Built-in Identity Management

AIStor includes a built-in identity management system for managing users and groups directly within your deployment. You can manage human and application users with either the AIStor Client command-line tool or the AIStor console. This page describes how to manage users with the AIStor Client.

Built-in users authenticate directly to AIStor with their access key and secret key. These identities coexist with any configured external identity providers; a deployment can use both at the same time.

For information on configuring external identity providers, see:

Create a user

  1. Run the mc admin user add command:

    mc admin user add ALIAS ACCESSKEY SECRETKEY
    

    Replace each of the following with the desired value:

    • ALIAS is the alias of the AIStor deployment.

    • ACCESSKEY is the username for the user account.

    • SECRETKEY is the password for the user account.

    Follow your company guidelines or requirements for uniqueness, randomness, and length when specifying the username and password. AIStor rejects access keys shorter than 3 characters and secret keys shorter than 8 characters.

    If needed, you can later retrieve the account username with the mc admin user info command. The secret key cannot be retrieved after the account is created: record it securely at creation time, or replace it with mc admin user add if it is lost.

  2. Run mc admin policy attach to attach an AIStor policy to the new user. The following command assigns the built-in readwrite policy:

    mc admin policy attach ALIAS readwrite --user=USERNAME
    

    Replace USERNAME with the value you assigned in the previous step.
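The two steps above as one script. This is an added example, not part of the AIStor documentation: it generates a secret key, validates both credentials against the server's minimum lengths before calling mc, creates the user, attaches a policy, and confirms the result with mc admin user info. The alias "myaistor", the user "app-backup", and the 40-character secret length are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the AIStor documentation: create a built-in user with a
# generated secret key, attach a policy, and confirm the result with mc admin user info.
# The alias "myaistor" and the user "app-backup" are hypothetical.
set -eu

MC="${MC:-mc}"   # run with MC=echo to print the mc commands instead of executing them

# Generate a random secret key of LEN characters (default 40) from [A-Za-z0-9].
# Assumes /dev/urandom; 40 characters is a length choice, not a server requirement.
gen_secret() {
  len="${1:-40}"
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# The server rejects access keys shorter than 3 and secret keys shorter than 8 characters;
# fail early with a clear message instead of a remote error.
validate_credentials() {
  access="$1" secret="$2"
  if [ "${#access}" -lt 3 ]; then
    echo "access key must be at least 3 characters" >&2; return 1
  fi
  if [ "${#secret}" -lt 8 ]; then
    echo "secret key must be at least 8 characters" >&2; return 1
  fi
}

# Create the user, attach a policy by name, and show the account as the server sees it.
create_user() {
  alias="$1" access="$2" secret="$3" policy="$4"
  validate_credentials "$access" "$secret"
  "$MC" admin user add "$alias" "$access" "$secret"
  "$MC" admin policy attach "$alias" "$policy" --user="$access"
  "$MC" admin user info "$alias" "$access"
}

# Usage: sh create-user.sh run
if [ "${1:-}" = "run" ]; then
  SECRET="$(gen_secret 40)"
  create_user myaistor app-backup "$SECRET" readwrite
  # The secret key cannot be read back from the server later; deliver it to the
  # application out of band and do not log it.
  echo "secret key for app-backup: $SECRET"
fi
```

Run it with `MC=echo sh create-user.sh run` first to review the exact mc invocations, then without the override against a real alias. The secret is printed once because there is no later way to retrieve it; in practice hand it to a secrets manager rather than a terminal.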

Delete a user

Run the mc admin user rm command:

mc admin user rm ALIAS USERNAME

where the value of:

  • ALIAS is the alias of the AIStor deployment.

  • USERNAME is the name of the user to remove.

User passwords

Users can change their own passwords at any time, regardless of their assigned policies.

To change a password, run mc admin user add with the existing username and the new password. The alias must be configured with credentials that are allowed to perform the change: either the user's own access key and secret key, or those of an administrator.

mc admin user add ALIAS USERNAME NEWPASSWORD

Replace USERNAME with the existing username and NEWPASSWORD with the new password. Clients that still authenticate with the old secret key are rejected once the change takes effect.

Users cannot modify other users’ accounts without the appropriate administrative permissions (the admin:CreateUser action for mc admin user add).

Manage groups

Groups provide a simplified method for managing shared permissions among users with common access patterns and workloads.

Create and manage groups with the mc admin group command.

For example, consider the following groups. Each group is assigned a built-in policy or supported policy action. Each group includes one or more users.

Group        Policy                                  Members
Operations   readwrite on finance bucket,            john.doe, jane.doe
             readonly on audit bucket
Auditing     readonly on audit bucket                jen.doe, joe.doe
Admin        admin:*                                 greg.doe, jen.doe

Each user’s total set of permissions consists of their explicitly assigned permissions and the inherited permissions from each of their assigned groups.

By default, AIStor denies access to any resource or operation not explicitly allowed by a user’s assigned or inherited policies. An explicit Deny statement in any attached policy overrides an Allow granted elsewhere.
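The group table above, realised with mc admin policy and mc admin group. This is an added example, not part of the AIStor documentation. The bucket-scoped policies in the table are not built in, so the script generates IAM-style policy documents, registers them with mc admin policy create, creates each group with its members, and attaches the policies to the group. The alias "myaistor", the "finance" and "audit" buckets, the policy names, and the exact S3 action lists are assumptions; the member users are assumed to exist already (see "Create a user").

```shell
#!/bin/sh
# Added example, not part of the AIStor documentation: build the Operations, Auditing and
# Admin groups from the table above. The alias "myaistor", the "finance" and "audit"
# buckets and the policy names are hypothetical; member users must already exist.
set -eu

MC="${MC:-mc}"   # run with MC=echo to print the mc commands instead of executing them

# Emit a policy document allowing the given S3 actions on one bucket and its objects.
# Usage: bucket_policy finance s3:GetObject s3:ListBucket
bucket_policy() {
  bucket="$1"; shift
  actions=""
  for a in "$@"; do
    actions="${actions:+$actions, }\"$a\""
  done
  printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [%s], "Resource": ["arn:aws:s3:::%s", "arn:aws:s3:::%s/*"]}]}\n' \
    "$actions" "$bucket" "$bucket"
}

# Emit a policy document allowing every admin:* action. Admin actions are not
# bucket-scoped, so the statement carries no Resource element.
admin_policy() {
  printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["admin:*"]}]}\n'
}

# Register a policy document (read from stdin) under NAME on the deployment.
create_policy() {
  alias="$1" name="$2"
  tmp="$(mktemp)"
  cat >"$tmp"
  "$MC" admin policy create "$alias" "$name" "$tmp"
  rm -f "$tmp"
}

# Create GROUP with the listed members, then attach each space-separated policy in POLICIES.
create_group() {
  alias="$1" group="$2" policies="$3"; shift 3
  "$MC" admin group add "$alias" "$group" "$@"
  for p in $policies; do
    "$MC" admin policy attach "$alias" "$p" --group="$group"
  done
}

setup() {
  alias="$1"
  bucket_policy finance s3:GetObject s3:PutObject s3:DeleteObject s3:ListBucket | create_policy "$alias" finance-readwrite
  bucket_policy audit s3:GetObject s3:ListBucket | create_policy "$alias" audit-readonly
  admin_policy | create_policy "$alias" admin-all
  create_group "$alias" Operations "finance-readwrite audit-readonly" john.doe jane.doe
  create_group "$alias" Auditing   "audit-readonly"                   jen.doe joe.doe
  create_group "$alias" Admin      "admin-all"                        greg.doe jen.doe
  # jen.doe is in both Auditing and Admin: her effective permissions are the union of
  # both groups' policies plus anything attached to her directly.
  "$MC" admin user info "$alias" jen.doe
}

# Usage: sh setup-groups.sh run
if [ "${1:-}" = "run" ]; then
  setup myaistor
fi
```

Preview with `MC=echo sh setup-groups.sh run` before running for real. Because access is deny-by-default, a member of Auditing alone can read the audit bucket and nothing else; membership in Admin adds admin:* but grants no S3 access, which is why Admin members who also need object access must be in a second group or carry a policy of their own.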