Skip to main content
Pure Technical Services

vSphere Client: Role-Based Access Control (RBAC)

Currently viewing public documentation. Please login to access the full scope of documentation.


What is Role-Based Access Control?

At the most basic level Role-Based Access Control (RBAC) is a security method used to determine which permissions a user is granted based on the role they play within their company. When utilizing RBAC individual users are often associated with other users that perform similar functions within groups. That group is then associated with the role(s) that are deemed necessary for them to successfully complete their jobs. Using the approach not only creates simplicity for administrators but is also less error prone than trying to track permissions for each user individually. 

If further information is required, outside of what is provided above, please refer to the references listed below for an in-depth review of RBAC.

How does RBAC work in Pure Storage plugin?

By default, the vSphere Client plugin allows all vSphere users to provision and manage FlashArrays within vSphere. By implementing the plugin's Role-Based Access Control (RBAC) feature the vSphere administrator is able to enforce which vSphere users should have permission to manage FlashArrays through the vSphere Client. All access control is implemented through vSphere's native permission structure and supports both vSphere local domain and Active Directory users.

While configuring RBAC through the plugin new permission objects for FlashArray functionality are added into vCenter permission objects. It is important to note that RBAC access configuration does not override vSphere privileges. A vSphere user still requires all vCenter privileges required to complete what task is being requested. So if a vSphere user does not have all permissions required to create a datastore, then the creation request will still fail. The vSphere Client RBAC feature is complimentary to vSphere's permission structure, not overriding.

Lastly, the RBAC feature can be enabled for all FlashArrays that are configured within the plugin or for only specific FlashArrays. This is an optional feature in versions where it is available and is not required.

The vSphere Client User Guides contain additional in-depth information regarding this feature.

Which versions of the Pure Storage plugin implement the RBAC feature?

HTML Versions RBAC Support Notes
5.0.0 and later Yes RBAC support was added to the remote HTML plugin starting in 5.0.0.
4.0.0 to 4.5.2 No RBAC support is not planned for these versions.


Flash Client Versions RBAC Support Notes
2.5.0 - 3.1.3 Yes 3.1.3 is the preferred version for RBAC due to an Active Directory (AD) integration fix.
2.1.0 and earlier No  

Pure Storage vSphere Client Release Notes

NOTE: Please note that all versions of the Pure Storage plugin are compatible with vCenter RBAC. The above table outlines the versions of the plugin that provide additional RBAC features for use with Pure Storage FlashArrays.