Hitachi Command Suite 8 User Guide

							Related concepts
•
About registering and removing file servers  on page 75
Discovering, registering, and adding management targets81Hitachi Command Suite User Guide 
						

							82Discovering, registering, and adding management targetsHitachi Command Suite User Guide 
						

							4
Setting up users and access controlThis module describes how to control access to managed resources.□
Setting up users and access control
□
About user accounts and controlling access to resources
□
Creating and managing user accounts
□
Controlling access to resources
Setting up users and access control83Hitachi Command Suite User Guide 
						

							Setting up users and access controlAfter users are registered, you can limit the scope of allowed operations for
each user by configuring access control settings for users and storage
resources.
To set access control you will need to create resource groups and user
groups, then assign the resource groups and roles to the user groups.
Related concepts
•
About user accounts and controlling access to resources  on page 84
•
About access control  on page 94
About user accounts and controlling access to resources Hitachi Command Suite provides built-in user accounts and the ability to addadditional local user accounts and users from external authentication servers.
You grant controlled access to storage resources by adding new users to user groups with assigned resource groups and roles (permissions). Built-in
resource groups and user groups exist for administrative convenience.
The following two built-in user accounts are created when Hitachi Command Suite is installed. You will see them when you view the list of user accounts.
Additional user accounts will also be listed as you add them.
• The System account (default password:  manager) is a fully-privileged
administrator account, and is used to manage all HCS functionality, including HCS user accounts, user groups, and resource groups.
• The HaUser account (default password:  haset) is the default user account
used by Device Manager agents and exclusive account of management
software for file servers. The default role for the HaUser account is Peer
and the PeerGroup is set for the HaUser account. The HaUser account belongs to PeerGroup as soon as the installation completes.
84Setting up users and access controlHitachi Command Suite User Guide 
						

							Log in with the System account to access user management functionality onthe Administration tab to create local HCS user accounts. While creating useraccounts, you can list available applications (as installed on the management
server) and set user permissions for those applications. You must add users
to at least one, or more, resource groups to determine the storage they can access. Together, application permissions and resource group/user group
membership determine the scope of what each user can do in HCS.
Note the following when managing Virtual Storage Platform G1000:
• Enable user authentication in HCS so that user accounts are authenticated when they log in to CCI and the SVP so that user accounts can be centrally
managed.
• SSL communication  must be configured between the Device Manager
server and the storage system. Also, you might need to add firewall
exceptions between the Device Manager server and the storage system.
For details on implementing SSL communication and adding firewall exceptions between the Device Manager server and the storage system,
see the  Hitachi Command Suite Administrator Guide .
• User accounts should be created with user names and passwords compatible with HCS and the Virtual Storage Platform G1000 components.
• If a user account that is used to perform operations by using CCI or the SVP is already registered in Hitachi Device Manager - Storage Navigator,
also register that user account in HCS.
• Create an administrator user account for Hitachi Device Manager - Storage Navigator that can be used if HCS is not available.Note:  If HCS authentication of user accounts is disabled when logging into
CCI or SVP, you must specify the same user account information and access
control to storage resources in both HCS and Hitachi Device Manager -
Storage Navigator.
You can also manage user accounts by linking to an external authentication
server, such as an LDAP directory server, RADIUS server, or Kerberos server.
However, the built-in accounts (System and HaUser) cannot be authenticated
on an external authentication server. The HCS user account used to connect
to external authentication servers and external authorization servers is
managed as a Windows Active Directory (authorization) group. Permissions
that are specified for authorized groups are also applied to users who belong
to nested groups.
Application permissions
After adding basic user information such as username, password, email, and
description, set permissions for available applications, such as:
• Tier management (CLI) • Replication management
• Performance management
Setting up users and access control85Hitachi Command Suite User Guide 
						

							Permissions include View, Execute, Modify, and Admin. These permissions
control what the user can do on the related tabs, and possibly elsewhere.
Users can assist in user management tasks by selecting the admin
permission for the User Management application. The user will be able to
assist in:
• Specifying user settings • Creating user groups for Device Manager and Tiered Storage Manager
• Assigning resources and roles to user groups
• Reporting user, and user group information in CSV format • Specifying security settings (such as locking an account)
Resource groups and User groups The resource group All Resources is a built-in group (created by default) and contains the built-in user groups called AdminGroup, ModifyGroup,
PeerGroup, and ViewGroup. Adding a user to ViewGroup would allow a user
to see all registered storage systems and related underlying detail such as
parity groups. Putting the user in ModifyGroup enables task related buttons and tasks listed under General Tasks, allowing the user to work with
resources. Essentially, as a member of an All Resources group, you have
access to the Device Manager GUI and Tiered Storage Manager GUI
elements.
Additionally, each storage system has a resource group named Default ResourceGroup. If you have three registered storage systems you would seethree of these groups in addition to All Resources listed. This group is used to
provide Admin, Modify, or View permissions (roles) to one or more users in a user-defined user group so they have access to the specific resources of the
storage system. In other words, instead of placing a user in the All Resources
group, you can place them in one or more storage system resource groups
and narrow the scope of what they can view or manage. To do this, you must
create a named user-defined group and edit the resource group to add the
user-defined group and one or more users, whose permissions (roles) can be
set independently as you add them. Additionally, if the default resource group
is for a Virtual Storage Platform G1000, you can select Custom roles which
are more specific, such as roles for provisioning, or copy pair management
and tasks. Mulitiple roles can be combined.
For very specific control over access to resources, consider creating user-
defined resource groups. You can identify specific parity groups and LDEVs
that members of your user-defined user group can access. As with default
resource groups, for a Virtual Storage Platform G1000, you can select
Custom roles.Tip:  For details about the required permissions for executing each command
of the Tiered Storage Manager CLI, see the  Hitachi Command Suite Tiered
Storage Manager CLI Reference Guide.86Setting up users and access controlHitachi Command Suite User Guide 
						

							Related tasks
•
Creating a user account  on page 87
Related references
•
User ID and password policies  on page 87
Creating and managing user accounts Create user accounts and assign permissions.
Creating a user account All users not allowed to log in with the System account require a user account
for access to HCS.
A user account consists of general user profile information (User ID,
Password, Full Name, E-mail, and Description).
Procedure 1. On the  Administration  tab, click Users and Permissions .
This will launch a user management window.
2. Click  Users  to display the current user list.
3. Click  Add User  and specify user profile information.
4. Click  OK.
Result
The user list is re-displayed and will include the new user.
Related tasks
•
Editing the profile for a user account  on page 88
•
Deleting user accounts  on page 94
Related references
•
User ID and password policies  on page 87
User ID and password policies User IDs and passwords must adhere to specific requirements.
The User ID and password requirements for HCS, the SVP, and CommandControl Interface (CCI) vary.
When using HCS as an authentication server for Virtual Storage Platform G1000, User IDs and passwords must be valid for both HCS and the SVP, and
for HCS and CCI.
Setting up users and access control87Hitachi Command Suite User Guide 
						

							Table 4-1  HCS, SVP, and CCI login account requirementsComponentItemLengthRequirementsHCSUser ID1-256A-Z, a-z, 0-9
! # $ % & ' ( ) * + - . = @ \ ^ _ |Password1-256Same as aboveSVPUser ID1-128Alphanumeric (ASCII code) characters
! # $ % & ' - . @ ^ _Password6-127Alphanumeric (ASCII code) characters
! # $ % & ' ( ) * + - . = @ \ ^ _ |CCIUser ID1-63Alphanumeric (ASCII code) characters
- . @ _Password6-63Alphanumeric (ASCII code) characters
- . @ _Note:  When using a Windows computer for CCI, you can also specify a
backslash ( \ ) for both the User ID and password.
If using external authentication servers such as LDAP (and others), note the
following:
• User IDs and passwords must be valid for the external authentication server and Hitachi Command Suite products.
A password policy can be configured from the Administration tab to enforce stronger passwords. If using external authentication, the password
enforcement must be compatible.
Related concepts
•
About user accounts and controlling access to resources  on page 84
Related tasks
•
Creating a user account  on page 87
•
Changing the password for a user account  on page 89
•
Changing your own password  on page 90
•
Configuring external authentication for users  on page 91
•
Configuring external authentication for groups  on page 92
Editing the profile for a user account Modify the name, email address, and description for a user account.
Procedure 1. On the  Administration  tab, click Users and Permissions .
88Setting up users and access controlHitachi Command Suite User Guide 
						

							This will launch a user management window.
2. Click  Users , select the target user by clicking the  User-ID link, and click
Edit Profile .
3. Edit the profile information for the user, and then click  OK.
The user profile is displayed.
4. Confirm the updated user profile information.
Related tasks
•
Changing permissions for a user account  on page 90
•
Editing your own user profile  on page 89
Editing your own user profile As your user attributes change, you will need to update your user profile.
Procedure 1. On the  Administration  tab, click User Profile .
Your user information is displayed.
2. Click  Edit Profile .
3. Edit the profile information and click  OK.
4. Confirm that the updated user profile information appears in the  Users
area.
Related tasks
•
Changing your own password  on page 90
Changing the password for a user account As user passwords expire or are compromised, they can be changed.
Procedure 1. On the  Administration  tab, click Users and Permissions .
This will launch a user management window.
2. Click  Users , select the target user by clicking the  User-ID link, and click
Change Password .
3. Enter the new password and verify it.
4. Click  OK.
5. Confirm that the user account can log in with the new password.
Related tasks •
Changing your own password  on page 90
Related references
•
User ID and password policies  on page 87
Setting up users and access control89Hitachi Command Suite User Guide 
						

							Changing your own passwordAs your password expires or is compromised, it will need to be changed.
Procedure 1. On the  Administration  tab, click User Profile .
Your information is displayed.
2. Click  Change Password .
3. Type the new password and verify it.
4. Click  OK.
5. Log in with your new password.
Result
Your password is changed.
Related concepts
•
About user accounts and controlling access to resources  on page 84
Related tasks •
Changing the password for a user account  on page 89
Related references •
User ID and password policies  on page 87
Changing permissions for a user account To grant a user new permissions or remove existing permissions, changepermission settings in the user account.
Tip:  For a user of Device Manager or Tiered Storage Manager (GUI), specify
a role for the user group which is assigned to the user, instead of granting
user permissions.
Procedure
1. On the  Administration  tab, click Users and Permissions .
This will launch a user management window.
2. Click  Users , select the target user by clicking the  User-ID link, and click
Change Permission .
3. Edit the permissions and click  OK.
The user account is re-displayed, including granted permission.
4. Verify the correct user permissions are selected.
Result
The user permissions are changed.
90Setting up users and access controlHitachi Command Suite User Guide