Configuring ownership groups

You can configure ownership groups to manage access to resources on the system. You can use the management GUI or the command-line interface to configure ownership groups on the system.

An ownership group defines a subset of users and objects within the system. You can create ownership groups to further restrict access to specific resources that are defined in the ownership group. Only users with Security Administrator roles can configure and manage ownership groups. Restricted users are those users who are defined to a specific ownership group and can only view or manage specific resources that are assigned to that ownership group. Unrestricted users are not defined to an ownership group and can manage any objects on the system based on their role on the system. Before you create ownership groups and assign resources and users, it is important to understand the following guidelines:
  • Users within an ownership group can view or change resources within the ownership group to which they belong. Only users outside of an ownership group, usually users with Security Administrator roles, can view and manage all resources on the system, including users within an ownership group.
  • Users within an ownership group cannot change any objects outside of their ownership group. This restriction includes global resources that are related to resources within the ownership group. Global resources cannot be assigned to ownership groups. For example, a user can change a volume in the ownership group, but not the MDisk or drive that provides the storage for that volume. The MDisk or drives are considered global resources and cannot be assigned to ownership groups.
  • Users within an ownership group cannot view or change resources if those resources are assigned to another ownership group or are not assigned to any ownership group. However, users within ownership groups can view and display global resources. For example, if a volume is assigned to an ownership group, a user outside of that ownership group cannot display information for that volume. However, the same user can display information on drives on the system, since drives are a global resource that cannot be assigned to any ownership group.

Using the management GUI

These steps are for new systems where owned objects, such as child pools, hosts, and volumes, are not configured yet.

To configure supported objects to use ownership groups on the system, complete these steps:
  1. In the management GUI, select Access > Ownership Groups.
  2. On the Ownership Groups page, click Create Ownership Group. A new ownership group is created and displays on the Ownership Groups page.
  3. After you have created an ownership group, create a user group to include users that are the owners of the ownership group. Select Access > Users by Group and click Create User Group.
  4. On the Create User Group page, enter the following information:
    Name
    Enter the name of the user group.
    Role
    Select the role for all users within the user group. User groups that are assigned in ownership groups cannot use the Security Administrator role.
    Ownership Group
    Select the ownership group that you created earlier and assign it to this user group.
  5. On the Access > Users by Group page, select existing users or create new users to assign to the user group. These users automatically inherit the ownership group that is assigned to the user group.
  6. On the Pools > MDisks by Pools page, if a parent pool does not exist, click Create Pool and assign storage to that pool. Right-click the new parent pool and select Create Child Pool.
  7. On the Create Child Pool page, enter the following information:
    Name
    Enter the name of the child pool.
    Capacity
    Select the amount of capacity that you are allocating from this child pool.
    Note: The Capacity field is not available when you are creating a data reduction child pool. A data reduction child pool has access to the complete free capacity of the parent pool without limit. A data reduction child pool cannot be created if the parent pool does not have free capacity.
    Ownership Group
    Select the ownership group that you created earlier and assign it to this child pool.
  8. After child pools are configured and assigned to the ownership groups, users that you created in Step 5 can create objects like hosts, volumes, and FlashCopy mappings.

Using the command-line interface

To configure the system to use ownership groups, complete the following steps:
  1. To create an ownership group, enter the following command:
    mkownershipgroup -name name
    where name is the name of the ownership group that you are creating.
  2. After you have created an ownership group, create a user group to include users that are the owners of the ownership group. To create a user group, enter the following command:
    mkusergrp -name group_name -role administrator -ownershipgroup owner_name
    where group_name is the name of the user group and owner_name is the name of the new ownership group. User groups that are assigned to ownership groups cannot use the SecurityAdmin role.
  3. You can use either the mkuser command to create new users in the user group or the chuser command to assign existing users to the user group. Users inherit the ownership group that was assigned to the user group.
  4. If child pools do not exist on the system, you must create them before you assign them to ownership groups. To create a standard child pool, enter the following command:
    mkmdiskgrp -size 100 -unit tb -parentmdiskgrp name
    where name is the name of the parent pool that provides the capacity for the child pool. To create a data reduction child pool, enter the following command:
    mkmdiskgrp -parentmdiskgrp name -datareduction yes -noquota
    where name is the name of the parent pool that provides the capacity for the child pool.
  5. To assign an existing child pool to the new ownership group, enter the following command:
    chmdiskgrp -ownershipgroup owner_name name
    where owner_name is the name of the new ownership group and name is the name of the child pool. Any volumes that are associated with the child pool inherit the new ownership group.
  6. The users that you created in step 3 can now start creating objects, like hosts and volumes, within this ownership group, using capacity in the child pools that are assigned to the ownership group.
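The following script is an added example, not part of the IBM documentation or the product's own tooling. It assembles the command-line sequence from steps 1, 2, 4, and 5 above into one planned run, refuses the SecurityAdmin role before anything is sent to the system (user groups that are assigned to ownership groups cannot use that role), and supports both a standard child pool and a data reduction child pool. The object names, the 100 TB size, the use of the optional -name parameter on mkmdiskgrp (so that the chmdiskgrp step refers to a known pool name), and the ssh target superuser@cluster are assumptions for illustration; by default the script only prints the plan.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): plan the CLI commands that
# create an ownership group, its user group, and a child pool, then assign the
# pool to the group. Names, sizes, and the ssh target are assumptions.

# ownership_group_cmds OWNER USERGROUP ROLE PARENTPOOL CHILDPOOL SIZE_TB|datareduction
# Prints one command per line. Returns 1 without printing anything if ROLE is
# SecurityAdmin, which user groups in an ownership group cannot use.
ownership_group_cmds() {
    owner=$1; ugrp=$2; role=$3; parent=$4; child=$5; size=$6

    # Reject the disallowed role up front so that no partial configuration is created.
    case "$(printf '%s' "$role" | tr 'A-Z' 'a-z')" in
        securityadmin)
            echo "error: user groups assigned to an ownership group cannot use the SecurityAdmin role" >&2
            return 1 ;;
    esac

    # Step 1: the ownership group itself.
    printf '%s\n' "mkownershipgroup -name $owner"
    # Step 2: the user group that owns it; users added with mkuser/chuser inherit the group.
    printf '%s\n' "mkusergrp -name $ugrp -role $role -ownershipgroup $owner"
    # Step 4: the child pool. -name is optional on mkmdiskgrp; it is given here so
    # that step 5 can refer to the pool unambiguously.
    if [ "$size" = "datareduction" ]; then
        # Data reduction child pools take no quota; they draw on all free parent capacity.
        printf '%s\n' "mkmdiskgrp -name $child -parentmdiskgrp $parent -datareduction yes -noquota"
    else
        printf '%s\n' "mkmdiskgrp -name $child -size $size -unit tb -parentmdiskgrp $parent"
    fi
    # Step 5: assign the child pool; its volumes inherit the ownership group.
    printf '%s\n' "chmdiskgrp -ownershipgroup $owner $child"
}

# run_on_system TARGET: read the planned commands on stdin and run each over ssh,
# stopping at the first failure so that later steps never run against a half-built setup.
run_on_system() {
    target=$1
    while IFS= read -r cmd; do
        ssh "$target" "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Dry run: print the plan for a standard 100 TB child pool (assumed names).
# To execute instead, pipe the plan into run_on_system:
#   ownership_group_cmds owngrp0 ug_owngrp0 administrator Pool0 child0 100 | run_on_system superuser@cluster
ownership_group_cmds owngrp0 ug_owngrp0 administrator Pool0 child0 100
```

Because the planning function produces plain text and the execution function consumes it, the plan can be reviewed (or checked into change records) before it is applied, and a second ownership group is set up by calling the function again with different names.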