Hitachi Command Suite 8 User Guide

    Related references
    • Required roles and resource groups by function on page 108

    Changing the lock status of user accounts
    A user account can be locked or unlocked by an administrator.
    Procedure
    1. On the Administration tab, select Users and Permissions.
    This will launch a user management window.
    2. Click Users, then select the check box for the user whose lock status you want to change.
    3. Click Lock Users or Unlock Users.
    A verification dialog box displays.
    4. Click Ok to lock or unlock the account, or click Cancel.
    5. Verify that the user account has been locked (a lock icon displays in the
    user list), or that the previously locked user can now log in.
    Related concepts
    • About user accounts and controlling access to resources on page 84
    Related tasks
    • Changing the password for a user account on page 89

    Configuring external authentication for users
    External authentication systems can be used to authenticate user logins.
    External authentication systems, such as LDAP (for example, Active
    Directory), RADIUS, or Kerberos may be used to authenticate HCS users as
    they log in. You can re-configure existing accounts, or create new accounts to
    use external authentication.
    Prerequisites
    • The HCS server must be linked to an external authentication server. See the Hitachi Command Suite Administrator Guide.
    • The HCS server must be configured to support user authentication, which activates the Change Auth button in the GUI, and which presents authentication options such as Internal for a local account, or LDAP for external authentication.
    • The HCS user ID must exist on the external authentication server. It is recommended that user ID information be acquired from the external
    authentication server administrator before creating accounts.
    Procedure
    1. From the Administration tab, select Users and Permissions.
    Setting up users and access control 91 Hitachi Command Suite User Guide
    2. Select the Users folder, then select one or more users (using the check box) whose authentication method you want to change, or click Add User to create a new account.
    Note: When creating a new account, only the User ID is required for external authentication, and it must match a user ID on the external authentication server. For a local (internal) account, a User ID and Password are both required. When external authentication is available, new user accounts created without a password value are automatically configured to use external authentication (for example, LDAP is selected for you). Fill in the desired fields, and click OK to create the user account.
    3. If you have selected existing users, click Change Auth. A dialog box is displayed. From the drop-down list, select the desired authentication method (for example, LDAP) and click OK. The user list will be re-displayed.
    4. Review the Authentication column to verify the authentication method.
    Result
    On the next login attempt by each user, the user's login credentials (user ID and password) will be validated using the external authentication server.
    Tip: Set permissions or roles so that the registered user can perform necessary operations using HCS products. Also consider adding user accounts to user groups with assigned roles for controlled access to resource groups.
    Related concepts
    • About user accounts and controlling access to resources on page 84
    Related tasks
    • Configuring external authentication for groups on page 92
    Related references
    • User ID and password policies on page 87

    Configuring external authentication for groups
    External authentication systems can be used to authenticate user groups.
    External authentication systems, such as LDAP (for example, Active
    Directory), RADIUS, or Kerberos may be used to authenticate HCS user
    group members as they log in. You can configure one or more user groups, from one or more external authentication servers.
    When HCS is linked with an external authentication server and Active Directory is also used as an external authorization server, user permissions can be managed by using the Active Directory groups (authorization groups) registered on the external authorization server. In this case, user permissions are specified for each group.
    Prerequisites
    • The HCS server must be linked to an external authentication (authorization) server. See the Hitachi Command Suite Administrator Guide.
    • The HCS server must be configured to support group authentication, which activates the Groups folder in the GUI.
    • The HCS user group must exist on the external authentication (authorization) server. It is recommended that domain and group
    information, as required below, be acquired from the external
    authentication server administrator.
    Procedure
    1. From the Administration tab, select Users and Permissions.
    2. Click the Groups folder to display the Domain List. This is a list of external authentication servers listed by domain name, and host name or IP address. If the Groups folder is not displayed, see the prerequisites above.
    3. Select the desired Domain Name to display the Group List, which may be empty ('No Groups' is displayed). Click Add Groups.
    4. Enter the Distinguished Name for the group. Use Check DN to verify a correct DN entry. Click Ok to save your group and re-display the Group List. Note that the Group Name is derived from the entered DN. To specify multiple groups, note that:
    • You can add multiple DNs at the same time using the "+" button
    • If multiple DNs are listed, you can remove an entry with the "-" button
    • Reset clears all DN entries
    5. From the Group List, click the Group Name link, then click Change Permission and set the HCS permissions for the group (repeat this for each new group).
    6. Your groups will now be visible from the Administration tab, User Groups. You can affiliate the groups with resource groups and roles, just like HCS user groups. If you delete external authentication groups from Users and Permissions at a later time, the groups are also removed from the User Groups list.
    Result
    On the next login attempt by each group member, the user's login credentials (User ID and Password) will be validated using the external authentication (authorization) server.
    Tip: To delete registered authorization groups, select the check boxes of the groups to be deleted, and then click Delete Groups.
    Related concepts
    • About user accounts and controlling access to resources on page 84
    Related tasks
    • Configuring external authentication for users on page 91
    Related references
    • User ID and password policies on page 87

    Deleting user accounts
    If user accounts are no longer needed for accessing HCS, for example if users leave the organization, you can delete the user accounts.
    Procedure
    1. On the Administration tab, select Users and Permissions.
    2. Select Users in the navigation pane, and then select the users to delete.
    3. Click Delete Users.
    4. Click OK.
    Result
    The user accounts you deleted no longer appear in the list of user accounts.

    Controlling access to resources
    This module describes how to control access to resources.

    About access control
    Within a managed SAN environment, user accounts are created and added to user groups, and the user groups are affiliated with resource groups and assigned roles to provide controlled access to functionality available in Device Manager and Tiered Storage Manager (GUI).
    • A user group consists of local user accounts, or accounts from external authentication systems
    • A resource group consists of storage system resources (storage systems, parity groups, DP pools, LDEV IDs, and storage ports)
    • Assigned roles for resource groups provide either full, partial, or read-only access to resource group resources
    This creates an access control policy that allows secure data handling in
    multi-tenant environments and supports more efficient and secure operations. An access control policy can be used for:
    • Data center hosting services
    • Management of departments in an organization
    • Management of locations in an organization
    A user group is a group of users who can access the same resources with the
    same user permissions. Externally authenticated groups can also be used as user groups. When you assign resource groups and roles (user permissions, such as Admin, Modify, View or Custom) to a user group, resources are
    consistently controlled for the users in that group.
    When the storage system is Virtual Storage Platform G1000, you can use custom roles to specify one or more roles and user permissions at a more
    detailed, granular level. For example, you can allow:
    • Provisioning operations
    • Remote copy operations
    • System resource operations
    • Storage encryption key and authentication management
    • Audit log management
    Resource groups can be created in this configuration only when the storage
    system is Virtual Storage Platform G1000, Virtual Storage Platform, or Unified
    Storage VM.
    The following figure illustrates user groups and their permissions (standard
    Admin, Modify and View roles) for accessing resources. The use of custom
    roles is not shown here, but is illustrated in the user group topics. Custom
    roles provide more granular permissions to specific functionality.
    For Virtual Storage Platform G1000, Virtual Storage Platform, or Unified
    Storage VM systems, physical configurations such as parity groups, and logical configurations such as LDEV IDs, are used to create resource groups.
    After resource groups are created, they can then be assigned to user groups.
    Related references
    • Access control examples on page 96

    Access control examples
    The following examples show how resource groups can control access in a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM system. One method for dividing resources would be by separating resources based on company location. For example, if you create resource groups based on location, the administrators in each location are limited to using only the resources that have been assigned to them, and are restricted from accessing the resources of other locations.
    It is also possible to share physical resources (such as parity groups or storage ports) among departments, and divide only logical resources (such as DP pools, LDEV IDs, or host group numbers) by department. For example, you can assign resource groups that contain shared physical resources to all departments, and then assign individual resource groups that contain specific logical resources to the appropriate departments. This allows department administrators to use only the resources assigned to them, while still allowing for effective sharing of physical resources.
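The department split described above can be audited offline once the assignments are written down. The following Python sketch is an added example, not part of the Hitachi guide and not an HCS API: the dictionaries, group names and IDs are constructed, and treating every role other than View as change-capable is an assumption.

```python
from collections import defaultdict

# Logical resource types named in the guide; these must not be shared for change.
LOGICAL_TYPES = {"dp_pool", "ldev_id", "host_group_number"}
READ_ONLY_ROLES = {"View"}  # assumption: any other role can change resources

# Constructed sample policy (all names and IDs are made up for illustration).
RESOURCE_GROUPS = {
    "RG-Shared-Physical": {("parity_group", "1-1"), ("storage_port", "CL1-A")},
    "RG-Sales-Logical": {("ldev_id", "00:10:00"), ("dp_pool", "Pool-1")},
    "RG-Eng-Logical": {("ldev_id", "00:20:00"), ("host_group_number", "CL1-A/5")},
}
USER_GROUPS = {
    # user group: (department, [(resource group, role), ...])
    "UG-Sales-Admins": ("sales", [("RG-Shared-Physical", "Modify"),
                                  ("RG-Sales-Logical", "Modify")]),
    "UG-Eng-Admins": ("engineering", [("RG-Shared-Physical", "Modify"),
                                      ("RG-Eng-Logical", "Modify"),
                                      ("RG-Sales-Logical", "Modify")]),  # misassignment
    "UG-Eng-Readers": ("engineering", [("RG-Sales-Logical", "View")]),
}


def writers_by_resource(resource_groups, user_groups):
    """Map each resource to {department: user groups} holding a change-capable role."""
    writers = defaultdict(lambda: defaultdict(set))
    for ug, (dept, assignments) in user_groups.items():
        for rg, role in assignments:
            if role in READ_ONLY_ROLES:
                continue
            if rg not in resource_groups:
                raise KeyError(f"{ug} references unknown resource group {rg}")
            for resource in resource_groups[rg]:
                writers[resource][dept].add(ug)
    return writers


def isolation_violations(resource_groups, user_groups):
    """Return logical resources that more than one department can change."""
    findings = []
    by_resource = writers_by_resource(resource_groups, user_groups)
    for (rtype, rid), depts in by_resource.items():
        # Shared physical resources are expected; only logical ones are flagged.
        if rtype in LOGICAL_TYPES and len(depts) > 1:
            detail = {d: sorted(ugs) for d, ugs in sorted(depts.items())}
            findings.append((rtype, rid, detail))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for rtype, rid, depts in isolation_violations(RESOURCE_GROUPS, USER_GROUPS):
        print(f"{rtype} {rid} can be changed by more than one department: {depts}")
```

The shared parity group and port are not reported, because sharing physical resources is the intended design; only the sales LDEV and DP pool that the engineering administrators can also modify are flagged.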
    Related concepts
    • About resource groups on page 97
    • About user groups on page 102
    • About access control on page 94

    About resource groups
    Resources can be grouped by system resource types that include storage system, parity groups, DP pools, LDEV IDs, and storage ports.
    Note: When DP pools are registered to resource groups, related DP pool volumes and their LDEV IDs are also registered.
    There are several types of resource groups:
    • All Resources is a resource group that is created during management server installation and includes all resources managed by HCS. For example, a user who is a member of one of the built-in user groups for All Resources has access to all storage systems.
    • Default ResourceGroup is the name for default resource groups that are created as storage systems are discovered and registered. A user who is a
    member of a user group in a default resource group has access to all of the storage system resources.
    • Resource pool is another type of resource group. A resource pool is a resource group to which resources of a virtual storage machine in a Virtual
    Storage Platform G1000 belong, when the resources have not been added
    to any individual resource group. There are two types of resource pools.
    There are resource pools on the default virtual storage machine, and
    resource pools that are automatically created on user-defined virtual
    storage machines. You can check the resource pools on user-defined virtual storage machines from the resource group list.
    • User-defined resource groups defining more specific storage access can be created for the Virtual Storage Platform G1000, Virtual Storage Platform, and Unified Storage VM depending on the operating environment. Resources can be grouped by parity groups, DP pools, LDEV IDs, or storage ports. Resource group definitions in Device Manager are applied to the storage system when using the Virtual Storage Platform G1000. However, these resource group definitions are not applied to other storage systems.
    Resource groups, which are user-defined, can be set for the Virtual Storage
    Platform, Virtual Storage Platform G1000, or Unified Storage VM. Only default
    resource groups are created for other storage systems. Each resource is
    automatically registered in the All Resources and in Default resource groups
    created for its storage system (this group cannot be deleted). If a volume
    that is part of a LUSE volume is registered in a resource group, other
    volumes in that LUSE volume are also registered in the same resource group.
    For the Virtual Storage Platform G1000, when you register a part of a parity group that is part of a concatenated parity group to a resource group, other
    parity groups that are a part of the concatenated parity group will also be registered in the same resource group automatically. If the resource is in a
    Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM system, you can register it in only one user-defined resource group.
    Related concepts
    • About user groups on page 102
    • About virtual storage machines on page 264
    Related tasks
    • Creating resource groups on page 100
    • Editing a resource group on page 100
    • Assigning resource groups and roles to a user group on page 129
    Related references
    • Prerequisites for creating resource groups on page 99
    • Access control examples on page 96

    Prerequisites for creating resource groups
    Resources can be grouped by system resource types that include storage systems, parity groups, DP pools, LDEV IDs, and storage ports.
    The following list identifies the conditions for creating a user-defined user
    group for the Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM.
    All of the following resources can be set to create a user-defined group for a
    Virtual Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM.
    • Parity Groups: Includes parity groups and volumes in external storage systems. If a user has the Modify, Storage Administrator (Provisioning), or a higher role for parity groups or for the LDEV ID of a DP pool volume, and an unused LDEV ID is assigned to the user, the user can create a volume. For the Virtual Storage Platform G1000, when you register a part of a parity group that is part of a concatenated parity group to a resource group, other parity groups that are a part of the concatenated parity group will also be registered in the same resource group automatically.
    • DP Pools: Includes DP pools consisting of DP pool volumes with LDEV IDs.
    • LDEV IDs: Includes parity groups and volumes in external storage systems. Non-existent IDs can also be specified. Users who have the Modify, Storage Administrator (Provisioning), or a higher role for parity groups or DP pools and are assigned an unused volume ID can create a volume.
    • Storage Ports: Users who have the Modify, Storage Administrator (Provisioning), or a higher role for ports and are assigned an unused Host Group Number can create a host group that has that host group number.
    • Host Group Number: Non-existent numbers can also be specified. Users who have the Modify, Storage Administrator (Provisioning), or a higher role for ports and are assigned an unused Host Group Number can create a host group that has that host group number.
    Related concepts
    • About resource groups on page 97
    Related tasks
    • Creating resource groups on page 100

    Creating resource groups
    User-created resource groups can be used to group system resource types including storage systems, parity groups, DP pools, LDEV IDs, and storage ports.
    Resource groups, which are user defined, can be created for the Virtual
    Storage Platform, Virtual Storage Platform G1000, or Unified Storage VM.
    Procedure
    1. On the Administration tab, in the Administration pane, select Resource Groups.
    2. Click Create Resource Group.
    3. Enter a name and description, and select the storage system providing the resources.
    4. Using the tabs, specify the parity groups, DP pools, LDEVs, ports, or host groups (or a mix of resources) for the resource group.
    5. Click Submit to register this as a task.
    6. You can check the progress and result of the task on the Tasks & Alerts tab. Click the task name to view details of the task.
    Result
    The new resource group is displayed, and can be assigned to an existing user
    group using the Edit User Group button. You can also assign resource groups when creating new user groups with Create User Group.
    Related tasks
    • Editing a resource group on page 100
    • Assigning resource groups and roles to a user group on page 129
    • Deleting resource groups on page 101
    Related references
    • Access control examples on page 96
    • Prerequisites for creating resource groups on page 99

    Editing a resource group
    You can edit storage system resources in an existing resource group.
    Information about resource groups can be modified to reflect changing access control requirements.
    Procedure
    1. On the Administration tab, in the Administration pane, select Resource Groups.
    2. To edit a resource group, do one of the following: