Hitachi Command Suite 8 User Guide
Related concepts
• About registering and removing file servers on page 75

4 Setting up users and access control

This module describes how to control access to managed resources.

□ Setting up users and access control
□ About user accounts and controlling access to resources
□ Creating and managing user accounts
□ Controlling access to resources

Setting up users and access control

After users are registered, you can limit the scope of allowed operations for each user by configuring access control settings for users and storage resources. To set access control, you create resource groups and user groups, then assign the resource groups and roles to the user groups.

Related concepts
• About user accounts and controlling access to resources on page 84
• About access control on page 94

About user accounts and controlling access to resources

Hitachi Command Suite provides built-in user accounts and the ability to add additional local user accounts and users from external authentication servers. You grant controlled access to storage resources by adding new users to user groups with assigned resource groups and roles (permissions). Built-in resource groups and user groups exist for administrative convenience.

The following two built-in user accounts are created when Hitachi Command Suite is installed. You will see them when you view the list of user accounts. Additional user accounts will also be listed as you add them.

• The System account (default password: manager) is a fully-privileged administrator account, and is used to manage all HCS functionality, including HCS user accounts, user groups, and resource groups.
• The HaUser account (default password: haset) is the default user account used by Device Manager agents and the exclusive account of management software for file servers. The default role for the HaUser account is Peer and the PeerGroup is set for the HaUser account. The HaUser account belongs to PeerGroup as soon as the installation completes.

Log in with the System account to access user management functionality on the Administration tab and create local HCS user accounts. While creating user accounts, you can list available applications (as installed on the management server) and set user permissions for those applications. You must add users to one or more resource groups to determine the storage they can access. Together, application permissions and resource group/user group membership determine the scope of what each user can do in HCS.

Note the following when managing Virtual Storage Platform G1000:

• Enable user authentication in HCS so that user accounts are authenticated when they log in to CCI and the SVP, which allows user accounts to be centrally managed.
• SSL communication must be configured between the Device Manager server and the storage system. Also, you might need to add firewall exceptions between the Device Manager server and the storage system. For details on implementing SSL communication and adding firewall exceptions between the Device Manager server and the storage system, see the Hitachi Command Suite Administrator Guide.
• User accounts should be created with user names and passwords compatible with HCS and the Virtual Storage Platform G1000 components.
• If a user account that is used to perform operations by using CCI or the SVP is already registered in Hitachi Device Manager - Storage Navigator, also register that user account in HCS.
• Create an administrator user account for Hitachi Device Manager - Storage Navigator that can be used if HCS is not available.

Note: If HCS authentication of user accounts is disabled when logging into CCI or SVP, you must specify the same user account information and access control to storage resources in both HCS and Hitachi Device Manager - Storage Navigator.

You can also manage user accounts by linking to an external authentication server, such as an LDAP directory server, RADIUS server, or Kerberos server. However, the built-in accounts (System and HaUser) cannot be authenticated on an external authentication server. The HCS user account used to connect to external authentication servers and external authorization servers is managed as a Windows Active Directory (authorization) group. Permissions that are specified for authorized groups are also applied to users who belong to nested groups.

Application permissions

After adding basic user information such as username, password, email, and description, set permissions for available applications, such as:

• Tier management (CLI)
• Replication management
• Performance management

Permissions include View, Execute, Modify, and Admin. These permissions control what the user can do on the related tabs, and possibly elsewhere.

Users can assist in user management tasks if the Admin permission is selected for the User Management application. The user will be able to assist in:

• Specifying user settings
• Creating user groups for Device Manager and Tiered Storage Manager
• Assigning resources and roles to user groups
• Reporting user and user group information in CSV format
• Specifying security settings (such as locking an account)

Resource groups and User groups

The resource group All Resources is a built-in group (created by default) and contains the built-in user groups called AdminGroup, ModifyGroup, PeerGroup, and ViewGroup. Adding a user to ViewGroup allows the user to see all registered storage systems and related underlying detail such as parity groups. Putting the user in ModifyGroup enables task-related buttons and the tasks listed under General Tasks, allowing the user to work with resources. Essentially, as a member of an All Resources group, you have access to the Device Manager GUI and Tiered Storage Manager GUI elements.

Additionally, each storage system has a resource group named Default ResourceGroup. If you have three registered storage systems, you would see three of these groups listed in addition to All Resources. This group is used to provide Admin, Modify, or View permissions (roles) to one or more users in a user-defined user group so they have access to the specific resources of the storage system. In other words, instead of placing a user in the All Resources group, you can place them in one or more storage system resource groups and narrow the scope of what they can view or manage. To do this, you must create a named user-defined group and edit the resource group to add the user-defined group and one or more users, whose permissions (roles) can be set independently as you add them.
Additionally, if the default resource group is for a Virtual Storage Platform G1000, you can select Custom roles, which are more specific, such as roles for provisioning, or copy pair management and tasks. Multiple roles can be combined.

For very specific control over access to resources, consider creating user-defined resource groups. You can identify specific parity groups and LDEVs that members of your user-defined user group can access. As with default resource groups, for a Virtual Storage Platform G1000, you can select Custom roles.

Tip: For details about the required permissions for executing each command of the Tiered Storage Manager CLI, see the Hitachi Command Suite Tiered Storage Manager CLI Reference Guide.

Related tasks
• Creating a user account on page 87

Related references
• User ID and password policies on page 87

Creating and managing user accounts

Create user accounts and assign permissions.

Creating a user account

All users not allowed to log in with the System account require a user account for access to HCS. A user account consists of general user profile information (User ID, Password, Full Name, E-mail, and Description).

Procedure
1. On the Administration tab, click Users and Permissions. This will launch a user management window.
2. Click Users to display the current user list.
3. Click Add User and specify user profile information.
4. Click OK.

Result
The user list is re-displayed and will include the new user.

Related tasks
• Editing the profile for a user account on page 88
• Deleting user accounts on page 94

Related references
• User ID and password policies on page 87

User ID and password policies

User IDs and passwords must adhere to specific requirements. The User ID and password requirements for HCS, the SVP, and Command Control Interface (CCI) vary. When using HCS as an authentication server for Virtual Storage Platform G1000, User IDs and passwords must be valid for both HCS and the SVP, and for HCS and CCI.

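An added example, not part of the Hitachi guide: a Python check of a candidate User ID and password against the length and character rules of Table 4-1 for every component at once, which is what the paragraph above requires when HCS authenticates Virtual Storage Platform G1000 users. The function names, the `cci_on_windows` flag, and the rejection of the default passwords listed on this page are this example's own choices.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)
HCS_SYM = set("!#$%&'()*+-.=@\\^_|")   # symbols HCS accepts (also SVP passwords)
SVP_ID_SYM = set("!#$%&'-.@^_")        # symbols the SVP accepts in a User ID
CCI_SYM = set("-.@_")                  # symbols CCI accepts

# (minimum length, maximum length, allowed symbols), transcribed from Table 4-1
POLICY = {
    "HCS": {"user_id": (1, 256, HCS_SYM), "password": (1, 256, HCS_SYM)},
    "SVP": {"user_id": (1, 128, SVP_ID_SYM), "password": (6, 127, HCS_SYM)},
    "CCI": {"user_id": (1, 63, CCI_SYM), "password": (6, 63, CCI_SYM)},
}
# Default passwords of the built-in System and HaUser accounts, as listed on this page.
DEFAULT_PASSWORDS = {"manager", "haset"}


def violations(field, value, components=("HCS", "SVP", "CCI"), cci_on_windows=False):
    """Return (component, reason) for every Table 4-1 rule that value breaks."""
    found = []
    for comp in components:
        lo, hi, symbols = POLICY[comp][field]
        allowed = ALNUM | symbols
        if comp == "CCI" and cci_on_windows:
            allowed = allowed | {"\\"}  # table note: backslash is valid for CCI on Windows
        if not lo <= len(value) <= hi:
            found.append((comp, f"length {len(value)} outside {lo}-{hi}"))
        bad = sorted(set(value) - allowed)
        if bad:
            found.append((comp, "disallowed characters: " + " ".join(repr(c) for c in bad)))
    return found


def check_account(user_id, password, **kw):
    """Check one account against all selected components; an empty dict means it passes."""
    report = {}
    for field, value in (("user_id", user_id), ("password", password)):
        problems = violations(field, value, **kw)
        if problems:
            report[field] = problems
    if password in DEFAULT_PASSWORDS:
        report.setdefault("password", []).append(
            ("ALL", "matches a documented default password"))
    return report
```

A value that passes for HCS alone can still fail here, because the SVP and CCI rows are stricter in both length and character set.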
Table 4-1 HCS, SVP, and CCI login account requirements

Component  Item      Length  Requirements
HCS        User ID   1-256   A-Z, a-z, 0-9 ! # $ % & ' ( ) * + - . = @ \ ^ _ |
HCS        Password  1-256   Same as above
SVP        User ID   1-128   Alphanumeric (ASCII code) characters ! # $ % & ' - . @ ^ _
SVP        Password  6-127   Alphanumeric (ASCII code) characters ! # $ % & ' ( ) * + - . = @ \ ^ _ |
CCI        User ID   1-63    Alphanumeric (ASCII code) characters - . @ _
CCI        Password  6-63    Alphanumeric (ASCII code) characters - . @ _

Note: When using a Windows computer for CCI, you can also specify a backslash ( \ ) for both the User ID and password.

If using external authentication servers such as LDAP (and others), note the following:

• User IDs and passwords must be valid for the external authentication server and Hitachi Command Suite products.

A password policy can be configured from the Administration tab to enforce stronger passwords. If using external authentication, the password enforcement must be compatible.

Related concepts
• About user accounts and controlling access to resources on page 84

Related tasks
• Creating a user account on page 87
• Changing the password for a user account on page 89
• Changing your own password on page 90
• Configuring external authentication for users on page 91
• Configuring external authentication for groups on page 92

Editing the profile for a user account

Modify the name, email address, and description for a user account.

Procedure
1. On the Administration tab, click Users and Permissions. This will launch a user management window.
2. Click Users, select the target user by clicking the User-ID link, and click Edit Profile.
3. Edit the profile information for the user, and then click OK. The user profile is displayed.
4. Confirm the updated user profile information.

Related tasks
• Changing permissions for a user account on page 90
• Editing your own user profile on page 89

Editing your own user profile

As your user attributes change, you will need to update your user profile.

Procedure
1. On the Administration tab, click User Profile. Your user information is displayed.
2. Click Edit Profile.
3. Edit the profile information and click OK.
4. Confirm that the updated user profile information appears in the Users area.

Related tasks
• Changing your own password on page 90

Changing the password for a user account

As user passwords expire or are compromised, they can be changed.

Procedure
1. On the Administration tab, click Users and Permissions. This will launch a user management window.
2. Click Users, select the target user by clicking the User-ID link, and click Change Password.
3. Enter the new password and verify it.
4. Click OK.
5. Confirm that the user account can log in with the new password.

Related tasks
• Changing your own password on page 90

Related references
• User ID and password policies on page 87

Changing your own password

As your password expires or is compromised, it will need to be changed.

Procedure
1. On the Administration tab, click User Profile. Your information is displayed.
2. Click Change Password.
3. Type the new password and verify it.
4. Click OK.
5. Log in with your new password.

Result
Your password is changed.

Related concepts
• About user accounts and controlling access to resources on page 84

Related tasks
• Changing the password for a user account on page 89

Related references
• User ID and password policies on page 87

Changing permissions for a user account

To grant a user new permissions or remove existing permissions, change permission settings in the user account.

Tip: For a user of Device Manager or Tiered Storage Manager (GUI), specify a role for the user group which is assigned to the user, instead of granting user permissions.

Procedure
1. On the Administration tab, click Users and Permissions. This will launch a user management window.
2. Click Users, select the target user by clicking the User-ID link, and click Change Permission.
3. Edit the permissions and click OK. The user account is re-displayed, including granted permission.
4. Verify the correct user permissions are selected.

Result
The user permissions are changed.