Role-based authorization
Roles determine the functions that are available to users of IBM Spectrum Control. When a user ID is authenticated to IBM Spectrum Control through the GUI, CLI, or APIs, membership in an operating system or LDAP group determines the authorization level of the user.
The following table shows the IBM Spectrum Control roles and their authorization levels:
Roles | Authorization level |
---|---|
Administrator | This role has full access to all monitoring and administrative functions. At least one group must have the Administrator role. Note: When IBM Spectrum Control is first installed, the following operating system groups are assigned the Administrator role: |
Monitor | This role has access to the following read-only functions: Exception: Users with the Monitor role can provision storage if they are granted permission in a service class. A service class is a logical entity that describes storage capabilities and characteristics and can be used to specify requirements for storage provisioning. For more information about service classes, see Creating service classes. |
External Application | If you assign the External Application role to the user, you must also assign one or more service classes to the user. This role does not enable users to log in to the IBM Spectrum Control GUI. |
- To determine the role of the user who is logged in, click the user icon in the upper-right corner of any page in the GUI.
- If a user belongs to multiple groups and the groups have different roles, the role with the highest level of authorization is granted to the user. For example, if a user belongs to a group that is assigned the Administrator role and also belongs to a group that is assigned a Monitor role, the user is granted the authorization of the Administrator role.
- If a user is not a member of a group that is assigned an IBM Spectrum Control role, no access is granted to that user.
- If assigned the Monitor role, a user can only open and view logs from the Data Collection page for the selected resource.
Alternatively, you can configure LDAP authentication to perform queries against Active Directory user repositories and assign domain groups directly to roles within IBM Spectrum Control.
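The group-to-role rules above (highest role wins, no mapped group means no access, at least one Administrator group, External Application needs a service class) can be reviewed offline against an exported mapping. The following Python sketch is an added example, not IBM Spectrum Control code or API; the data layout, the group and user names, and the ranking of External Application below Monitor are assumptions.

```python
# Added example: not IBM Spectrum Control code or API. Data shapes are assumed.
# Rank order: the page only states that Administrator outranks Monitor; placing
# External Application lowest is an assumption of this sketch.
RANK = {"External Application": 1, "Monitor": 2, "Administrator": 3}


def effective_role(user_groups, group_roles):
    """Return the highest-ranked role among the user's groups, or None (no access)."""
    roles = [group_roles[g] for g in user_groups if g in group_roles]
    return max(roles, key=RANK.__getitem__, default=None)


def audit(group_roles, users, service_classes):
    """Check a role mapping against the rules on this page; return (roles, findings)."""
    findings = []
    if "Administrator" not in group_roles.values():
        findings.append("no group holds the Administrator role")
    resolved = {}
    for user, groups in sorted(users.items()):
        role = effective_role(groups, group_roles)
        resolved[user] = role
        granted = {group_roles[g] for g in groups if g in group_roles}
        if role is None:
            findings.append(f"{user}: no role-mapped group, no access")
        elif len(granted) > 1:
            # Multi-group users silently receive the highest role; surface them.
            findings.append(f"{user}: roles {sorted(granted)} resolve to {role}")
        if role == "External Application" and not service_classes.get(user):
            findings.append(f"{user}: External Application without a service class")
    return resolved, findings


# Constructed sample data (group and user names are made up).
GROUP_ROLES = {"storage-admins": "Administrator", "noc-viewers": "Monitor",
               "svc-integrations": "External Application"}
USERS = {"alice": ["noc-viewers", "storage-admins"], "bob": ["noc-viewers"],
         "carol": ["hr-staff"], "svc-vmware": ["svc-integrations"]}
SERVICE_CLASSES = {"svc-vmware": []}

if __name__ == "__main__":
    roles, findings = audit(GROUP_ROLES, USERS, SERVICE_CLASSES)
    for user, role in roles.items():
        print(f"{user:12} {role or 'no access'}")
    for line in findings:
        print("FINDING:", line)
```

Users who reach Administrator through a second group, such as `alice` in the sample data, are the ones to review first when enforcing least privilege.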