Security application

The IBM Cloud Object Storage Manager Security application is used to manage user accounts, encryption keys and certificates, user access, and security policy.

Press the Security tab at the top of the screen to start the application. A summary of all accounts, groups, and vaults is initially shown. Vault permissions are displayed when a specific vault is selected.

System Fingerprint [View-Only]

Security certificates are created when the Manager is installed and are confirmed through the Cloud Object Storage System Appliance Configuration utility each time a new device is installed. For more information, see Manager Administration.

Accounts and Groups

When the manager application is installed, an administrator account Super User is created automatically and cannot be deleted. Individual user Accounts with appropriate access roles can be created and managed.

Press Create Account to create a new user, or Create Group to create an Active Directory (AD) or Keystone group. Alternatively, select an existing Account or Group from the list to edit it (change it, change its password, or delete it).

The list of accounts and groups can be filtered by using one or more of the following options:

  1. The Type field to select one or more account types if present (Account, Active Directory Account, Group).
  2. The Roles field to select one or more roles (Super User, System Admin, Security Officer, Operator, Vault Provisioner, Service Account).
  3. The Search field to search for accounts that match a custom input string.

Click Clear Filters to clear the filters that are selected in Type and Roles fields. Click Hide/Show Filters to toggle the display of the filters. The number of items that are shown in the list per page can be changed by using Show rows and page forward ">" and page back "<" to scroll through the list.

Clicking the Plus icon on the column header shows the roles for all the accounts in the list. Clicking the Plus icon next to a specific account displays its associated roles.

The list can be sorted by Name, Username, and Creation Date.

Attention: The AD server must be configured to create an AD Group and the Keystone server must be configured to create a Keystone Group.

Account icons: Local Account, Active Directory Account, AD Group Account, Account Role.

Roles [Access Control Groups]

Select the type of roles that are allowed for this user or group. The following Administrative roles (Access Control Groups) are predefined.

Note: Every account should be assigned one (or more) roles. An account without a role does NOT function.
Role: Permissions / Access

  • Super User: All Manager applications and devices. No access to user data.
  • System Administrator: All Manager functions except the Security tab. No access to user data.
  • Security Officer: Security only. Add, delete, and modify users. No access to Security vault access permissions, Super User or Security roles, system configuration, operation, or user data.
  • Operator: All Manager monitoring-only functions. Cannot change the configuration of the system. No access to user data. In addition to monitoring functions, an account assigned the Operator role can access all reports, including configuring automatic emailing, generating and exporting reports, and sending them by email (once configured).
  • Service Account: Needed for container accounts for Service API access.
  • Vault Provisioner: Create and delete vaults by using the Provisioning API. This role alone does not grant access to the Cloud Object Storage Manager interface.
  • Storage Account Administrator: Allows access to the Storage Account Portal while in Container Mode.

These roles allow the following manager application access:

Monitor                Configure              Security           Settings
Super User             Super User             Super User         Super User
System Administrator   System Administrator   Security Officer   System Administrator
Operator                                                         Operator

Note:
  • The Operator role has visibility to the Monitor tab and to the Reports section in the Settings tab. The Security Officer role has visibility to the Security tab. The default Super User account cannot be deleted.
  • The Storage Account Administrator role only has access to the Storage Accounts page.

Vaults

The list of vaults can be filtered by using one or more of the following options:

  1. Vault Type field to select one or more vault types if available (Management, Mirror, Standard, Service, Container).
  2. Tags field to select one or more available tags.
  3. Search field to search for vaults that match a custom input string.

Click Clear Filters to clear the filters that are selected in Vault Type and Tags fields. Click Hide/Show Filters to toggle the display of the filters. The number of items that are shown in the list per page can be changed by using Show rows and page forward ">" and page back "<" to scroll through the list.

Clicking the Plus icon on the column header shows the tags for all the vaults in the list. Clicking the Plus icon next to a specific vault displays its associated tags.

The list can be sorted by Vault and Creation Date.

Create Private Account

Click Configure to create a private account to access locked vaults that are used for WORM compliance along with third-party applications.

Authentication Mechanisms

Press Configure to enable or disable the use of passwords, access key authentication, or hiding secret access keys for user authentication against system devices.

Event Console

The Event Console is similar to an event log and displays the most recent 50 events (most recent first), based on the context defined by the Current Filters. The Current Filters are selected via the Advanced Search (Pressing Advanced Search opens/closes the display). After the filters are selected, press Search to view the corresponding events. The default context is a single filter that indicates a time range that represents the last week. Selecting the “x” on a filter removes the filter and automatically initiates a new search, establishing a new context. Click Show Audits to include 30 days of audit information with the events. Audits can be filtered via Advanced Search.

Click Show More to display more events in increments of 50. Use the Remove/Add scroll bar to hide/add back the inner scroll bar in the display.

Select Export to create a .csv (comma-separated values) file for use with spreadsheet applications. The export file, limited to the most recent 50000 events, contains all events, regardless of the severity filter setting. Events can also be forwarded to an email account based on severity, frequency, and timing. Use the Preference menu to configure this function to the wanted operation.

Note: A New Event Count (#) prefix is added to the HTML title tag in the browser when new events exist in the Event Console. After the New Events link is selected, the count disappears until a new event occurs.

In Advanced Search, the Message text box accepts standard text and operates in Quick Mode by default. This mode will return results faster compared to the older legacy mode. When using this mode, an "AND" search is done on the individual search terms provided. For example, if you search for "device hostname", the results will contain both the word "device" and the word "hostname".

Searching with Quick Mode returns results significantly faster than legacy mode, so it is recommended for most searches.

When Quick Mode is disabled, the search switches to the legacy mode, which allows either standard text or regular expressions (a special pattern that specifies a set of strings; see http://en.wikipedia.org/wiki/Regular_expression for an overview). When you use standard text (Regular expression box cleared), an "AND" search is done on the individual terms that are provided in the text box: events that contain all of the terms, in any order, are returned.

Alternatively, a search based on regular expressions can be initiated. It is accomplished by entering a regular expression in the Message text box, selecting the Regular expression box, and clicking Search. Several examples of regular expressions are provided.

Table 1. Regular expression examples

  • "OR" function: usage|space (matches events with usage or space). Note: the vertical bar separates alternatives.
  • Matching the preceding character zero or one time: file? (matches events that contain fil or file, such as file system). Note: in addition to "?", the "*" and "+" characters can be used to match a set of strings.
  • Bracket construct: slices[te] (matches events with terms such as slicestor and sliceserver). Note: the items in the brackets are interpreted as "t" or "e".
  • One term followed by another: reporting status (matches events with "reporting status"). Note: this pattern requests a match based on a specific ordering, one term after another. It is a constrained "AND" search.
  • Combining parentheses with a preceding element zero or one time: r(eb)?oot (matches events with root and reboot).

Numerous other constructs can be used as part of regular expressions, which are not described. An error occurs if an invalid regular expression is provided.
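The two Message search behaviours described above (Quick Mode's any-order "AND" on individual terms, and legacy mode's regular-expression matching, including the Table 1 patterns and the error for an invalid expression) can be modelled in a few lines. The following Python is an added example written for this page, not code from the IBM Cloud Object Storage Manager; the event summaries are constructed sample data, and case-insensitive matching is an assumption, since the page does not state how the product treats letter case.

```python
import re

# Constructed sample Event Console rows (not product output): (severity, summary).
SAMPLE_EVENTS = [
    ("Warning", "Vault usage is above 80 percent of allocated space"),
    ("Error", "Slicestor device hostname slicestor-01 not reporting status"),
    ("Information", "Device hostname accesser-02 reboot completed"),
    ("Critical", "Root file system on sliceserver is read-only"),
    ("Information", "Filesystem check scheduled for disk in bay 3"),
    ("Cleared", "Slicestor device slicestor-01 reporting status again"),
]


def quick_mode_search(events, text):
    """Quick Mode: split the text into terms and keep events whose summary
    contains every term, in any order (an unordered "AND" search).
    Case-insensitive comparison is an assumption made for this example."""
    terms = text.lower().split()
    if not terms:
        return list(events)
    return [e for e in events if all(t in e[1].lower() for t in terms)]


def is_valid_pattern(text):
    """True if the text compiles as a regular expression; the UI reports an
    error for an invalid expression, modelled here as a False result."""
    try:
        re.compile(text)
        return True
    except re.error:
        return False


def legacy_search(events, text, regular_expression=False):
    """Legacy mode: with the Regular expression box cleared, the text behaves
    like Quick Mode; with it selected, the text is compiled as a pattern and
    matched anywhere in the summary, so term order now matters.
    An invalid pattern raises re.error (the UI shows an error instead)."""
    if not regular_expression:
        return quick_mode_search(events, text)
    pattern = re.compile(text, re.IGNORECASE)  # case-insensitivity is assumed
    return [e for e in events if pattern.search(e[1])]


def summaries(results):
    """Convenience: just the summary strings of a result list."""
    return [summary for _, summary in results]


if __name__ == "__main__":
    # Quick Mode: both words must appear, in any order.
    print(summaries(quick_mode_search(SAMPLE_EVENTS, "device hostname")))
    # Legacy regex mode, using the Table 1 patterns.
    for pat in ("usage|space", "file?", "slices[te]", "reporting status", "r(eb)?oot"):
        print(pat, "->", summaries(legacy_search(SAMPLE_EVENTS, pat, True)))
    # An unbalanced bracket is rejected, as the page says invalid expressions are.
    print("slices[ valid?", is_valid_pattern("slices["))
```

Running the block shows the difference the Regular expression box makes: "status reporting" as Quick Mode text still finds the two reporting-status events because order is ignored, while the same string as a regular expression matches nothing because legacy regex mode requires that exact ordering.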

Event Console Details

For each event, the display shows Status [Severity], Summary [Description], and Time [Occurrence], including the amount of time elapsed relative to the current time. When an event is selected, a detailed view of it is shown within this box. An event might occur multiple times; the count appears in a rectangular box (Count) next to the event. Older events that were migrated from an earlier Manager version are denoted with an asterisk (*).

Times are shown in GMT (Greenwich Mean Time) by default. Use the Preference menu to change the display to local time.

Severity Key - Red = Critical, Orange = Error, Yellow = Warning, Blue = Information, Green = Cleared  

Selecting a cleared event displays all related events. Selecting any of the related events in the Event Console displays the same collection of events as the cleared event. In addition, the duration from the time the event occurred until the time it was cleared is displayed.

Clicking any event in the Event Console displays additional information on the event.

Example - Click a diagnostic disk event to show the suspend reason: List Disk Suspend Codes.

Note: Virtual device disk events reference the device name, instead of bay string and drive serial number.
Note: Only a Security Officer account (or a Super User account) can access the Audit Search utility.
Attention: Any time a device is added or a vault, site, cabinet, or an administration configuration is changed, the Manager device must be backed up by navigating to Settings > Operations > Backup Manually. Permanent data loss can occur if the Manager database becomes corrupted. Periodic backups must also be performed to preserve historical statistics and log information. For details, click the Settings tab, and navigate to Operations > Backup Configuration.