Security application
The IBM Cloud Object Storage Manager Security application is used to manage user accounts, encryption keys and certificates, user access, and security policy.
Press the Security tab at the top of the screen to start the application. A summary of all accounts, groups, and vaults is initially shown. Vault permissions are displayed when a specific vault is selected.
System Fingerprint [View-Only]
Security Certificates are created at the time the manager is installed, and are confirmed via the Cloud Object Storage System Appliance Configuration utility each time a new device is installed. For more information, see Manager Administration.
Accounts and Groups
When the manager application is installed, an administrator account Super User is created automatically and cannot be deleted. Individual user Accounts with appropriate access roles can be created and managed.
Press Create Account for a new user or Create Group for an Active Directory (AD) or Keystone Group. Alternatively, select an existing Account or Group from the list to edit it (change, change password, delete).
The list of accounts and groups can be filtered by using one or more of the following options:
- The Type field to select one or more account types if present (Account, Active Directory Account, Group).
- The Roles field to select one or more roles (Super User, System Admin, Security Officer, Operator, Vault Provisioner, Service Account).
- The Search field to search for accounts that match a custom input string.
Click Clear Filters to clear the filters that are selected in Type and Roles fields. Click Hide/Show Filters to toggle the display of the filters. The number of items that are shown in the list per page can be changed by using Show rows and page forward ">" and page back "<" to scroll through the list.
Clicking Plus (+) on the column header shows roles for all the accounts in the list. Clicking Plus (+) specific to an account displays its associated roles.
The list can be sorted by Name, Username, and Creation Date.
Account Icons (shown in the interface) - Local Account, Active Directory Account, AD Group Account, Account Role
Roles [Access Control Groups]
Select the type of roles that are allowed for this user or group. The following Administrative roles (Access Control Groups) are predefined.
| Role | Permissions / Access |
|---|---|
| Super User | All Manager applications and devices. No access to user data. |
| System Administrator | All Manager functions except the Security tab. No access to user data. |
| Security Officer | Security-only. Add, delete, and modify users. No access to Security vault access permissions, Super User or Security roles, system configuration, operation, or user data. |
| Operator | All Manager monitoring-only functions. Cannot change the configuration of the system. No access to user data. In addition to monitoring functions, an account assigned the Operator role can access all reports, including configuration of automatic emailing, generation, export, and sending via email (once configured). |
| Service Account | Needed for container accounts for Service API access. |
| Vault Provisioner | Create / delete vaults using the Provisioning API. This role alone does not grant access to the Cloud Object Storage Manager interface. |
| Storage Account Administrator | Allows access to the Storage Account Portal while in Container Mode. |
These roles allow the following manager application access:
| Monitor | Configure | Security | Settings |
|---|---|---|---|
| Super User | Super User | Super User | Super User |
| System Administrator | System Administrator | Security Officer | System Administrator |
| Operator | Operator | | |
- The Operator role has visibility to the Monitor tab and to the Reports section in the Settings tab. The Security Officer role has visibility to the Security tab. The default Super User account cannot be deleted.
- The Storage Account Administrator role only has access to the Storage Accounts page.
Vaults
The list of vaults can be filtered by using one or more of the following options:
- Vault Type field to select one or more vault types if available (Management, Mirror, Standard, Service, Container).
- Tags field to select one or more available tags.
- Search field to search for vaults that match a custom input string.
Click Clear Filters to clear the filters that are selected in Vault Type and Tags fields. Click Hide/Show Filters to toggle the display of the filters. The number of items that are shown in the list per page can be changed by using Show rows and page forward ">" and page back "<" to scroll through the list.
Clicking Plus (+) on the column header shows tags for all the vaults in the list. Clicking Plus (+) specific to a vault displays its associated tags.
The list can be sorted by Vault and Creation Date.
Create Private Account
Click Configure to create a private account to access locked vaults that are used for WORM compliance along with third-party applications.
Authentication Mechanisms
Press Configure to enable or disable the use of passwords, access key authentication, or hiding secret access keys for user authentication against system devices.
Event Console
The Event Console is similar to an event log and displays the most recent 50 events (most recent first), based on the context defined by the Current Filters. The Current Filters are selected via the Advanced Search (Pressing Advanced Search opens/closes the display). After the filters are selected, press Search to view the corresponding events. The default context is a single filter that indicates a time range that represents the last week. Selecting the “x” on a filter removes the filter and automatically initiates a new search, establishing a new context. Click Show Audits to include 30 days of audit information with the events. Audits can be filtered via Advanced Search.
Click Show More to display more events in increments of 50. Use the Remove/Add scroll bar to hide/add back the inner scroll bar in the display.
Select Export to create a .csv (comma-separated values) file for use with spreadsheet applications. The export file, limited to the most recent 50000 events, contains all events, regardless of the severity filter setting. Events can also be forwarded to an email account based on severity, frequency, and timing. Use the Preference menu to configure this behavior.
In Advanced Search, the Message text box accepts standard text and operates in Quick Mode by default. This mode will return results faster compared to the older legacy mode. When using this mode, an "AND" search is done on the individual search terms provided. For example, if you search for "device hostname", the results will contain both the word "device" and the word "hostname".
Searching with Quick Mode returns results significantly faster than legacy mode, so it is recommended for most searches.
When Quick Mode is disabled, the search switches to the legacy mode, which allows standard text or regular expressions (a special pattern that specifies a set of strings; see http://en.wikipedia.org/wiki/Regular_expression for an overview). When you use standard text (Regular expression box cleared), an “AND” search is done on the individual terms that are provided in the text box. In other words, when the Regular expression box is not checked, events that contain all of the terms, in any order, are returned.
Alternatively, a search based on regular expressions can be initiated. It is accomplished by entering a regular expression in the Message text box, selecting the Regular expression box, and clicking Search. Several examples of regular expressions are provided.
| Construct | Example | Note |
|---|---|---|
| “OR” function. | usage \| space (matches events with usage or space). | The vertical bar separates alternatives. |
| Matching the preceding character zero or one time. | file? (matches events that contain fil or file, such as file system). | In addition to "?", the "*" and "+" characters can be used to match a set of strings. |
| Bracket construct. | slices[te] (matches events with terms such as slicestor, sliceserver). | The items in the bracket are interpreted as “t” or “e”. |
| One term followed by another. | reporting status (matches events with “reporting status”). | This pattern represents a request to match based on a specific ordering, one term after another. It is a constrained “AND” search. |
| Combining parentheses with a preceding element zero or one time. | r(eb)?oot (matches events with root and reboot). | |
Numerous other regular expression constructs can be used but are not described here. An error occurs if an invalid regular expression is provided.
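To make the difference between the two search modes concrete, the following added example (not part of the IBM documentation or the Manager product) models a Quick Mode term search and a legacy regular expression search over a handful of constructed event summaries, using the same patterns the table above lists. It assumes the Manager's regular expression dialect behaves like Python's `re` module for these basic constructs and that matching is case-insensitive; both are assumptions, not statements from the page.

```python
import re

# Constructed sample event summaries for demonstration only; they are not
# taken from any real IBM Cloud Object Storage system.
SAMPLE_EVENTS = [
    "Device slicestor01 reporting status OK",
    "Vault usage exceeded 80 percent",
    "Disk space low on sliceserver02",
    "File system check scheduled on device slicestor03",
    "Reboot of device slicestor01 completed",
    "Root filesystem remounted read-only",
    "Device hostname changed to slicestor04",
    "Status reporting delayed for hostname manager01",
]


def quick_mode_search(events, query):
    """Quick Mode: every whitespace-separated term must appear somewhere in the
    event text, in any order ("AND" search). Case-insensitive matching is an
    assumption made for this example."""
    terms = [t.lower() for t in query.split()]
    if not terms:
        return list(events)
    return [e for e in events if all(t in e.lower() for t in terms)]


def is_valid_pattern(query):
    """Return True when the pattern compiles; the page notes that an invalid
    regular expression produces an error, which this check lets you catch
    before running the search."""
    try:
        re.compile(query)
    except re.error:
        return False
    return True


def legacy_search(events, query, regex=False):
    """Legacy mode: plain-text "AND" search when the Regular expression box is
    cleared, otherwise a regular expression match against each event. An
    invalid pattern raises re.error, mirroring the documented behavior."""
    if not regex:
        return quick_mode_search(events, query)
    pattern = re.compile(query, re.IGNORECASE)  # dialect/case handling assumed
    return [e for e in events if pattern.search(e)]


if __name__ == "__main__":
    # "device hostname" in Quick Mode: both words must be present, any order.
    print(quick_mode_search(SAMPLE_EVENTS, "device hostname"))
    # The table's examples, run as regular expressions.
    for pat in ("usage|space", "file?", "slices[te]", "reporting status", "r(eb)?oot"):
        print(pat, "->", legacy_search(SAMPLE_EVENTS, pat, regex=True))
    # An unterminated bracket is rejected rather than silently matching nothing.
    print("slices[te valid?", is_valid_pattern("slices[te"))
```

Note how "reporting status" as a regular expression matches only the event where the words appear in that order, while the same text in Quick Mode also matches "Status reporting delayed ...", which is the constrained versus unconstrained "AND" distinction the table describes.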
Event Console Details
The display includes, for each event, Status [Severity], Summary [Description], and Time [Occurrence], including the amount of time relative to the current time. When selected, a detailed view of an event is shown within this box. An event might occur multiple times; the count appears in a rectangular box next to the event. Older events that were migrated from an earlier Manager version are denoted with an asterisk (*).
Times are shown in GMT (Greenwich Mean Time) by default. Use the Preference menu to change the display to local time.
Severity Key (icons shown in the interface) - Critical, Error, Warning, Information, Cleared
Selecting a cleared event displays all related events. Selecting any of the related events in the Event Console displays the same collection of events as the cleared event. In addition, the duration from the time of the event occurrence until the time that it is cleared is displayed.
Clicking any event in the Event Console displays additional information on the event.
Example - Click a diagnostic disk event to show the suspend reason: List Disk Suspend Codes.