Each user of the management GUI must provide a username and a
password to sign on. Each user also has an associated role, such as monitor or security
administrator. These roles are defined at the system level. For example, a user can be the
administrator for one system, but the security administrator for another system.
Security Administrators can create role-based user groups where any users that
are added to the group adopt the role that is assigned to that group. Roles apply to both local and
remote users on the system and are based on the user group to which the user belongs. A local user
can belong only to a single group; therefore, the role of a local user is defined by the single
group to which that user belongs. Roles are defined at the system level, which means that a user can
be an administrator on one system, but a security administrator on another system. Remote users that
use either LDAP or single sign-on require a user group on the system that matches a group defined on
the remote authentication server. Security Administrators can also
select to enable multifactor authentication per user group. With multifactor authentication, any
users that are assigned to a user group must present a second factor to access the system.
Multifactor authentication requires that an authentication server is configured to verify the
identity of all users within the group. Up to 256 user groups can be created per system,
including the default user groups.
You can create up to 400 users per system, which includes default users.
You can assign the following roles to your user groups:
- Monitor
- Users have access to all actions that are related to viewing objects and processes on the
system. Monitor-role users cannot change the state of the system nor change the resources that the
system manages. Monitor-role users can access all information-related GUI functions and commands,
back up configuration data, and change their own passwords.
- You can issue the following commands:
- chcurrentuser
- dumperrlog
- finderr
- ping
- svcconfig backup
In addition, you can issue any information display command.
- Copy Operator
- Users can start and stop all existing FlashCopy®,
Metro Mirror, and Global Mirror relationships. Copy-operator-role users can run the system commands
that administrator-role users can run that deal with FlashCopy, Metro Mirror, and Global Mirror relationships.
- You can issue the following commands:
- addsnapshot
- backupvolume
- backupvolumegroup
- chfcconsistgrp
- chfcmap
- chpartnership
- chrcconsistgrp
- chrcrelationship
- chsnapshot
- chvolumegroup
- chvolumegroupsnapshotpolicy
- mkvolumegroup
- prestartfcconsistgrp
- prestartfcmap
- restorevolume
- rmsnapshot
- rmvolumebackupgeneration
- rmvolumegroup
- startfcconsistgrp
- startfcmap
- startrcconsistgrp
- startrcrelationship
- stopfcconsistgrp
- stopfcmap
- stoprcconsistgrp
- stoprcrelationship
- switchrcconsistgrp
- switchrcrelationship
In addition, you can issue all of the commands that are allowed by the
Monitor role.
- FlashCopy Administrator
- Users can create, change, and delete all the existing FlashCopy mappings and consistency groups as well as create and delete host mappings.
- You can issue the following commands:
- addsnapshot
- backupvolumegroup
- backupvolume
- chcurrentuser
- chfcconsistgrp
- chfcmap
- chsnapshot
- chvolumegroup
- chvolumegroupsnapshotpolicy
- dumperrlog
- dumpinternallog
- finderr
- logerror
- lscurrentssh
- mkfcconsistgrp
- mkfcmap
- mkvdiskhostmap
- mkvolumegroup
- prestartfcconsistgrp
- prestartfcmap
- restorevolume
- rmfcconsistgrp
- rmfcmap
- rmsnapshot
- rmvdiskhostmap
- rmvolumebackupgeneration
- rmvolumegroup
- startfcconsistgrp
- startfcmap
- stopfcconsistgrp
- stopfcmap
- Service
- Users can set the time and date on the system, delete dump files, add and delete nodes, apply
service, and shut down the system. Users can also complete the same tasks as users in the monitor
role.
- You can issue the following commands:
- applysoftware
- setlocale
- addnode
- rmnode
- rmnodecanister
- cherrstate
- writesernum
- detectmdisk
- includemdisk
- clearerrlog
- cleardumps
- settimezone
- stopsystem
- startstats
- stopstats
- settimezone
- cheventlog
- chnodebattery
- addcontrolenclosure
In addition, you can issue all of the commands that are allowed by the
Monitor role.
- Administrator
- Users can manage all functions of the system except those functions that manage users, user
groups, authentication, and encryption. Administrator-role users can run the system
commands that the security-administrator-role users can run from the CLI, except for commands that
deal with users, user groups, authentication, and encryption. Users with Administrator privileges can create and configure the Safeguarded Copy function and
create and manage Safeguarded policies. However, they cannot remove or damage existing Safeguarded
backups or change child pools that are used as Safeguarded backup locations.
- You can issue any command other than:
- chauthservice
- chauthmultifactorduo
- chauthmultifactorverify
- chauthsinglesignon
- chencryption
- chkeyserver
- chkeyserverciphertrustmanager
- chkeyserverisklm
- chldap
- chldapserver
- chownershipgroup
- chsecurity
- chsystemcert
- chtruststore
- chtwopersonintegrityrequest
- chuser
- chusergrp
- mkkeyserver
- mkldapserver
- mkownershipgroup
- mktruststore
- mktwopersonintegrityrequest
- mkuser
- mkusergrp
- rmkeyserver
- rmldapserver
- rmownershipgroup
- rmtruststore
- rmuser
- rmusergrp
- setpwdreset
- setsystemtime
- Security Administrator
- Users can manage all functions of the system, including managing users, user groups, user
authentication, and configuring encryption. Users with the Security Administrator role can run any
system commands from the command-line interface (CLI). However, they cannot run the
satask commands from the CLI. Only the superuser ID can run the sainfo
command. Like the Administrator
role, users with Security Administrator privileges can also create and configure the Safeguarded
Copy function and create and manage Safeguarded policies. However, they can also change or remove
existing Safeguarded backup copies and child pools that are used as Safeguarded backup
locations.
- Restricted Administrator
- Users can perform the same tasks and run most of the same commands as administrator-role users.
However, users with the Restricted Administrator role are not authorized to run the
rmvdisk, rmvolume, rmvdiskhostmap,
rmhost, or rmmdiskgrp commands. Support personnel can be
assigned this role to help resolve errors and fix problems.
- You can issue any command that is allowed by the Administrator role
other than:
- rmhost
- rmmdiskgrp
- rmvdisk
- rmvdiskhostmap
- rmvolume
- 3-Site Administrator
- Users with this role can configure, manage, and monitor 3-site replication configurations
through certain command operations only available on the 3-Site Orchestrator. Before you can work
with 3-Site Orchestrator, a user profile must be created.
- VASA Provider
- Users with this role can manage VMware vSphere Virtual Volumes.
The system uses this role to implement the VMware Virtual Volumes function. It provides a
group with users that can be used by that software. You can issue any command other than:
- chauthservice
- chldap
- chldapserver
- chsecurity
- chuser
- chusergrp
- mkldapserver
- mkuser
- mkusergrp
- rmldapserver
- rmuser
- rmusergrp
- setpwdreset
The system uses this role for the commands that the Embedded VASA provider and Spectrum
Connect need to use. External users cannot use this role.
User groups
Users with the Security Administrator role can organize users of
the system by role through user groups.
The following user groups are configured by default:
- SecurityAdmin
- Users access all functions on the system, including managing users, user groups, and user
authentication. Users can also configure encryption on the system.
- Administrator
- Users can complete most of the same tasks as users who are in the SecurityAdmin role. However,
these users cannot access functions that deal with managing users, user groups, and authentication.
- RestrictedAdmin
- Users can complete the same tasks and run most of the same commands as administrator-role users.
However, users with the Restricted Administrator role are not authorized to run
the rmvdisk, rmvdiskhostmap, rmhost, or
rmmdiskgrp commands.
Support personnel can be assigned this role to help resolve
errors and fix problems.
- CopyOperator
- Users manage FlashCopy, Metro Mirror, and Global
Mirror relationships.
- Service
- Users can set the time and date on the system, delete dump files, add and delete nodes, apply
service, and shut down the system. Users can also complete the same tasks as users in the monitor
role.
- Monitor
- Users can view objects and the system configuration settings but cannot configure, modify, or
manage the system or its resources.
- 3-Site Administrator
- Users with this role can configure, manage, and monitor replications between three sites through
certain command operations that are only available in the 3-Site Orchestrator.
- VASA Provider
- Users with this role can manage VMware vSphere
Virtual Volumes.
Ownership Groups
User groups can be
assigned to an ownership group. An ownership group defines a subset of users and
objects within the system. You can create ownership groups to further restrict access to specific
resources that are defined in the ownership group. Only users with Security Administrator roles can
configure and manage ownership groups. Restricted users are those users who are defined to a
specific ownership group and can only view or manage specific resources that are assigned to that
ownership group. Unrestricted users are not defined to an ownership group and can manage any objects
on the system based on their role on the system.
Ownership can be defined explicitly or it can be inherited from the user,
user group, or from other parent resources, depending on the type of resource. User groups can be
owned if assigned an ownership group explicitly or by inheritance from the user who creates them.
The following rules apply to user groups:
- Only users with Security Administrator role can create or manage ownership groups.
- Users with Security Administrator role cannot be assigned to an ownership group.
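The role descriptions above and the ownership-group rules just listed together define an authorization policy: four roles are allow-lists (some inheriting the Monitor commands), four are deny-lists layered on each other. The following Python script is an added example, not IBM code and not system output, that encodes those lists exactly as the page gives them and uses them for the kind of access review a security engineer performs: which users can run a destructive or user-management command, which groups can do so without a second factor, and whether any group breaks the rule that Security Administrator users cannot belong to an ownership group. Two assumptions are made and marked in the code: the "information display" commands that Monitor may run are not enumerated on the page and are modelled as ls* names, and the 3-Site Administrator role, for which the page gives no command list, is omitted. The user and group inventory at the bottom is constructed for the demonstration.

```python
"""Model of the role-to-command policy described above (added example, not IBM code).
Command lists are copied from the page. Assumptions: Monitor's unenumerated
"information display" commands are modelled as ls* names; the 3-Site Administrator
role, which the page gives no list for, is left out."""
from dataclasses import dataclass
from typing import Optional

def cmds(text: str) -> frozenset:
    """Whitespace-separated command names -> set."""
    return frozenset(text.split())

# Allow-lists: the role may run exactly these (plus what the page says it inherits).
MONITOR_ALLOW = cmds("chcurrentuser dumperrlog finderr ping") | {"svcconfig backup"}
COPY_OPERATOR_ALLOW = cmds("""addsnapshot backupvolume backupvolumegroup chfcconsistgrp chfcmap
    chpartnership chrcconsistgrp chrcrelationship chsnapshot chvolumegroup chvolumegroupsnapshotpolicy
    mkvolumegroup prestartfcconsistgrp prestartfcmap restorevolume rmsnapshot rmvolumebackupgeneration
    rmvolumegroup startfcconsistgrp startfcmap startrcconsistgrp startrcrelationship stopfcconsistgrp
    stopfcmap stoprcconsistgrp stoprcrelationship switchrcconsistgrp switchrcrelationship""")
FLASHCOPY_ADMIN_ALLOW = cmds("""addsnapshot backupvolumegroup backupvolume chcurrentuser chfcconsistgrp
    chfcmap chsnapshot chvolumegroup chvolumegroupsnapshotpolicy dumperrlog dumpinternallog finderr
    logerror lscurrentssh mkfcconsistgrp mkfcmap mkvdiskhostmap mkvolumegroup prestartfcconsistgrp
    prestartfcmap restorevolume rmfcconsistgrp rmfcmap rmsnapshot rmvdiskhostmap rmvolumebackupgeneration
    rmvolumegroup startfcconsistgrp startfcmap stopfcconsistgrp stopfcmap""")
SERVICE_ALLOW = cmds("""applysoftware setlocale addnode rmnode rmnodecanister cherrstate writesernum
    detectmdisk includemdisk clearerrlog cleardumps settimezone stopsystem startstats stopstats
    cheventlog chnodebattery addcontrolenclosure""")
# Deny-lists: the role may run anything except these.
SECURITY_ADMIN_DENY = frozenset({"satask", "sainfo"})  # satask: not from the CLI; sainfo: superuser only
ADMIN_DENY = cmds("""chauthservice chauthmultifactorduo chauthmultifactorverify chauthsinglesignon
    chencryption chkeyserver chkeyserverciphertrustmanager chkeyserverisklm chldap chldapserver
    chownershipgroup chsecurity chsystemcert chtruststore chtwopersonintegrityrequest chuser chusergrp
    mkkeyserver mkldapserver mkownershipgroup mktruststore mktwopersonintegrityrequest mkuser mkusergrp
    rmkeyserver rmldapserver rmownershipgroup rmtruststore rmuser rmusergrp setpwdreset setsystemtime""")
RESTRICTED_ADMIN_DENY = cmds("rmhost rmmdiskgrp rmvdisk rmvdiskhostmap rmvolume")
VASA_DENY = cmds("""chauthservice chldap chldapserver chsecurity chuser chusergrp mkldapserver mkuser
    mkusergrp rmldapserver rmuser rmusergrp setpwdreset""")

def is_authorized(role: str, c: str) -> bool:
    """May a user holding `role` run command `c`? Follows the page's allow/deny lists."""
    if role == "Monitor":          # own list plus any information display command (assumed ls*)
        return c in MONITOR_ALLOW or c.startswith("ls")
    if role == "CopyOperator":     # own list plus everything Monitor may run
        return c in COPY_OPERATOR_ALLOW or is_authorized("Monitor", c)
    if role == "FlashCopyAdmin":   # the page lists no inherited commands for this role
        return c in FLASHCOPY_ADMIN_ALLOW
    if role == "Service":          # own list plus everything Monitor may run
        return c in SERVICE_ALLOW or is_authorized("Monitor", c)
    if role == "SecurityAdmin":    # any command except the service-assistant ones
        return c not in SECURITY_ADMIN_DENY
    if role == "Administrator":    # SecurityAdmin minus user, group, auth and encryption commands
        return c not in ADMIN_DENY and is_authorized("SecurityAdmin", c)
    if role == "RestrictedAdmin":  # Administrator minus the five destructive commands
        return c not in RESTRICTED_ADMIN_DENY and is_authorized("Administrator", c)
    if role == "VASAProvider":     # any command except the user/auth commands listed
        return c not in VASA_DENY and is_authorized("SecurityAdmin", c)
    raise ValueError(f"unknown role: {role!r}")

@dataclass
class UserGroup:
    name: str
    role: str
    multifactor: bool = False             # page: MFA is enabled per user group
    ownership_group: Optional[str] = None

@dataclass
class User:
    name: str
    group: str                            # page: a local user belongs to exactly one group

def group_problems(group: UserGroup) -> list:
    """Rule from the page: Security Administrator users cannot be in an ownership group."""
    if group.role == "SecurityAdmin" and group.ownership_group is not None:
        return [f"{group.name}: Security Administrator group assigned to ownership group {group.ownership_group!r}"]
    return []

def users_who_can_run(command: str, users: list, groups: list) -> list:
    """Access-review query: which users' group role authorizes `command`."""
    role_of = {g.name: g.role for g in groups}
    return sorted(u.name for u in users if is_authorized(role_of[u.group], command))

def groups_missing_mfa_for(command: str, groups: list) -> list:
    """Groups that may run `command` but do not require a second factor."""
    return sorted(g.name for g in groups if not g.multifactor and is_authorized(g.role, command))

# Constructed sample inventory for the demonstration (not real system output).
GROUPS = [UserGroup("SecurityAdmin", "SecurityAdmin", multifactor=True),
          UserGroup("Administrator", "Administrator"), UserGroup("Monitor", "Monitor"),
          UserGroup("VASAProvider", "VASAProvider"),
          UserGroup("TenantAdmins", "SecurityAdmin", ownership_group="tenant_a")]  # breaks the rule
USERS = [User("superuser", "SecurityAdmin"), User("ops1", "Administrator"), User("audit1", "Monitor")]

if __name__ == "__main__":
    print("can run rmvdisk:", users_who_can_run("rmvdisk", USERS, GROUPS))
    print("can run mkuser: ", users_who_can_run("mkuser", USERS, GROUPS))
    print("no MFA, may run rmvdisk:", groups_missing_mfa_for("rmvdisk", GROUPS))
    for g in GROUPS:
        for problem in group_problems(g):
            print("problem:", problem)
```

The deny-list roles are evaluated by delegation (RestrictedAdmin defers to Administrator, which defers to SecurityAdmin), so a command denied at a higher layer stays denied below it, which is the least-privilege reading of "any command that is allowed by the Administrator role other than". Replacing the constructed GROUPS and USERS lists with records exported from a real system turns the two query functions into a periodic access review for MFA coverage and destructive-command reach.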