Fine-Grained RBAC in Nutanix Prism Central

From the Archives · Video Series · 3 parts

Where the Theory Gets Real

IAM is easy to understand in theory. The bouncer analogy, the valet key, the hospital nurse — they all make sense on a whiteboard. But theory only gets you so far. At some point, you need to see it inside a real product, with real UI, real roles, and real consequences when you get it wrong.

Back at Nutanix, I had the chance to do exactly that. I recorded a three-part video series on Fine-Grained RBAC in Prism Central 2024.1 — the management plane for Nutanix clusters. If RBAC and IAM feel abstract after reading the theory, these videos are the concrete version.

Prism Central is a great case study because it implements almost every concept from the IAM playbook. It speaks SAML to external IdPs like ADFS or Okta. It supports LDAP and local users. It has a full RBAC system with roles, permissions, and entity-level scoping. In 2024.1, it added fine-grained permissions — the kind of granular, least-privilege control enterprise security teams actually want.

Watch them in order. Identity comes in via SAML or LDAP, roles decide what users can do, and fine-grained permissions let admins get surgical about entity-level access. Same concepts, specific product.

The Series

▶ PART 01 · OVERVIEW

Introducing Fine-Grained RBAC Features in PC 2024.1

The big-picture tour: what IAM means inside Prism Central, the model shift in 2024.1, and why fine-grained permissions matter for enterprise clusters.

https://www.youtube.com/watch?v=F3VbXvWLvCc&t=6s

▶ PART 02 · SYSTEM-DEFINED ROLES

Assigning User Access to System-Defined Roles

Walking through the built-in roles shipped with Prism Central — what each one can do out of the box, and how to assign them to real users and groups.

https://www.youtube.com/watch?v=43NvEEzsSmg&t=4s

▶ PART 03 · CUSTOM ROLES

Fine-Grained RBAC — Custom Roles & Permissions

Going beyond the built-ins: creating custom roles with exactly the permissions you need, scoped to specific entities. Least-privilege in practice.

https://www.youtube.com/watch?v=-j4Z1zW0G4w&list=PLAHgaS9IrJecWIw-c6Yxanp1G116qYTB1

What to take away

RBAC is one of those things that sounds simple — give people the access their role requires, nothing more — until you're the one configuring it across a production cluster with 50 admins, three departments, and a compliance audit due next quarter.

What Prism Central 2024.1 gets right is the move toward entity-level scoping. It's not enough to say "this person is a viewer." The real question is: a viewer of what, on which clusters, under which conditions? Fine-grained permissions make that question answerable without a mountain of custom scripting.
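To make the "viewer of what, on which clusters" question concrete, here is a small policy evaluator that models the three ideas the series walks through: roles map to permission sets, an assignment binds a principal to a role inside a scope (everything, one entity kind, one entity, or one cluster and the entities hosted on it), and every check is deny-by-default. This is an added illustration, not Nutanix code and not the Prism Central API; the role names, permission strings, entity ids and the `cluster` attribute on VMs are all constructed for the example.

```python
"""Minimal RBAC evaluator with entity-level scoping (illustrative, not Prism Central's API)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

ALL = "*"  # wildcard: every entity kind, or every entity of a kind


@dataclass(frozen=True)
class Entity:
    kind: str                    # constructed kinds: "cluster", "vm"
    id: str
    cluster: Optional[str] = None  # owning cluster for a VM (constructed attribute)


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope_kind: str   # ALL, or the entity kind the scope refers to
    scope_id: str     # ALL, or one entity id of that kind


# Role -> permissions. Constructed for the example; a real product ships its own catalogue.
ROLES = {
    "viewer": {"cluster:view", "vm:view"},
    "vm_operator": {"vm:view", "vm:power_on", "vm:power_off"},
    "cluster_admin": {"cluster:view", "cluster:update",
                      "vm:view", "vm:power_on", "vm:power_off", "vm:delete"},
}


def in_scope(a: Assignment, e: Entity) -> bool:
    """True if the assignment's scope covers entity e."""
    if a.scope_kind == ALL:
        return True
    if a.scope_kind == e.kind:
        return a.scope_id in (ALL, e.id)
    # A cluster-scoped assignment also covers entities hosted on that cluster.
    if a.scope_kind == "cluster" and e.cluster is not None:
        return a.scope_id in (ALL, e.cluster)
    return False


def is_allowed(assignments: Iterable[Assignment], principal: str,
               action: str, entity: Entity) -> bool:
    """Deny-by-default: allowed only if some assignment grants the action in scope."""
    for a in assignments:
        if a.principal != principal:
            continue
        if action not in ROLES.get(a.role, set()):   # unknown role grants nothing
            continue
        if in_scope(a, entity):
            return True
    return False


def effective_permissions(assignments: Iterable[Assignment], principal: str,
                          entity: Entity) -> Set[str]:
    """Union of actions the principal may perform on this entity; useful for an access review."""
    granted: Set[str] = set()
    for a in assignments:
        if a.principal == principal and in_scope(a, entity):
            granted |= ROLES.get(a.role, set())
    return granted


# Constructed sample inventory and assignments.
PROD_EAST = Entity("cluster", "prod-east")
PROD_WEST = Entity("cluster", "prod-west")
VM_42 = Entity("vm", "vm-42", cluster="prod-east")
VM_7 = Entity("vm", "vm-7", cluster="prod-west")

SAMPLE_ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", "viewer", ALL, ALL),               # viewer of everything
    Assignment("bob", "viewer", "cluster", "prod-east"),   # viewer of one cluster only
    Assignment("carol", "vm_operator", "vm", "vm-42"),     # operator of a single VM
    Assignment("dave", "cluster_admin", "cluster", "prod-east"),
]

if __name__ == "__main__":
    for who, action, ent in [("alice", "vm:power_on", VM_42), ("bob", "vm:view", VM_42),
                             ("bob", "vm:view", VM_7), ("carol", "vm:delete", VM_42),
                             ("dave", "vm:delete", VM_42), ("dave", "vm:delete", VM_7)]:
        print(f"{who:6} {action:13} on {ent.id:10} -> {is_allowed(SAMPLE_ASSIGNMENTS, who, action, ent)}")
```

The two checks worth carrying into any real configuration are visible here: `bob` and `alice` hold the same role yet differ only in scope, and `effective_permissions` answers the audit question ("what can this account actually do to this VM?") without reading every role definition by hand.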