Managing secure user accounts

Follow these recommended practices for managing secure user accounts.

Procedure

Complete the following steps to achieve the level of secure access for users that is required for your storage system.

  1. Assign two or more storage administrators and two or more security administrators to manage your storage system. To preserve the dual control that is recommended for recovery key management, do not assign both storage administrator and security administrator roles to the same user. Change the password for both the default storage administrator and default security administrator user accounts, or delete the default user account after user accounts for other administrators are created.
  2. Create one user account for each user who is authorized to access your storage system. Do not share a single user account between multiple users.
  3. Assign appropriate user roles and scopes to user accounts in accordance with the storage management responsibilities of the user.
  4. Review the configurable user ID policies, and set the policies in accordance with your security objectives. The default settings are consistent with IBM-recommended user ID and password policies and practices.
  5. For applications that require network access to the storage system, assign a unique user ID (an ID that is not assigned to any other user). You can assign different user IDs for different software applications or different servers so that actions can be distinguished by user ID in the audit logs.
  6. It is recommended to use remote authentication so that the user accounts are centralized and easily managed. For instance, you can revoke access to a user from multiple systems in a single step. You can use remote authentication that is provided by the following:
    • LDAP server.
    • Copy Services Manager (CSM) as a proxy for an LDAP server.
    • Multi-factor authentication (MFA) with RSA SecurID Authentication Manager.
    • Multi-factor authentication with Direct LDAP+RSA SecurID Authentication Manager.

    When you set up an LDAP server, use a secure channel, Transport Layer Security (TLS), and keep a local administrator account enabled. Three authentication methods can be used when you configure LDAP: Simple, Anonymous, and Direct authentication. Direct authentication is recommended.

    To configure LDAP, the storage administrator requires the following information from an LDAP administrator:
    • LDAP server name and port number.
    • User and groups base for Distinguished Name (DN) lookup.
    • A bind user DN and password if Simple authentication is used.
    • Username attribute for logging in.
    • Group name attribute and group membership attribute.
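The account practices in steps 1 through 5 can be checked mechanically against an exported user list. The following script is an added example, not IBM code: the account records are constructed inline to resemble such an export, and the role labels `storage_admin` and `security_admin` (plus the `monitor` role for the application account) are assumed names, not the storage system's own role identifiers.

```python
"""Audit a user-account export against the recommended account practices.

Added example (not IBM code). Checks: duplicate user IDs (steps 2 and 5),
at least two holders of each administrator role, no user holding both
administrator roles (dual control), and no default account left with its
default password (step 1). Role labels below are assumptions.
"""
from collections import Counter

STORAGE_ADMIN = "storage_admin"     # assumed role label
SECURITY_ADMIN = "security_admin"   # assumed role label

# Constructed sample export of user accounts (not from a real system).
ACCOUNTS = [
    {"user_id": "admin",      "roles": {STORAGE_ADMIN},
     "default_account": True,  "password_changed": False},
    {"user_id": "secadmin",   "roles": {SECURITY_ADMIN},
     "default_account": True,  "password_changed": True},
    {"user_id": "alice",      "roles": {STORAGE_ADMIN},
     "default_account": False, "password_changed": True},
    {"user_id": "bob",        "roles": {STORAGE_ADMIN, SECURITY_ADMIN},
     "default_account": False, "password_changed": True},
    {"user_id": "backup_app", "roles": {"monitor"},
     "default_account": False, "password_changed": True},
    {"user_id": "backup_app", "roles": {"monitor"},   # same ID reused by a second server
     "default_account": False, "password_changed": True},
]


def audit_accounts(accounts):
    """Return a list of (finding_code, user_id) tuples; an empty list means compliant."""
    findings = []

    # Steps 2 and 5: one account per user, one unique ID per application/server.
    for user_id, count in Counter(a["user_id"] for a in accounts).items():
        if count > 1:
            findings.append(("DUPLICATE_ID", user_id))

    # Step 1: at least two distinct holders of each administrator role.
    storage_admins = {a["user_id"] for a in accounts if STORAGE_ADMIN in a["roles"]}
    security_admins = {a["user_id"] for a in accounts if SECURITY_ADMIN in a["roles"]}
    if len(storage_admins) < 2:
        findings.append(("TOO_FEW_STORAGE_ADMINS", None))
    if len(security_admins) < 2:
        findings.append(("TOO_FEW_SECURITY_ADMINS", None))

    for account in accounts:
        # Step 1: dual control means nobody holds both administrator roles.
        if {STORAGE_ADMIN, SECURITY_ADMIN} <= account["roles"]:
            findings.append(("DUAL_ROLE", account["user_id"]))
        # Step 1: a default account must have its password changed (or be deleted).
        if account["default_account"] and not account["password_changed"]:
            findings.append(("DEFAULT_PASSWORD", account["user_id"]))
    return findings


if __name__ == "__main__":
    for code, user_id in audit_accounts(ACCOUNTS):
        print(code, user_id or "")
```

Run against the constructed export, the audit reports the reused `backup_app` ID, the `admin` default account whose password was never changed, and `bob` holding both administrator roles; the two-per-role check passes because three users hold each role.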
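To show how the LDAP details listed above fit together, here is an added example (not IBM code and not the storage system's own LDAP client). It validates the configuration against the recommendations in step 6 (TLS on, no anonymous bind, bind DN and password present when Simple authentication is used) and then performs the two lookups the parameters exist for: find the user's DN under the user base by the username attribute, then find the groups under the group base whose membership attribute names that DN. The directory, the host name, the DNs and the attribute names (`uid`, `cn`, `member`) are constructed and follow common directory conventions; they are assumptions, not values from the page.

```python
"""Validate an LDAP configuration and resolve a login to group names.

Added example (not IBM code). The directory is an in-memory dictionary so
the example runs offline; a real system would issue equivalent LDAP searches
over TLS. All names below are constructed.
"""

LDAP_CONFIG = {
    "server": "ldap.example.com",   # constructed host name
    "port": 636,
    "tls": True,
    "auth_method": "simple",        # "simple", "anonymous" or "direct"
    "bind_dn": "cn=storage-bind,ou=service,dc=example,dc=com",
    "bind_password": "<placeholder>",
    "user_base": "ou=people,dc=example,dc=com",
    "group_base": "ou=groups,dc=example,dc=com",
    "username_attr": "uid",         # attribute the login name is matched against
    "group_name_attr": "cn",        # attribute that carries the group's name
    "member_attr": "member",        # attribute that lists member DNs
}

# Constructed directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob"]},
    "cn=storage-admins,ou=groups,dc=example,dc=com": {
        "cn": ["storage-admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=security-admins,ou=groups,dc=example,dc=com": {
        "cn": ["security-admins"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
}


def check_config(cfg):
    """Return a list of problems; an empty list means the settings follow the recommendations."""
    problems = []
    if not cfg.get("tls"):
        problems.append("TLS disabled: credentials and lookups cross the network in clear text")
    if cfg.get("auth_method") == "anonymous":
        problems.append("anonymous bind: directory lookups are unauthenticated")
    if cfg.get("auth_method") == "simple" and not (cfg.get("bind_dn") and cfg.get("bind_password")):
        problems.append("simple authentication requires a bind user DN and password")
    for key in ("server", "port", "user_base", "group_base",
                "username_attr", "group_name_attr", "member_attr"):
        if not cfg.get(key):
            problems.append(f"missing setting: {key}")
    return problems


def search(directory, base, attr, value):
    """Equality search (attr=value) for entries below base; returns matching DNs.

    Simplification: DN and value comparison is case-sensitive here, whereas a
    real directory normally compares DNs case-insensitively.
    """
    return [dn for dn, attrs in directory.items()
            if dn.endswith("," + base) and value in attrs.get(attr, [])]


def resolve_groups(cfg, directory, login):
    """Map a login name to the sorted group names, or None if the user is unknown/ambiguous."""
    user_dns = search(directory, cfg["user_base"], cfg["username_attr"], login)
    if len(user_dns) != 1:      # no match or more than one match: refuse the login
        return None
    user_dn = user_dns[0]
    group_dns = search(directory, cfg["group_base"], cfg["member_attr"], user_dn)
    return sorted(directory[dn][cfg["group_name_attr"]][0] for dn in group_dns)


if __name__ == "__main__":
    print("config problems:", check_config(LDAP_CONFIG))
    for login in ("alice", "bob", "mallory"):
        print(login, "->", resolve_groups(LDAP_CONFIG, DIRECTORY, login))
```

The group names returned by `resolve_groups` are what the storage system would map to user roles and scopes (step 3); a login that matches no entry, or more than one, is refused rather than guessed, which is why the username attribute should identify each user uniquely.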