User management

Use the role-based user restrictions and user management information for IBM Storage Fusion HCI System.

The IBM Storage Fusion HCI System user interface is configured with OpenShift® Container Platform for single sign-on. For the first login to the IBM Storage Fusion HCI System user interface and the OpenShift Container Platform web management console, use kubeadmin, which is the default user for both. To authenticate the default user, use the password that was generated during the installation of IBM Storage Fusion HCI System.

Role-based user configuration

Role-based access control (RBAC) objects determine whether a user is allowed to do an action within a project. By using role-based access control, you can set the resources and permissions available to a user. A role is assigned to a user or group with a role binding, which maps the role to a user or user group. You can bind your users to the following two default OpenShift cluster-level roles:
  • cluster-admin

    A super-user that can do any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.

  • view

    A user who cannot do any modifications, but can see most of the objects in a project. They cannot view or modify roles or bindings.

Note: For security reasons, create a user with cluster-admin role and delete the default kubeadmin user.

For more information about roles, see OpenShift Container Platform documentation at Default cluster roles.

You can create more users and user groups. You can also update or delete existing users by using the cluster-admin user role. You can also configure the following identity providers:
  1. Configure identity providers.
    LDAP
    Configure your organization's LDAP with OpenShift to access the IBM Storage Fusion HCI System user interface. For more information and the procedure, see Configuring an LDAP identity provider.
    htpasswd
    Configure the htpasswd identity provider to create users that can access OpenShift and the IBM Storage Fusion HCI System user interface. To configure a user with the htpasswd identity provider, see https://docs.openshift.com/container-platform/4.15/authentication/identity_providers/configuring-htpasswd-identity-provider.html.
    Note: Users configured with identity providers must log in while navigating from IBM Storage Fusion HCI System user interface to other integrated applications like Red Hat® OpenShift and IBM Storage Scale ECE.
  2. Bind your user to a role or to a group. The user or group can have cluster-admin or view roles.
  3. Log in to IBM Storage Fusion HCI System user interface by using the newly created or added user.
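
One way to confirm the result of step 2 before acting on the earlier note about deleting kubeadmin, as an added example that is not IBM or Red Hat code: it lists which identity-provider users hold cluster-admin or view cluster-wide and reports the deletion as unsafe when only built-in identities are administrators. The binding and group data are constructed samples shaped like `oc get clusterrolebindings -o json` output, and treating names that start with `system:` or `kube:` as built-in is an assumption.

```python
import json

# Constructed sample, shaped like `oc get clusterrolebindings -o json`.
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "fusion-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "storage-admins"},
                {"kind": "ServiceAccount", "name": "installer", "namespace": "ci"}]},
  {"metadata": {"name": "fusion-viewers"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "User", "name": "auditor1"}]},
  {"metadata": {"name": "no-subjects"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
""")
# Constructed group membership, as taken from the `users` field of Group objects.
SAMPLE_GROUPS = {"storage-admins": ["alice"]}

BUILTIN = ("system:", "kube:")  # assumption: prefixes of built-in identities


def users_with_role(bindings, role, groups=None):
    """Return the non-built-in user names that hold `role` cluster-wide."""
    groups = groups or {}
    users = set()
    for item in bindings.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subject in item.get("subjects") or []:  # subjects may be null
            kind, name = subject.get("kind"), subject.get("name", "")
            if kind == "User":
                users.add(name)
            elif kind == "Group":  # expand the group to its members
                users.update(groups.get(name, []))
    return sorted(u for u in users if not u.startswith(BUILTIN))


def safe_to_delete_kubeadmin(bindings, groups=None):
    """True only if an identity-provider user already holds cluster-admin."""
    return bool(users_with_role(bindings, "cluster-admin", groups))


if __name__ == "__main__":
    print(safe_to_delete_kubeadmin(SAMPLE_BINDINGS, SAMPLE_GROUPS))
```

The check covers cluster-level bindings only; it does not prove that the listed user can actually log in through the identity provider, so step 3 still has to succeed for that user first.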

For more information about OpenShift Container Platform RBAC, see Using RBAC to define and apply permissions.

For more information about authentication and authorization, see OpenShift Container Platform documentation at Understanding authentication.

The following table displays the RBAC permissions for IBM Storage Fusion HCI System user interface.
Table 1. RBAC for IBM Storage Fusion HCI System users
Each user interface page or menu option is followed by the permissions of the Cluster-admin and View user roles.

Events
  Cluster-admin:
    • You can mark events as fixed
  View user:
    • You cannot mark events as fixed

Applications
  Cluster-admin:
    • You can assign policies to applications
    • You can restore application backup
    • You can edit application details
    • You can enable or disable applications for disaster recovery
  View user:
    • You cannot assign policies to applications
    • You cannot restore application backup
    • You cannot edit application details
    • You cannot enable applications for disaster recovery

Backup policies
  Cluster-admin:
    • You can add, edit, or delete policies
    • You can add, edit, or delete backup locations
  View user:
    • You cannot add, edit, or delete policies
    • You cannot add, edit or delete backup locations

Infrastructure > Compute page
  Cluster-admin:
    • Can upsize nodes or add storage disks.
    • Can manage node resources like moving a node to maintenance, power on a node, and so on.
  View user:
    • Cannot upsize nodes or add storage disks.
    • Cannot manage node resources.

Infrastructure > Network page
  Cluster-admin:
    • Can run commands on switches
    • Can add VLANs and Links.
  View user:
    • Cannot run commands on switches.
    • Cannot add VLANs and Links.

Settings > Call Home page
  Cluster-admin:
    • Can enable IBM Call Home or edit Call Home details.
  View user:
    • Cannot enable Call Home or edit Call Home details.

Settings > Encryption page
  Cluster-admin:
    • Can edit encryption settings.
    • Can delete encryption settings.
  View user:
    • Cannot edit encryption settings.
    • Cannot delete encryption settings.

From the title bar, click the help icon and select Collect support logs.
  Cluster-admin:
    • Can generate logs and log sets.
    • Can enable Call Home.
  View user:
    • Cannot generate logs or log sets.
    • Can download generated logs.

App Switcher icon in title bar > Storage outbound arrow
  Cluster-admin:
    • Can replace disk (pdisk replacement).
    • Can download snap.
    • Can manage events (mark as resolved, fix, hide tip, notification, and others).
  View user:
    • Cannot configure, modify, or manage the system or its resources.

Disaster recovery
  Cluster-admin:
    • Can set up site 1, site 2, and tiebreaker in Metro Sync DR.
    • Can upgrade local, remote and tiebreaker clusters
    • Can failover applications from one site to another
  View user:
    • Cannot set up site 1, site 2, and tiebreaker in Metro Sync DR.
    • Cannot upgrade local, remote and tiebreaker clusters
    • Cannot failover applications from one site to another

Services
  Cluster-admin:
    • Can enable and disable IBM Storage Fusion services
    • Can upgrade IBM Storage Fusion services
  View user:
    • Cannot enable and disable IBM Storage Fusion services
    • Cannot upgrade IBM Storage Fusion services

Applications icon in title bar > OpenShift outbound arrow
  For more information about the permissions of the role, see Using RBAC to define and apply permissions.
Note: Menu option is available to navigate to OpenShift console with same login credentials.