Roles Reference
Every Identity in MASS has a role that controls what actions it can perform across the system. A role is assigned when the identity is created and can be updated at any time.
Built-in Roles
| Role | Description |
|---|---|
| super_admin | Full system access, including identity and role management. Use only for break-glass scenarios. |
| storage_admin | Create and manage VolumeGroups, Volumes, and cluster-wide storage settings. |
| operator | Operational tasks: monitor nodes, view hardware status, manage node lifecycle. |
| volume_manager | Create and manage Volumes and VolumeGroups, but cannot change cluster settings. |
| identity_manager | Create and manage Identities and AccessPolicies. |
| auditor | Read-only access to audit logs and system status. No configuration changes. |
| viewer | Read-only access to all resources. |
| usergroup_admin | Manage group membership only. |
| member | Default role. No system privileges; data access is granted exclusively through AccessPolicies. |
Recommendations for Initial Setup
When setting up the cluster for the first time, consider creating the following accounts:
| Account purpose | Recommended role |
|---|---|
| Day-to-day storage administration | storage_admin |
| User and access management | identity_manager |
| Monitoring and reporting | auditor or viewer |
| Regular users who mount volumes | member (access via AccessPolicy) |
Avoid using super_admin for routine operations; reserve it for emergency access when the other administrator accounts are unavailable. For the monitoring account, prefer auditor when audit logs and system status are all that is needed: viewer can read every resource, so it is the broader of the two grants.
Custom Roles
In addition to the built-in roles, you can create custom roles tailored to your organization's needs. Navigate to Access → Roles → + Add Role to define a role with a specific set of permissions.
Custom roles allow you to apply the principle of least privilege — granting each identity only the access it requires, without relying on a built-in role that may be broader than needed.
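The following is an added illustration of the least-privilege decision this section describes; it is not MASS code. It models each built-in role as a set of permissions inferred from the descriptions above (the permission names such as `volumes:write` and the exact sets are assumptions, since this page does not document MASS's real permission identifiers), excludes super_admin as a candidate because the page reserves it for break-glass use, and, for a given set of required permissions, reports either the built-in role that fits exactly or the narrowest built-in role together with the excess permissions it would grant, which is the case where a custom role is the better choice.

```python
"""Least-privilege role selection against a hypothetical permission model.

Added example, not MASS code. Permission names and the role-to-permission
mapping are assumptions inferred from the role descriptions on this page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Permission = str
RoleName = str

# Resource kinds a "viewer" can read; "all resources" is modelled as every kind listed here.
_RESOURCES = ("volumes", "volumegroups", "nodes", "hardware", "identities",
              "accesspolicies", "groups", "settings", "audit", "status")

# Hypothetical permission sets for the built-in roles (super_admin deliberately omitted).
BUILT_IN_ROLES: Dict[RoleName, FrozenSet[Permission]] = {
    "member": frozenset(),  # no system privileges; data access comes from AccessPolicies
    "auditor": frozenset({"audit:read", "status:read"}),
    "viewer": frozenset(f"{r}:read" for r in _RESOURCES),
    "usergroup_admin": frozenset({"groups:read", "groups:write"}),
    "operator": frozenset({"nodes:read", "hardware:read", "status:read", "nodes:lifecycle"}),
    "volume_manager": frozenset({"volumes:read", "volumes:write",
                                 "volumegroups:read", "volumegroups:write"}),
    "storage_admin": frozenset({"volumes:read", "volumes:write",
                                "volumegroups:read", "volumegroups:write",
                                "settings:read", "settings:write"}),
    "identity_manager": frozenset({"identities:read", "identities:write",
                                   "accesspolicies:read", "accesspolicies:write"}),
}


@dataclass(frozen=True)
class Recommendation:
    custom: bool                            # True when no built-in role fits exactly
    role: Optional[RoleName]                # built-in role to assign when custom is False
    narrowest_builtin: Optional[RoleName]   # closest built-in when custom is True (None: only super_admin covers)
    excess: FrozenSet[Permission]           # what that built-in would grant beyond the requirement


def known_permissions() -> FrozenSet[Permission]:
    """Every permission granted by at least one non-super_admin built-in role."""
    return frozenset().union(*BUILT_IN_ROLES.values())


def covering_roles(required: Iterable[Permission]) -> List[Tuple[RoleName, FrozenSet[Permission]]]:
    """Built-in roles that grant every required permission, paired with their
    excess permissions, narrowest first. Rejects permissions the model does not know,
    so a typo cannot silently produce "no role covers this"."""
    req = frozenset(required)
    unknown = req - known_permissions()
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    hits = [(name, perms - req) for name, perms in BUILT_IN_ROLES.items() if req <= perms]
    hits.sort(key=lambda item: (len(item[1]), item[0]))
    return hits


def recommend_role(required: Iterable[Permission]) -> Recommendation:
    """Exact built-in fit if one exists; otherwise recommend a custom role and
    show how much the narrowest built-in would over-grant."""
    hits = covering_roles(required)
    if hits and not hits[0][1]:
        return Recommendation(custom=False, role=hits[0][0], narrowest_builtin=None, excess=frozenset())
    if hits:
        name, excess = hits[0]
        return Recommendation(custom=True, role=None, narrowest_builtin=name, excess=excess)
    # Nothing short of super_admin covers the requirement: a custom role is the only
    # alternative to handing out break-glass access.
    return Recommendation(custom=True, role=None, narrowest_builtin=None, excess=frozenset())


if __name__ == "__main__":
    for label, need in [
        ("volume lifecycle only", {"volumes:read", "volumes:write"}),
        ("audit reporting", {"audit:read", "status:read"}),
        ("volumes plus identities", {"volumes:write", "identities:write"}),
        ("mounts data via AccessPolicy", set()),
    ]:
        rec = recommend_role(need)
        if rec.custom:
            print(f"{label}: custom role; narrowest built-in {rec.narrowest_builtin}, "
                  f"excess {sorted(rec.excess)}")
        else:
            print(f"{label}: built-in {rec.role}")
```

Run as a script it shows the four situations the section cares about: a requirement that a built-in role over-serves (volume_manager also grants VolumeGroup management), one that a built-in role fits exactly (auditor), one that no single built-in role covers without reaching for super_admin, and an identity that needs no system privileges at all, which maps to member with access granted through an AccessPolicy.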