
About user and group accounts

HCP uses system-level user and group accounts to control access to these interfaces:

  • HCP System Management Console
  • Tenant Management Console for managing the default tenant and namespace
  • HCP management API for creating and managing tenants
  • HCP metadata query API for querying the default namespace
  • Search Console to search in the default namespace

Note

System-level user and group accounts do not control access to stored data and metadata other than through the metadata query API and Search Console.

User accounts

An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the HCP System Management Console.

When you create a user account, you specify a username and password. You also associate roles with the account and specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.

You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.

Multiple people can use the same user account concurrently for the same or different interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.

An HCP system can have at most 200 system-level user accounts.

Group accounts

An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed above. You create and manage group accounts in the HCP System Management Console.

When you create a group account, you associate roles with it. When an AD user accesses HCP, that user has all the roles associated with all the group accounts that correspond to AD groups to which the user belongs.

An HCP system can have at most 100 system-level group accounts.

Roles and permissions

A role is a named collection of permissions that are granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.

You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.

Before associating roles with a user or group account, make sure the permissions granted by those roles are consistent with the job functions of the user or group of users for whom you’re creating the account.

Note

An AD user can be added to an AD group while that user is using the System Management Console. If the AD group corresponds to an existing HCP group account, the user may not automatically get the roles associated with that group account for up to eight hours. To get the roles immediately, the user needs to log out of the System Management Console and then log back in. If the user is also currently using the Tenant Management Console or Namespace Browser, logging out of either of those interfaces has the same effect.

Alternatively, you can force the roles to be recognized immediately by clearing the AD cache.

Available roles

The roles that you can associate with a user or group account are:

  • Monitor

    Grants permission to use the System Management Console to view the HCP system status and most aspects of the system configuration, including tenant configurations. The monitor role also grants read-only permission to view user and group accounts.

  • Administrator

    Grants permission to use the System Management Console to view the HCP system status, perform most system configuration activities, create and manage tenants, and download the HCP internal logs. The administrator role also grants read-only permission to view user and group accounts. The administrator role does not grant permission to configure user or group accounts.

  • Security

    Grants permission to use the System Management Console to view the HCP system status, create and manage user accounts, configure remote authentication, modify system security settings, configure syslog and SNMP logging and email notification, and view security events in the system log.

  • Compliance

    Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to use the System Management Console to view the HCP system status. Using the Tenant Management Console is possible only for the default tenant and for HCP tenants that are configured to allow system-level users to manage them and search their namespaces.

  • Service

    Grants permission to use the System Management Console to view the HCP system status and perform advanced system reconfiguration and management activities. The service role does not grant permission to view or configure user or group accounts.

    Important

    You should perform activities restricted to the service role only after consulting your authorized HCP service provider.

  • Search

    Grants permission to use the metadata query API and Search Console to query or search the default namespace and any namespaces owned by HCP tenants that are configured to allow system-level users to manage them and search their namespaces. To use the metadata query API or Search Console for access only to the HCP namespaces owned by a specific tenant, a user must have a tenant-level user account or an AD user account that’s recognized at the tenant level.

The monitor, administrator, security, and compliance roles also grant access to use the HCP management API for specific activities.

Tenant-level administration

Tenants, except the default tenant, have their own user and group accounts that can enable access to the Tenant Management Console and HCP management API. The roles available for these accounts are monitor, system, security, and compliance. Tenant security administrators define tenant-level user and group accounts in the Tenant Management Console.

HCP system-level users with the monitor, administrator, security, or compliance role automatically have access to the Tenant Management Console and HCP management API functions for the default tenant. The default tenant does not have user or group accounts of its own.

A tenant-level user with the administrator role can configure an HCP tenant to allow system-level users to manage it and search its namespaces. This enables system-level users with the monitor, administrator, security, or compliance role to log into the Tenant Management Console or use the HCP management API for the tenant. System-level users with the monitor or administrator role can also access the Tenant Management Console directly from the System Management Console. For the default tenant, access by system-level users is enabled automatically and cannot be disabled.

Note

If a tenant-level user account has the same username and password as your system-level user account, you cannot use your system-level account to log into the Tenant Management Console for that tenant. You can, however, access that Console directly from the System Management Console, in which case, you are still using your system-level user account.

After accessing the Tenant Management Console or HCP management API for a tenant that is configured to allow system-level users to manage it and search its namespaces, system-level users can perform the activities allowed by the tenant-level roles that correspond to their system-level roles.

An AD user can belong to AD groups for which corresponding HCP group accounts exist at both the system and tenant levels. When such a user accesses the Tenant Management Console, that user has the roles associated with both the applicable system-level group accounts and the applicable tenant-level group accounts.

When logged in to the Search Console for the default tenant, system-level users with the search role can search the namespaces owned by HCP tenants that are configured to allow system-level users to search their namespaces. These system users can also use the metadata query API to query those namespaces.

Permissions granted by role

The following tables show the user permissions that each role grants for the System Management Console, Search Console, and Tenant Management Console.

System Management and Search Console permissions

The following table lists the permissions that apply to the System Management Console and Search Console. Checkmarks indicate the permissions granted by each role.

Roles (columns): Monitor, Administrator, Security, Service, Compliance, Search

Permissions (rows):
View user accounts
View group accounts
Create, modify, delete, and manage user accounts
Create, modify, and delete group accounts
Specify message text for the System Management Console and Search Console login pages
Configure support for Active Directory
Clear the Active Directory cache
View and modify the RADIUS server configuration
View the system overview
Stop and restart the system
View the system hardware status
View individual nodes
Stop and restart individual nodes
Eject the CD tray from a node
Remove a node from the HCP system
View storage pools, components, and volumes
Create, modify, retire, and delete storage pools, components, and volumes
View networks
Set global IP mode support for front-end networks
Modify the [hcp_system] and [hcp_backend] networks
Enable creation of user-defined networks
Create, modify, and delete user-defined networks
Enable the [hcp_management] network
Create, modify, and delete tenants
View the tenant list
View individual tenants, including tenant settings
Reset tenant security
View metadata query engine and HDDS search facility settings
Modify the metadata query engine and HDDS search facility settings
Select a search facility for the Search Console
View service statuses and configurations
Modify service configurations and manage service activity, including configuring and managing data migrations, replication links, and erasure coding topologies
Start, stop, enable, and disable services
View the current service schedule
Create, modify, activate, and delete service schedules
View service plans
Create, modify, retire, and delete service plans
Assign service plans to tenants
Start, stop, enable, and disable services
View network security settings
Modify network security settings
View the current SSL server certificate
Manage SSL server certificates
View and modify System Management Console security settings
View and modify HCP management API security settings
View and modify Search Console security settings
View the systemwide permission mask
Modify the systemwide permission mask
View HCP system log messages about all events except security events
View HCP system log messages about security events
View the syslog configuration
Modify the syslog configuration and test syslog connections
View SNMP settings
Modify SNMP settings and test SNMP connections
View email notification settings
Modify email notification settings and test email server connections
View the Hitachi Device Manager connection configuration
Configure the Hitachi Device Manager connection
Monitor system resource usage
Generate chargeback reports
Add comments to the HCP internal logs
Download the HCP internal logs
Modify the system DNS settings, time settings, serial number, HTTP persistent connection timeout interval, custom thread count for replication, and SNMP broken-link reporting interval
Enable creation of the default tenant and namespace
Make back-end switches known to HCP
Commit an HCP system upgrade
Use the Search Console for the default tenant
Change your own locally authenticated password in the System Management Console
Change your own locally authenticated password in the Search Console
View HCP documentation from the System Management Console
View HCP documentation from the Search Console
Renew the storage license
Optimize for cloud
Update and create networks
Download the HCP system logs for diagnostics
Add comments to HCP system logs
Configure AD authenticated CIFS support
View and modify AD domain controller filter
Set the tenant management and data networks
Upload and download encryption keys
Apply exclusive Hitachi Vantara Support access credentials
View Hitachi Vantara Support access credentials
Tenant Management Console permissions

The following table lists the permissions that apply to the Tenant Management Console. Checkmarks indicate the permissions granted by each role.

Roles (columns): Monitor, Administrator, Security, Compliance

Permissions (rows):
View the user account list (HCP tenants only)
View the full definition of individual user accounts (HCP tenants only)
View the description, allow namespace management property, and data access permissions for individual user accounts (HCP tenants only)
Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions (HCP tenants only)
Modify the allow namespace management property and manage data access permissions for user accounts (HCP tenants only)
View the group account list (HCP tenants only)
View the full definition of individual group accounts (HCP tenants only)
View the description, allow namespace management setting, and data access permissions for individual group accounts (HCP tenants only)
Create, associate roles with, and delete group accounts (HCP tenants only)
Modify the allow namespace management setting and manage data access permissions for group accounts (HCP tenants only)
Specify message text for the Tenant Management and Search Console login pages (HCP tenants only)
View the tenant overview
Modify the tenant contact information, permission mask, and description
Allow or disallow access to the Tenant Management Console by HCP system-level users (HCP tenants only)
View and modify Tenant Management Console security settings (HCP tenants only)
View and modify HCP management API security settings (HCP tenants only)
View and modify Search Console security settings (HCP tenants only)
View content classes and content properties
Create, modify, and delete content classes and content properties
View namespace associations with content classes
Modify namespace associations with content classes
View tenant log messages about all events except compliance and security events
View tenant log messages about compliance events
View tenant log messages about security events
View syslog and SNMP logging options
Enable or disable syslog and SNMP logging
View email notification settings
Modify email notification settings
Generate chargeback reports (HCP tenants only)
Create and delete namespaces (HCP tenants only)
View the namespace list (HCP tenants only)
View namespace overviews
Modify namespace names and quotas (HCP tenants only)
View namespace permission masks and descriptions
Modify namespace permission masks and descriptions
View namespace owners (HCP namespaces only)
Change namespace owners (HCP namespaces only)
View the tags associated with namespaces (HCP namespaces only)
Modify the tags associated with namespaces (HCP namespaces only)
View namespace default retention settings (HCP namespaces only)
Modify namespace default retention settings (HCP namespaces only)
View namespace default shred settings (HCP namespaces only)
Modify namespace default shred settings (HCP namespaces only)
View namespace default index settings (HCP namespaces only)
Modify namespace default index settings (HCP namespaces only)
View minimum data access permissions (HCP namespaces only)
Modify minimum data access permissions (HCP namespaces only)
View namespace ACL settings (HCP namespaces only)
Manage the use of ACLs in namespaces (HCP namespaces only)
View namespace retention-related settings
Modify namespace retention-related settings
View the custom metadata XML checking setting for namespaces
Modify the custom metadata XML checking setting for namespaces
View namespace object versioning configurations (HCP namespaces only)
Configure object versioning in namespaces (HCP namespaces only)
View namespace compatibility settings
Modify namespace compatibility settings
View namespace disposition settings
Modify namespace disposition settings
View namespace replication-related settings
Modify namespace replication-related settings
View the service plans associated with namespaces
Associate service plans with namespaces
View namespace retention modes
Modify namespace retention modes
View default settings for namespace creation (HCP namespaces only)
Modify default settings for namespace creation (HCP namespaces only)
View the maximum number of namespaces per user (HCP namespaces only)
Modify the maximum number of namespaces per user (HCP namespaces only)
View namespace access protocol configurations
Configure namespace access protocols for namespaces
View search and indexing options for namespaces
Modify search and indexing options for namespaces
Reindex namespaces
Monitor replication
Select namespaces for replication (HCP namespaces only)
View all namespace log messages except messages about compliance events
View namespace log messages about compliance events
View the list of irreparable objects
Acknowledge irreparable objects
Create, modify, and delete retention classes
View the list of retention classes
View individual retention classes
Perform privileged delete operations
Download HCP Data Migrator
Change your own locally authenticated password in the Tenant Management Console
View HCP documentation from the Tenant Management Console
Optimize namespaces for cloud

User authentication

To use the System Management Console or the Search Console for the default tenant, a user needs to supply a username and password for authentication. User authentication is the process of checking whether the combination of the specified username and password is valid.

For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.

To use the HCP management API with an HCP user account, the user specifies the account credentials in each request. To use the API with a recognized AD user account, applications must use the SPNEGO protocol to negotiate the AD user authentication themselves.

Local authentication

For locally authenticated users, the user account password is stored in the HCP system. At user login, HCP checks the submitted username and password internally.

HCP lets the user into the target Console if these conditions are true:

  • The combination of the specified username and password is valid.
  • The user account is enabled.
  • The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

You can change the passwords of locally authenticated users in the System Management Console. These users can also change their own passwords in the System Management Console, if they have access to it, or in the Search Console, if they have access to that.

RADIUS authentication

For RADIUS-authenticated users, the user account password is stored outside the HCP system. At user login, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.

HCP lets the user into the target Console if these conditions are true:

  • The combination of the specified username and password is valid.
  • The user account is enabled.
  • The user account is associated with a role that grants permission to access the target Console.

If any of these conditions is not true, HCP doesn’t let the user in.

All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the System Management Console to set or change the passwords of RADIUS-authenticated users.

Active Directory authentication

For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.

HCP lets an authenticated user into the target Console only if these conditions are true:

  • The user belongs to at least one AD group for which a corresponding group account exists in HCP.

    Note

    Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.

  • At least one such group account is associated with a role that grants permission to access the target Console.

If either of these conditions is not true, HCP doesn’t let the user in.

All password management for AD-authenticated users is handled by the AD. You cannot use the System Management Console to set or change the passwords of AD-authenticated users.
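The admission conditions listed in the local, RADIUS and Active Directory sections above, modelled as an added example (not HCP's own code). The names LocalAccount, AdGroup, local_login and ad_login, the Console-to-role mapping and the sample directory are this example's own assumptions; it also carries the nested-group rule through, including the requirement that a parent group in another domain be universal.

```python
# Added illustration of the Console admission rules on this page; not HCP code.
# The names LocalAccount, AdGroup, local_login and ad_login are this example's own.
from dataclasses import dataclass

# Roles that grant access to each Console, from "Available roles" above.
CONSOLE_ROLES = {
    "system_management": {"monitor", "administrator", "security", "compliance", "service"},
    "search": {"search"},
}

@dataclass
class LocalAccount:
    password: str  # constructed sample value; a real system stores a hash
    enabled: bool
    roles: frozenset

def local_login(accounts, username, password, console):
    """Local (or RADIUS) path: all three listed conditions must hold."""
    acct = accounts.get(username)
    if acct is None or acct.password != password:
        return False, "invalid username/password"
    if not acct.enabled:
        return False, "account disabled"
    if not acct.roles & CONSOLE_ROLES[console]:
        return False, "no role grants access to this Console"
    return True, "ok"

@dataclass
class AdGroup:
    domain: str
    universal: bool = False
    member_of: tuple = ()  # parent groups this group is nested under

def effective_ad_groups(user_domain, direct_groups, ad):
    """Walk nesting upward; a parent in another domain counts only if universal."""
    seen, stack = set(), list(direct_groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for parent in ad[g].member_of:
            if ad[parent].domain != user_domain and not ad[parent].universal:
                continue  # neither this parent nor anything above it counts
            stack.append(parent)
    return seen

def ad_login(user_domain, direct_groups, ad, group_accounts, console):
    """AD path, after AD/SSO has already validated the credentials.
    Roles from every matching HCP group account are combined."""
    groups = effective_ad_groups(user_domain, direct_groups, ad)
    matched = [g for g in groups if g in group_accounts]
    if not matched:
        return False, "no HCP group account matches any of the user's AD groups"
    roles = frozenset().union(*(group_accounts[g] for g in matched))
    if not roles & CONSOLE_ROLES[console]:
        return False, "no role grants access to this Console"
    return True, roles

# Constructed sample data: hcp-admins is nested under a cross-domain, non-universal group.
ACCOUNTS = {"auditor": LocalAccount("s3cret", True, frozenset({"monitor"}))}
AD = {"hcp-ops": AdGroup("corp.example"),
      "hcp-admins": AdGroup("corp.example", member_of=("global-it",)),
      "global-it": AdGroup("other.example", universal=False)}
GROUP_ACCOUNTS = {"global-it": frozenset({"administrator"}),
                  "hcp-ops": frozenset({"monitor"})}
```

With the sample data, a member of hcp-admins is refused because the only matching group account sits above a non-universal parent in another domain; marking that parent universal makes the nested membership count.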

Starter account

When HCP is first installed, one user account is already defined.

The username and password for the predefined user account are:

Username: security
Password: Chang3Me!

This account has only the security role and is authenticated locally.

You need to use the security account the first time you log into the System Management Console after HCP is installed. When you log in, you are immediately required to change the password for this account. Then you can create new accounts as needed, including new accounts with the security role.

You can delete the security account as long as at least one other locally authenticated HCP user account has the security role and is enabled.

Note

Your authorized HCP service provider may have changed the password and roles for the security account while verifying and completing the installation of the HCP system. If this is the case, you need to get the new password for the security account from the service provider.