Role-based authorization

Roles determine the functions that are available to users of IBM Spectrum Control. When a user ID is authenticated to IBM Spectrum Control through the GUI, CLI, or APIs, membership in an operating system or LDAP group determines the authorization level of the user.

The following table shows the IBM Spectrum Control roles and their authorization levels:

Table 1. IBM Spectrum Control roles and authorization levels
Roles Authorization level

Administrator

This role has full access to all monitoring and administrative functions. At least one group must have the Administrator role.

Note: When IBM Spectrum Control is first installed, the following operating system groups are assigned the Administrator role:
  • Windows: Administrators
  • UNIX and Linux®: root
  • AIX®: system

Monitor

This role has access to the following read-only functions:
  • Viewing and exporting information about monitored resources
  • Viewing, acknowledging, and removing alerts
  • Viewing tasks and data collection jobs
  • Opening management GUIs
  • Opening logs
  • Viewing chargeback, consumer, predefined capacity and inventory, and custom reports
Exception: Users with the Monitor role can provision storage if they are granted permission in a service class. A service class is a logical entity that describes storage capabilities and characteristics and can be used to specify requirements for storage provisioning. For more information about service classes, see Creating service classes.

External Application

If you assign the External Application role to the user, you must also assign one or more service classes to the user.

This role does not enable users to log in to the IBM Spectrum Control GUI.

Tips:
  • To determine the role of the user who is logged in, click the user icon in the upper-right corner of any page in the GUI.
  • If a user belongs to multiple groups and the groups have different roles, the role with the highest level of authorization is granted to the user. For example, if a user belongs to a group that is assigned the Administrator role and also belongs to a group that is assigned a Monitor role, the user is granted the authorization of the Administrator role.
  • If a user is not a member of a group that is assigned an IBM Spectrum Control role, no access is granted to that user.
  • If assigned the Monitor role, a user can only open and view logs from the Data Collection page for the selected resource.
Nested groups are not supported: Adding an Active Directory group or any other type of domain user group to a local operating system group is not supported in IBM Spectrum Control. You can configure IBM Spectrum Control to authenticate domain IDs by relying on the operating system to perform the authentication operation against Active Directory, but it cannot resolve nested groups.

Alternatively, you can configure LDAP authentication to perform queries against Active Directory user repositories and assign domain groups directly to roles within IBM Spectrum Control.
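
The resolution rules from the tips and the nested-groups note above (highest role wins, no mapped group means no access, nested membership is not resolved), written as an audit helper. This is an added Python example, not IBM Spectrum Control code; the group names, user names, and data structures are constructed, and only the Administrator-over-Monitor ordering that the page states is modelled.

```python
# Added example, not IBM Spectrum Control code. All names and data are constructed.
# Only the ordering the page states is modelled: Administrator outranks Monitor.
ROLE_RANK = {"Monitor": 1, "Administrator": 2}

def validate_role_map(group_roles):
    """The page requires at least one group to hold the Administrator role."""
    if "Administrator" not in group_roles.values():
        raise ValueError("no group is assigned the Administrator role")

def effective_role(groups, group_roles):
    """Highest-ranked role among the given groups, or None (no access)."""
    roles = [group_roles[g] for g in groups if group_roles.get(g) in ROLE_RANK]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)

def expand_nested(direct_groups, nested_in):
    """Groups reachable through group-in-group membership (audit use only)."""
    seen, stack = set(direct_groups), list(direct_groups)
    while stack:
        for parent in nested_in.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def audit(users, group_roles, nested_in):
    """Per user: role granted from direct groups, and any role lost to nesting."""
    validate_role_map(group_roles)
    report = {}
    for user, direct in users.items():
        granted = effective_role(direct, group_roles)  # nesting is not resolved
        expected = effective_role(expand_nested(direct, nested_in), group_roles)
        lost = expected if expected != granted else None
        report[user] = {"granted": granted, "lost_to_nesting": lost}
    return report

# Constructed sample data.
GROUP_ROLES = {"Administrators": "Administrator", "storage-ops": "Monitor"}
NESTED_IN = {"CORP\\StorageAdmins": ["Administrators"]}  # domain group in local group
USERS = {
    "alice": ["Administrators", "storage-ops"],  # two roles: the higher one applies
    "bob": ["storage-ops"],
    "carol": ["CORP\\StorageAdmins"],  # reaches Administrators only through nesting
    "dave": ["helpdesk"],  # no group with a role: no access
}

if __name__ == "__main__":
    for name, result in audit(USERS, GROUP_ROLES, NESTED_IN).items():
        print(name, result)
```

A non-empty `lost_to_nesting` value marks a user whose expected role depends on a nested group, which is the case the page resolves by assigning the domain group to a role directly through LDAP authentication.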