Identity & Access Overview
MASS uses a certificate-based identity model. Every user, machine, or service that accesses
storage must have a registered Identity backed by a TLS certificate.
Authentication
MASS authenticates clients using mutual TLS (mTLS). The certificate's Common Name (CN) is
used as the primary lookup key to find the corresponding Identity resource.
Authentication sources:
- Local (default): Certificates managed by the MASS certificate authority
- LDAP: Enterprise directory integration (contact MangoBoost through Dashboard → System → Support for configuration)
- OIDC: OpenID Connect provider integration (contact MangoBoost through Dashboard → System → Support for configuration)
Authorization
Authorization is two-layered:
- Role (Identity-level): Global system role controls what API operations the identity can perform
- AccessPolicy (resource-level): Grants specific data permissions (read, write, delete) on Volumes
Role Hierarchy
super_admin
├── storage_admin (manages infrastructure)
├── identity_manager (manages users and policies)
├── volume_manager (creates and manages volumes)
├── operator (operational tasks, monitoring)
├── auditor (read-only audit access)
├── usergroup_admin (manages group memberships)
├── viewer (read-only all resources)
└── member (basic access, data access via AccessPolicies only)
AccessPolicy Scopes
system-wide
└── volumegroup (applies to all Volumes in the group)
    └── volume (applies to a single Volume)
A member with no AccessPolicies has no data access. An AccessPolicy with scope: volume and
permissions: [read, write] grants data access to that specific Volume only.
Identity Lifecycle
PENDING_APPROVAL → ACTIVE → SUSPENDED → REVOKED
- PENDING_APPROVAL: Identity created but not yet approved by an identity_manager
- ACTIVE: Normal operating state
- SUSPENDED: Temporarily blocked from accessing the system
- REVOKED: Permanently removed; TLS certificate invalidated
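The scope rules above (system-wide covers everything, volumegroup covers its Volumes, volume covers one Volume) and the lifecycle states combine into a single data-access decision. The following is an added illustration written for this page, not MASS code; the field names, the dataclasses and the rule that any non-ACTIVE state denies are assumptions, and the sample identities and Volumes are constructed.

```python
from dataclasses import dataclass, field

DATA_PERMISSIONS = {"read", "write", "delete"}  # what an AccessPolicy can grant

@dataclass(frozen=True)
class Volume:
    name: str
    volumegroup: str

@dataclass(frozen=True)
class AccessPolicy:
    scope: str              # "system-wide", "volumegroup" or "volume"
    permissions: frozenset  # subset of DATA_PERMISSIONS
    target: str = ""        # volumegroup or Volume name; unused for system-wide

@dataclass
class Identity:
    cn: str                 # certificate Common Name, the mTLS lookup key
    role: str               # governs API operations, not data access
    status: str             # PENDING_APPROVAL / ACTIVE / SUSPENDED / REVOKED
    policies: list = field(default_factory=list)

def policy_covers(policy, volume):
    """True when the policy's scope includes the given Volume."""
    if policy.scope == "system-wide":
        return True
    if policy.scope == "volumegroup":
        return policy.target == volume.volumegroup
    if policy.scope == "volume":
        return policy.target == volume.name
    return False  # an unrecognised scope grants nothing

def data_access_allowed(identity, volume, permission):
    """Data-plane decision: an ACTIVE identity needs a covering AccessPolicy
    that lists the permission; the role plays no part in this layer."""
    if permission not in DATA_PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    if identity.status != "ACTIVE":  # assumption: every non-ACTIVE state denies
        return False
    return any(permission in p.permissions and policy_covers(p, volume)
               for p in identity.policies)

# Constructed sample data, not taken from the page.
VOL_A = Volume("vol-a", "vg-prod")
VOL_B = Volume("vol-b", "vg-prod")
ALICE = Identity("alice", "member", "ACTIVE",
                 [AccessPolicy("volume", frozenset({"read", "write"}), "vol-a")])
BOB = Identity("bob", "member", "ACTIVE")  # member with no AccessPolicies
CAROL = Identity("carol", "member", "SUSPENDED",
                 [AccessPolicy("volumegroup", frozenset(DATA_PERMISSIONS), "vg-prod")])
```

With this data, alice can read and write vol-a but not delete it or touch vol-b, bob gets nothing, and carol's group-wide policy is inert while she is SUSPENDED.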