Introduction to Role Based Access Control
Role Based Access Control (RBAC) enables PowerScale administrators to delegate administrative tasks to cluster-authenticated users. Roles can be assigned to users and groups to control administrative access. By default, only the root and admin users have access to the CLI and the web interface. The root and admin users can add administrative privileges to other users or create custom roles. As the role of the cluster grows across departments, you must ensure that each additional user has only the minimum required access level, both to enforce security and to maintain accountability.
Before OneFS 8.2.0, roles and privileges could be created and assigned only from the System access zone. In those releases, all administrators, including administrators who hold privileges through membership of a role, must connect to the System access zone to configure the cluster. When these administrators log in to the cluster through the WebUI, SSH, or API interface, they can view and modify all access zones in the cluster, subject to the privileges they have been granted. For more information about RBAC, see the OneFS CLI Administration Guide.
Beginning with OneFS 8.2.0, Zone-aware Role Based Access Control (ZRBAC) provides more granular cluster administration. Administrators might want to delegate administrative tasks in one specific access zone to a user while preventing that user from controlling other access zones. ZRBAC supports this requirement by enabling roles and a subset of privileges to be assigned at the level of an individual access zone. A user in the System access zone can still view and modify all non-System access zones. There are two roles for zone-specific administration: ZoneAdmin and ZoneSecurityAdmin. Administrators from non-System access zones can connect to a cluster only through the WebUI or API interface. The following table outlines the access methods supported by RBAC and ZRBAC:
| | Zone | WebUI access | API access | SSH access |
|---|---|---|---|---|
| RBAC (before OneFS 8.2.0) | System access zone | √ | √ | |
| ZRBAC (OneFS 8.2.0 and later) | System access zone | √ | √ | √ |
| | Non-System access zone | √ | √ | |