Setting up user accounts by using the DS CLI
This task describes how to set up a user account. You must have administrator authority to enable this function.
Before you begin
The default administrator and security administrator accounts are set up automatically at the time of installation. To access the storage administrator account, use the user name admin and the default password admin. To access the security administrator account, use the user name secadmin and the default password secadmin. These passwords are temporary and expire after their initial use. You must change the password before you can use any of the other functions.
The storage administrator can assign a user to one or more user roles, except for the security
administrator role. Only the security administrator can assign a user to the security administrator
role. The user roles and the associated functions that are allowed by the assignment are as
follows:
- admin (Administrator)
- All users that you assign to the storage administrator user role have access to all storage image resources except those that are reserved for security administrator users.
- ibm_engineering (Engineering)
- This user role is typically assigned to IBM® support personnel that perform all service functions and other functions that might be needed. This role does not have access to the logical configuration or data on the storage system.
- ibm_service (Service)
- This user role is typically assigned to IBM support personnel that service the hardware (install, remote, or repair) and update firmware. This role does not have access to the logical configuration or data on the storage system. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
- op_volume (Logical Operator)
- The logical operator user role allows access to service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, logical volumes, and volume groups, excluding security methods. In addition, this user role inherits all authority of the monitor user role.
- op_storage (Physical Operator)
- The physical operator user role allows access to physical configuration service methods and resources, including storage complex, storage image, array, rank, and extent pool objects. This user role inherits all the authority of the Copy Services operator and logical operator user roles, excluding security methods.
- op_copy_services (Copy Services Operator)
- The Copy Services operator user role allows access to all Copy Services service methods and resources, excluding security methods. In addition, this user role inherits all authority of the monitor user role.
- monitor (Monitor)
- The monitor user role allows access to list and show commands. It provides access to all read-only, nonsecurity management console-server service methods and resources.
- no_access (No Access)
- The no_access user role does not allow access to any service methods or storage image resources. By default, this user role is assigned to any user account in the security repository that is not associated with any other user role.
- secadmin (Security Administrator)
- All users that you assign to the security administrator user role can initiate recovery key operations and add other users to this role. Users in this role cannot be assigned to any other user role, and users in any other user role cannot be assigned to this role.
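The role rules above (inheritance between operator roles, the two roles that cannot be combined with others, and who may assign secadmin) can be checked before an account is created. The following Python code is an added example, not IBM code or part of the DS CLI; the function names are hypothetical, and treating the storage administrator as the assigner of every role other than secadmin is an assumption drawn from the text above.

```python
# Added example: encodes the role rules stated on this page. Names are hypothetical.
INHERITS = {
    "op_volume": {"monitor"},
    "op_copy_services": {"monitor"},
    "op_storage": {"op_copy_services", "op_volume"},
}
KNOWN = {"admin", "ibm_engineering", "ibm_service", "op_volume", "op_storage",
         "op_copy_services", "monitor", "no_access", "secadmin"}
EXCLUSIVE = {"secadmin", "ibm_service"}  # cannot be combined with any other role


def effective_roles(assigned):
    """Expand assigned roles with everything they inherit; no role means no_access."""
    if not assigned:
        return {"no_access"}
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS.get(role, ()))
    return seen


def check_assignment(assigner_role, requested):
    """Return the list of rule violations for a proposed role assignment."""
    requested = set(requested)
    problems = [f"unknown role: {r}" for r in sorted(requested - KNOWN)]
    for r in sorted(requested & EXCLUSIVE):
        if len(requested) > 1:
            problems.append(f"{r} cannot be combined with other roles")
    if "secadmin" in requested and assigner_role != "secadmin":
        problems.append("only a security administrator can assign secadmin")
    # Assumption: roles other than secadmin are assigned by a storage administrator.
    if requested - {"secadmin"} and assigner_role != "admin":
        problems.append("assigning these roles requires the admin role")
    return problems
```

An empty list from `check_assignment` means the request is consistent with the rules; `effective_roles` shows what a user can actually reach, which is the set to review when auditing accounts.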
Permission | Administrator | Copy operator | IBM Engineering | IBM Service | Logical operator | Logical and copy operator | Physical operator | Security administrator | |
---|---|---|---|---|---|---|---|---|---|
Arrays and Pools | |||||||||
Create pools and assign arrays | X | X | |||||||
Manage pools and arrays | X | X | |||||||
Delete pools and unassign arrays | X | X | |||||||
IBM Z® Volumes and LSSs | |||||||||
Configure IBM Z volumes and LSSs | X | X | X | X | |||||
Manage IBM Z volumes and LSSs | X | X | X | X | |||||
Delete and reinitialize IBM Z volumes | X | X | X | X | |||||
Open System Volumes | |||||||||
Configure open system volumes | X | X | X | X | |||||
Manage open system configuration | X | X | X | X | |||||
Delete open system configuration | X | X | X | X | |||||
IBM i Volumes and LSSs | |||||||||
Configure IBM i configuration | X | X | X | X | |||||
Manage IBM i configuration | X | X | X | X | |||||
Delete and reinitialize IBM i configuration | X | X | X | X | |||||
Local and Remote Access Management | |||||||||
Manage security administrators | X | ||||||||
Manage local user accounts | X | ||||||||
Manage user roles | X | ||||||||
Manage remote authentication | X | ||||||||
Manage network security | X | X | X | X | |||||
Notifications and Monitoring | |||||||||
Manage SNMP trap notifications | X | ||||||||
Manage system events | X | ||||||||
Offload audit log | X | ||||||||
Manage call home | X | ||||||||
Manage syslog settings | X | X | X | ||||||
Remote Support | |||||||||
Manage Remote Support Center (RSC) connection | X | ||||||||
Manage Assist On-Site (AoS) connection | X | X | X | ||||||
Change HMC access settings | X | X | X | X | |||||
Troubleshooting | X | X | X | ||||||
System Settings | |||||||||
Manage Fibre Channel port settings | X | X | X | X | |||||
Manage Fibre Channel port security | X | ||||||||
Manage system settings | X | X | X | X | |||||
Install software | X | ||||||||
Power off system | X | X | X | X | X | X | |||
Encryption | |||||||||
Manage data at rest encryption | X | X | |||||||
Create data at rest recovery key | X | ||||||||
Manage Fibre Channel Port Endpoint Security | X | X | |||||||
Feature Settings | |||||||||
Modify Ethernet settings | X | X | X | ||||||
Modify Easy Tier® settings | X | X | X | ||||||
Modify zHyperLink settings (Note: Not available on DS8882F systems.) | X | ||||||||
Manage resource group settings | X | X | X | X | |||||
Manage performance group settings | X | ||||||||
Manage cloud settings | X | ||||||||
FlashCopy® | |||||||||
Manage FlashCopy relationships | X | X | X | ||||||
Manage remote FlashCopy relationships | X | X | X | ||||||
Mirroring and Paths | X | ||||||||
Manage mirroring paths | X | X | X | ||||||
Manage mirroring relationships | X | X | X | ||||||
Modify LSS CS settings | X | X | X |
In addition to assigning users to one or more user roles, you also must assign a default password
to each user. When you notify users of their role assignment and default password, indicate that the
default password is only good for the initial logon. Users must change the password at the time of
their initial logon. Also, remind all users to record their password in a safe place because there
is no way that the administrator or the application can retrieve a password.
Note: You must change the default password for an account, including the administrator account, to be able to use any CLI command other than the one to change the password. See the chuser command for more information.