Users

Each user of the management GUI must provide a username and a password to sign on.

Each user also has an associated role, such as monitor or security administrator. These roles are defined at the system level. For example, a user can be the administrator for one system, but the security administrator for another system.

Security Administrators can create role-based user groups; any user that is added to a group adopts the role that is assigned to that group. Roles apply to both local and remote users on the system and are based on the user group to which the user belongs. A local user can belong to only a single group; therefore, the role of a local user is defined by the single group to which that user belongs. Roles are defined at the system level, which means that a user can be an administrator on one system, but a security administrator on another system. Remote users that use either LDAP or single sign-on require a user group on the system that matches a group defined on the remote authentication server.

Security Administrators can also choose to enable multifactor authentication per user group. With multifactor authentication, every user that is assigned to that user group must present a second factor to access the system. Multifactor authentication requires that an authentication server is configured to verify the identity of all users within the group.

You can assign the following roles to your user groups:
Monitor
Users have access to all actions that are related to viewing objects and processes on the system. Monitor-role users cannot change the state of the system nor change the resources that the system manages. Monitor-role users can access all information-related GUI functions and commands, back up configuration data, and change their own passwords.
You can issue the following commands:
  • chcurrentuser
  • dumperrlog
  • finderr
  • ping
  • svcconfig backup
In addition, you can issue any information display command.
Copy Operator
Users with this role have the privileges of the Monitor role and can change or manage all Copy Services functions (Replication, FlashCopy® and Snapshots), but cannot create replication policies.
You can issue the following commands:
  • addsnapshot
  • backupvolume
  • backupvolumegroup
  • chfcconsistgrp
  • chfcmap
  • chpartnership
  • chrcconsistgrp
  • chrcrelationship
  • chsnapshot
  • chvolumegroup
  • chvolumegroupsnapshotpolicy
  • mkvolumegroup
  • prestartfcconsistgrp
  • prestartfcmap
  • restorevolume
  • rmsnapshot
  • rmvolumebackupgeneration
  • rmvolumegroup
  • startfcconsistgrp
  • startfcmap
  • startrcconsistgrp
  • startrcrelationship
  • stopfcconsistgrp
  • stopfcmap
  • stoprcconsistgrp
  • stoprcrelationship
  • switchrcconsistgrp
  • switchrcrelationship
In addition, you can issue all the commands that are allowed by the Monitor role.
FlashCopy Administrator

Users can create, change, and delete all the existing FlashCopy mappings and consistency groups as well as create and delete host mappings.

You can issue the following commands:
  • addsnapshot
  • backupvolumegroup
  • backupvolume
  • chcurrentuser
  • chfcconsistgrp
  • chfcmap
  • chsnapshot
  • chvolumegroup
  • chvolumegroupsnapshotpolicy
  • dumperrlog
  • dumpinternallog
  • finderr
  • logerror
  • lscurrentssh
  • mkfcconsistgrp
  • mkfcmap
  • mkvdiskhostmap
  • mkvolumegroup
  • prestartfcconsistgrp
  • prestartfcmap
  • restorevolume
  • rmfcconsistgrp
  • rmfcmap
  • rmsnapshot
  • rmvdiskhostmap
  • rmvolumebackupgeneration
  • rmvolumegroup
  • startfcconsistgrp
  • startfcmap
  • stopfcconsistgrp
  • stopfcmap
Service
Users can set the time and date on the system, delete dump files, add and delete nodes, apply service, and shut down the system. Users can also complete the same tasks as users in the monitor role.
You can issue the following commands:
  • applysoftware
  • setlocale
  • addnode
  • rmnode
  • rmnodecanister
  • cherrstate
  • writesernum
  • detectmdisk
  • includemdisk
  • clearerrlog
  • cleardumps
  • settimezone
  • stopsystem
  • startstats
  • stopstats
  • cheventlog
  • chnodebattery
  • addcontrolenclosure
In addition, you can issue all the commands that are allowed by the Monitor role.
Administrator
Users can manage all functions of the system except those functions that manage users, user groups, authentication, and encryption. Administrator-role users can run the system commands that the security-administrator-role users can run from the CLI, except for commands that deal with users, user groups, authentication, and encryption. Users with Administrator privileges can create and configure the Safeguarded Copy function and create and manage Safeguarded policies. However, they cannot remove or damage existing Safeguarded backups or change child pools that are used as Safeguarded backup locations.
You can issue any command other than:
  • chauthservice
  • chauthmultifactorduo
  • chauthmultifactorverify
  • chauthsinglesignon
  • chencryption
  • chkeyserver
  • chkeyserverciphertrustmanager
  • chkeyserverisklm
  • chldap
  • chldapserver
  • chnodeserviceip
  • chownershipgroup
  • chsecurity
  • chsystemcert
  • chtruststore
  • chtwopersonintegrityrequest
  • chuser
  • chusergrp
  • mkkeyserver
  • mkldapserver
  • mkownershipgroup
  • mktruststore
  • mktwopersonintegrityrequest
  • mkuser
  • mkusergrp
  • rmkeyserver
  • rmldapserver
  • rmownershipgroup
  • rmtruststore
  • rmuser
  • rmusergrp
  • setpwdreset
  • setsystemtime
Security Administrator
Users can manage all functions of the system, including managing users, user groups, and user authentication, and configuring encryption. Users with the Security Administrator role can run any system command from the command-line interface (CLI). However, they cannot run the satask command from the CLI; only the superuser ID can run the satask command. Like the Administrator role, users with Security Administrator privileges can create and configure the Safeguarded Copy function and create and manage Safeguarded policies. Unlike the Administrator role, they can also change or remove existing Safeguarded backup copies and child pools that are used as Safeguarded backup locations.
Restricted Administrator
Users can perform the same tasks and run most of the same commands as administrator-role users. However, users with the Restricted Administrator role are not authorized to run the rmvdisk, rmvolume, rmvdiskhostmap, rmhost, or rmmdiskgrp commands. Support personnel can be assigned this role to help resolve errors and fix problems.
You can issue any command that is allowed by the Administrator role other than:
  • rmhost
  • rmmdiskgrp
  • rmvdisk
  • rmvdiskhostmap
  • rmvolume
Restricted Security Administrator
A user with the Security Administrator role is changed to Restricted Security Administrator when two person integrity (TPI) is enabled on IBM® Storage Virtualize. TPI requires two security administrators to work together to complete critical or risky tasks. For example, a restricted security administrator with an approved TPI request can remove Safeguarded snapshots.
You can issue any command that is allowed by the Administrator role, and additionally the following commands:
  • chtwopersonintegrityrequest
  • chuser
  • chusergrp
  • mktwopersonintegrityrequest
  • mkuser
  • mkusergrp
  • rmuser
  • rmusergrp
Note:
  • The Restricted Security Administrator role cannot create, delete, or change a user or user group that refers to the Security Administrator role by using these commands: chuser, chusergrp, mkuser, mkusergrp, rmuser, and rmusergrp. This restriction does not apply to the Security Administrator role.
  • Restricted Security Administrator is not an allowed role option for the mkusergrp and chusergrp commands.
  • The Restricted Security Administrator role is used for the two person integrity feature only.

For more information, see Two person integrity.

VASA Provider
Users with this role can manage VMware vSphere Virtual Volumes.
The system uses this role to implement the VMware Virtual Volumes function: the role provides a user group whose users can be used by that software. You can issue any command other than:
  • chauthservice
  • chldap
  • chldapserver
  • chsecurity
  • chuser
  • chusergrp
  • mkldapserver
  • mkuser
  • mkusergrp
  • rmldapserver
  • rmuser
  • rmusergrp
  • setpwdreset
The system uses this role for the commands that the Embedded VASA provider and Spectrum Connect need to use. External users cannot use this role.
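The role descriptions above define each role in one of three ways: an explicit command allowlist (Monitor, Copy Operator, FlashCopy Administrator, Service), "any command other than" a denylist (Administrator, Security Administrator, VASA Provider), or a derivation from the Administrator policy (Restricted Administrator removes commands, Restricted Security Administrator adds them). The following Python is an added example, not IBM's code or tooling: it encodes those policies exactly as the page states them so that someone reviewing user-group assignments can ask "which roles may run this command?" before granting a group. The role labels are the example's own, and it assumes (the page does not say so) that commands beginning with "ls" stand in for the "information display" commands the Monitor role may issue.

```python
"""Role-to-command resolver for the IBM Storage Virtualize roles described above.

Added example, not IBM's code: each role's policy is encoded the way the text
states it (an explicit allowlist, "any command other than" a denylist, or a
derivation from the Administrator policy) so that an auditor can answer
"which roles may run this command?".
Assumption (not stated on the page): commands whose name begins with "ls"
stand in for the "information display" commands the Monitor role may issue.
The role labels used here are this example's own, not system identifiers.
"""
from dataclasses import dataclass

# Command lists transcribed from the role descriptions on this page.
MONITOR_CMDS = frozenset(
    {"chcurrentuser", "dumperrlog", "finderr", "ping", "svcconfig backup"})
COPY_OPERATOR_CMDS = frozenset("""
    addsnapshot backupvolume backupvolumegroup chfcconsistgrp chfcmap
    chpartnership chrcconsistgrp chrcrelationship chsnapshot chvolumegroup
    chvolumegroupsnapshotpolicy mkvolumegroup prestartfcconsistgrp
    prestartfcmap restorevolume rmsnapshot rmvolumebackupgeneration
    rmvolumegroup startfcconsistgrp startfcmap startrcconsistgrp
    startrcrelationship stopfcconsistgrp stopfcmap stoprcconsistgrp
    stoprcrelationship switchrcconsistgrp switchrcrelationship""".split())
FLASHCOPY_ADMIN_CMDS = frozenset("""
    addsnapshot backupvolumegroup backupvolume chcurrentuser chfcconsistgrp
    chfcmap chsnapshot chvolumegroup chvolumegroupsnapshotpolicy dumperrlog
    dumpinternallog finderr logerror lscurrentssh mkfcconsistgrp mkfcmap
    mkvdiskhostmap mkvolumegroup prestartfcconsistgrp prestartfcmap
    restorevolume rmfcconsistgrp rmfcmap rmsnapshot rmvdiskhostmap
    rmvolumebackupgeneration rmvolumegroup startfcconsistgrp startfcmap
    stopfcconsistgrp stopfcmap""".split())
SERVICE_CMDS = frozenset("""
    applysoftware setlocale addnode rmnode rmnodecanister cherrstate
    writesernum detectmdisk includemdisk clearerrlog cleardumps settimezone
    stopsystem startstats stopstats cheventlog chnodebattery
    addcontrolenclosure""".split())
ADMIN_DENY = frozenset("""
    chauthservice chauthmultifactorduo chauthmultifactorverify
    chauthsinglesignon chencryption chkeyserver chkeyserverciphertrustmanager
    chkeyserverisklm chldap chldapserver chnodeserviceip chownershipgroup
    chsecurity chsystemcert chtruststore chtwopersonintegrityrequest chuser
    chusergrp mkkeyserver mkldapserver mkownershipgroup mktruststore
    mktwopersonintegrityrequest mkuser mkusergrp rmkeyserver rmldapserver
    rmownershipgroup rmtruststore rmuser rmusergrp setpwdreset
    setsystemtime""".split())
RESTRICTED_ADMIN_DENY = frozenset(
    "rmhost rmmdiskgrp rmvdisk rmvdiskhostmap rmvolume".split())
RESTRICTED_SECADMIN_EXTRA = frozenset("""
    chtwopersonintegrityrequest chuser chusergrp mktwopersonintegrityrequest
    mkuser mkusergrp rmuser rmusergrp""".split())
VASA_DENY = frozenset("""
    chauthservice chldap chldapserver chsecurity chuser chusergrp mkldapserver
    mkuser mkusergrp rmldapserver rmuser rmusergrp setpwdreset""".split())
SUPERUSER_ONLY = frozenset({"satask"})  # only the superuser ID may run it


def is_info_display(cmd: str) -> bool:
    """Assumption: 'ls*' commands are the information display commands."""
    return cmd.startswith("ls")


@dataclass(frozen=True)
class Policy:
    allow: frozenset = frozenset()   # explicit allowlist
    deny: frozenset = frozenset()    # explicit denylist
    everything: bool = False         # "any command other than" the denylist
    with_monitor: bool = False       # also gets the Monitor role's commands

    def permits(self, cmd: str) -> bool:
        # Denials win: the superuser-only command and the role's denylist.
        if cmd in SUPERUSER_ONLY or cmd in self.deny:
            return False
        if self.everything or cmd in self.allow:
            return True
        return self.with_monitor and (cmd in MONITOR_CMDS or is_info_display(cmd))


ROLES = {
    "Monitor": Policy(with_monitor=True),
    "CopyOperator": Policy(allow=COPY_OPERATOR_CMDS, with_monitor=True),
    "FlashCopyAdmin": Policy(allow=FLASHCOPY_ADMIN_CMDS),
    "Service": Policy(allow=SERVICE_CMDS, with_monitor=True),
    "Administrator": Policy(deny=ADMIN_DENY, everything=True),
    # Restricted Administrator: Administrator minus five removal commands.
    "RestrictedAdmin": Policy(deny=ADMIN_DENY | RESTRICTED_ADMIN_DENY, everything=True),
    "SecurityAdmin": Policy(everything=True),
    # Restricted Security Administrator: Administrator plus the user/TPI commands.
    "RestrictedSecurityAdmin": Policy(deny=ADMIN_DENY - RESTRICTED_SECADMIN_EXTRA, everything=True),
    "VASAProvider": Policy(deny=VASA_DENY, everything=True),
}


def can_run(role: str, cmd: str) -> bool:
    """True if the named role's policy permits cmd."""
    return ROLES[role].permits(cmd)


def roles_allowed(cmd: str) -> list[str]:
    """Audit helper: every role label whose policy permits cmd, sorted."""
    return sorted(r for r, p in ROLES.items() if p.permits(cmd))


if __name__ == "__main__":
    for cmd in ("rmuser", "chfcmap", "rmvdisk", "satask"):
        print(f"{cmd}: {roles_allowed(cmd)}")
```

Running the script lists, for a few sensitive commands, which roles can issue them; for example, only the SecurityAdmin and RestrictedSecurityAdmin labels come back for rmuser, and no role at all for satask. The Restricted Security Administrator note above (no changes to users or groups that refer to the Security Administrator role) is a per-target restriction that a command-level resolver like this cannot express, so treat its answer for the user-management commands as "may be permitted", not "always permitted".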

User groups

Users with the Security Administrator role can organize users of the system by role through user groups.

The following user groups are configured by default:
SecurityAdmin
Users can access all functions on the system, including managing users, user groups, and user authentication. Users can also configure encryption on the system.
Administrator
Users can complete most of the same tasks as users who are in the SecurityAdmin role. However, these users cannot access functions that deal with managing users, user groups, and authentication.
RestrictedAdmin
Users can complete the same tasks and run most of the same commands as administrator-role users. However, users with the Restricted Administrator role are not authorized to run the rmvdisk, rmvdiskhostmap, rmhost, or rmmdiskgrp commands. Support personnel can be assigned this role to help resolve errors and fix problems.
CopyOperator
Users with this role have the privileges of the Monitor role and can change or manage all Copy Services functions (Replication, FlashCopy and Snapshots), but cannot create replication policies.
Service
Users can set the time and date on the system, delete dump files, add and delete nodes, apply service, and shut down the system. Users can also complete the same tasks as users in the monitor role.
Monitor
Users can view objects and the system configuration settings but cannot configure, modify, or manage the system or its resources.
VASA Provider
Users with this role can manage VMware vSphere Virtual Volumes.