About user and group accounts


User and group accounts control access to HCP interfaces. The administrative roles associated with these accounts allow users to use:

The Tenant Management Console

The HCP management API

You need the security role to create, modify, delete, and associate roles with user and group accounts.

The data access permissions associated with user and group accounts allow users to access namespace content through:

Namespace access protocols that require authentication

The Namespace Browser

The HCP metadata query API

The HCP Search Console

You need the administrator role to associate data access permissions with user and group accounts.

The allow namespace management property, which you can assign to a user or group account, allows users to use the HCP management and S3 compatible APIs to:

Create namespaces

List the namespaces they own, view and change the versioning status of those namespaces, and delete them

You need the administrator role to assign the allow namespace management property to a user or group account.

User accounts

An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the Tenant Management Console.

When you create a user account, you specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.

When you create a user account, you have the option of associating roles with it and assigning the allow namespace management property. You can change these properties, as well as associate data access permissions with the account, at any time thereafter.

You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.

Nothing prevents multiple people from using the same user account concurrently, for the same or different interfaces. Because shared credentials make actions impossible to attribute to an individual, create a separate account for each user, and have users keep their passwords confidential.

Note: For HCP user accounts, HCP logs failed namespace access attempts for a given username at most once an hour, rather than once per attempt. This prevents a flood of log messages when an application repeatedly presents invalid credentials. The message that is logged states the number of failed attempts that occurred in the past hour.
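
The throttling the note describes, modeled as an added example (illustrative code, not HCP's implementation and not its log format): every failed attempt is counted, but a line for a given username is emitted at most once per hour and carries the count for that hour. A detection pipeline therefore has to read the count out of the message rather than count messages.

```python
"""Added example (not HCP's own code): a model of the throttled failure
logging described in the note. Each failed namespace access attempt for a
username is counted, but a log line for that username is emitted at most
once per window (an hour, per the page); the line reports how many failures
fell inside the past window. The message text is constructed for
illustration and is not HCP's actual log format."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # the page says HCP logs once an hour per username


class FailedAccessLogger:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._failures = defaultdict(deque)  # username -> timestamps of failures
        self._last_logged = {}               # username -> time of last emitted line
        self.lines = []                      # every line emitted, in order

    def _prune(self, attempts, now):
        # Forget failures older than the window so the count is "in the past hour".
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()

    def record_failure(self, username, now):
        """Record a failed attempt at epoch time `now`.
        Returns the emitted log line, or None when the line is suppressed."""
        attempts = self._failures[username]
        attempts.append(now)
        self._prune(attempts, now)
        last = self._last_logged.get(username)
        if last is not None and now - last < self.window:
            return None  # already reported for this username within the window
        self._last_logged[username] = now
        line = (f"{username}: {len(attempts)} failed namespace access "
                f"attempt(s) in the past hour")
        self.lines.append(line)
        return line

    def failures_in_window(self, username, now):
        """Current count for alerting, independent of whether a line was emitted."""
        attempts = self._failures[username]
        self._prune(attempts, now)
        return len(attempts)


def replay(events, window=WINDOW_SECONDS):
    """Feed (timestamp, username) events through the logger; return emitted lines."""
    log = FailedAccessLogger(window)
    for ts, user in events:
        log.record_failure(user, ts)
    return log.lines


# Constructed sample: an application retrying bad credentials every 10 minutes
# for two hours (t = 0 .. 7200 s), 13 failures in total.
SAMPLE_EVENTS = [(600 * i, "backup-svc") for i in range(13)]
```

Replaying SAMPLE_EVENTS yields three lines (counts 1, 6 and 6) rather than thirteen, which is why a monitoring rule keyed on message volume undercounts brute-force or misconfigured-client activity against HCP.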

A tenant can have at most 10,000 HCP user accounts.

Group accounts

An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed above. You create and manage group accounts in the HCP Tenant Management Console.

When you create a group account, you have the option of associating roles with it. You can change these associations and also associate data access permissions with the account at any time thereafter.

A tenant can have at most 100 group accounts.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Administrative roles and permissions


A role is a named collection of permissions that can be granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.

You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.

Tip: Before associating roles with a user or group account, make sure the permissions granted by those roles are consistent with job functions of the user or group for which you’re creating the account.

Note: An AD user can be added to an AD group while that user is using the Tenant Management Console. If the AD group corresponds to an existing HCP group account, the user may not automatically get the roles associated with that group account for up to eight hours. To get the roles immediately, the user needs to log out of the Tenant Management Console and then log back in. If the user is also currently using the HCP System Management Console or the Namespace Browser, logging out of either of those interfaces has the same effect.

Available roles


The roles you can associate with a user or group account are:

Monitor — Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and most aspects of the tenant and namespace configurations. The monitor role does not grant permission to view user or group accounts.

Administrator — Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and perform most tenant and namespace configuration activities. The administrator role also grants permission to associate data access permissions with user and group accounts but not to view or manage any other aspects of user and group accounts.

Security — Grants permission to use the Tenant Management Console to view the status of the tenant, configure Console and HCP management API security, and view security events in the tenant log. The security role also grants permission to create and manage user and group accounts, including associating roles with them but not viewing or managing their data access permissions.

Compliance — Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to view tenant status, namespace status, and compliance events in the tenant log.

Permissions granted by roles


The permissions controlled by the Monitor, Administrator, Security, and Compliance roles are listed below. Which roles grant each permission follows the role descriptions above: the security role covers user and group account management (other than the allow namespace management property and data access permissions) and Console and management API security settings; the administrator role covers tenant and namespace configuration together with the allow namespace management property and data access permissions of accounts; the compliance role covers retention classes, retention-related settings, and privileged deletes; the monitor role only views. Viewing the tenant overview, changing your own locally authenticated password, downloading HCP Data Migrator, and viewing HCP documentation are available with any role.

View the user account list

View the full definition of individual user accounts

View the description, allow namespace management property, and data access permissions for individual user accounts

Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions

Modify the allow namespace management property and manage data access permissions for user accounts

View the group account list

View the full definition of individual group accounts

View the description, allow namespace management property, and data access permissions for individual group accounts

Create, associate roles with, and delete group accounts

Modify the allow namespace management property and manage data access permissions for group accounts

Specify message text for the Tenant Management and Search Console login pages

View the tenant overview

Modify the tenant contact information, permission mask, and description

Allow or disallow access to the Tenant Management Console by HCP system-level users

View and modify Tenant Management Console security settings

View and modify HCP management API security settings

View and modify Search Console security settings

View content classes and content properties

Create, modify, and delete content classes and content properties

View namespace associations with content classes

Modify namespace associations with content classes

View tenant log messages about all events except compliance and security events

View tenant log messages about compliance events

View tenant log messages about security events

View syslog and SNMP logging options

Enable or disable syslog and SNMP logging

View email notification settings

Modify email notification settings

Generate chargeback reports

Create and delete namespaces

View the namespace list

View namespace overviews

Modify namespace names and quotas

View namespace permission masks and descriptions

Modify namespace permission masks and descriptions

View namespace owners

Change namespace owners

View the tags associated with namespaces

Modify the tags associated with namespaces

View namespace default retention settings

Modify namespace default retention settings

View namespace default shred settings

Modify namespace default shred settings

View namespace default index settings

Modify namespace default index settings

View minimum data access permissions

Modify minimum data access permissions

View namespace ACL settings (HCP tenants only)

Manage the use of ACLs in namespaces

View namespace retention-related settings

Modify namespace retention-related settings

View the custom metadata XML checking setting for namespaces

Modify the custom metadata XML checking setting for namespaces

View namespace object versioning configurations

Configure object versioning in namespaces

View namespace compatibility settings

Modify namespace compatibility settings

View namespace disposition settings

Modify namespace disposition settings

View namespace replication-related settings

Modify namespace replication-related settings

View the service plans associated with namespaces

Associate service plans with namespaces

View namespace DPL settings

Modify namespace DPL settings

View namespace retention modes

Modify namespace retention modes

View default settings for namespace creation

Modify default settings for namespace creation

View the maximum number of namespaces per user

Modify the maximum number of namespaces per user

View namespace access protocol configurations

Configure namespace access protocols for namespaces

View search and indexing options for namespaces

Modify search and indexing options for namespaces

Reindex namespaces

Monitor replication

Select namespaces for replication

View all namespace log messages except messages about compliance events

View namespace log messages about compliance events

View the list of irreparable objects

Acknowledge irreparable objects

Create, modify, and delete retention classes

View the list of retention classes

View individual retention classes

Perform privileged delete operations

Download HCP Data Migrator

Change your own locally authenticated password in the Tenant Management Console

View HCP documentation from the Tenant Management Console

Data access permissions


Data access permissions allow users to access namespace content and some information about namespaces. These permissions are namespace specific. That is, they are granted separately for individual namespaces.

The data access permissions that can be associated with user and group accounts for any given namespace are:

Browse — Lets users list directory contents.

Read — Lets users:

o View and retrieve objects, including the system and custom metadata for objects

o View and retrieve previous versions of objects

o Check the existence of objects

o List annotations for objects

For this permission to be granted, users must also have browse permission.

Read ACL — Lets users view and retrieve object ACLs.

Write — Lets users:

o Add objects to the namespace

o Modify system metadata (except retention hold)

o Add or replace custom metadata

Write ACL — Lets users add, replace, and delete object ACLs.

Change owner — Lets users change the owners of objects in the namespace.

Delete — Lets users delete objects, custom metadata, and ACLs from the namespace.

Purge — Lets users delete all versions of an object with a single operation. For this permission to be granted, users must also have delete permission.

Privileged — Lets users:

o Delete or purge objects that are under retention, provided that the user also has delete or purge permission for the applicable namespace

o Hold or release objects, provided that the user also has write permission for the applicable namespace

Search — Lets users use the HCP metadata query API and the HCP Search Console to query or search the namespace. For this permission to be granted, users must also have read permission.

Users with any data access permissions for a namespace can view information about that namespace.
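
The dependency rules above (read requires browse, purge requires delete, search requires read, and privileged acts only together with delete, purge or write), as an added example that is not code from the page or from HCP. It validates a requested permission set, computes which permissions actually take effect, and maps namespace operations to the permissions they need; the operation names are illustrative labels, not HCP API calls.

```python
"""Added example (not HCP's own code): checks a namespace data access
permission set against the dependency rules the page states and maps
operations to the permissions they require. Operation names are
illustrative, not HCP API names."""

PERMISSIONS = frozenset({
    "browse", "read", "read_acl", "write", "write_acl",
    "change_owner", "delete", "purge", "privileged", "search",
})

# permission -> permissions that must also be held for it to be granted
REQUIRES = {
    "read": {"browse"},
    "purge": {"delete"},
    "search": {"read"},
}

# operation -> alternative permission sets; holding any one set allows it
OPERATIONS = {
    "list_directory": [{"browse"}],
    "get_object": [{"read"}],
    "get_object_acl": [{"read_acl"}],
    "put_object": [{"write"}],
    "set_system_metadata": [{"write"}],                # except retention hold
    "put_object_acl": [{"write_acl"}],
    "delete_object_acl": [{"write_acl"}, {"delete"}],  # either permission suffices
    "change_object_owner": [{"change_owner"}],
    "delete_object": [{"delete"}],
    "purge_object": [{"purge"}],
    "delete_retained_object": [{"privileged", "delete"}],
    "purge_retained_object": [{"privileged", "purge"}],
    "set_retention_hold": [{"privileged", "write"}],
    "query_metadata": [{"search"}],
}


def validate(perms):
    """Return human-readable problems with a requested permission set."""
    perms = set(perms)
    problems = [f"unknown permission: {p}" for p in sorted(perms - PERMISSIONS)]
    for p in sorted(REQUIRES):
        needed = REQUIRES[p]
        if p in perms and not needed <= perms:
            problems.append(f"{p} requires {', '.join(sorted(needed - perms))}")
    return problems


def effective(perms):
    """Permissions that actually take effect: drop any whose dependencies are
    unmet, repeating until stable so chains (search -> read -> browse) collapse."""
    perms = set(perms) & PERMISSIONS
    changed = True
    while changed:
        changed = False
        for p, needed in REQUIRES.items():
            if p in perms and not needed <= perms:
                perms.discard(p)
                changed = True
    return perms


def is_allowed(perms, operation):
    """True if the effective permissions satisfy any alternative for the operation."""
    eff = effective(perms)
    return any(alt <= eff for alt in OPERATIONS[operation])


def allowed_operations(perms):
    return sorted(op for op in OPERATIONS if is_allowed(perms, op))
```

Run validate() on a permission set before applying it to an account: a set such as {"purge", "privileged"} passes a naive "does it contain purge" check but grants nothing usable for purging, because purge without delete is never granted.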

Note: An AD user can be added to an AD group while that user is using the Namespace Browser. If the AD group corresponds to an existing HCP group account, the user may not automatically get the data access permissions associated with that group account for up to eight hours. To get the data access permissions immediately, the user needs to log out of the Namespace Browser and then log back in. If the user is also currently using the HCP System Management Console or the Tenant Management Console, logging out of either of those interfaces has the same effect.

User authentication


To use these HCP Console and command-line interfaces, a user needs to supply a username and password for authentication:

Console interfaces:

o Tenant Management Console

o Namespace Browser

o HCP Search Console

Command-line interfaces:

o HCP management API

o Namespace access protocols that require authentication

o HCP metadata query API

User authentication is the process of checking whether the combination of the specified username and password is valid.

For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.

A tenant can support one or more of these authentication types. The types supported are set when the tenant is created. HCP system-level administrators can change these settings at any time.

Local authentication

For locally authenticated users, the user account password is stored in the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP checks the username and password internally.

HCP lets the user into the target Console or performs the requested operation if these conditions are true:

The combination of the specified username and password is valid.

The user account is enabled.

For the Tenant Management Console, the user account is associated with at least one role.

For the Search Console, the user account is associated with the search permission.

For the HCP management API, the user account is associated with a role that allows the requested operation.

For a namespace access protocol, the user account is associated with permissions that allow the requested operation.

For the metadata query API, the user account is associated with the search permission.

If any of these conditions is not true, HCP rejects the login or command-line request.

You can change the passwords of locally authenticated users in the Tenant Management Console. These users can also change their own passwords in the Tenant Management Console, if they have access to it, or in the Search Console, if they have access to that.

RADIUS authentication

For RADIUS-authenticated users, the user account password is stored outside the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.

HCP lets the user into the target Console or performs the requested operation if these conditions are true:

The combination of the specified username and password is valid.

The user account is enabled.

For the Tenant Management Console, the user account is associated with at least one role.

For the Search Console, the user account is associated with the search permission.

For a command-line interface, the user account is associated with permissions that allow the requested operation.

If any of these conditions is not true, HCP rejects the login or command-line request.

All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the Tenant Management Console to set or change the passwords of RADIUS-authenticated users.

Connections to RADIUS servers are configured at the HCP system level.

Note: RADIUS authentication is not supported for the namespace access protocols or for access to namespace content through any other interface.

Active Directory authentication

For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.

HCP lets an authenticated user into the target Console only if these conditions are true:

The user belongs to at least one AD group for which a corresponding group account exists in HCP.

Note: Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.

For the Tenant Management Console, at least one such group account is associated with at least one role.

For the Search Console, at least one such group account is associated with the search permission.

If any of these conditions is not true, HCP doesn’t let the user in.
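
The three condition lists above (local, RADIUS and AD authentication), written as decision functions in an added example that is not part of the page or of HCP. Password verification is taken as an input, since HCP's own store, the RADIUS server or AD performs it; the example covers what follows: the enabled check, the per-interface conditions, the RADIUS restriction on namespace access protocols, and the nested-group rule with its universal-group caveat for parents in another domain. The Account and AdGroup structures and the sample forest are constructed for illustration.

```python
"""Added example (not HCP's own code): the login and request conditions the
page states for locally authenticated, RADIUS-authenticated and AD-
authenticated users, one decision function per account type. Credential
checking is represented by a boolean supplied by the caller. Account and AD
group structures and all sample data are constructed for this example."""
from dataclasses import dataclass, field

TENANT_CONSOLE = "tenant_console"
SEARCH_CONSOLE = "search_console"
MANAGEMENT_API = "management_api"
NAMESPACE_PROTOCOL = "namespace_protocol"
METADATA_QUERY_API = "metadata_query_api"


@dataclass
class Account:
    name: str
    auth: str                 # "local" or "radius" for user accounts, "ad" for group accounts
    enabled: bool = True
    roles: set = field(default_factory=set)
    data_access: dict = field(default_factory=dict)  # namespace -> data access permissions


@dataclass
class AdGroup:
    name: str
    domain: str
    universal: bool = False
    parents: set = field(default_factory=set)       # groups this group is nested under


def has_search(acct):
    return any("search" in perms for perms in acct.data_access.values())


def interface_conditions(acct, interface, required_role=None, namespace=None,
                         required_perms=frozenset()):
    """Per-interface conditions from the page; returns (ok, reason_if_not)."""
    if interface == TENANT_CONSOLE:
        return bool(acct.roles), "no role associated"
    if interface in (SEARCH_CONSOLE, METADATA_QUERY_API):
        return has_search(acct), "no search permission"
    if interface == MANAGEMENT_API:
        return required_role in acct.roles, f"missing role {required_role}"
    if interface == NAMESPACE_PROTOCOL:
        granted = acct.data_access.get(namespace, set())
        return set(required_perms) <= granted, "insufficient data access permissions"
    return False, "unknown interface"


def authorize_user(acct, credentials_valid, interface, **kw):
    """Local or RADIUS user account. Returns (allowed, reason)."""
    if not credentials_valid:
        return False, "invalid username or password"
    if not acct.enabled:
        return False, "account disabled"
    if acct.auth == "radius" and interface == NAMESPACE_PROTOCOL:
        # The page's note: RADIUS is not supported for namespace access protocols.
        return False, "RADIUS not supported for namespace access protocols"
    ok, reason = interface_conditions(acct, interface, **kw)
    return (True, "ok") if ok else (False, reason)


def effective_ad_groups(direct_groups, user_domain, directory):
    """Direct groups plus every group they are nested under, at any level.
    A parent defined in a domain other than the user's is followed only if it
    is a universal group (the page's nested-group caveat)."""
    seen = set()
    stack = list(direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        info = directory.get(g)
        if info is None:
            continue
        for p in info.parents:
            parent = directory.get(p)
            if parent is None or (parent.domain != user_domain and not parent.universal):
                continue
            stack.append(p)
    return seen


def authorize_ad_user(direct_groups, user_domain, directory, group_accounts, interface):
    """AD user whose password AD has already verified (SSO or login page)."""
    groups = effective_ad_groups(direct_groups, user_domain, directory)
    matched = [a for a in group_accounts if a.name in groups]
    if not matched:
        return False, "no matching HCP group account"
    if interface == TENANT_CONSOLE and not any(a.roles for a in matched):
        return False, "no matching group account has a role"
    if interface == SEARCH_CONSOLE and not any(has_search(a) for a in matched):
        return False, "no matching group account has search permission"
    return True, "ok"


# Constructed AD forest: "eng" and "contractors" are nested under "hcp-admins",
# which is a global (non-universal) group in corp.example.
DIRECTORY = {
    "hcp-admins": AdGroup("hcp-admins", "corp.example"),
    "eng": AdGroup("eng", "corp.example", parents={"hcp-admins"}),
    "contractors": AdGroup("contractors", "partner.example", parents={"hcp-admins"}),
}
GROUP_ACCOUNTS = [
    Account("hcp-admins", "ad", roles={"administrator"}),
    Account("hcp-search", "ad", data_access={"ns1": {"browse", "read", "search"}}),
]
```

The cross-domain case is the one that surprises people: a partner.example user in "contractors" is nested under "hcp-admins" but gets no access until "hcp-admins" is made universal, exactly as the note states.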

All password management for AD-authenticated users is handled by AD. You cannot use the Tenant Management Console to set or change the passwords of AD-authenticated users.

For the command-line interfaces, applications may use the SPNEGO protocol or the AD authentication header to negotiate AD user authentication themselves. You cannot submit AD credentials with a cookie in a command line. For more information on SPNEGO, see http://tools.ietf.org/html/rfc4559. To provide credentials using the Active Directory authentication header, you use this format:

Authorization: AD ad-username:ad-password

Because this header carries the AD password itself, send it only over HTTPS, and prefer SPNEGO, which does not transmit the password, where the client supports it.

Note: AD authentication is not supported for namespace creation through the S3 compatible API.

Tip: If the tenant supports both local and AD authentication, consider creating a locally authenticated user account with the security role. This ensures that you can still access the Tenant Management Console in the unlikely event that HCP cannot communicate with AD.

Starter account


When creating a tenant, the HCP system administrator defines either one locally authenticated HCP user account or one HCP group account for it. This starter account has only the security role and no data access permissions. It also does not have the allow namespace management property.

Before you can log into the Tenant Management Console:

If the starter account is an HCP user account, you need to get the username and password for this account from the system administrator. The first time you log in with this account, you are immediately required to change your password.

If the starter account is an HCP group account, you need to get the username and password of an AD user account for a user that belongs to the AD group that corresponds to the starter group account.

After you’ve logged in with the starter account, you can create new accounts as needed, including new accounts with the security role.

You can delete the starter account as long as at least one of these will still exist after you delete the account:

A locally authenticated HCP user account that has the security role and is enabled

An HCP group account that has the security role
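
The deletion rule above turned into a pre-flight check, as an added example (not HCP's code): before an account is deleted or disabled, confirm that an enabled, locally authenticated security-role user or a security-role group account will remain. The TenantAccount structure and the sample tenant are constructed for illustration; the RADIUS-authenticated security user in the sample shows why the rule says "locally authenticated", matching the tip about keeping Console access when remote authentication is unavailable.

```python
"""Added example (not HCP's own code): the guard the page describes for
removing the starter account, generalized to deleting or disabling any
account. The change is safe only if, afterwards, the tenant still has an
enabled, locally authenticated user account with the security role or a
group account with the security role. Account structures and sample data
are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class TenantAccount:
    name: str
    kind: str                 # "user" or "group"
    auth: str = "local"       # "local" or "radius" for users; group accounts are AD
    enabled: bool = True
    roles: set = field(default_factory=set)


def is_security_fallback(acct):
    """Does this account, in its current state, keep the security role reachable?"""
    if "security" not in acct.roles:
        return False
    if acct.kind == "group":
        return True
    return acct.auth == "local" and acct.enabled


def safe_to(action, accounts, name):
    """action is "delete" or "disable". Returns (ok, reason) for applying it to `name`."""
    target = next((a for a in accounts if a.name == name), None)
    if target is None:
        return False, f"no account named {name}"
    if action == "delete":
        after = [a for a in accounts if a.name != name]
    elif action == "disable":
        after = [TenantAccount(a.name, a.kind, a.auth, False, a.roles) if a.name == name else a
                 for a in accounts]
    else:
        return False, f"unknown action {action}"
    if any(is_security_fallback(a) for a in after):
        return True, "ok"
    return False, f"{action} would leave no enabled local or group account with the security role"


# Constructed tenant: the starter account is still the only usable security
# account, because the second security user authenticates through RADIUS.
TENANT = [
    TenantAccount("starter", "user", roles={"security"}),
    TenantAccount("sec-radius", "user", auth="radius", roles={"security"}),
    TenantAccount("ns-admin", "user", roles={"administrator"}),
]
```

Run safe_to() from whatever script automates account cleanup; deleting "starter" in the sample tenant is refused until a local security user is enabled or a security-role group account exists.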
