User roles

A user role is a set of privileges that is assigned to a user or user group to allow the user or user group to perform certain tasks and manage certain sessions.

To be assigned to a role, each user or group of users must have a valid user ID or group ID in the user registry on the management server.

Both individual users and a group of users can be assigned to a role. All users in a group are assigned the role of the group. If a user is assigned to one role as an individual and a different role as a member of a group, the user has access to the permissions of the role that has greater access.

Restricting access to sessions prevents unwarranted administrative access. This is especially useful in an open environment, where there can be many storage administrators who are responsible for their servers, applications, databases, file systems, and so on.

By default, the user that was defined during installation is granted access to Copy Services Manager and assigned to the Administrator role.

Copy Services Manager provides a set of predefined user roles: Monitor, Operator, User Administrator and Administrator.

For information on assigning and modifying user roles, see Managing security.

Monitor

Monitors can view the health and status in the Copy Services Manager GUI and CLI; however, they cannot modify or perform any commands or actions.

Monitors can view the following information:
  • All storage systems and storage system details
  • All connections and connection details
  • All sessions and session details
  • All path information
  • Management server status and details
When should a Monitor be used:
A user or group should be set to a Monitor when you only want to provide that user or group the ability to view the status of the sessions and various server connections. Examples might include upper management or an external team that does not directly manage the replication, but might need to know whether their data is currently protected.

Operator

Operators can manage and monitor only the sessions to which they have been assigned. They can perform the following actions on their assigned sessions:
  • Adding or removing a session. The user ID that created the session is automatically granted access to manage that session.
  • Performing actions on an assigned session, such as start, flash, terminate, and suspend.
  • Modifying session properties.
  • Adding copy sets to a session. The session operator can add volumes to a copy set only when the volume is not protected and not in another session.
    Note: Starting with Copy Services Manager 6.2.10, operators can no longer add copy sets to a session. This new behavior prevents operators from adding volumes that are in use, or are meant for another session or operator, including in multi-tenancy environments. Because Copy Services Manager sees all the volumes on a storage system, an administrator needs to add the copy sets to ensure that volumes are used by the correct sessions and operators.
  • Removing copy sets from a session.
  • Adding Peer To Peer Remote Copy (PPRC) paths, and removing paths with no hardware relationships. PPRC paths are a common resource used in Copy Services Manager sessions and also in a DS8000® storage system relationship that is established between two common logical subsystems (LSSs).
    Notes:
    • The session operator cannot issue a force removal of a path.
    • A path can also be auto-generated when starting a session.
  • Monitoring health and status, including viewing the following information:
    • All storage systems and storage system details
    • All connections and connection details
    • All sessions and session details
    • All path information
    • Management server status and details
  • Packaging program error (PE) log files

When you select the Operator role, you must indicate which sessions the Operator has access to. You can either choose individual sessions from a list of sessions, or select the all sessions option. If you select all sessions, then the Operator will have the ability to manage all existing sessions, as well as automatically managing any new sessions that get created.

When should an Operator be used:
A user or group should be set to an Operator when you only want to provide that user or group the ability to manage one or more sessions, but not the ability to manage higher level features, such as user access or server connections. Examples might include a multi-tenancy situation where more than one group is using the same Copy Services Manager server for replication, and you do not want one group to affect the replication of another.
The session Operator can also be used to provide a more-secure environment when combined with the User Administrator role. An Administrator is required for the initial setup of the server to create storage system connections, and so on. After all the connections are established, an Administrator can assign one or more users to the User Administrator role. The User Administrator can then remove Administrator privileges of the original Administrator, thereby making that Administrator an Operator.
This design creates a situation where you have User Administrators and Session Operators, but no one with all-encompassing Administrator access. A User Administrator might need to make individuals Administrators from time to time if server modifications need to be made. However, this action would require approval from the User Administrator; thereby creating a more-secure environment.

User Administrator

User Administrators do not have permissions to manage sessions, storage systems, and so on. User Administrators only have permission to manage the permissions for other users or groups, including:
  • Creating and removing basic users
  • Granting permissions to users and groups of users
  • Managing LDAP or Active Directory authentication
  • Packaging program error (PE) log files
Note: User Administrators cannot modify their own administrative access rights.
When should a User Administrator be used:
A user or group should be set to a User Administrator when you only want to provide that user or group the ability to manage the permissions of other users on the server.
You are not required to assign a User Administrator, because the Administrator role also allows a user to manage the permissions of others. However, you might want to separate the ability to manage permissions from the ability to manage sessions for security reasons. Examples might include environments where security for all servers is managed by a common group outside of the actual storage management group.

Administrator

Administrators have unrestricted access. They can manage all sessions and perform all actions associated with Copy Services Manager, including:
  • Granting permissions to users and groups of users
  • Adding or removing a session. The user ID that created the session is automatically granted access to manage that session.
  • Performing actions on all sessions, such as start, flash, terminate, and suspend
  • Modifying session properties
  • Adding and removing copy sets from a session. The administrator can add volumes to a copy set only when the volume is not protected and not in another session.
  • Protecting volumes and removing volume protection
  • Adding or removing storage system connections
  • Modifying connection properties
  • Assigning or changing storage system locations
  • Uploading new certificates in the GUI
  • Adding PPRC paths and removing paths with no hardware relationships. PPRC paths are a common resource used in Copy Services Manager sessions and also in a DS8000 storage-system relationship that is established between two common logical subsystems (LSSs).
    Note: A path can also be auto-generated when starting a session.
  • Managing management servers. The standby management server is a common resource that is available to multiple sessions.
  • Packaging program error (PE) log files
  • Monitoring health and status, including viewing the following information:
    • All storage systems and storage system details
    • All connections and connection details
    • All sessions and session details
    • All path information
    • Management server status and details
Note: Administrators cannot revoke their own administrative access rights.
When should an Administrator be used:
A user or group should be set to an Administrator when you want that user or group to have all permissions on the server, including granting new permissions to other users, or managing replication sessions. Examples include environments where the same user or group that is managing the replication is also managing the security for the server.

Automation

Automation users have Administrator-level access to the server but do not have permission to use the User Administrator commands. Administrators can specify whether Automation users can log in using the GUI, the CLI, or both. Automation users can always log in with the REST API. Automation users can perform the following actions on all sessions:
  • Create or delete sessions
  • Add copy sets to or remove copy sets from sessions
  • Issue commands to sessions
  • View all sessions and modify properties
  • Create log packages
  • Create database backups
  • Create hardware connections
  • Manage active and standby servers
  • Manage, create, delete, and run scheduled tasks
Automation users cannot perform the following actions:
  • Create new users
  • Change authority for existing users
  • Add LDAP-based users
  • Export license keys
  • Manage notifications, such as setting up SNMP or email alerts
  • Set up DS8000 heartbeat
Warning: When dual control is enabled, Automation users can issue commands without a second user's approval. Implement the Automation role together with dual control only if the automation tool has significant security to prevent any malicious user from bypassing Copy Services Manager dual control through the automation tool.
Automation user for running scheduled tasks only
In addition to allowing the Automation user access through the CLI and GUI, the Administrator can also limit the Automation user to running scheduled tasks only. To do so, the Administrator must select the Only run Scheduled Tasks check box while creating a new Automation user. When the Only run Scheduled Tasks check box is selected, the Allow GUI access check box is disabled. Automation users that are created to run scheduled tasks only can log in through either the REST API or the CLI.
When should an Automation user be used:
A user or group should be set to Automation when the user or group is meant for running commands through external automation. This user role bypasses dual control for commands that are issued through an external automation tool. Examples include setting up automation through a Copy Services Manager CLI script that is invoked by a batch job. You can define the script to use an Automation user so that a second user does not have to approve the command if dual control is enabled on the server. Likewise, when setting up automation through an Ansible playbook, you can define the calls to use an Automation user so that a second user does not have to approve the command if dual control is enabled on the server.
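
The following is an added example, not IBM code: a Python audit of role assignments against the separation described under Operator (no standing Administrator) and the dual-control warning under Automation. The input layout, field names, finding names and the policy choices are assumptions made for this example, the sample assignments are constructed, and nothing here calls a Copy Services Manager interface.

```python
# Constructed sample data: not exported from a real Copy Services Manager server.
GROUPS = {"storage-ops": {"alice", "bob"}, "sec-team": {"carol"}}
ASSIGNMENTS = [
    # Hypothetical record layout: principal, kind, role, plus role-specific settings.
    {"principal": "csmadmin", "kind": "user", "role": "Administrator"},
    {"principal": "storage-ops", "kind": "group", "role": "Operator", "sessions": "ALL"},
    {"principal": "bob", "kind": "user", "role": "Administrator"},
    {"principal": "sec-team", "kind": "group", "role": "User Administrator"},
    {"principal": "dave", "kind": "user", "role": "Monitor"},
    {"principal": "ansible", "kind": "user", "role": "Automation",
     "gui": True, "scheduled_only": False},
    {"principal": "batch", "kind": "user", "role": "Automation",
     "gui": False, "scheduled_only": True},
]


def expand(assignments, groups):
    """Yield (user, assignment) for every direct and group-derived assignment."""
    for a in assignments:
        if a["kind"] == "group":
            members = groups.get(a["principal"], set())
        else:
            members = {a["principal"]}
        for user in sorted(members):
            yield user, a


def audit(assignments, groups, dual_control=True, multi_tenant=True):
    """Return sorted (finding, user, granted_via) tuples for the hardened model."""
    findings = set()
    for user, a in expand(assignments, groups):
        via = a["principal"]
        if a["role"] == "Administrator":
            # Administrator is unrestricted, so it wins over any other role held.
            findings.add(("STANDING_ADMINISTRATOR", user, via))
        elif a["role"] == "Automation" and dual_control:
            # Automation commands need no second approval. Policy assumed here:
            # accept only identities limited to scheduled tasks with no GUI login.
            if a.get("gui") or not a.get("scheduled_only"):
                findings.add(("AUTOMATION_BYPASSES_DUAL_CONTROL", user, via))
        elif a["role"] == "Operator" and multi_tenant and a.get("sessions") == "ALL":
            # "All sessions" also covers sessions created later by other tenants.
            findings.add(("OPERATOR_ALL_SESSIONS", user, via))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, GROUPS):
        print(*finding)
```

In the sample, bob is reported as a standing Administrator even though his group is only an Operator, which is the "role that has greater access" rule applied to a direct assignment.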