Accounts

Existing Accounts and Passwords can be changed, disabled, or deleted.

Select the account to be changed from the account tree list (left side).

Click Delete Account, Disable Account, Change, or Change Password to delete, disable, or customize this account [Name, Time zone, Access Control Role policy, etc.].

Note: A Keystone account cannot have its password changed, since it is managed by the Keystone server.
Note: The default Super User account may not be deleted.

Authentication

The Account Authentication details [User Name and Password (will not be displayed)] are listed. If Local account authentication has been disabled, that is indicated.

PKI Authentication

If PKI Authentication has been enabled, the DN (Distinguished Name) and Realm will be displayed.

Account icons:

Local Account

Active Directory Account

AD Group Account

Account Role

Access Key Authentication

Press Change to generate a new access key or to remove an existing key.

Roles (Access Control Groups)

Select the type of Roles permitted for this user or group. The following Administrative roles (Access Control Groups) are predefined.

Note: Every account should be assigned one (or more) roles. An account without a role does not function.
Table 1. Roles
| Role | Description | Permissions/Access |
|---|---|---|
| Super User | root | All Manager applications and devices. No access to user data. |
| System Administrator | Storage Admin | All Manager functions except the Security tab. No access to user data. |
| Security Officer | Security Admin | Security-only. Add, delete, and modify users. No access to Security vault access permissions, Super User or Security roles, system configuration, operation, or user data. |
| Operator | Storage Operator | All Manager monitoring-only functions. Cannot change the configuration of the system. No access to user data. In addition to monitoring functions, an account assigned the Operator role can access all reports, including configuration of automatic emailing, generation, export, and send by email (when configured). |
| Vault Provisioner | End user | Allows the user to create and delete vaults by using the Provisioning API. No access to any Manager functions. |
| Elastic Device Provisioner | | Allows the use of the Preregistration API. |
| Storage Account Administrator | | Allows access to the Storage Account Portal while in Container Mode. This role allows limited access to the IBM Cloud Object Storage Manager Interface. |
| Service Account | End user | Allows access to the Service API while in Container Mode. This role alone does not grant access to the IBM Cloud Object Storage Manager interface. |

These roles permit the following manager application access:

Table 2. Access to manager applications by role
| Monitor | Configure | Security | Settings |
|---|---|---|---|
| Super User | Super User | Super User | Super User |
| System Administrator | System Administrator | Security Officer | System Administrator |
| Operator | | | Operator |
Note: The Operator role has visibility to the Monitor tab and to the Reports section in the Settings tab. The Security Officer role has visibility to the Security tab. The default Super User account cannot be deleted.

Vault Authorization

Select the type of Access Authorization permitted for this user or group. Use the Search utility (Vault Type, Tag, and so on) for bulk editing or the page forward and page back arrows to scroll through the list.

Note: Account authentication is needed to access Simple Object vaults.

Anonymous Access can be granted to a vault, either R/W (read/write/delete) or R (Read Only). [Default = None (no access)]. Otherwise, Owner (read/write/delete), R/W (read/write/delete), or R (Read Only) permissions can be granted to selected user accounts. [Default = None (no access) unless created via the API.]

Note: The "Owner" option is inherited when a vault is created through the provisioning API. It can also be assigned by the Security Officer. The Owner option must be set to delete a vault. If the Provisioning API is disabled and never enabled, the "Owner" option still exists for the vault-account permission association. With the Provisioning API disabled, no difference exists between the "Owner" option and the "read/write" option.

Click Save to update or Cancel to exit.

Note: Only a Security Officer account (or a Super User account) can grant or modify these access permissions.
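
The role table and vault permission notes above can be turned into a periodic access review. The following is an added example, not code from the product or its documentation: the account records, field names, and account and vault names are constructed, and treating multiple roles as additive is an assumption.

```python
# Added example: models Table 2 and the vault-permission notes on this page.
# Table 2: Manager tabs visible to each role. Roles absent from Table 2
# (for example Vault Provisioner) contribute no tabs here.
TAB_ACCESS = {
    "Super User": {"Monitor", "Configure", "Security", "Settings"},
    "System Administrator": {"Monitor", "Configure", "Settings"},
    "Security Officer": {"Security"},
    "Operator": {"Monitor", "Settings"},  # Settings: Reports section only
}
# Per the page's note: only these roles grant or modify vault access permissions.
CAN_GRANT_VAULT_ACCESS = {"Security Officer", "Super User"}

def manager_tabs(roles):
    """Union of tabs over an account's roles (assumption: roles are additive)."""
    tabs = set()
    for role in roles:
        tabs |= TAB_ACCESS.get(role, set())
    return tabs

def can_delete_vault(permission, provisioning_api_enabled):
    """Owner is required to delete a vault; with the Provisioning API disabled
    Owner behaves like R/W (this reading of the note is an interpretation)."""
    return permission == "Owner" and provisioning_api_enabled

def audit(accounts, anonymous_access, provisioning_api_enabled=True):
    """Return (subject, finding) pairs for a periodic access review."""
    findings = []
    for acct in accounts:
        if not acct["roles"]:
            findings.append((acct["name"], "no role assigned: account does not function"))
        if CAN_GRANT_VAULT_ACCESS & set(acct["roles"]):
            findings.append((acct["name"], "can grant or modify vault access"))
        for vault, perm in acct["vaults"].items():
            if can_delete_vault(perm, provisioning_api_enabled):
                findings.append((acct["name"], f"Owner of {vault}: can delete the vault"))
    for vault, perm in anonymous_access.items():
        if perm != "None":  # page default is None (no access)
            findings.append((vault, f"anonymous access enabled ({perm})"))
    return findings

# Constructed sample data (hypothetical names, not a Manager export format).
ACCOUNTS = [
    {"name": "alice", "roles": ["Operator", "Security Officer"], "vaults": {"logs": "R"}},
    {"name": "svc-backup", "roles": ["Vault Provisioner"], "vaults": {"backups": "Owner"}},
    {"name": "bob", "roles": [], "vaults": {}},
]
ANONYMOUS = {"logs": "None", "public-assets": "R", "backups": "None"}

if __name__ == "__main__":
    for subject, finding in audit(ACCOUNTS, ANONYMOUS):
        print(f"{subject}: {finding}")
```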

Device Access

A table shows the permissions that the user has for the Manager and other devices. The user's site level device accesses are shown in tabs.
Note: This section does not appear if the user is assigned "No Access" to all devices. The Site Level Access subsection does not appear if the user is assigned "No Access".
Attention: Any time a device is added or a vault, site, cabinet, or an administration configuration is changed, the Manager device must be backed up by navigating to Settings > Operations > Backup Manually. Permanent data loss can occur if the Manager database becomes corrupted. Periodic backups must also be performed to preserve historical statistics and log information. For details, click the Settings tab, and navigate to Operations > Backup Configuration.