
About user and group accounts


HCP uses system-level user and group accounts to control access to these interfaces:

HCP System Management Console

Tenant Management Console for managing the default tenant and namespace

HCP management API for creating and managing tenants

HCP metadata query API for querying the default namespace

Search Console to search in the default namespace


Note: System-level user and group accounts do not control access to stored data and metadata other than through the metadata query API and Search Console.

User accounts

An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the HCP System Management Console.

When you create a user account, you specify a username and password. You also associate roles with the account and specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.

You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.

Multiple people can use the same user account concurrently for the same or different interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.

An HCP system can have at most 200 system-level user accounts.

Group accounts

An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed above. You create and manage group accounts in the HCP System Management Console.

When you create a group account, you associate roles with it. When an AD user accesses HCP, that user has all the roles associated with all the group accounts that correspond to AD groups to which the user belongs.

An HCP system can have at most 100 system-level group accounts.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Roles and permissions


A role is a named collection of permissions that are granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.

You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.


Tip: Before associating roles with a user or group account, make sure the permissions granted by those roles are consistent with the job functions of the user or group of users for whom you’re creating the account.


Note: An AD user can be added to an AD group while that user is using the System Management Console. If the AD group corresponds to an existing HCP group account, the user may not automatically get the roles associated with that group account for up to eight hours. To get the roles immediately, the user needs to log out of the System Management Console and then log back in. If the user is also currently using the Tenant Management Console or Namespace Browser, logging out of either of those interfaces has the same effect.

Alternatively, you can force the roles to be recognized immediately by clearing the AD cache. For information on this, see Clearing the Active Directory cache.


Available roles


The roles that you can associate with a user or group account are:

Monitor — Grants permission to use the System Management Console to view the HCP system status and most aspects of the system configuration, including tenant configurations. The monitor role does not grant permission to view user or group accounts.

Administrator — Grants permission to use the System Management Console to view the HCP system status, perform most system configuration activities, create and manage tenants, and download the HCP internal logs. The administrator role does not grant permission to view or configure user or group accounts.

Security — Grants permission to use the System Management Console to view the HCP system status, create and manage user accounts, configure remote authentication, modify system security settings, configure syslog and SNMP logging and email notification, and view security events in the system log.

Compliance — Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to use the System Management Console to view the HCP system status. Using the Tenant Management Console is possible only for the default tenant and for HCP tenants that are configured to allow system-level users to manage them and search their namespaces (see Tenant-level administration).

Service — Grants permission to use the System Management Console to view the HCP system status and perform advanced system reconfiguration and management activities. The service role does not grant permission to view or configure user or group accounts.


Important: You should perform activities restricted to the service role only after consulting your authorized HCP service provider.

Search — Grants permission to use the metadata query API and Search Console to query or search the default namespace and any namespaces owned by HCP tenants that are configured to allow system-level users to manage them and search their namespaces (see Tenant-level administration).


Note: To use the metadata query API or Search Console for access only to the HCP namespaces owned by a specific tenant, a user must have a tenant-level user account or an AD user account that’s recognized at the tenant level. For more information on these accounts, see Managing a Tenant and Its Namespaces.

The monitor, administrator, security, and compliance roles also grant access to use the HCP management API for specific activities. For more information, see HCP Management API Reference.


Tenant-level administration


Tenants, except the default tenant, have their own user and group accounts that can enable access to the Tenant Management Console and HCP management API. The roles available for these accounts are monitor, administrator, security, and compliance. Tenant security administrators define tenant-level user and group accounts in the Tenant Management Console.

HCP system-level users with the monitor, administrator, security, or compliance role automatically have access to the Tenant Management Console and HCP management API functions for the default tenant. The default tenant does not have user or group accounts of its own.

A tenant-level user with the administrator role can configure an HCP tenant to allow system-level users to manage it and search its namespaces. This enables system-level users with the monitor, administrator, security, or compliance role to log into the Tenant Management Console or use the HCP management API for the tenant. System-level users with the monitor or administrator role can also access the Tenant Management Console directly from the System Management Console. For the default tenant, access by system-level users is enabled automatically and cannot be disabled.


Note: If a tenant-level user account has the same username and password as your system-level user account, you cannot use your system-level account to log into the Tenant Management Console for that tenant. You can, however, access that Console directly from the System Management Console, in which case you are still using your system-level user account.

After accessing the Tenant Management Console or HCP management API for a tenant that is configured to allow system-level users to manage it and search its namespaces, system-level users can perform the activities allowed by the tenant-level roles that correspond to their system-level roles.

An AD user can belong to AD groups for which corresponding HCP group accounts exist at both the system and tenant levels. When such a user accesses the Tenant Management Console, that user has the roles associated with both the applicable system-level group accounts and the applicable tenant-level group accounts.

When logged into the Search Console for the default tenant, system-level users with the search role can search the namespaces owned by HCP tenants that are configured to allow system-level users to search their namespaces. These system users can also use the metadata query API to query those namespaces.


Permissions granted by roles


The following tables show the user permissions that each role grants for the System Management, Search, and Tenant Management Consoles.

System Management and Search Console permissions

The table below lists the permissions that apply to the System Management and Search Consoles. Checkmarks indicate the permissions granted by each role.

Role columns: Monitor, Administrator, Security, Service, Compliance, Search

Permission rows [the checkmark cells for each row were not preserved in this copy of the table]:

Create, view, modify, delete, and otherwise manage user accounts
Create, view, modify, and delete group accounts
Specify message text for the System Management and Search Console login pages
Configure support for Active Directory
Clear the Active Directory cache
View and modify the RADIUS server configuration
View the system overview
Stop and restart the system
View the system hardware status
View individual nodes
Stop and restart individual nodes
Eject the CD tray from a node
Remove a node from the HCP system
View storage pools, components, and volumes
Create, modify, retire, and delete storage pools, components, and volumes
View networks
Set global IP mode support for front-end networks
Modify the [hcp_system] and [hcp_backend] networks
Enable creation of user-defined networks
Create, modify, and delete user-defined networks
Enable the [hcp_management] network
Create, modify, and delete tenants
View the tenant list
View individual tenants, including tenant settings
Reset tenant security
View metadata query engine and HDDS search facility settings
Modify the metadata query engine and HDDS search facility settings
Select a search facility for the Search Console
View service statuses and configurations
Modify service configurations and manage service activity, including configuring and managing data migrations, replication links, and erasure coding topologies
Start, stop, enable, and disable services
View the current service schedule
Create, modify, activate, and delete service schedules
View service plans
Create, modify, retire, and delete service plans
Assign service plans to tenants
View network security settings
Modify network security settings
View the current SSL server certificate
Manage SSL server certificates
View and modify System Management Console security settings
View and modify HCP management API security settings
View and modify Search Console security settings
View the systemwide permission mask
Modify the systemwide permission mask
View HCP system log messages about all events except security events
View HCP system log messages about security events
View the syslog configuration
Modify the syslog configuration and test syslog connections
View SNMP settings
Modify SNMP settings and test SNMP connections
View email notification settings
Modify email notification settings and test email server connections
View the Hitachi Device Manager connection configuration
Configure the Hitachi Device Manager connection
Monitor system resource usage
Generate chargeback reports
Add comments to the HCP internal logs
Download the HCP internal logs
Modify the system DNS settings, time settings, serial number, HTTP persistent connection timeout interval, custom thread count for replication, and SNMP broken-link reporting interval
Enable creation of the default tenant and namespace
Make back-end switches known to HCP
Commit an HCP system upgrade
Use the Search Console for the default tenant
Change your own locally authenticated password in the System Management Console
Change your own locally authenticated password in the Search Console
View HCP documentation from the System Management Console
View HCP documentation from the Search Console
Renew the Storage license
Optimize for cloud
Update and create networks
Download the HCP system logs for diagnostics
Add comments to HCP system logs
Configure AD authenticated CIFS support
View and modify the AD domain controller filter
Set the tenant management and data networks
Upload and download encryption keys

Tenant Management Console permissions

The table below lists the permissions that apply to the Tenant Management Console. Checkmarks indicate the permissions granted by each role.

Role columns: Monitor, Administrator, Security, Compliance

Permission rows [the checkmark cells for each row were not preserved in this copy of the table]:

View the user account list (HCP tenants only)
View the full definition of individual user accounts (HCP tenants only)
View the description, allow namespace management property, and data access permissions for individual user accounts (HCP tenants only)
Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions (HCP tenants only)
Modify the allow namespace management property and manage data access permissions for user accounts (HCP tenants only)
View the group account list (HCP tenants only)
View the full definition of individual group accounts (HCP tenants only)
View the description, allow namespace management setting, and data access permissions for individual group accounts (HCP tenants only)
Create, associate roles with, and delete group accounts (HCP tenants only)
Modify the allow namespace management setting and manage data access permissions for group accounts (HCP tenants only)
Specify message text for the Tenant Management and Search Console login pages (HCP tenants only)
View the tenant overview
Modify the tenant contact information, permission mask, and description
Allow or disallow access to the Tenant Management Console by HCP system-level users (HCP tenants only)
View and modify Tenant Management Console security settings (HCP tenants only)
View and modify HCP management API security settings (HCP tenants only)
View and modify Search Console security settings (HCP tenants only)
View content classes and content properties
Create, modify, and delete content classes and content properties
View namespace associations with content classes
Modify namespace associations with content classes
View tenant log messages about all events except compliance and security events
View tenant log messages about compliance events
View tenant log messages about security events
View syslog and SNMP logging options
Enable or disable syslog and SNMP logging
View email notification settings
Modify email notification settings
Generate chargeback reports (HCP tenants only)
Create and delete namespaces (HCP tenants only)
View the namespace list (HCP tenants only)
View namespace overviews
Modify namespace names and quotas (HCP tenants only)
View namespace permission masks and descriptions
Modify namespace permission masks and descriptions
View namespace owners (HCP namespaces only)
Change namespace owners (HCP namespaces only)
View the tags associated with namespaces (HCP namespaces only)
Modify the tags associated with namespaces (HCP namespaces only)
View namespace default retention settings (HCP namespaces only)
Modify namespace default retention settings (HCP namespaces only)
View namespace default shred settings (HCP namespaces only)
Modify namespace default shred settings (HCP namespaces only)
View namespace default index settings (HCP namespaces only)
Modify namespace default index settings (HCP namespaces only)
View minimum data access permissions (HCP namespaces only)
Modify minimum data access permissions (HCP namespaces only)
View namespace ACL settings (HCP namespaces only)
Manage the use of ACLs in namespaces (HCP namespaces only)
View namespace retention-related settings
Modify namespace retention-related settings
View the custom metadata XML checking setting for namespaces
Modify the custom metadata XML checking setting for namespaces
View namespace object versioning configurations (HCP namespaces only)
Configure object versioning in namespaces (HCP namespaces only)
View namespace compatibility settings
Modify namespace compatibility settings
View namespace disposition settings
Modify namespace disposition settings
View namespace replication-related settings
Modify namespace replication-related settings
View the service plans associated with namespaces
Associate service plans with namespaces
View namespace retention modes
Modify namespace retention modes
View default settings for namespace creation (HCP namespaces only)
Modify default settings for namespace creation (HCP namespaces only)
View the maximum number of namespaces per user (HCP namespaces only)
Modify the maximum number of namespaces per user (HCP namespaces only)
View namespace access protocol configurations
Configure namespace access protocols for namespaces
View search and indexing options for namespaces
Modify search and indexing options for namespaces
Reindex namespaces
Monitor replication
Select namespaces for replication (HCP namespaces only)
View all namespace log messages except messages about compliance events
View namespace log messages about compliance events
View the list of irreparable objects
Acknowledge irreparable objects
Create, modify, and delete retention classes
View the list of retention classes
View individual retention classes
Perform privileged delete operations
Download HCP Data Migrator
Change your own locally authenticated password in the Tenant Management Console
View HCP documentation from the Tenant Management Console
Optimize namespaces for cloud


User authentication


To use the System Management Console or the Search Console for the default tenant, a user needs to supply a username and password for authentication. User authentication is the process of checking whether the combination of the specified username and password is valid.

For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.

To use the HCP management API with an HCP user account, the user specifies the account credentials in each request. To use the API with a recognized AD user account, applications must use the SPNEGO protocol to negotiate the AD user authentication themselves. For more information on using the management API, see HCP Management API Reference. For more information on SPNEGO, see http://tools.ietf.org/html/rfc4559.

Local authentication

For locally authenticated users, the user account password is stored in the HCP system. At user login, HCP checks the submitted username and password internally.

HCP lets the user into the target Console if these conditions are true:

The combination of the specified username and password is valid.

The user account is enabled.

The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

You can change the passwords of locally authenticated users in the System Management Console. These users can also change their own passwords in the System Management Console, if they have access to it, or in the Search Console, if they have access to that.

RADIUS authentication

For RADIUS-authenticated users, the user account password is stored outside the HCP system. At user login, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.

HCP lets the user into the target Console if these conditions are true:

The combination of the specified username and password is valid.

The user account is enabled.

The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the System Management Console to set or change the passwords of RADIUS-authenticated users.

For more information on RADIUS authentication, see Configuring connections to RADIUS servers.

Active Directory authentication

For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.

HCP lets an authenticated user into the target Console only if these conditions are true:

The user belongs to at least one AD group for which a corresponding group account exists in HCP.


Note: Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.

At least one such group account is associated with a role that grants permission to access the target Console.

If either of these conditions is not true, HCP doesn’t let the user in.

All password management for AD-authenticated users is handled by AD. You cannot use the System Management Console to set or change the passwords of AD-authenticated users.
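The Console login decisions described in the local, RADIUS, and Active Directory subsections above, as an added example that is not HCP code: the role-to-Console mapping follows "Available roles", while the group names, domains, and data structures are constructed assumptions.

```python
from dataclasses import dataclass

# Roles that grant access to each Console, per "Available roles" above.
CONSOLE_ROLES = {
    "System Management Console": {"monitor", "administrator", "security", "service", "compliance"},
    "Search Console": {"search"},
}

@dataclass
class UserAccount:
    """HCP system-level user account (local or RADIUS authentication)."""
    roles: set
    enabled: bool = True

@dataclass
class AdGroup:
    """Constructed model of an AD group: domain, scope, parent groups."""
    domain: str
    universal: bool = False
    member_of: frozenset = frozenset()  # groups this group is nested under

def console_login(account, credentials_valid, console):
    """Local/RADIUS decision: all three page conditions must hold.
    credentials_valid is HCP's own check (local) or the RADIUS server's answer."""
    if not credentials_valid:
        return False, "username/password combination is not valid"
    if not account.enabled:
        return False, "account is disabled"
    if not account.roles & CONSOLE_ROLES[console]:
        return False, "no role grants access to the " + console
    return True, "ok"

def matching_group_accounts(user_domain, direct_groups, ad_groups, group_accounts):
    """HCP group accounts that apply to an AD user: direct groups plus parents
    nested at any level, where a parent in another domain must be universal."""
    matched, seen = set(), set()
    todo = [(name, False) for name in direct_groups]  # (group, reached by nesting)
    while todo:
        name, nested = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        group = ad_groups[name]
        if nested and group.domain != user_domain and not group.universal:
            continue  # non-universal parent in another domain is not followed
        if name in group_accounts:
            matched.add(name)
        todo.extend((parent, True) for parent in group.member_of)
    return matched

def ad_login(user_domain, direct_groups, ad_groups, group_accounts, console,
             ad_authenticated=True):
    """AD decision: AD/SSO validated the user, then both page conditions hold.
    Returns (allowed, reason, roles); roles is the union over matching group accounts."""
    if not ad_authenticated:
        return False, "AD did not validate the username and password", set()
    matched = matching_group_accounts(user_domain, direct_groups, ad_groups, group_accounts)
    if not matched:
        return False, "no AD group corresponds to an HCP group account", set()
    roles = set().union(*(group_accounts[name] for name in matched))
    if not roles & CONSOLE_ROLES[console]:
        return False, "no matching group account grants the " + console, roles
    return True, "ok", roles

# Constructed sample directory and HCP group accounts (not real names).
AD_GROUPS = {
    "hcp-ops": AdGroup("corp.example", member_of=frozenset({"storage-admins"})),
    "storage-admins": AdGroup("corp.example", member_of=frozenset({"global-it"})),
    "global-it": AdGroup("hq.example", universal=True),
    "audit-readers": AdGroup("hq.example"),  # other domain, not universal
    "search-users": AdGroup("corp.example", member_of=frozenset({"audit-readers"})),
}
# AD group name -> roles associated with the corresponding HCP group account
GROUP_ACCOUNTS = {"global-it": {"administrator"}, "audit-readers": {"monitor"}, "search-users": {"search"}}
```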


Starter account


When HCP is first installed, one user account is already defined. The username and password for this account are:

Username: security
Password: Chang3Me!

This account has only the security role and is authenticated locally.

You need to use the security account the first time you log into the System Management Console after HCP is installed. When you log in, you are immediately required to change the password for this account. Then you can create new accounts as needed, including new accounts with the security role.

You can delete the security account as long as at least one other locally authenticated HCP user account has the security role and is enabled.


Note: Your authorized HCP service provider may have changed the password and roles for the security account while verifying and completing the installation of the HCP system. If this is the case, you need to get the new password for the security account from the service provider.
