AIStor Identity Management

You can manage human and application users for your AIStor deployment with either the mc command-line tool or the AIStor console. You create these users and assign policies to them. You can also create groups of users to assign policies to.

See Identity and Access Management.

This page explains how to work with the built-in AIStor identity management solution. You can also integrate with external identity management solutions.

Manage users

Create a user

  1. Run the mc admin user add command:

    mc admin user add ALIAS ACCESSKEY SECRETKEY

    where the value of:

    • ALIAS is the alias of the AIStor deployment.

    • ACCESSKEY is the username for the user account. You can retrieve the username with the mc admin user info command.

    • SECRETKEY is the password for the user account. You cannot retrieve the password after the account is created.

    Make sure to specify a unique, random, and long string for the username and password. Your organization may have specific internal or regulatory requirements for these values.

  2. Run mc admin policy attach to attach an AIStor policy to the new user. The following command assigns the built-in readwrite policy:

    mc admin policy attach ALIAS readwrite --user=USERNAME

    where the value of USERNAME is the value you assigned in the previous step.
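The two steps above can be wrapped so that the access key and secret key are generated at the required length and checked before anything is sent to the cluster. The following script is an added example, not part of the AIStor documentation or the mc tool. It assumes mc is installed and that ALIAS has already been configured with `mc alias set`; the minimum lengths (20 and 40 characters) and the allowed character set are this example's own choices, not an AIStor requirement.

```shell
#!/usr/bin/env sh
# Added example (not from the AIStor docs or the mc project): generate long random
# credentials, validate them, then run the two mc commands from the procedure above.
# Assumptions: mc is installed and ALIAS is already configured with `mc alias set`.

# Minimum lengths are this example's own policy, not an AIStor requirement.
MIN_ACCESS_KEY_LEN=20
MIN_SECRET_KEY_LEN=40

# Print LEN random characters drawn from [A-Za-z0-9], sourced from /dev/urandom.
gen_credential() {
    len="$1"
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Return 0 when VALUE is at least MIN characters long and contains only
# [A-Za-z0-9_.-]; short or oddly encoded values are rejected before reaching mc.
validate_credential() {
    value="$1"
    min="$2"
    [ "${#value}" -ge "$min" ] || return 1
    case "$value" in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# create_user ALIAS POLICY
# Creates a user with generated credentials and attaches POLICY (for example readwrite).
create_user() {
    alias="$1"
    policy="$2"
    access_key=$(gen_credential "$MIN_ACCESS_KEY_LEN")
    secret_key=$(gen_credential "$MIN_SECRET_KEY_LEN")
    validate_credential "$access_key" "$MIN_ACCESS_KEY_LEN" || { echo "generated access key failed validation" >&2; return 1; }
    validate_credential "$secret_key" "$MIN_SECRET_KEY_LEN" || { echo "generated secret key failed validation" >&2; return 1; }

    # Step 1: create the user.
    mc admin user add "$alias" "$access_key" "$secret_key" || return 1
    # Step 2: attach the policy to the new user (USERNAME is the access key).
    mc admin policy attach "$alias" "$policy" --user="$access_key" || return 1

    # The secret key is shown once here; AIStor cannot retrieve it afterwards.
    printf 'access key: %s\nsecret key: %s\n' "$access_key" "$secret_key"
}

# Usage: sh create-user.sh ALIAS [POLICY]   (POLICY defaults to readwrite)
if [ "$#" -ge 1 ]; then
    create_user "$1" "${2:-readwrite}"
fi
```

Run it as `sh create-user.sh ALIAS readwrite`; the printed secret key is the only copy you will get, so store it in your secrets manager immediately. The validation step is deliberately separate from generation so the same check can be applied to credentials supplied by a human rather than generated here.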

Delete a user

Run the mc admin user rm command:

mc admin user rm ALIAS USERNAME

where the value of:

  • ALIAS is the alias of the AIStor deployment.

  • USERNAME is the name of the user to remove.

Manage groups

Groups provide a simplified method for managing shared permissions among users with common access patterns and workloads.

You create and manage groups with the mc admin group command.

For example, consider the following groups. Each group is assigned a built-in policy or supported policy action. Each group includes one or more users. Each user’s total set of permissions consists of their explicitly assigned permissions and the inherited permissions from each of their assigned groups. AIStor by default denies access to any resource or operation not explicitly allowed by a user’s assigned or inherited policies.

Group        Policy                         Members
Operations   readwrite on finance bucket,   john.doe, jane.doe
             readonly on audit bucket
Auditing     readonly on audit bucket       jen.doe, joe.doe
Admin        admin:*                        greg.doe, jen.doe
All rights reserved 2024-Present, MinIO, Inc.