
User and group accounts

User and group accounts control access to HCP interfaces. The administrative roles associated with these accounts allow users to use:

  • The Tenant Management Console
  • The HCP management API

You need the security role to create, modify, delete, and associate roles with user and group accounts.

The data access permissions associated with user and group accounts allow users to access namespace content through:

  • Namespace access protocols that require authentication
  • The Namespace Browser
  • The HCP metadata query API
  • The HCP Search Console

You need the administrator role to associate data access permissions with user and group accounts.

The allow namespace management property, which you can assign to a user or group account, allows users to use the HCP management and S3 compatible APIs to:

  • Create namespaces
  • List, view, change the versioning status of, and delete namespaces they own

You need the administrator role to assign the allow namespace management property to a user or group account.

User accounts

An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the Tenant Management Console.

When you create a user account, you specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.

When you create a user account, you have the option of associating roles with it and assigning the allow namespace management property. You can change these properties, as well as associate data access permissions with the account, at any time thereafter.

You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.

Multiple people can use the same user account concurrently for the same or different interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.

Note: For HCP user accounts, HCP logs failed namespace access attempts with a given username once an hour. This prevents repeated log messages in the case where an application specifies invalid credentials. The message that’s logged indicates the number of failed attempts that occurred in the past hour.

A tenant can have at most 10,000 HCP user accounts.

Group accounts

An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed above. You create and manage group accounts in the HCP Tenant Management Console.

When you create a group account, you have the option of associating roles with it. You can change these associations and also associate data access permissions with the account at any time thereafter.

A tenant can have at most 100 group accounts.

Administrative roles and permissions

A role is a named collection of permissions that can be granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.

You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.

Tip: Before associating roles with a user or group account, make sure the permissions granted by those roles are consistent with job functions of the user or group for which you’re creating the account.

Note: An AD user can be added to an AD group while that user is using the Tenant Management Console. If the AD group corresponds to an existing HCP group account, the user may not automatically get the roles associated with that group account for up to eight hours. To get the roles immediately, the user needs to log out of the Tenant Management Console and then log back in. If the user is also currently using the HCP System Management Console or the Namespace Browser, logging out of either of those interfaces has the same effect.

Available roles

The roles you can associate with a user or group account are:

  • Monitor

    Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and most aspects of the tenant and namespace configurations. The monitor role does not grant permission to view user or group accounts.

  • Administrator

    Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and perform most tenant and namespace configuration activities. The administrator role also grants permission to associate data access permissions with user and group accounts but not to view or manage any other aspects of user and group accounts.

  • Security

    Grants permission to use the Tenant Management Console to view the status of the tenant, configure Console and HCP management API security, and view security events in the tenant log. The security role also grants permission to create and manage user and group accounts, including associating roles with them but not viewing or managing their data access permissions.

  • Compliance

    Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to view tenant status, namespace status, and compliance events in the tenant log.

Permissions granted by roles

In the table below, checkmarks indicate the permissions granted by each role.

Permission / Role: Monitor, Administrator, Security, Compliance
View the user account list
View the full definition of individual user accounts
View the description, allow namespace management property, and data access permissions for individual user accounts
Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions
Modify the allow namespace management property and manage data access permissions for user accounts
View the group account list
View the full definition of individual group accounts
View the description, allow namespace management property, and data access permissions for individual group accounts
Create, associate roles with, and delete group accounts
Modify the allow namespace management property and manage data access permissions for group accounts
Specify message text for the Tenant Management Console and Search Console login pages
View the tenant overview
Modify the tenant contact information, permission mask, and description
Allow or disallow access to the Tenant Management Console by HCP system-level users
View and modify Tenant Management Console security settings
View and modify HCP management API security settings
View and modify Search Console security settings
View content classes and content properties
Create, modify, and delete content classes and content properties
View namespace associations with content classes
Modify namespace associations with content classes
View tenant log messages about all events except compliance and security events
View tenant log messages about compliance events
View tenant log messages about security events
View syslog and SNMP logging options
Enable or disable syslog and SNMP logging
View email notification settings
Modify email notification settings
Generate chargeback reports
Create and delete namespaces
View the namespace list
View namespace overviews
Modify namespace names and quotas
View namespace permission masks and descriptions
Modify namespace permission masks and descriptions
View namespace owners
Change namespace owners
View the tags associated with namespaces
Modify the tags associated with namespaces
View namespace default retention settings
Modify namespace default retention settings
View namespace default shred settings
Modify namespace default shred settings
View namespace default index settings
Modify namespace default index settings
View minimum data access permissions
Modify minimum data access permissions
View namespace ACL settings (HCP tenants only)
Manage the use of ACLs in namespaces
View namespace retention-related settings
Modify namespace retention-related settings
View the custom metadata XML checking setting for namespaces
Modify the custom metadata XML checking setting for namespaces
View namespace object versioning configurations
Configure object versioning in namespaces
View namespace compatibility settings
Modify namespace compatibility settings
View namespace disposition settings
Modify namespace disposition settings
View namespace replication-related settings
Modify namespace replication-related settings
View the service plans associated with namespaces
Associate service plans with namespaces
View namespace DPL settings
Modify namespace DPL settings
View namespace retention modes
Modify namespace retention modes
View default settings for namespace creation
Modify default settings for namespace creation
View the maximum number of namespaces per user
Modify the maximum number of namespaces per user
View namespace access protocol configurations
Configure namespace access protocols for namespaces
View search and indexing options for namespaces
Modify search and indexing options for namespaces
Reindex namespaces
Monitor replication
Select namespaces for replication
View all namespace log messages except messages about compliance events
View namespace log messages about compliance events
View the list of irreparable objects
Acknowledge irreparable objects
Create, modify, and delete retention classes
View the list of retention classes
View individual retention classes
Perform privileged delete operations
Download HCP Data Migrator
Change your own locally authenticated password in the Tenant Management Console
View HCP documentation from the Tenant Management Console

Data access permissions

Data access permissions allow users to access namespace content and some information about namespaces. These permissions are granted separately for individual namespaces.

The data access permissions that can be associated with user and group accounts for any given namespace are:

  • Browse

    List directory contents.

  • Read

    View and retrieve objects, including the system and custom metadata for objects.

    View and retrieve previous versions of objects.

    Check the existence of objects.

    List annotations for objects.

    For this permission to be granted, users must also have browse permission.

  • Read ACL

    View and retrieve object ACLs.

  • Write

    Add objects to the namespace.

    Modify system metadata (except retention hold).

    Add or replace custom metadata.

  • Write ACL

    Add, replace, and delete object ACLs.

  • Change owner

    Change the owners of objects in the namespace.

  • Delete

    Delete objects, custom metadata, and ACLs from the namespace.

  • Purge

    Delete all versions of an object with a single operation. For this permission to be granted, users must also have delete permission.

  • Privileged

    Delete or purge objects that are under retention, provided the user also has delete or purge permission for the applicable namespace

    Hold or release objects, provided the user also has write permission for the applicable namespace

  • Search

    Use the HCP metadata query API and the HCP Search Console to query or search the namespace. For this permission to be granted, users must also have read permission.

Users with any data access permissions for a namespace can view information about that namespace.

Note: An Active Directory (AD) user can be added to an AD group while the user is using the Namespace Browser. However, if the AD group corresponds to an HCP group account, the data access permissions might not take effect immediately. It could take up to eight hours for the user to get the data access permissions associated with the group account. To get the data access permissions immediately, the user must log out of the Namespace Browser and then log back in. If the user is also currently using the HCP System Management Console or the Tenant Management Console, logging out of either of those interfaces has the same effect.
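The prerequisites above (read needs browse, purge needs delete, search needs read, and privileged only qualifies delete, purge and write) can be encoded so a permission set is checked before it is granted. This is an added example, not code from HCP or its documentation; the operation names and the function names are this example's own assumptions.

```python
# Added example, not HCP code: checks a namespace data access permission set
# against the prerequisites described above and answers "may this set do X?".
# Operation names and function names are this example's own assumptions.

PERMISSIONS = {"browse", "read", "read_acl", "write", "write_acl",
               "change_owner", "delete", "purge", "privileged", "search"}

# permission -> permissions that must also be granted
PREREQUISITES = {"read": {"browse"}, "purge": {"delete"}, "search": {"read"}}

# operation -> every permission the operation needs; "privileged" alone
# grants nothing, it only unlocks these actions on objects under retention
OPERATIONS = {
    "list_directory": {"browse"},
    "get_object": {"read"},
    "get_acl": {"read_acl"},
    "put_object": {"write"},
    "put_acl": {"write_acl"},
    "change_owner": {"change_owner"},
    "delete_object": {"delete"},
    "purge_object": {"purge"},
    "delete_under_retention": {"privileged", "delete"},
    "purge_under_retention": {"privileged", "purge"},
    "hold_or_release": {"privileged", "write"},
    "query": {"search"},
}


def validate(perms):
    """Return the problems in a permission set; an empty list means it is valid."""
    problems = [f"unknown permission: {p}" for p in sorted(perms - PERMISSIONS)]
    for p, needed in PREREQUISITES.items():
        missing = needed - perms
        if p in perms and missing:
            problems.append(f"{p} requires {', '.join(sorted(missing))}")
    return problems


def grant(perms, new):
    """Add `new` together with everything it depends on, transitively."""
    result, todo = set(perms), [new]
    while todo:
        p = todo.pop()
        if p not in result:
            result.add(p)
            todo.extend(PREREQUISITES.get(p, ()))
    return result


def allowed(perms, operation):
    """True if the set is valid and holds every permission the operation needs.
    Any non-empty valid set may view information about the namespace."""
    if validate(perms):
        return False
    if operation == "view_namespace_info":
        return bool(perms)
    return OPERATIONS[operation] <= perms
```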

User authentication

To use these HCP Console and command-line interfaces, a user needs to supply a username and password for authentication:

  • Console interfaces:
    • Tenant Management Console
    • Namespace Browser
    • Search Console
  • Command-line interfaces:
    • HCP management API
    • Namespace access protocols that require authentication
    • HCP metadata query API

User authentication is the process of checking whether the combination of the specified username and password is valid.

For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.

A tenant can support one or more of these authentication types. The types supported are set when the tenant is created. HCP system-level administrators can change these settings at any time.

Local authentication

For locally authenticated users, the user account password is stored in the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP checks the username and password internally.

HCP lets the user into the target Console or performs the requested operation if these conditions are true:

  • The combination of the specified username and password is valid.
  • The user account is enabled.
  • For the Tenant Management Console, the user account is associated with at least one role.
  • For the Search Console, the user account is associated with the search permission.
  • For the HCP management API, the user account is associated with a role that allows the requested operation.
  • For a namespace access protocol, the user account is associated with permissions that allow the requested operation.
  • For the metadata query API, the user account is associated with the search permission.

If any of these conditions is not true, HCP rejects the login or command-line request.

You can change the passwords of locally authenticated users in the Tenant Management Console. These users can also change their own passwords in the Tenant Management Console, if they have access to it, or in the Search Console, if they have access to that.

RADIUS authentication

For RADIUS-authenticated users, the user account password is stored outside the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.

HCP lets the user into the target Console or performs the requested operation if these conditions are true:

  • The combination of the specified username and password is valid.
  • The user account is enabled.
  • For the Tenant Management Console, the user account is associated with at least one role.
  • For the Search Console, the user account is associated with the search permission.
  • For a command-line interface, the user account is associated with permissions that allow the requested operation.

If any of these conditions is not true, HCP rejects the login or command-line request.

All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the Tenant Management Console to set or change the passwords of RADIUS-authenticated users.

Connections to RADIUS servers are configured at the HCP system level.

Note: RADIUS authentication is not supported for the namespace access protocols or for access to namespace content through any other interface.

Active Directory authentication

For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.

HCP lets an authenticated user into the target Console only if these conditions are true:

  • The user belongs to at least one AD group for which a corresponding group account exists in HCP.
    Note: Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.
  • For the Tenant Management Console, at least one such group account is associated with at least one role.
  • For the Search Console, at least one such group account is associated with the search permission.

If any of these conditions is not true, HCP doesn’t let the user in.
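The Console login decision for an AD user described above, written out as an added illustration (not HCP's own code) over a constructed AD forest. The group names, the `universal` flag and the choice to stop following nesting at a non-universal parent in another domain are assumptions of this example.

```python
# Added example, not HCP code: Console login decision for an AD user, after AD
# has already validated the password. The AD forest and the tenant's group
# accounts below are constructed sample data; names are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class AdGroup:
    domain: str
    universal: bool                   # AD group scope is universal
    parents: frozenset = frozenset()  # groups this group is nested under

@dataclass
class GroupAccount:                   # HCP group account for one AD group
    roles: frozenset = frozenset()    # e.g. {"administrator"}
    search: bool = False              # search data access permission on a namespace

def matching_group_accounts(user_domain, direct_groups, directory, accounts):
    """Walk nesting upward from the user's direct groups and return the HCP group
    accounts of reachable groups; a parent outside the user's domain must be universal."""
    seen, todo, found = set(), list(direct_groups), []
    while todo:
        name = todo.pop()
        if name in seen or name not in directory:
            continue
        seen.add(name)
        grp = directory[name]
        nested = name not in direct_groups
        if nested and grp.domain != user_domain and not grp.universal:
            continue                  # assumption: nesting is not followed past it
        if name in accounts:
            found.append(accounts[name])
        todo.extend(grp.parents)
    return found

def console_login(interface, user_domain, direct_groups, directory, accounts):
    """Return (allowed, reason) for 'tenant_management_console' or 'search_console'."""
    matched = matching_group_accounts(user_domain, direct_groups, directory, accounts)
    if not matched:
        return False, "no HCP group account matches any of the user's AD groups"
    if interface == "tenant_management_console" and not any(g.roles for g in matched):
        return False, "no matching group account is associated with a role"
    if interface == "search_console" and not any(g.search for g in matched):
        return False, "no matching group account has the search permission"
    return True, "ok"

# constructed sample forest; the user's own domain is corp.example
DIRECTORY = {
    "storage-ops": AdGroup("corp.example", False, frozenset({"hcp-admins"})),
    "hcp-admins": AdGroup("corp.example", False),
    "dev-team": AdGroup("corp.example", False, frozenset({"eu-readers"})),
    "eu-readers": AdGroup("eu.example", False),       # cross-domain, not universal
    "qa-team": AdGroup("corp.example", False, frozenset({"global-readers"})),
    "global-readers": AdGroup("eu.example", True),    # cross-domain, universal
}
ACCOUNTS = {
    "hcp-admins": GroupAccount(roles=frozenset({"administrator"})),
    "eu-readers": GroupAccount(search=True),
    "global-readers": GroupAccount(search=True),
}
```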

All password management for AD-authenticated users is handled by AD. You cannot use the Tenant Management Console to set or change the passwords of AD-authenticated users.

For the command-line interfaces, applications may use the SPNEGO protocol or the AD authentication header to negotiate the AD user authentication themselves. You cannot submit AD credentials with a cookie in a command line. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559. To provide credentials using the Active Directory authentication header, you use this format:

    Authorization: AD ad-username:ad-password

Note: AD authentication is not supported for namespace creation through the S3 compatible API.

Tip: If the tenant supports both local and AD authentication, consider creating a locally authenticated user account with the security role. This ensures that you can still access the Tenant Management Console in the unlikely event that HCP cannot communicate with AD.

Starter account

When creating a tenant, the HCP system administrator defines either one locally authenticated HCP user account or one HCP group account for it. This starter account has only the security role and no data access permissions. It also does not have the allow namespace management property.

Before you can log into the Tenant Management Console:

  • If the starter account is an HCP user account, you need to get the username and password for this account from the system administrator. The first time you log in with this account, you are immediately required to change your password.
  • If the starter account is an HCP group account, you need to get the username and password of an AD user account for a user that belongs to the AD group that corresponds to the starter group account.

After you’ve logged in with the starter account, you can create new accounts as needed, including new accounts with the security role.

You can delete the starter account as long as at least one of these will still exist after you delete the account:

  • A locally authenticated HCP user account that has the security role and is enabled
  • An HCP group account that has the security role
