Users

A local user is able to log in to the DS8000® storage system directly through the local authentication policy. A remote user is able to log in to the DS8000 storage system through a remote server connection with a remote authentication policy. Only one authentication policy (local or remote) can be active at a time. You cannot enable both policies at the same time. Local authentication operation is displayed by default.

Note: When the local authentication policy is active, all locally defined users are displayed. When a remote authentication policy is active, only the local and remote users who are currently logged in to the storage system are displayed.

User properties

Name
The name of the user as defined by an administrator.
State
The login state of the user.
Connected
The user is logged in to the storage system.
Disconnected
The user is not logged in to the storage system.
Locked
The user account is locked and requires administrator action to unlock the account and reset the password.
Role
An identifier that defines the set of permissions and authorization level that are assigned to the user. If a user is mapped to multiple roles, only the highest authorization role level for that user is displayed.
Administrator
This user role (also referred to as the storage administrator) has the highest level of authority. It allows a user to add or remove user accounts. This role has access to all service functions and DS8000 resources, and all DS8000 storage image resources except those functions that are reserved for Security Administrator users. Users in this role cannot be assigned to any other role, and users in any other role might not be assigned to this role.
Copy Services operator
This user role has access to all Copy Services functions and resources, excluding security functions. This role might be assigned in combination with the Logical Operator role, but not in combination with any other role.
IBM Engineering
This user role is typically assigned to IBM® support personnel that perform all service functions and other functions that might be needed by IBM support on the DS8000. This role does not have access to the logical configuration or data on the storage system.
IBM Service
This user role is typically assigned to IBM support personnel that service the hardware (install, remote, or repair) and update firmware on the DS8000. This role does not have access to the logical configuration or data on the storage system. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Logical operator
This user role has access to resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions. This role can be assigned in combination with the Copy Services Operator role, but not in combination with any other role.
Logical and copy operator
This user role includes the permissions for both the logical operator and copy operator roles. This role has access to resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions. This role also has access to all Copy Services functions and resources, excluding security functions.
Monitor
This user role has access to all read-only, non-security service functions and all DS8000 resources. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Physical operator
This user role has access to resources that are related to physical configuration, including storage complex, storage unit, storage image, management console, arrays, ranks, and extent pools. The Physical Operator role does not have access to security functions. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role.
Security administrator
This user role allows users to initiate recovery key operations, and add other users to this role. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role. Only the security administrator can manage users for this role.
No access
This user role has no access to any service functions or DS8000 resources. This role is the default selection and is assigned to a user account that is not associated with any other user role. Users in this role cannot be assigned to any other role, and users in any other role cannot be assigned to this role. You can manage this role from the DS CLI only.
Scope
The multi-tenancy scope for a user. Multitenancy, in storage terms, is a system architecture in which a hardware component or software application services the needs of more than one customer. Each customer is referred to as a tenant. Tenants can be given the ability to customize and run functions for defined parts of the infrastructure to which they are granted permission. This defined area is the customer's multitenancy scope. Multitenancy generally prevents a host or user from initiating a Copy Services operation that would cross the tenant’s domain boundaries.
Last connection
The date and time that a user was last connected to the storage system.