Zone-based Role-based Access Control (zRBAC)

You can assign roles and a subset of privileges to users on a per-access-zone basis.

Role-based Access Control (RBAC) supports granting users privileges and the ability to perform certain tasks. Tasks such as creating, modifying, or viewing NFS exports, SMB shares, authentication providers, and various cluster settings can be performed through the Platform API.

Users may want to perform these tasks inside a single access zone. For example, a local administrator can be allowed to create SMB shares for a specific access zone but prevented from modifying configuration that would affect other access zones.

Before zRBAC, only users in the System Access Zone were given privileges. These users could view and modify configuration in all other access zones. Thus, a user with a specific privilege was a global administrator for any configuration that was accessible through that privilege.

zRBAC enables you to assign roles and a subset of privileges that must be assigned on a per-access-zone basis. Administrative tasks that the zone-aware privileges cover can be delegated to an administrator of a specific access zone. As a result, you can create a local administrator who is responsible for a single access zone. A user in the System Access Zone can affect all other access zones, and remains a global administrator.
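
The scoping rule described above can be modeled as a small authorization check for reviewing who is effectively a global administrator. This is an added illustration, not product code: the Grant structure, the user and zone names, the privilege labels, and the choice of which labels count as zone-aware are all assumptions made for the example.

```python
from dataclasses import dataclass

SYSTEM_ZONE = "System"
# Assumption: constructed labels, not real privilege names. "smb" and "nfs"
# stand for zone-aware privileges; "cluster" stands for one that is not.
ZONE_AWARE = frozenset({"smb", "nfs"})

@dataclass(frozen=True)
class Grant:
    user: str
    zone: str              # access zone in which the role is assigned
    privileges: frozenset  # privilege labels carried by the role

def is_valid(grant):
    """Outside the System zone a role may carry only zone-aware privileges."""
    return grant.zone == SYSTEM_ZONE or grant.privileges <= ZONE_AWARE

def is_allowed(grants, user, privilege, target_zone):
    """System-zone grants reach every zone; other grants reach only their own."""
    return any(
        is_valid(g) and g.user == user and privilege in g.privileges
        and g.zone in (SYSTEM_ZONE, target_zone)
        for g in grants
    )

def reach(grants, user, privilege, zones):
    """Zones in which `user` may exercise `privilege`."""
    return sorted(z for z in zones if is_allowed(grants, user, privilege, z))

def global_admins(grants):
    """Users to review first: a privilege held in the System zone is cluster-wide."""
    found = {}
    for g in grants:
        if g.zone == SYSTEM_ZONE:
            found.setdefault(g.user, set()).update(g.privileges)
    return found

# Constructed sample data.
ZONES = ["System", "zone1", "zone2"]
GRANTS = [
    Grant("root_admin", "System", frozenset({"smb", "nfs", "cluster"})),
    Grant("zone1_admin", "zone1", frozenset({"smb"})),
    # Rejected by is_valid: "cluster" is not zone-aware in this model.
    Grant("zone2_admin", "zone2", frozenset({"smb", "cluster"})),
]

if __name__ == "__main__":
    for name in ("root_admin", "zone1_admin", "zone2_admin"):
        print(name, "smb ->", reach(GRANTS, name, "smb", ZONES))
    print("global:", global_admins(GRANTS))
```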