Supported Array Roles

The array roles indicate the level of access permissions that group members have to perform particular tasks. Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP) support the following roles:
  • Administrator: The user can perform all actions.
  • PowerUsers: The user can perform most actions. The user cannot perform user management tasks, set inactivity timeouts, or perform array setup.
  • Operator: The user can perform most management operations. The user cannot delete or remove data.
  • Guest: The user can view information and choose VMware subnets.

If the user belongs to a group that is not associated with any role, or if the group is disabled, the user cannot log in to the array.

If a user belongs to multiple groups that have different roles, the group-role mapping that is used depends on whether Active Directory or LDAP is being used:
  • Active Directory: The role with the fewest privileges is used.
  • LDAP: The role with the highest privileges is used.
NOTE: You can check a user's role by running the userauth --test_user command from the array CLI.
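
The multi-group rule above means the same memberships can yield different effective roles depending on the directory type. The following sketch models that rule so an exported membership list can be reviewed for conflicts before group rules are changed; it is an added example, not code from the array or its vendor. Assumptions: the privilege ranking follows the order in which the roles are listed above, disabled or unmapped groups are ignored when the user also has an enabled mapped group, and all group and user names are constructed sample data.

```python
# Added example: model of the group-to-role rules described above.
# Assumption: privilege ranking follows the order the page lists the roles in.
ROLE_RANK = {"Guest": 0, "Operator": 1, "PowerUsers": 2, "Administrator": 3}

def mapped_roles(user_groups, group_rules):
    """Roles granted by the user's groups that are mapped and enabled."""
    roles = set()
    for group in user_groups:
        role, enabled = group_rules.get(group, (None, False))
        if role is None or not enabled:
            continue  # unmapped or disabled group contributes nothing (assumption)
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r} on group {group!r}")
        roles.add(role)
    return roles

def effective_role(directory, user_groups, group_rules):
    """Return the role applied at login, or None when login is refused."""
    if directory not in ("AD", "LDAP"):
        raise ValueError(f"unknown directory type: {directory!r}")
    roles = mapped_roles(user_groups, group_rules)
    if not roles:
        return None
    # Active Directory: fewest privileges wins. LDAP: highest privileges wins.
    pick = min if directory == "AD" else max
    return pick(roles, key=ROLE_RANK.get)

def audit(directory, memberships, group_rules):
    """List users who are locked out or whose groups map to conflicting roles."""
    findings = []
    for user, groups in sorted(memberships.items()):
        roles = sorted(mapped_roles(groups, group_rules), key=ROLE_RANK.get)
        role = effective_role(directory, groups, group_rules)
        if role is None:
            findings.append((user, None, "login refused"))
        elif len(roles) > 1:
            findings.append((user, role, "conflicting roles: " + ", ".join(roles)))
    return findings

# Constructed sample data: {group: (role, enabled)} and {user: [groups]}.
RULES = {"storage-admins": ("Administrator", True), "helpdesk": ("Guest", True),
         "backup-ops": ("Operator", True), "contractors": ("PowerUsers", False)}
MEMBERS = {"alice": ["storage-admins", "helpdesk"], "bob": ["contractors"],
           "carol": ["backup-ops"], "dave": ["unmapped-team"]}

if __name__ == "__main__":
    for directory in ("AD", "LDAP"):
        for user, role, reason in audit(directory, MEMBERS, RULES):
            print(f"{directory:4} {user:6} -> {role}: {reason}")
```

Confirm any result that matters against the array itself with the userauth --test_user command mentioned in the note above.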

When an array administrator changes the group-based RBAC rules, users who log in after the change use the updated roles. Users who are already logged in receive the new privileges for subsequent operations.