Skip to main content

Tenant management permissions

Contributors netapp-madkat netapp-perveilerk netapp-lhalbert

Before you create a tenant group, consider which permissions you want to assign to that group. Tenant management permissions determine which tasks users can perform using the Tenant Manager or the Tenant Management API. A user can belong to one or more groups. Permissions are cumulative if a user belongs to multiple groups.

To sign in to the Tenant Manager or to use the Tenant Management API, users must belong to a group that has at least one permission. All users who can sign in can perform the following tasks:

  • View the dashboard

  • Change their own password (for local users)

For all permissions, the group's Access mode setting determines whether users can change settings and perform operations or whether they can only view the related settings and features.

Note If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features.

You can assign the following permissions to a group. Note that S3 tenants and Swift tenants have different group permissions.

Permission Description

Root access

Provides full access to the Tenant Manager and the Tenant Management API.

Note: Swift users must have Root access permission to sign in to the tenant account.

Administrator

Swift tenants only. Provides full access to the Swift containers and objects for this tenant account

Note: Swift users must have the Swift Administrator permission to perform any operations with the Swift REST API.

Manage your own S3 credentials

Allows users to create and remove their own S3 access keys. Users who don't have this permission don't see the STORAGE (S3) > My S3 access keys menu option.

Manage all buckets

  • S3 tenants: Allows users to use the Tenant Manager and the Tenant Management API to create and delete S3 buckets and to manage the settings for all S3 buckets in the tenant account, regardless of S3 bucket or group policies.

    Users who don't have this permission don't see the Buckets menu option.

  • Swift tenants: Allows Swift users to control the consistency level for Swift containers using the Tenant Management API.

Note: You can only assign the Manage all buckets permission to Swift groups from the Tenant Management API. You can't assign this permission to Swift groups using the Tenant Manager.

Manage endpoints

Allows users to use the Tenant Manager or the Tenant Management API to create or edit platform service endpoints, which are used as the destination for StorageGRID platform services.

Users who don't have this permission don't see the Platform services endpoints menu option.

Manage objects with S3 Console

When combined with the Manage all buckets permission, allows users to access the Experimental S3 Console from the Buckets page. Users who have this permission but who don't have the Manage all buckets permission can still navigate directly to the Experimental S3 Console.