This section explains how Role-Based Access Control (RBAC) for users and groups works in Qumulo Core, explains the role types, and shows how to manage them by using the Qumulo Core Web UI.
To share management responsibilities with others, you can grant specific privileges to a user or group—locally or through Active Directory—by using RBAC.
- For changes to take effect, a user account with newly assigned roles must log out of Qumulo Core and then log back in (or its sessions must time out).
- Because certain privileges (such as replication-write privileges) can overwrite or move data to a location where a user has greater (or total) permissions, use special care when you grant privileges to roles and users.
Built-In Roles
Qumulo Core includes built-in roles that provide predefined privileges for common administrative operations to typical access control personas. This section explains the use cases and the authorization scope for each built-in role.
Administrators
Only the default administrator account can access a Qumulo cluster by using SSH.
This role is suitable for system administrators. Users with this role have full access to, and control of, the cluster, including:
- Configuration and management of general cluster settings for audit logging, snapshots, replication, quotas, and so on by using the Qumulo Core Web UI, REST API, or
qqCLI - Creation of files and directories in any current and future directories
- Reading of any files and file attributes and listing of any directories in any current and future directories
- Deletion or renaming of any files and directories in any current and future directories
- Changing of ownership and permissions for any files and directories in any current and future directories
Data-Administrators
This role is suitable for Qumulo REST API and qq CLI users who don’t have access to the Qumulo Core Web UI but have the same file privileges as those of the Administrators role, including:
- Read and write permissions for all NFS, SMB, quota, and snapshot REST APIs
- Read-only permissions for local REST API users
- Access to analytics and file system
Observers
This role is suitable for users or groups who can access the Qumulo Core Web UI and read-only REST APIs (with the exception of DEBUG REST APIs and authentication settings).
- Clusters that run Qumulo Core 3.0.5 (and higher) don't assign the Observers role automatically and non-administrative users don't have access to the Qumulo Core Web UI or read-only APIs (unless you explicitly assign the necessary role to specific usernames).
- It is possible to assign both Data-Administrators and Observers roles to a single user. This can give the user the ability to manage data on your Qumulo cluster by using the Qumulo Core Web UI without full administrative access.
Qumulo-Support
- The built-in
Qumulo-SupportRBAC role doesn't include file-level access to your cluster's data. - When you register your Qumulo cluster with Nexus to enable Remote Support, Qumulo Core assigns the
qumulosupport:everyonetrustee to theQumulo-SupportRBAC role. You can assign other roles to this trustee. - If you delete the default assignment, Qumulo Core removes all the permissions that the Qumulo Care Team requires to support your Qumulo cluster.
- You can create a custom RBAC role for the Qumulo Care Team and assign the
qumulosupport:everyonetrustee to this custom role. - If you use a custom RBAC role for the Qumulo Care Team, review any changes to the built-in
Qumulo-Supportrole after upgrading your Qumulo cluster and apply these changes to your custom RBAC role.
This role is suitable for members of the Qumulo Care Team who access and support your Qumulo cluster. Users with this role have:
- Read permissions for REST API endpoints that control cluster configuration
- Write permissions (including
DEBUGREST APIs) for internal debugging features - Permissions for REST API endpoints that help debug integration with external services (such as Active Directory, LDAP, and DNS)
Custom Roles
For information about managing RBAC and creating custom roles by using the qq CLI, see the following sections in the Qumulo qq CLI Command Guide:
Managing Roles by Using the Qumulo Core Web UI
This section explains how to add a member to, and remove a member from, an existing Qumulo Core role and how to create and edit a custom role.
To Add a Member to an Existing Qumulo Core Role
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > Role Management.
-
On the Role Management page, next to the role to assign, click Add Member.
-
In the Add Member to <Role Type> dialog box, enter the Trustee and then click Yes, Add Member.
Tip
For examples of valid trustees, click
. -
Click Yes, Assign Role.
To Remove a Member from an Existing Qumulo Core Role
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > Role Management.
-
On the Role Management page, next to the user or group to remove from a role, click
.
To Create a Custom Qumulo Core Role
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > Role Management.
-
On the Role Management page, on the the upper-right side, click Create Role.
-
On the Create Role page:
-
Enter a Name and Description.
-
Select the privileges to add to the role and click Save.
-
To Edit a Custom Qumulo Core Role
-
Log in to the Qumulo Core Web UI.
-
Click Cluster > Role Management.
-
On the Cluster Management page, next to the role to edit, click
. -
On the Edit <Role Name> page, select the privileges to include in the role and click Save.