This section explains how Role-Based Access Control (RBAC) for users and groups works in Qumulo Core, explains the role types, and shows how to manage them by using the Qumulo Core Web UI.
To share management responsibilities with others, you can grant specific privileges to a user or group—locally or through Active Directory—by using RBAC.
- For changes to take effect, a user account with newly assigned roles must log out of Qumulo Core and then log back in (or its sessions must time out).
- Because certain privileges (such as replication-write privileges) can overwrite or move data to a location where a user has greater (or total) permissions, use special care when you grant privileges to roles and users.
Built-In Roles
Qumulo Core includes built-in roles that provide predefined privileges for common administrative operations to typical access control personas. This section explains the use cases and the authorization scope for each built-in role.
Administrators
Only the default administrator account can access a Qumulo cluster by using SSH.
This role is suitable for system administrators. Users with this role have full access to, and control of, the cluster, including:
- Configuration and management of general cluster settings for audit logging, snapshots, replication, quotas, and so on by using the Qumulo Core Web UI, REST API, or
qqCLI - Creation of files and directories in any current and future directories
- Reading of any files and file attributes and listing of any directories in any current and future directories
- Deletion or renaming of any files and directories in any current and future directories
- Changing of ownership and permissions for any files and directories in any current and future directories
Data-Administrators
This role is suitable for Qumulo REST API and qq CLI users who don’t have access to the Qumulo Core Web UI but have the same file privileges as those of the Administrators role, including:
- Read and write permissions for all NFS, SMB, quota, and snapshot REST APIs
- Read-only permissions for local REST API users
- Access to analytics and file system
Observers
This role is suitable for users or groups who can access the Qumulo Core Web UI and read-only REST APIs (with the exception of DEBUG REST APIs and authentication settings).
- Clusters that run Qumulo Core 3.0.5 (and higher) don't assign the Observers role automatically and non-administrative users don't have access to the Qumulo Core Web UI or read-only APIs (unless you explicitly assign the necessary role to specific usernames).
- It is possible to assign both Data-Administrators and Observers roles to a single user. This can give the user the ability to manage data on your Qumulo cluster by using the Qumulo Core Web UI without full administrative access.
Qumulo-Support
- Because Azure Native Qumulo is a managed service, the Qumulo Care Team has access to your cluster's configuration regardless of how the
Qumulo-SupportRBAC role is configured on your cluster. </ul> </div> This role is suitable for members of the Qumulo Care Team who access and support your Qumulo cluster. Users with this role have: * Read permissions for REST API endpoints that control cluster configuration * Write permissions (including `DEBUG` REST APIs) for internal debugging features * Permissions for REST API endpoints that help debug integration with external services (such as Active Directory, LDAP, and DNS) ## Custom Roles {#custom-roles} For information about managing RBAC and creating custom roles by using the `qq` CLI, see the following sections in the QumuloqqCLI Command Guide: *qq auth_assign_role*qq auth_create_role*qq auth_list_privileges*qq auth_modify_role*qq auth_unassign_role## Managing Roles by Using the Qumulo Core Web UI This section explains how to add a member to, and remove a member from, an existing Qumulo Core role and how to create and edit a custom role. ### To Add a Member to an Existing Qumulo Core Role 1. Log in to the Qumulo Core Web UI. 1. Click **Cluster > Role Management**. 1. On the **Role Management** page, next to the role to assign, click **Add Member**. 1. In the **Add Member to <Role Type>** dialog box, enter the **Trustee** and then click **Yes, Add Member**.Tip1. Click **Yes, Assign Role**. ### To Remove a Member from an Existing Qumulo Core Role 1. Log in to the Qumulo Core Web UI. 1. Click **Cluster > Role Management**. 1. On the **Role Management** page, next to the user or group to remove from a role, click
For examples of valid trustees, click
.
.
### To Create a Custom Qumulo Core Role
1. Log in to the Qumulo Core Web UI.
1. Click **Cluster > Role Management**.
1. On the **Role Management** page, on the the upper-right side, click **Create Role**.
1. On the **Create Role** page:
1. Enter a **Name** and **Description**.
1. Select the privileges to add to the role and click **Save**.
### To Edit a Custom Qumulo Core Role
1. Log in to the Qumulo Core Web UI.
1. Click **Cluster > Role Management**.
1. On the **Cluster Management** page, next to the role to edit, click 
.
1. On the **Edit <Role Name>** page, select the privileges to include in the role and click **Save**.