A FlashArray is set up with LDAP authentication. A user is a member of the groups associated with both Array Admin and Storage Admin.
What experience is expected for the user?
Similar to the previous question regarding directory services, Pure Storage Purity OS handles Role-Based Access Control (RBAC) overlaps by granting the most permissive role available to the user.
When configuring LDAP or Active Directory authentication on a FlashArray, administrators map directory groups to specific FlashArray roles (Array Admin, Storage Admin, Ops Admin, Read Only). If a user happens to be a member of multiple LDAP groups that are mapped to different roles on the array, Purity evaluates all mapped roles and automatically assigns the user the highest level of privilege during their session.
Since 'Array Admin' has full administrative rights over the entire array (including hardware management, directory services configuration, and firmware upgrades) and sits higher in the hierarchy than 'Storage Admin' (which is restricted to provisioning and managing storage objects like volumes and hosts), the system will seamlessly grant the user Array Admin permissions.
Here is why the other options are incorrect:
User will not be able to login (B): Purity is designed to handle this exact scenario smoothly. It resolves the conflict by defaulting to the higher privilege, rather than throwing an error or denying access.
User will have Storage Admin permissions (C): The system does not default to the lowest privilege or restrict access when a higher-level group membership is present and valid.
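The resolution rule described above doubles as a least-privilege check: any user whose groups map to more than one role ends up with the highest of them. The following Python audit is an added example, not Pure Storage code; the group DNs, the user names, and the relative ranking of Ops Admin and Read Only are assumptions made for illustration.

```python
# Added example: flag users whose directory groups map to more than one array role.
# Group DNs and users are constructed sample data, not taken from any real array.

# The page states Array Admin outranks Storage Admin; where Ops Admin and
# Read Only sit in the order is an assumption of this example.
ROLE_RANK = {"Read Only": 0, "Ops Admin": 1, "Storage Admin": 2, "Array Admin": 3}

GROUP_TO_ROLE = {  # constructed group-to-role mapping, keys lower-cased
    "cn=pure-arrayadmins,ou=groups,dc=example,dc=com": "Array Admin",
    "cn=pure-storageadmins,ou=groups,dc=example,dc=com": "Storage Admin",
    "cn=pure-readonly,ou=groups,dc=example,dc=com": "Read Only",
}

MEMBERSHIPS = {  # constructed user -> memberOf values
    "alice": ["CN=Pure-ArrayAdmins,OU=Groups,DC=example,DC=com",
              "CN=Pure-StorageAdmins,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=Pure-StorageAdmins,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Helpdesk,OU=Groups,DC=example,DC=com"],
}

def mapped_roles(groups, group_to_role=GROUP_TO_ROLE):
    """Roles reachable through the user's groups (DNs compared case-insensitively)."""
    return {group_to_role[g.strip().lower()] for g in groups
            if g.strip().lower() in group_to_role}

def effective_role(groups, group_to_role=GROUP_TO_ROLE):
    """Most permissive mapped role, or None when no group is mapped."""
    roles = mapped_roles(groups, group_to_role)
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None

def audit_overlaps(memberships, group_to_role=GROUP_TO_ROLE):
    """Report users holding several mapped roles and the role that wins."""
    findings = []
    for user, groups in sorted(memberships.items()):
        roles = mapped_roles(groups, group_to_role)
        if len(roles) > 1:
            winner = effective_role(groups, group_to_role)
            findings.append({
                "user": user,
                "effective": winner,
                "shadowed": sorted(roles - {winner}, key=ROLE_RANK.__getitem__),
            })
    return findings

if __name__ == "__main__":
    for f in audit_overlaps(MEMBERSHIPS):
        print(f"{f['user']}: effective={f['effective']} shadowed={f['shadowed']}")
```

Each finding is a candidate for removing the user from the higher-privilege group if only the lower role was intended.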