality, via the Maintenance and Hardware pages.
Logical. Includes configuration of object and file storage, such as NFS exports, quotas and VIP pools, via the Configuration page.
Monitoring. Includes monitoring VAST Cluster with analytics reports, via the Analytics page.
Security. Includes management of managers, roles, and client users of storage on VAST Cluster, via the Security page.
Settings. Includes miscellaneous settings managed via the Settings page.
Support. Includes support-related functionality, managed via the Support page.
You can assign a manager (or role) permission to access specific managed objects without permitting access to the entire realm to which the object belongs.
For example, you could assign a specific manager permission to access the LDAP server configuration, part of the Security realm, without giving the manager the ability to access the other objects in the realm (managers, roles and users).
For any realm or object, you can specify any combination of four distinct types of access: create, view, edit and delete.
For example, if you give a manager create, view and edit permissions to the Configuration realm and you do not give the manager delete permission to the Configuration realm, the user will be able to create, view and edit exports, export policies, quotas, and VIP pools, but will not be able to delete any objects of those types.
You cannot explicitly deny permission to specific objects or realms.