User roles

A user role is a level of access, assigned by the administrator, that allows users to initiate certain functions and access certain resources.

When a user account is created, the administrator must specify an initial password for the account. The initial password expires immediately, which means that the account user must change the password before they are allowed to initiate any other actions. This immediate expiration applies to all account roles, including Administrators.

The user must be assigned to at least one role. Users can be assigned to multiple roles or combinations of roles (DS CLI only). Roles with the label No Access (only) cannot be selected in combination with another role.

Administrators can make the following role assignments. Table 1 provides specific capabilities for each role.
Administrator
This user role (also referred to as the storage administrator) has the highest level of authority. It allows a user to add or remove user accounts. This role has access to all service functions and DS8000® resources, and all DS8000 storage image resources except those functions that are reserved for Security Administrator users. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Copy Services operator
This user role has access to all Copy Services functions and resources, excluding security functions. This role can be assigned in combination with the Logical Operator role, but not in combination with any other role.
IBM Engineering
This user role is typically assigned to IBM® support personnel that perform all service functions and other functions that might be needed by IBM support on the DS8000. This role does not have access to the logical configuration or data on the storage system.
IBM Service
This user role is typically assigned to IBM support personnel that service the hardware (install, remove, or repair) and update firmware on the DS8000. This role does not have access to the logical configuration or data on the storage system. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Logical operator
This user role has access to resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions. This role can be assigned in combination with the Copy Services Operator role, but not in combination with any other role.
Logical and copy operator
This user role includes the permissions for both the logical operator and copy operator roles. This role has access to resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions. This role also has access to all Copy Services functions and resources, excluding security functions.
Monitor
This user role has access to all read-only, non-security service functions and all DS8000 resources. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Physical operator
This user role has access to resources that are related to physical configuration, including storage complex, storage unit, storage image, management console, arrays, ranks, and extent pools. The Physical Operator role does not have access to security functions. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Security administrator
This user role allows users to initiate recovery key operations, and add other users to this role. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role. Only the security administrator can manage users for this role.
No access
This user role has no access to any service functions or DS8000 resources. This role is the default selection and is assigned to a user account that is not associated with any other user role. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role. You can manage this role from the DS CLI only.
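The combination rules in the role descriptions above can be checked mechanically during an access review. The following is an added example, not IBM code: it audits a constructed user-to-roles export against those rules, and the export format, function names and sample accounts are assumptions.

```python
# Added example: role names are taken from this page; the account export
# format (user -> list of role names) and the sample data are constructed.

# Roles the page says cannot be combined with any other role.
EXCLUSIVE = {"Administrator", "IBM Service", "Monitor", "Physical operator",
             "Security administrator", "No access"}
# The one pairing the page explicitly permits.
PAIR = {"Copy Services operator", "Logical operator"}
# Roles for which the page states no combination rule.
UNSTATED = {"IBM Engineering", "Logical and copy operator"}
KNOWN = EXCLUSIVE | PAIR | UNSTATED


def audit_roles(roles):
    """Return findings for one account's role set; an empty list means OK."""
    roles = set(roles)
    if not roles:
        return ["no role assigned: a user must hold at least one role"]
    findings = [f"unknown role: {r}" for r in sorted(roles - KNOWN)]
    known = roles & KNOWN
    if len(roles) > 1:
        for r in sorted(known & EXCLUSIVE):
            findings.append(f"{r}: cannot be combined with any other role")
        for r in sorted(known & PAIR):
            if roles - PAIR:  # paired with something other than its partner
                partner = (PAIR - {r}).pop()
                findings.append(f"{r}: combinable only with {partner}")
        for r in sorted(known & UNSTATED):
            findings.append(f"{r}: no combination rule stated; review manually")
    return findings


def audit_accounts(accounts):
    """Map each non-compliant user to its list of findings."""
    return {user: found for user, roles in accounts.items()
            if (found := audit_roles(roles))}


SAMPLE = {  # constructed accounts, not real data
    "alice": ["Administrator"],
    "bob": ["Copy Services operator", "Logical operator"],
    "carol": ["Administrator", "Security administrator"],
    "dave": ["Monitor", "Logical operator"],
    "erin": [],
    "frank": ["IBM Engineering", "Physical operator"],
}

if __name__ == "__main__":
    for user, found in audit_accounts(SAMPLE).items():
        for line in found:
            print(f"{user}: {line}")
```

Combinations that involve IBM Engineering or Logical and copy operator are reported for manual review because the role descriptions do not state a rule for them.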
Note: The no access and monitor roles do not include any of the permissions that are listed in the following table.
Table 1. Permissions for roles
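| Permission | Administrator | Copy operator | IBM Engineering | IBM Service | Logical operator | Logical and copy operator | Physical operator | Security administrator |
|---|---|---|---|---|---|---|---|---|
| Arrays and Pools | | | | | | | | |
|   Create pools and assign arrays | X | | | | | | X | |
|   Manage pools and arrays | X | | | | | | X | |
|   Delete pools and unassign arrays | X | | | | | | X | |
| IBM Z® Volumes and LSSs | | | | | | | | |
|   Configure IBM Z volumes and LSSs | X | | | | X | X | X | |
|   Manage IBM Z volumes and LSSs | X | | | | X | X | X | |
|   Delete and reinitialize IBM Z volumes | X | | | | X | X | X | |
| Open System Volumes | | | | | | | | |
|   Configure open system volumes | X | | | | X | X | X | |
|   Manage open system configuration | X | | | | X | X | X | |
|   Delete open system configuration | X | | | | X | X | X | |
| IBM i Volumes and LSSs | | | | | | | | |
|   Configure IBM i configuration | X | | | | X | X | X | |
|   Manage IBM i configuration | X | | | | X | X | X | |
|   Delete and reinitialize IBM i configuration | X | | | | X | X | X | |
| Local and Remote Access Management | | | | | | | | |
|   Manage security administrators | | | | | | | | X |
|   Manage local user accounts | X | | | | | | | |
|   Manage user roles | X | | | | | | | |
|   Manage remote authentication | X | | | | | | | |
|   Manage network security | X | | X | X | | | X | |
| Notifications and Monitoring | | | | | | | | |
|   Manage SNMP trap notifications | X | | | | | | | |
|   Manage system events | X | | | | | | | |
|   Offload audit log | X | | | | | | | |
|   Manage call home | X | | | | | | | |
|   Manage syslog settings | X | | X | X | | | | |
| Remote Support | | | | | | | | |
|   Manage Remote Support Center (RSC) connection | X | | | | | | | |
|   Manage Assist On-Site (AoS) connection | X | | X | X | | | | |
|   Change HMC access settings | X | | X | X | | | X | |
|   Troubleshooting | X | | X | X | | | | |
| System Settings | | | | | | | | |
|   Manage Fibre Channel port settings | X | | X | X | | | X | |
|   Manage Fibre Channel port security | X | | | | | | | |
|   Manage system settings | X | | X | X | | | X | |
|   Install software | X | | | | | | | |
|   Power off system | X | | X | X | X | X | X | |
| Encryption | | | | | | | | |
|   Manage data at rest encryption | X | | X | | | | | |
|   Create data at rest recovery key | | | | | | | | X |
|   Manage Fibre Channel Port Endpoint Security | X | | X | | | | | |
| Feature Settings | | | | | | | | |
|   Modify Ethernet settings | X | | X | X | | | | |
|   Modify Easy Tier® settings | X | | X | | | | X | |
|   Modify zHyperLink settings (Note: Not available on DS8882F systems.) | X | | | | | | | |
|   Manage resource group settings | X | | X | X | | | X | |
|   Manage performance group settings | X | | | | | | | |
|   Manage cloud settings | X | | | | | | | |
| FlashCopy® | | | | | | | | |
|   Manage FlashCopy relationships | X | X | | | | X | | |
|   Manage remote FlashCopy relationships | X | X | | | | X | | |
| Mirroring and Paths | | | | | | X | | |
|   Manage mirroring paths | X | X | | | | X | | |
|   Manage mirroring relationships | X | X | | | | X | | |
|   Modify LSS CS settings | X | X | | | | X | | |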