Hitachi Command Suite 8 User Guide
Have a look at the manual Hitachi Command Suite 8 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 913 Hitachi manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Related references • Required roles and resource groups by function on page 108 Changing the lock status of user accounts A user account can be locked or unlocked by an administrator. Procedure 1. On the Administration tab, select Users and Permissions . This will launch a user management window. 2. Click Users , select the check box for the user whose lock status you want to change. 3. Click Lock Users or Unlock Users . A verification dialog box displays. 4. Click Ok to lock or unlock the account, or click Cancel. 5. Verify that the user account has been locked (a lock icon displays in the user list), or that the previously locked user can now log in. Related concepts • About user accounts and controlling access to resources on page 84 Related tasks • Changing the password for a user account on page 89 Configuring external authentication for users External authentication systems can be used to authenticate user logins. External authentication systems, such as LDAP (for example, Active Directory), RADIUS, or Kerberos may be used to authenticate HCS users as they log in. You can re-configure existing accounts, or create new accounts to use external authentication. Prerequisites • The HCS server must be linked to an external authentication server. See the Hitachi Command Suite Administrator Guide . • The HCS server must be configured to support user authentication, which activates the Change Auth button in the GUI, and which presentsauthentication options such as Internal for a local account, or LDAP forexternal authentication. • The HCS user ID must exist on the external authentication server. It is recommended that user ID information be acquired from the external authentication server administrator before creating accounts. Procedure 1. From the Administration tab, select Users and Permissions . Setting up users and access control91Hitachi Command Suite User Guide
2.Select Users folder, then select one or more users (using the checkbox) whose authentication method you want to change, or click Add User to create a new account.Note: When creating a new account, only the User ID is required for external authentication, and must match a user ID on the external authentication server. For a local (internal) account, a User ID and Password are both required. When external authentication is available, new user accounts created without a password value are automatically configured to use external authentication (for example, LDAP is selected for you). Fill in the desired fields, and click OK to create the user account. 3. If you have selected existing users, click Change Auth. A dialog box is displayed. From the drop down list, select the desired authentication method (for example, LDAP) and click OK. The user list will be re- displayed. 4. Review the Authentication column to verify the authentication method. Result On the next login attempt by each user, the users login credentials (user ID and password) will be validated using the external authentication server. Tip: Set permissions or roles so that the registered user can perform necessary operations using HCS products. Also consider adding user accounts to user groups with assigned roles for controlled access to resource groups. Related concepts • About user accounts and controlling access to resources on page 84 Related tasks • Configuring external authentication for groups on page 92 Related references • User ID and password policies on page 87 Configuring external authentication for groups External authentication systems can be used to authenticate user groups. External authentication systems, such as LDAP (for example, Active Directory), RADIUS, or Kerberos may be used to authenticate HCS user group members as they log in. You can configure one or more user groups, from one or more external authentication servers. When linking with an external authentication server, if using together with Active Directory as an external authorization server, user permissions can be managed by using the Active Directory groups (authorization groups) 92Setting up users and access controlHitachi Command Suite User Guide
registered on the external authorization server. In this case, user permissions
are specified for each group.
Prerequisites
• The HCS server must be linked to an external authentication (authorization) server. See the Hitachi Command Suite Administrator
Guide .
• The HCS server must be configured to support group authentication, which activates the Groups folder in the GUI.
• The HCS user group must exist on the external authentication (authorization) server. It is recommended that domain and group
information, as required below, be acquired from the external
authentication server administrator.
Procedure 1. From the Administration tab, select Users and Permissions .
2. Click the Groups folder to display the Domain List. This is a list of
external authentication servers listed by domain name, and host name or
IP address. If the Groups folder is not displayed, see the pre-requisites
above.
3. Select the desired Domain Name to display the Group List, which may
be empty ('No Groups' is displayed). Click Add Groups.
4. Enter the Distinguished Name for the group. Use Check DN to verify a
correct DN entry. Click Ok to save your group and re-display the Group
List . Note that the Group Name is derived from the entered DN. To
specify multiple groups, note that:
• You can add multiple DNs at the same time using the " +" button
• If multiple DNs are listed, you can remove an entry with the " -" button
• Reset clears all DN entries
5. From the Group List , click the Group Name link, then click Change
Permission and set the HCS permissions for the group (repeat this for
each new group).
6. Your groups will now be visible from the Administration tab, User
Groups . You can affiliate the groups with resource groups and roles, just
like HCS user groups. If you delete external authentication groups from
Users and Permissions at a later time, the groups are also removed
from the User Groups list.
Result
On the next login attempt by each group member, the users login credentials (User ID and Password) will be validated using the external authentication
(authorization) server.Tip: To delete registered authorization groups, select the check boxes of the
groups to be deleted, and then click Delete Groups.Setting up users and access control93Hitachi Command Suite User Guide
Related concepts • About user accounts and controlling access to resources on page 84 Related tasks • Configuring external authentication for users on page 91 Related references • User ID and password policies on page 87 Deleting user accounts If user accounts are no longer needed for accessing HCS, for example if users leave the organization, you can delete the user accounts. Procedure 1. On the Administration tab, select Users and Permissions . 2. Select Users in the navigation pane, and then select the users to delete. 3. Click Delete Users . 4. Click OK. Result The user accounts you deleted no longer appear in the list of user accounts. Controlling access to resources This module describes how to control access to resources. About access control Within a managed SAN environment, user accounts are created, added to user groups, and the user groups affiliated with resource groups and assigned roles to provide controlled access to functionality available in Device Manager and Tiered Storage Manager (GUI). • A user group consists of local user accounts, or accounts from external authentication systems • A resource group consists of storage system resources (storage systems, parity groups, DP pools, LDEV IDs, and storage ports) • Assigned roles for resource groups provide either full, partial, or read-only access to resource group resources This creates an access control policy that allows secure data handling in multi-tenant environments and supports more efficient and secure operations. An access control policy can be used for: • Data center hosting services• Management of departments in an organization 94Setting up users and access controlHitachi Command Suite User Guide
• Management of locations in an organizationA user group is a group of users who can access the same resources with the same user permissions. Externally authenticated groups can also be used as user groups. When you assign resource groups and roles (user permissions, such as Admin, Modify, View or Custom) to a user group, resources are consistently controlled for the users in that group. When the storage system is Virtual Storage Platform G1000, you can use custom roles to specify one or more roles and user permissions at a more detailed, granular level. For example, you can allow: • Provisioning operations • Remote copy operations• System resource operations• Storage encryption key and authentication management• Audit log management Resource groups can be created in this configuration only when the storage system is Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM. The following figure illustrates user groups and their permissions (standard Admin, Modify and View roles) for accessing resources. The use of custom roles is not shown here, but is illustrated in the user group topics. Custom roles provide more granular permissions to specific functionality. For Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM systems, physical configurations such as parity groups, and logical configurations such as LDEV IDs, are used to create resource groups. After resource groups are created, they can then be assigned to user groups. Setting up users and access control95Hitachi Command Suite User Guide
Related references • Access control examples on page 96 Access control examples The following examples show how resource groups can control access in a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM system. One method for dividing resources would be by separating resources based on company location. For example, if you create resource groups based on location, the administrators in each location are limited to using only the resources that have been assigned to them, and are restrictedfrom accessing the resources of other locations. It is also possible to share physical resources (such as parity groups or storage ports) among departments, and divide only logical resources (such as DP pools, LDEV IDs, or host group numbers) by department. For example, you can assign resource groups that contain shared physical resources to all departments, and then assign individual resource groups that contain specificlogical resources to the appropriate departments. This allows department 96Setting up users and access controlHitachi Command Suite User Guide
administrators to use only the resources assigned to them, while still allowingfor effective sharing of physical resources. Related concepts • About resource groups on page 97 • About user groups on page 102 • About access control on page 94 About resource groups Resources can be grouped by system resource types that include storage system, parity groups, DP pools, LDEV IDs, and storage ports. Note: When DP pools are registered to resource groups, related DP pool volumes and their LDEV IDs are also registered. There are several types of resource groups: • All Resources is a resource group that is created during management server installation and includes all resources managed by HCS. For Setting up users and access control97Hitachi Command Suite User Guide
example, a user who is a member of one of the built-in user groups for AllResources has access to all storage systems. • Default ResourceGroup is the name for default resource groups that are created as storage systems are discovered and registered. A user who is a member of a user group in a default resource group has access to all of the storage system resources. • Resource pool is another type of resource group. A resource pool is a resource group to which resources of a virtual storage machine in a Virtual Storage Platform G1000 belong, when the resources have not been added to any individual resource group. There are two types of resource pools. There are resource pools on the default virtual storage machine, and resource pools that are automatically created on user-defined virtual storage machines. You can check the resource pools on user-defined virtual storage machines from the resource group list. • User-defined resource groups defining more specific storage access can be created for the Virtual Storage Platform G1000, Virtual Storage Platform,and Unified Storage VM depending on the operating environment.Resources can be grouped by parity groups, DP pools, LDEV IDs, or storage ports. Resource group definitions in Device Manager are applied to the storage system when using the Virtual Storage Platform G1000. However, these resource group definitions are not applied to other storage systems. Resource groups, which are user-defined, can be set for the Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM. Only default resource groups are created for other storage systems. Each resource is automatically registered in the All Resources and in Default resource groups created for its storage system (this group cannot be deleted). If a volume that is part of a LUSE volume is registered in a resource group, other volumes in that LUSE volume are also registered in the same resource group. For the Virtual Storage Platform G1000, when you register a part of a parity group that is part of a concatenated parity group to a resource group, other parity groups that are a part of the concatenated parity group will also be registered in the same resource group automatically. If the resource is in a Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM system, you can register it in only one user-defined resource group. Related concepts • About user groups on page 102 • About virtual storage machines on page 264 Related tasks • Creating resource groups on page 100 • Editing a resource group on page 100 • Assigning resource groups and roles to a user group on page 129 98Setting up users and access controlHitachi Command Suite User Guide
Related references • Prerequisites for creating resource groups on page 99 • Access control examples on page 96 Prerequisites for creating resource groups Resources can be grouped by system resource types that include storagesystems, parity groups, DP pools, LDEV IDs, and storage ports. The following list identifies the conditions for creating a user-defined user group for the Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM. All of the following resources can be set to create a user-defined group for a Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM. • Parity Groups: Includes parity groups and volumes in external storage systems. Users with Modify, Storage Administrator (Provisioning), orhigher roles for parity groups, or the LDEV ID of a DP pool volume, and an unused LDEV ID is assigned to the user, the user can create a volume. For the Virtual Storage Platform G1000, when you register a part of a parity group that is part of a concatenated parity group to a resource group, other parity groups that are a part of the concatenated parity group will also be registered in the same resource group automatically. • DP Pools: Includes DP pools consisting of DP pool volumes with LDEV IDs. • LDEV IDs: Includes parity groups and volumes in external storage systems. Non-existent IDs can also be specified. Users with Modify, Storage Administrator (Provisioning), or higher roles for parity groups or DP pools and assigned an unused volume ID, can create a volume. • Storage Ports: Users with Modify, Storage Administrator (Provisioning), or higher roles for ports and assigned an unused Host Group Number can create a host group that has that host group number. • Host Group Number: Non-existent numbers can also be specified. Users with Modify, Storage Administrator (Provisioning), or higher roles for portsand assigned an unused Host Group Number can create a host group that has that host group number. Related concepts • About resource groups on page 97 Related tasks • Creating resource groups on page 100 Setting up users and access control99Hitachi Command Suite User Guide
Creating resource groupsUser created resource groups can be used to group system resource typesincluding storage systems, parity groups, DP pools, LDEV IDs, and storage ports. Resource groups, which are user defined, can be created for the Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM. Procedure 1. On the Administration tab, in the Administration pane, select Resource Groups . 2. Click Create Resource Group . 3. Enter a name and description, and select the storage system providing the resources. 4. Using the tabs, specify the parity groups, DP pools, LDEVs, ports, or host groups (or a mix of resources) for the resource group. 5. Click Submit to register this as a task. 6. You can check the progress and result of the task on the Tasks & Alerts tab. Click the task name to view details of the task. Result The new resource group is displayed, and can be assigned to an existing user group using the Edit User Group button. You can also assign resource groups when creating new user groups with Create User Group. Related tasks • Editing a resource group on page 100 • Assigning resource groups and roles to a user group on page 129 • Deleting resource groups on page 101 Related references • Access control examples on page 96 • Prerequisites for creating resource groups on page 99 Editing a resource group You can edit storage system resources in an existing resource group. Information about resource groups can be modified to reflect changing access control requirements. Procedure 1. On the Administration tab, in the Administration pane, select Resource Groups . 2. To edit a resource group, do one of the following: 100Setting up users and access controlHitachi Command Suite User Guide