Hitachi Command Suite 8 User Guide
• From the Resource Groups pane, select the resource group, and click Edit Resource Group.
• Click the resource group link, click Actions and select Edit Resource Group.
3. You can modify the resource group name and description, but not the storage system.
4. Modify the parity groups, DP pools, LDEVs, ports, or host groups to reflect your access control requirements.
Note: To add or delete DP pool volumes, you must add or delete DP pools.
5. Click Submit to register this as a task.
6. You can check the progress and result of the task on the Tasks & Alerts tab. Click the task name to view details of the task.

Result
Depending on how you initiated your edit (see step 2), the resource group is displayed and you can confirm your changes, or you will be in the Resource Groups pane and can click the resource group link to confirm your changes.

Related tasks
• Creating resource groups on page 100
• Assigning resource groups and roles to a user group on page 129

Related references
• Access control examples on page 96

Deleting resource groups
If resource groups are no longer needed, you can delete the resource groups.

Procedure
1. On the Administration tab, select Resource Groups.
2. Select the resource groups to delete. The storage system default resource groups, All Resources, and resource pools cannot be deleted.
3. Click Delete Resource Groups.
4. Click Submit.

Result
The resource groups you deleted no longer appear in the list of resource groups.

Setting up users and access control 101 Hitachi Command Suite User Guide
About user groups
A user group consists of one or more users having the same permissions (role) for the same resources. An external authentication group can also be used as a user group. There are also built-in resource and user groups for administrative convenience.

For a user group, one or more resource groups are added, and a role assigned for each resource group. The types of roles are:
• Admin
• Modify
• View
• Custom

User group members will be able to work with each resource group according to the assigned role (permissions) for the resource group. For example, a user group member with view access to a resource group can monitor, but not change the resource.

Also note the following:
• A user can belong to multiple user groups, each with assigned resource groups and roles
• A resource group can be registered to multiple user groups

If hosts and volumes are managed as logical groups that correspond to businesses or organizations and the logical groups are registered as private logical groups, only users who belong to the same user group will be able to use the logical groups.

The default (built-in) user groups assigned to the All Resources resource group (also built-in) are:
• AdminGroup (role: Admin and the permission for creating resource groups)
• ModifyGroup (role: Modify)
• ViewGroup (role: View)
• PeerGroup (role: Peer. This user group cannot be assigned to a resource group)

Note: If Hitachi Compute Systems Manager (HCSM) v8.1 or later is installed on the HCS management server with Device Manager, the following user groups are created:
• HCSM_AdminGroup
• HCSM_ModifyGroup
• HCSM_ViewGroup

Two special case user group assignments exist:
• The built-in account (user ID: HaUser) used by Device Manager agents and file servers is set to the PeerGroup immediately after the installation is completed, but can be set to another group later. To assign the Peer role to a user, register the user in PeerGroup.
• Authorized groups that have been registered to Hitachi Command Suite products can be used as user groups. Roles assigned to authorized groups are also applied to users who belong to nested groups.

For a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM storage system, if different roles are set as follows, the role set for each resource group is applied to all resource groups within the same storage system.
• When multiple resource groups in the same storage system are assigned to one user group, and a different role has been set for each resource group.
• When a user belongs to multiple user groups, and a different role has been set for the resource groups in the same storage system.

If the storage system is not a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM, the previous scenario does not apply.

For example, in the following figure, User A and User B can access each resource group (RG) with the following roles, respectively. User A can access RG1, RG2, and RG3 with the Admin, Audit Log Administrator (View & Modify) and Security Administrator (View Only) roles. User B can access RG3 with the Security Administrator (View & Modify) role, and access RG4 with the View role.

Some special cases apply:
• If a user has the Storage Administrator (Provisioning), Modify, or higher roles for parity groups or the LDEV ID of a DP pool volume, and an unused LDEV ID is assigned to this user, they can create a volume.
• If a user has the Storage Administrator (Provisioning), Modify, or higher roles for ports, and an unused Host Group ID is assigned to this user, they can allocate new volumes by using that Host Group ID.
• If the LDEV ID of a DP volume is assigned to a user, this user can view the DP pool to which the DP volume belongs and the DP pool volumes that compose the DP pool. If the LDEV ID of a DP pool volume is assigned to this user, they can view the pool to which the DP pool volume belongs.
• If a parity group is assigned to a user, this user can view all volumes that belong to the parity group from a list of volumes that appears when displaying the parity group information. If a parity group is not assigned to a user and only the LDEV IDs of the volumes belonging to the parity group are assigned to this user, they cannot view that parity group.

Note: The roles above determine the operation permissions of Device Manager and the Tiered Storage Manager GUI. For users of the Tiered Storage Manager CLI, operating permissions are granted by assigning the desired roles of All Resources and Device Manager to the user groups to which the users belong, and then setting the Tiered Storage Manager permissions required to execute commands for each user. For details about the permissions required to execute each command, see the Hitachi Command Suite Tiered Storage Manager CLI Reference Guide.

Related concepts
• About access control on page 94

Related tasks
• Creating user groups on page 127

User group roles
In Device Manager and Tiered Storage Manager (GUI), permissions are granted by assigning resource groups and roles to users in a user group. For other HCS products, permissions are granted by setting permissions for each user. For example, this method can be used for granting permissions for the Device Manager GUI and CLI operations and for the Tiered Storage Manager GUI. For users of the Tiered Storage Manager CLI, permissions are granted by assigning the desired roles of All Resources and Device Manager to the user groups to which the users belong, and then setting the Tiered Storage Manager permissions required to execute commands for each user.
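The storage-system-wide role rule from "About user groups" above, worked through in Python as an added example (not part of the Hitachi guide or of HCS itself). The storage system names, user group names and assignments are constructed to reproduce the User A / User B outcome the text describes, and `assigned_roles`, `effective_roles` and `widened` are hypothetical helpers for an access review.

```python
from collections import defaultdict

# Models for which the guide says roles apply storage-system-wide.
SYSTEM_WIDE_MODELS = {
    "Virtual Storage Platform G1000",
    "Virtual Storage Platform",
    "Unified Storage VM",
}

# Constructed sample data (hypothetical system and user group names).
RG_TO_SYSTEM = {"RG1": "SS-1", "RG2": "SS-1", "RG3": "SS-1", "RG4": "SS-2"}
SYSTEM_MODEL = {"SS-1": "Virtual Storage Platform G1000", "SS-2": "other model"}
USER_GROUPS = {  # user group -> {resource group: role}
    "UG1": {"RG1": "Admin", "RG2": "Audit Log Administrator (View & Modify)"},
    "UG2": {"RG3": "Security Administrator (View Only)"},
    "UG3": {"RG3": "Security Administrator (View & Modify)", "RG4": "View"},
}
MEMBERSHIP = {"User A": ["UG1", "UG2"], "User B": ["UG3"]}


def assigned_roles(user):
    """Roles exactly as configured: {resource group: set of roles}."""
    roles = defaultdict(set)
    for user_group in MEMBERSHIP[user]:
        for rg, role in USER_GROUPS[user_group].items():
            roles[rg].add(role)
    return dict(roles)


def effective_roles(user):
    """On the listed models, every role the user holds for any resource group
    of a storage system applies to all of the user's resource groups there."""
    assigned = assigned_roles(user)
    per_system = defaultdict(set)
    for rg, roles in assigned.items():
        per_system[RG_TO_SYSTEM[rg]] |= roles
    effective = {}
    for rg, roles in assigned.items():
        system = RG_TO_SYSTEM[rg]
        wide = SYSTEM_MODEL[system] in SYSTEM_WIDE_MODELS
        effective[rg] = set(per_system[system]) if wide else set(roles)
    return effective


def widened(user):
    """Resource groups whose effective roles exceed the assigned ones."""
    assigned, effective = assigned_roles(user), effective_roles(user)
    return {rg: effective[rg] - assigned[rg]
            for rg in assigned if effective[rg] - assigned[rg]}


if __name__ == "__main__":
    for user in MEMBERSHIP:
        for rg, extra in sorted(widened(user).items()):
            print(f"{user}: {rg} additionally gets {sorted(extra)}")
```

A non-empty result from `widened` marks resource groups where a narrowly scoped assignment has picked up roles granted elsewhere in the same storage system, which is the case to look for in a least-privilege review.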
The table below describes roles and the tasks that can be performed when those roles are assigned. By specifying roles, resources that belong to a resource group for which a user has permission to reference or operate on are displayed. The user can perform operations or reference information for the displayed resources.

Roles can be set for an external authentication group, just like for other user groups, when the external authentication group is used as a user group. By default, the View role for All Resources is set.
Table 4-2 User permissions by role

Role: Admin
Device Manager tasks: The user can register resources to be managed, change settings, and view information. If the user is assigned to All Resources, the user can manage resource groups.
Tiered Storage Manager tasks: The user can create, edit, and delete tiers, perform operations from the Mobility tab, and perform migration tasks.

Role: Modify
Device Manager tasks: The user can register resources to be managed, change settings, and view information.
Tiered Storage Manager tasks: The user can create, edit, and delete tiers, perform operations from the Mobility tab, and perform migration tasks.

Role: View
Device Manager tasks: The user can view (reference) managed resources.
Tiered Storage Manager tasks: The user can view (reference) information about tiers, information in the Mobility tab, and list migration tasks.

Role: Peer
Device Manager tasks: This role applies only to Device Manager agents and file servers and cannot be assigned to resource groups and cannot be used to log in to HCS products. The Peer role cannot be assigned in combination with any permissions other than the User Management permissions.
Tiered Storage Manager tasks: Not applicable.

Role: Custom
For VSP G1000, more granular roles are available and are referred to as custom roles. The Admin, Modify, and View roles are broad in scope, while custom roles are more specific. When selecting permissions for a user group associated with a default user group or user-defined resource group, multiple custom roles can be selected in combination to determine user capabilities. For users assigned to an All Resources built-in group, custom roles are not available as the built-in groups grant Admin, Modify, or View permissions only.

Related references
• Custom roles on page 105
• Required roles and resource groups by function on page 108

Custom roles
Custom roles provide granular permissions for performing general HCS tasks, as well as additional tasks specific to Hitachi Virtual Storage Platform G1000. The custom roles available include Storage, Security, Audit Log, and Support roles.
The table below describes additional VSP G1000 tasks (functions) and the required custom roles when selecting System GUI from menus or application panes to open Hitachi Device Manager - Storage Navigator. Note that to use custom roles, they must be assigned to resource groups with users.

The following custom roles can be assigned to both the VSP G1000 default resource group for broad access to storage resources, and to user-defined resource groups for specific access to storage resources:
• Storage Administrator (Provisioning)
• Storage Administrator (Performance Management)
• Storage Administrator (Local Copy)
• Storage Administrator (Remote Copy)

Storage, security, and audit log custom roles not in the list above are generally for tasks concerning the storage system as a whole, such as security and auditing. These roles are assigned to the VSP G1000 default resource group only.

Note: Custom roles cannot be assigned to users in the All Resources built-in resource groups as these groups permit View, Modify, or Admin permissions only.

Table 4-3 Custom roles

Custom role (permission): Storage Administrator (Provisioning) (note 1)
Functions: Allows provisioning related operations:
• Configuring caches
• Configuring LDEVs, pools, and virtual volumes
• Formatting and shredding LDEVs
• Configuring external volumes
• Creating and deleting quorum disks used in a global-active device environment
• Configuring alias volumes for Compatible PAV.
• Configuring Dynamic Provisioning
• Creating and deleting global-active device pairs
• Configuring host groups, paths, and WWNs
• Configuring Volume Migration except splitting Volume Migration pairs when using CCI
• Configuring access attributes for LDEVs
• Configuring LUN security

Custom role (permission): Storage Administrator (Performance Management) (note 1)
Functions: Allows performance monitoring:
• Configuring monitoring
• Starting and stopping monitoring

Custom role (permission): Storage Administrator (Local Copy) (note 1)
Functions: Allows pair operations for local copy:
• Performing pair operations for local copy
• Configuring environmental settings for local copy
• Splitting Volume Migration pairs when using CCI

Custom role (permission): Storage Administrator (Remote Copy) (note 1)
Functions: Allows remote copy operations:
• Remote copy operations in general
• Managing global-active device pairs (except for creation and deletion)

Custom role (permission): Storage Administrator (Initial Configuration) (note 1)
Functions: Allows initial configuration of storage systems:
• Configuring settings for storage systems
• Configuring settings for SNMP
• Configuring settings for e-mail notification
• Configuring settings for license keys
• Viewing, deleting, and downloading storage configuration reports
• Acquiring all the information about the storage system and refreshing

Custom role (permission): Storage Administrator (System Resource Management) (note 1)
Functions: Allows configuring various storage system resources:
• Configuring settings for CLPR
• Configuring settings for MP Blade
• Deleting tasks and releasing exclusive locks of resources
• Completing SIMs
• Configuring attributes for ports
• Configuring LUN security
• Configuring Server Priority Manager
• Configuring tiering policies

Custom role (permission): Security Administrator (View & Modify)
Functions:
For global-active device:
• Setting the reserved attribute for a volume to be used in a global-active device pair
With the exception of user management, allows management of encryption keys and authentication for storage systems:
• Creating an encryption key, configuring encryption
• Viewing and switching the location at which to create an encryption key
• Backing up and restoring an encryption key
• Deleting an encryption key that is backed up on the key management server
• Viewing and changing the password policies for backing up an encryption key on the management client
• Configuring the certificate used for SSL communication on the management client (note 2).
• Configuring the Fibre Channel authentication (FC-SP)

Custom role (permission): Security Administrator (View Only)
Functions: Allows viewing of storage system encryption keys and authentication settings:
• Viewing information about encryption settings
• Viewing information about encryption keys on the key management server

Custom role (permission): Audit Log Administrator (View & Modify)
Functions: Allows management of storage system audit logs:
• Configuring audit log settings
• Downloading audit logs

Custom role (permission): Audit Log Administrator (View Only)
Functions: Allows viewing of audit log settings for storage systems and downloading of audit logs:
• Viewing storage audit log settings
• Downloading audit logs

Custom role (permission): Support Personnel (notes 3, 4)
Functions: Allows configuration from the SVP by service representatives:
• Downloading dump files using the FD Dump tool

Notes:
1. Custom roles also apply to general tasks performed on the Virtual Storage Platform G1000, such as:
• Refreshing storage system information
• Registering storage systems and hosts
• Managing tasks, logical groups, and storage tiers
• Displaying information
• Downloading components
2. When a user account for logging in to the SVP or Command Control Interface (CCI) is authenticated by HCS, if the user account created in HCS is assigned the Security Administrator (View & Modify) role, that user account can be used to open the Tool Panel and configure the certificate. For details about this procedure, see the Hitachi Command Suite Administrator Guide.
3. When a user account for logging in to the SVP or Command Control Interface (CCI) is authenticated by HCS, if the user account created in HCS is assigned the Support Personnel role, that user account can be used to log in to the SVP and perform tasks.
4. When a user account for logging in to the SVP or Command Control Interface (CCI) is authenticated by HCS, if the user account created in HCS is assigned the Support Personnel role, that user account can be used to open the Tool Panel and download dump files. For details about this procedure, see the Hitachi Command Suite Administrator Guide.

Related concepts
• About access control on page 94

Related references
• User group roles on page 104
• Required roles and resource groups by function on page 108

Required roles and resource groups by function
The following tables show the resource groups and roles that are required to perform each function of Device Manager or Tiered Storage Manager. The first table below lists HCS functions, and the required resource groups and roles to perform the function. The second table lists additional HCS functions for the VSP G1000, and the required custom roles or roles to perform the functions.

Note: This topic describes only the operations that can be performed from the GUI. For the operations that can be performed by using CLI, see the manuals Hitachi Command Suite CLI Reference Guide and Hitachi Command Suite Tiered Storage Manager CLI Reference Guide.

The following headings are used to group related or similar functions in the table below:
• Access Control
• Downloads
• Link and Launch
• Storage Systems
• Hosts
• LUN Paths, HBAs, Host Modes
• Data Collection Tasks
• HCS Tasks
• System Tasks
• Alerts
• Search & Reports (CSV)
• Volumes
• Volumes - global-active device pairs
• External Storage Systems
• Pools/Tiers
• File Servers
• File Servers - HNAS
• File Servers - HDI and HNAS F
• Replication
• Virtual ID
• Mobility (migration)
• Resources of virtual storage machines
• Analytics

Note: For custom roles, a hyphen (-) indicates that the task (function) cannot be performed with a custom role.

Table 4-4 Required resource groups and roles for performing functions

Access Control (Administration tab, resource groups) (Resources tab, logical groups)

Function: Assign resources and roles to user groups
Resource group: All Resources
Required role (Admin, Modify, View): Admin. You must have User Management Admin permission.
Required role (Custom, VSP G1000): -

Function: Create, delete, or edit resource groups
Resource group: All Resources
Required role (Admin, Modify, View): Admin
Required role (Custom, VSP G1000): -

Function: Create, edit, or delete public logical group
Resource group: Any
Required role (Admin, Modify, View): Admin or Modify
Required role (Custom, VSP G1000): One of the following:
• Storage Administrator (Provisioning)
• Storage Administrator (Performance Management)
• Storage Administrator (Local Copy)
• Storage Administrator (Remote Copy)
• Storage Administrator (Initial Configuration)
• Storage Administrator (System Resource Management)

Function: Create, edit, or delete private logical group
Resource group: Any
Required roles: Any

Downloads (Tools menu)
Function: Download related programs
Resource group: Any
Required role (Admin, Modify, View): Admin or Modify
Required role (Custom, VSP G1000): One of the following:
• Storage Administrator (Provisioning)
• Storage Administrator (Performance Management)
• Storage Administrator (Local Copy)
• Storage Administrator (Remote Copy)
• Storage Administrator (Initial Configuration)
• Storage Administrator (System Resource Management)

Link and Launch

Function: Launch other HCS products.
Resource group: Any. When starting Element Manager, the resource group to which the target resource belongs
Required roles: Any

Storage Systems (Resources & Administration tabs)

Function: Add storage systems
Resource group: All Resources
Required role (Admin, Modify, View): Admin
Required role (Custom, VSP G1000): -

Function: Edit storage systems (storage system name, IP address, host name, user name, or password)
Resource group: All Resources
Required role (Admin, Modify, View): Admin or Modify
Required role (Custom, VSP G1000): -

Function: Refresh storage systems
Resource group: Resource group to which the resources of the target system belong
Required role (Admin, Modify, View): Admin or Modify
Required role (Custom, VSP G1000): One of the following:
• Storage Administrator (Provisioning)
• Storage Administrator (Performance Management)
• Storage Administrator (Local Copy)
• Storage Administrator (Remote Copy)
• Storage Administrator (Initial Configuration)