Home > Hitachi > Software > Hitachi Command Suite 8 User Guide

Hitachi Command Suite 8 User Guide

Download as PDF Print this page Share this page

Have a look at the manual Hitachi Command Suite 8 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 913 Hitachi manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

View all the pages

Add page 101 to Favourites

image text

Enable zoom

• From the Resource Groups pane, select the resource group, and
click Edit Resource Group .
• Click the resource group link, click Actions and select Edit Resource
Group .
3. You can modify the resource group name and description, but not the
storage system.
4. Modify the parity groups, DP pools, LDEVs, ports, or host groups to
reflect your access control requirements.Note: To add or delete DP pool volumes, you must add or delete DP
pools.
5. Click Submit to register this as a task.
6. You can check the progress and result of the task on the Tasks & Alerts
tab. Click the task name to view details of the task.
Result
Depending on how you initiated your edit (see step 2), the resource group is
displayed and you can confirm your changes, or you will be in the Resource
Groups pane and can click the resource group link to confirm your changes.
Related tasks
•
Creating resource groups on page 100
•
Assigning resource groups and roles to a user group on page 129
Related references
•
Access control examples on page 96
Deleting resource groups If resource groups are no longer needed, you can delete the resource groups.
Procedure 1. On the Administration tab, select Resource Groups .
2. Select the resource groups to delete.
The storage system default resource groups, All Resources, and resource
pools cannot be deleted.
3. Click Delete Resource Groups .
4. Click Submit .
Result
The resource groups you deleted no longer appear in the list of resource
groups.
Setting up users and access control101Hitachi Command Suite User Guide

Add page 102 to Favourites

image text

Enable zoom

							About user groupsA user group consists of one or more users having the same permissions
(role) for the same resources. An external authentication group can also be used as a user group. There are also built-in resource and user groups for
administrative convenience.
For a user group, one or more resource groups are added, and a role assigned for each resource group. The types of roles are:
• Admin
• Modify
• View
• Custom
User group members will be able to work with each resource group according
to the assigned role (permissions) for the resource group. For example, a
user group member with view access to a resource group can monitor, but not change the resource. Also note the following:
• A user can belong to multiple user groups, each with assigned resource groups and roles
• A resource group can be registered to multiple user groups
If hosts and volumes are managed as logical groups that correspond to
businesses or organizations and the logical groups are registered as private logical groups, only users who belong to the same user group will be able to
use the logical groups.
The default (built-in) user groups assigned to the All Resources resource group (also built-in) are:
• AdminGroup (role: Admin and the permission for creating resource groups)
• ModifyGroup (role: Modify)
• ViewGroup (role: View)
• PeerGroup (role: Peer. This user group cannot be assigned to a resource group)Note:  If Hitachi Compute Systems Manager (HCSM) v8.1 or later is installed
on the HCS management server with Device Manager, the following user groups are created:
• HCSM_AdminGroup
• HCSM_ModifyGroup • HCSM_ViewGroup
Two special case user group assignments exist:
• The built-in account (user ID: HaUser) used by Device Manager agents and file servers is set to the PeerGroup immediately after the installation is
completed, but can be set to another group later. To assign the Peer role to
a user, register the user in PeerGroup.
102Setting up users and access controlHitachi Command Suite User Guide

Add page 103 to Favourites

image text

Enable zoom

• Authorized groups that have been registered to Hitachi Command Suiteproducts can be used as user groups. Roles assigned to authorized groups
are also applied to users who belong to nested groups.
For a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM storage system, if different roles are set as follows, the role set
for each resource group is applied to all resource groups within the same
storage system.
• When multiple resource groups in the same storage system are assigned to one user group, and a different role has been set for each resource
group.
• When a user belongs to multiple user groups, and a different role has been set for the resource groups in the same storage system.
If the storage system is not a Virtual Storage Platform G1000, Virtual Storage Platform, or Unified Storage VM, the previous scenario does not apply. For example, in the following figure, User A and User B can access each resource
group (RG) with the following roles, respectively.
User A can access RG1, RG2, and RG3 with the Admin, Audit LogAdministrator (View & Modify) and Security Administrator (View Only) roles. User B can access RG3 with the Security Administrator (View & Modify) role,and access RG4 with the View role.
Some special cases apply:
• If a user has the Storage Administrator (Provisioning), Modify, or higher roles for parity groups or the LDEV ID of a DP pool volume, and an unusedLDEV ID is assigned to this user, they can create a volume.
• If a user has the Storage Administrator (Provisioning), Modify, or higher roles for ports, and an unused Host Group ID is assigned to this user, theycan allocate new volumes by using that Host Group ID.
Setting up users and access control103Hitachi Command Suite User Guide

Add page 104 to Favourites

image text

Enable zoom

• If the LDEV ID of a DP volume is assigned to a user, this user can view theDP pool to which the DP volume belongs and the DP pool volumes thatcompose the DP pool. If the LDEV ID of a DP pool volume is assigned to
this user, they can view the pool to which the DP pool volume belongs.
• If a parity group is assigned to a user, this user can view all volumes that belong to the parity group from a list of volumes that appears whendisplaying the parity group information. If a parity group is not assigned toa user and only the LDEV IDs of the volumes belonging to the parity group are assigned to this user, they cannot view that parity group.Note: The roles above determine the operation permissions of Device
Manager and the Tiered Storage Manager GUI. For users of the Tiered
Storage Manager CLI, operating permissions are granted by assigning the desired roles of All Resources and Device Manager to the user groups to
which the users belong, and then setting the Tiered Storage Manager
permissions required to execute commands for each user. For details about the permissions required to execute each command, see the Hitachi
Command Suite Tiered Storage Manager CLI Reference Guide .
Related concepts
•
About access control on page 94
Related tasks •
Creating user groups on page 127
User group roles In Device Manager and Tiered Storage Manager (GUI), permissions aregranted by assigning resource groups and roles to users in a user group.
For other HCS products, permissions are granted by setting permissions for each user. For example, this method can be used for granting permissions for
the Device Manager GUI and CLI operations and for the Tiered Storage Manager GUI. For users of the Tiered Storage Manager CLI, permissions are granted by assigning the desired roles of All Resources and Device Manager
to the user groups to which the users belong, and then setting the Tiered
Storage Manager permissions required to execute commands for each user.
The table below describes roles and the tasks that can be performed when
those roles are assigned.
By specifying roles, resources that belong to a resource group for which a
user has permission to reference or operate on are displayed. The user can
perform operations or reference information for the displayed resources.
Roles can be set for an external authentication group, just like for other user groups, when the external authentication group is used as a user group. By
default, the View role for All Resources is set.
104Setting up users and access controlHitachi Command Suite User Guide

Add page 105 to Favourites

image text

Enable zoom

							Table 4-2  User permissions by roleRoleDevice Manager TasksTiered Storage Manager TasksAdminThe user can register resources to be
managed, change settings, and view
information.
If the user is assigned to All Resources, the
user can manage resource groups.The user can create, edit, and delete
tiers, perform operations from the
Mobility tab, and perform migration
tasks.ModifyThe user can register resources to be
managed, change settings, and view
information.The user can create, edit, and delete
tiers, perform operations from the
Mobility tab, and perform migration
tasks.ViewThe user can view (reference) managed
resources.The user can view (reference)
information about tiers, information in
the Mobility tab, and list migration tasks.PeerThis role applies only to Device Manager
agents and file servers and cannot be
assigned to resource groups and cannot be
used to log in to HCS products.
The Peer role cannot be assigned in
combination with any permissions other than
the User Management permissions.Not applicable.CustomFor VSP G1000, more granular roles are available and are referred to as custom roles.
The Admin, Modify, and View roles are broad in scope, while custom roles are more
specific. When selecting permissions for a user group associated with a default user
group or user-defined resource group, multiple custom roles can be selected in
combination to determine user capabilities. For users assigned to an All Resources built-
in group, custom roles are not available as the built-in groups grant Admin, Modify, or
View permissions only.
Related references
•
Custom roles  on page 105
•
Required roles and resource groups by function  on page 108
Custom roles Custom roles provide granular permissions for performing general HCS tasks,as well as additional tasks specific to Hitachi Virtual Storage Platform G1000.The custom roles available include Storage, Security, Audit Log, and Supportroles.
The table below describes additional VSP G1000 tasks (functions) and the required custom roles when selecting System GUI from menus or application panes to open Hitachi Device Manager - Storage Navigator.
Note that to use custom roles, they must be assigned to resource groupswith users. The following custom roles can be assigned to both the VSP
G1000 default resource group for broad access to storage resources, and to user-defined resource groups for specific access to storage resources:
• Storage Administrator (Provisioning) • Storage Administrator (Performance Management)
Setting up users and access control105Hitachi Command Suite User Guide

Add page 106 to Favourites

image text

Enable zoom

							• Storage Administrator (Local Copy)• Storage Administrator (Remote Copy)
Storage, security, and audit log custom roles not in the list above are generally for tasks concerning the storage system as a whole, such assecurity and auditing. These roles are assigned to the VSP G1000 defaultresource group only.Note:  Custom roles cannot be assigned to users in the All Resources built-in
resource groups as these groups permit View, Modify, or Admin permissions only.
Table 4-3  Custom roles
Custom role (permission)FunctionsStorage Administrator (Provisioning) 1Allows provisioning related operations:
• Configuring caches
• Configuring LDEVs, pools, and virtual volumes
• Formatting and shredding LDEVs
• Configuring external volumes
• Creating and deleting quorum disks used in a global- active device environment
• Configuring alias volumes for Compatible PAV. • Configuring Dynamic Provisioning
• Creating and deleting global-active device pairs
• Configuring host groups, paths, and WWNs
• Configuring Volume Migration except splitting Volume Migration pairs when using CCI
• Configuring access attributes for LDEVs
• Configuring LUN securityStorage Administrator (Performance
Management) 1Allows performance monitoring:
• Configuring monitoring
• Starting and stopping monitoringStorage Administrator (Local Copy) 1Allows pair operations for local copy:
• Performing pair operations for local copy
• Configuring environmental settings for local copy • Splitting Volume Migration pairs when using CCIStorage Administrator (Remote Copy) 1Allows remote copy operations:
• Remote copy operations in general
• Managing global-active device pairs (except for creation and deletion)Storage Administrator (Initial
Configuration) 1Allows initial configuration of storage systems:
• Configuring settings for storage systems
• Configuring settings for SNMP
• Configuring settings for e-mail notification
• Configuring settings for license keys
• Viewing, deleting, and downloading storage configuration reports
• Acquiring all the information about the storage system and refreshingStorage Administrator (System
Resource Management) 1Allows configuring various storage system resources:
• Configuring settings for CLPR106Setting up users and access controlHitachi Command Suite User Guide

Add page 107 to Favourites

image text

Enable zoom

							Custom role (permission)Functions• Configuring settings for MP Blade• Deleting tasks and releasing exclusive locks of resources
• Completing SIMs
• Configuring attributes for ports
• Configuring LUN security
• Configuring Server Priority Manager
• Configuring tiering policiesSecurity Administrator (View & Modify)For global-active device:
• Setting the reserved attribute for a volume to be used in a global-active device pair
With the exception of user management, allows
management of encryption keys and authentication for
storage systems:
• Creating an encryption key, configuring encryption
• Viewing and switching the location at which to create an encryption key
• Backing up and restoring an encryption key
• Deleting an encryption key that is backed up on the key management server
• Viewing and changing the password policies for backing up an encryption key on the management
client
• Configuring the certificate used for SSL communication on the management client 2
.
• Configuring the Fibre Channel authentication (FC-SP)Security Administrator (View Only)Allows viewing of storage system encryption keys and
authentication settings:
• Viewing information about encryption settings
• Viewing information about encryption keys on the key management serverAudit Log Administrator (View &
Modify)Allows management of storage system audit logs:
• Configuring audit log settings
• Downloading audit logsAudit Log Administrator (View Only)Allows viewing of audit log settings for storage systems
and downloading of audit logs:
• Viewing storage audit log settings
• Downloading audit logsSupport Personnel 3
,4Allows configuration from the SVP by service
representatives:
• Downloading dump files using the FD Dump toolNotes: 1. Custom roles also apply to general tasks performed on the Virtual Storage Platform G1000,
such as:
• Refreshing storage system information
• Registering storage systems and hosts
• Managing tasks, logical groups, and storage tiers
• Displaying information
• Downloading components
2. When a user account for logging in to the SVP or Command Control Interface (CCI) is
authenticated by HCS, if the user account created in HCS is assigned the Security
Administrator (View & Modify) role, that user account can be used to open the Tool Panel andSetting up users and access control107Hitachi Command Suite User Guide

Add page 108 to Favourites

image text

Enable zoom

							Custom role (permission)Functionsconfigure the certificate. For details about this procedure, see the Hitachi Command Suite
Administrator Guide .
3. When a user account for logging in to the SVP or Command Control Interface (CCI) is
authenticated by HCS, if the user account created in HCS is assigned the Support Personnel
role, that user account be used to log in to the SVP and perform tasks.
4. When a user account for logging in to the SVP or Command Control Interface (CCI) is
authenticated by HCS, if the user account created in HCS is assigned the Support Personnel
role, that user account be used to open the Tool Panel and download dump files. For details about this procedure, see the  Hitachi Command Suite Administrator Guide .
Related concepts
•
About access control  on page 94
Related references •
User group roles  on page 104
•
Required roles and resource groups by function  on page 108
Required roles and resource groups by function The following tables show the resource groups and roles that are required to
perform each function of Device Manager or Tiered Storage Manager.
The first table below lists HCS functions, and the required resource groups
and roles to perform the function.
The second table lists additional HCS functions for the VSP G1000, and the required custom roles or roles to perform the functions.
Note:  This topic describes only the operations that can be performed from
the GUI. For the operations that can be performed by using CLI, see the
manuals  Hitachi Command Suite CLI Reference Guide  and Hitachi Command
Suite Tiered Storage Manager CLI Reference Guide .
The following headings are used to group related or similar functions in the
table below:
• Access Control • Downloads
• Link and Launch
• Storage Systems
• Hosts
• LUN Paths, HBAs, Host Modes
• Data Collection Tasks • HCS Tasks• System Tasks
• Alerts
• Search & Reports (CSV)
• Volumes
108Setting up users and access controlHitachi Command Suite User Guide

Add page 109 to Favourites

image text

Enable zoom

							• Volumes - global-active device pairs
• External Storage Systems
• Pools/Tiers
• File Servers • File Servers - HNAS
• File Servers - HDI and HNAS F
• Replication
• Virtual ID
• Mobility (migration)
• Resources of virtual storage machines • AnalyticsNote:  For custom roles, a hyphen (-) indicates that the task (function)
cannot be performed with a custom role.
Table 4-4  Required resource groups and roles for performing functions
FunctionResource Group
Required RolesAdmin, Modify, ViewCustom (VSP G1000)Access Control (Administration tab, resource groups) (Resources tab, logical groups)Assign resources and
roles to user groupsAll ResourcesAdmin
You must have User
Management Admin
permission.-Create, delete, or edit
resource groupsAll ResourcesAdmin-Create, edit, or delete
public logical groupAnyAdmin or ModifyOne of the following:
Storage Administrator
(Provisioning)
Storage Administrator
(Performance
Management)
Storage Administrator
(Local Copy)
Storage Administrator
(Remote Copy)
Storage Administrator
(Initial Configuration)
Storage Administrator
(System Resource
Management)Create, edit, or delete
private logical groupAnyAnyDownloads (Tools menu)Setting up users and access control109Hitachi Command Suite User Guide

Add page 110 to Favourites

image text

Enable zoom

							FunctionResource Group
Required RolesAdmin, Modify, ViewCustom (VSP G1000)Download related
programsAnyAdmin or ModifyOne of the following:
Storage Administrator
(Provisioning)
Storage Administrator
(Performance
Management)
Storage Administrator
(Local Copy)
Storage Administrator
(Remote Copy)
Storage Administrator
(Initial Configuration)
Storage Administrator
(System Resource
Management)Link and LaunchLaunch other HCS
products.Any
When starting Element
Manager, the resource
group to which the
target resource
belongsAnyStorage Systems (Resources & Administration tabs)Add storage systemsAll ResourcesAdmin-Edit storage systems
(storage system name,
IP address, host name,
user name, or
password)All ResourcesAdmin or Modify-Refresh storage
systemsResource group to
which the resources of
the target system
belongAdmin or ModifyOne of the following:
Storage Administrator
(Provisioning)
Storage Administrator
(Performance
Management)
Storage Administrator
(Local Copy)
Storage Administrator
(Remote Copy)
Storage Administrator
(Initial Configuration)110Setting up users and access controlHitachi Command Suite User Guide

All Hitachi manuals Comments (0)