Setting up user accounts by using the DS CLI

This task describes how to set up a user account. You must have administrator authority to enable this function.

Before you begin

The default administrator and security administrator accounts are set up automatically at the time of installation. To access the storage administrator account, use the user name admin and the default password admin. To access the security administrator account, use the user name secadmin and the default password secadmin. These passwords are temporary and expire after their initial use. You must change the password before you can use any of the other functions. The storage administrator can assign a user to one or more user roles, except for the security administrator role. Only the security administrator can assign a user to the security administrator role. The user roles and the associated functions that are allowed by the assignment are as follows:
admin (Administrator)
All users that you assign to the storage administrator user role have access to all storage image resources except those that are reserved for security administrator users.
ibm_engineering (Engineering)
This user role is typically assigned to IBM® support personnel that perform all service functions and other functions that might be needed. This role does not have access to the logical configuration or data on the storage system.
ibm_service (Service)
This user role is typically assigned to IBM support personnel that service the hardware (install, remote, or repair) and update firmware. This role does not have access to the logical configuration or data on the storage system. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
op_volume (Logical Operator)
The logical operator user role allows access to service methods and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security methods. In addition, this user role inherits all authority of the monitor user role.
op_storage (Physical Operator)
The physical operator user role allows access to physical configuration service methods and resources, including storage complex, storage image, array, rank, and extent pool objects. This user role inherits all the authority of the Copy Services operator and logical operator user roles, excluding security methods.
op_copy_services (Copy Services Operator)
The Copy Services operator user role allows access to all Copy Services service methods and resources, excluding security methods. In addition, this user role inherits all authority of the monitor user role.
monitor (Monitor)
The monitor user role allows access to list and show commands. It provides access to all read-only, nonsecurity management console-server service methods and resources.
no_access (No Access)
The no_access user role does not allow access to any service methods or storage image resources. By default, this user role is assigned to any user account in the security repository that is not associated with any other user role.
secadmin (Security Administrator)
All users that you assign to the security administrator user role can initiate recovery key operations and add other users to this role. Users in this role cannot be assigned to any other user role, and users in any other user role cannot be assigned to this role.
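Table 1. Permissions for roles

| Permission | Administrator | Copy operator | IBM Engineering | IBM Service | Logical operator | Logical and copy operator | Physical operator | Security administrator |
|---|---|---|---|---|---|---|---|---|
| Arrays and Pools | | | | | | | | |
| Create pools and assign arrays | X | | | | | | X | |
| Manage pools and arrays | X | | | | | | X | |
| Delete pools and unassign arrays | X | | | | | | X | |
| IBM Z® Volumes and LSSs | | | | | | | | |
| Configure IBM Z volumes and LSSs | X | | | | X | X | X | |
| Manage IBM Z volumes and LSSs | X | | | | X | X | X | |
| Delete and reinitialize IBM Z volumes | X | | | | X | X | X | |
| Open System Volumes | | | | | | | | |
| Configure open system volumes | X | | | | X | X | X | |
| Manage open system configuration | X | | | | X | X | X | |
| Delete open system configuration | X | | | | X | X | X | |
| IBM i Volumes and LSSs | | | | | | | | |
| Configure IBM i configuration | X | | | | X | X | X | |
| Manage IBM i configuration | X | | | | X | X | X | |
| Delete and reinitialize IBM i configuration | X | | | | X | X | X | |
| Local and Remote Access Management | | | | | | | | |
| Manage security administrators | | | | | | | | X |
| Manage local user accounts | X | | | | | | | |
| Manage user roles | X | | | | | | | |
| Manage remote authentication | X | | | | | | | |
| Manage network security | X | | X | X | | | X | |
| Notifications and Monitoring | | | | | | | | |
| Manage SNMP trap notifications | X | | | | | | | |
| Manage system events | X | | | | | | | |
| Offload audit log | X | | | | | | | |
| Manage call home | X | | | | | | | |
| Manage syslog settings | X | | X | X | | | | |
| Remote Support | | | | | | | | |
| Manage Remote Support Center (RSC) connection | X | | | | | | | |
| Manage Assist On-Site (AoS) connection | X | | X | X | | | | |
| Change HMC access settings | X | | X | X | | | X | |
| Troubleshooting | X | | X | X | | | | |
| System Settings | | | | | | | | |
| Manage Fibre Channel port settings | X | | X | X | | | X | |
| Manage Fibre Channel port security | X | | | | | | | |
| Manage system settings | X | | X | X | | | X | |
| Install software | X | | | | | | | |
| Power off system | X | | X | X | X | X | X | |
| Encryption | | | | | | | | |
| Manage data at rest encryption | X | | X | | | | | |
| Create data at rest recovery key | | | | | | | | X |
| Manage Fibre Channel Port Endpoint Security | X | | X | | | | | |
| Feature Settings | | | | | | | | |
| Modify Ethernet settings | X | | X | X | | | | |
| Modify Easy Tier® settings | X | | X | | | | X | |
| Modify zHyperLink settings (Note: Not available on DS8882F systems.) | X | | | | | | | |
| Manage resource group settings | X | | X | X | | | X | |
| Manage performance group settings | X | | | | | | | |
| Manage cloud settings | X | | | | | | | |
| FlashCopy® | | | | | | | | |
| Manage FlashCopy relationships | X | X | | | | X | | |
| Manage remote FlashCopy relationships | X | X | | | | X | | |
| Mirroring and Paths | | | | | | X | | |
| Manage mirroring paths | X | X | | | | X | | |
| Manage mirroring relationships | X | X | | | | X | | |
| Modify LSS CS settings | X | X | | | | X | | |
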
In addition to assigning users to one or more user roles, you also must assign a default password to each user. When you notify users of their role assignment and default password, indicate that the default password is only good for the initial logon. Users must change the password at the time of their initial logon. Also, remind all users to record their password in a safe place because there is no way that the administrator or the application can retrieve a password.
Note: You must change the default password for an account, including the administrator account, to be able to use any CLI command other than the one to change the password. See the chuser command for more information.

About this task

Use the mkuser DS CLI command to create new user accounts with specific roles (user role or roles) and an initial password. If you assign multiple roles to an account, ensure that you separate the different roles with a comma. For example, op_volume, op_storage. See the mkuser command description for more details.

Procedure

  1. Log in to the DS CLI in interactive command mode.
  2. Type the following command from the dscli command prompt to assign a user to an account with a default password:
    dscli> mkuser -pw AB9cdefg -group service,op_copy_services -pol my_policy1 testuser
  3. Press Enter and observe the processing result. A successful process returns the following display:
    User Name testuser with my_policy1 successfully created.
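
The following Python example is added here for illustration; it is not IBM code and not part of the DS CLI. It checks a proposed -group list against the role rules stated in the role descriptions above (exclusive roles, who may assign secadmin, inherited authority) and builds the mkuser line only when the list passes. The function names check_roles and mkuser_command are hypothetical, and the set of valid role names is assumed to be exactly the names in this page's role list.

```python
# Role names as they appear in this page's role list (assumed to be the full set).
ROLES = {"admin", "ibm_engineering", "ibm_service", "op_volume", "op_storage",
         "op_copy_services", "monitor", "no_access", "secadmin"}
# Roles the page says cannot be combined with any other role.
EXCLUSIVE = {"ibm_service", "secadmin"}
# Direct inheritance stated in the role descriptions.
INHERITS = {"op_volume": {"monitor"},
            "op_copy_services": {"monitor"},
            "op_storage": {"op_copy_services", "op_volume"}}


def implied(role):
    """Return every role whose authority `role` inherits, transitively."""
    seen, stack = set(), list(INHERITS.get(role, ()))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(INHERITS.get(r, ()))
    return seen


def check_roles(roles, creator_is_secadmin=False):
    """Return (minimal_roles, redundant_roles, problems) for a -group list."""
    roles = [r.strip() for r in roles]
    problems = [f"unknown role: {r}" for r in roles if r not in ROLES]
    chosen = set(roles) & ROLES
    if len(chosen) > 1:
        problems += [f"{r} cannot be combined with other roles"
                     for r in sorted(chosen & EXCLUSIVE)]
    if "secadmin" in chosen and not creator_is_secadmin:
        problems.append("only a security administrator can assign secadmin")
    # A role already inherited by another requested role adds no authority.
    redundant = set().union(*(implied(r) for r in chosen)) & chosen
    return sorted(chosen - redundant), sorted(redundant), problems


def mkuser_command(user, initial_pw, roles, policy, creator_is_secadmin=False):
    """Build the mkuser line with the flags used on this page, or raise."""
    minimal, _, problems = check_roles(roles, creator_is_secadmin)
    for value in (user, initial_pw, policy):
        if not value or any(c.isspace() for c in value):
            problems.append("user, password and policy must be single tokens")
            break
    if problems or not minimal:
        raise ValueError("; ".join(problems) or "no roles given")
    return "mkuser -pw {} -group {} -pol {} {}".format(
        initial_pw, ",".join(minimal), policy, user)
```

Dropping inherited roles keeps each account's -group list to the smallest set that grants the intended authority, which makes later access reviews easier to read.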