User and group accounts
User and group accounts control access to HCP interfaces. The administrative roles associated with these accounts allow users to use:
- The Tenant Management Console
- The HCP management API
You need the security role to create, modify, delete, and associate roles with user and group accounts.
The data access permissions associated with user and group accounts allow users to access namespace content through:
- Namespace access protocols that require authentication
- The Namespace Browser
- The HCP metadata query API
- The HCP Search Console
You need the administrator role to associate data access permissions with user and group accounts.
The allow namespace management property, which you can assign to a user or group account, allows users to use the HCP management and S3 compatible APIs to:
- Create namespaces
- List, view and change the versioning status of, and delete namespaces they own
You need the administrator role to assign the allow namespace management property to a user or group account.
User accounts
An HCP user account is a set of credentials that gives a user access to one or more of the interfaces listed above. You create and manage user accounts in the Tenant Management Console.
When you create a user account, you specify whether the user credentials are authenticated locally or by RADIUS. Additionally, for locally authenticated users, you specify whether the account password must be changed the next time the account is used to access one of the Consoles.
When you create a user account, you have the option of associating roles with it and assigning the allow namespace management property. You can change these properties, as well as associate data access permissions with the account, at any time thereafter.
You can enable and disable user accounts, as needed. While an account is disabled, it cannot be used to access any of the applicable interfaces. You might decide to disable an account, for example, while the user for whom you created it is on vacation.
Multiple people can use the same user account concurrently for the same or different interfaces. To prevent this from happening, you should create a separate account for each user, and users should keep their passwords confidential.
A tenant can have at most 10,000 HCP user accounts.
Group accounts
An HCP group account is a representation of an Active Directory group. The group account enables AD users in the AD group to access one or more of the interfaces listed above. You create and manage group accounts in the HCP Tenant Management Console.
When you create a group account, you have the option of associating roles with it. You can change these associations and also associate data access permissions with the account at any time thereafter.
A tenant can have at most 100 group accounts.
Administrative roles and permissions
A role is a named collection of permissions that can be granted to a user either through an HCP user account or through one or more HCP group accounts. Each permission in a role lets the user perform some specific interaction or set of interactions with the HCP system. Roles generally correspond to job functions.
You can associate any number of roles with a user or group account. The account user then has all the permissions granted by each of those roles.
Available roles
The roles you can associate with a user or group account are:
Monitor
Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and most aspects of the tenant and namespace configurations. The monitor role does not grant permission to view user or group accounts.
Administrator
Grants permission to use the Tenant Management Console to view the status of the tenant and its namespaces and perform most tenant and namespace configuration activities. The administrator role also grants permission to associate data access permissions with user and group accounts but not to view or manage any other aspects of user and group accounts.
Security
Grants permission to use the Tenant Management Console to view the status of the tenant, configure Console and HCP management API security, and view security events in the tenant log. The security role also grants permission to create and manage user and group accounts, including associating roles with them but not viewing or managing their data access permissions.
Compliance
Grants permission to use the Tenant Management Console to work with retention classes and retention-related settings and perform privileged deletes, as well as to view tenant status, namespace status, and compliance events in the tenant log.
Permissions granted by roles
In the table below, checkmarks indicate the permissions granted by each role.
Permission | Monitor | Administrator | Security | Compliance |
View the user account list | ✓ | ✓ | ✓ | • |
View the full definition of individual user accounts | • | ✓ | • | |
View the description, allow namespace management property, and data access permissions for individual user accounts | ✓ | ✓ | • | • |
Create, associate roles with, delete, and otherwise manage user accounts, except modifying the allow namespace management property and data access permissions | • | ✓ | ✓ | • |
Modify the allow namespace management property and manage data access permissions for user accounts | • | ✓ | • | |
View the group account list | ✓ | ✓ | ✓ | |
View the full definition of individual group accounts | • | • | ✓ | |
View the description, allow namespace management property, and data access permissions for individual group accounts | ✓ | ✓ | • | • |
Create, associate roles with, and delete group accounts | • | ✓ | ||
Modify the allow namespace management property and manage data access permissions for group accounts | • | ✓ | • | |
Specify message text for the Tenant Management Console and Search Console login pages | • | ✓ | ||
View the tenant overview | ✓ | ✓ | ✓ | ✓ |
Modify the tenant contact information, permission mask, and description | • | ✓ | • | • |
Allow or disallow access to the Tenant Management Console by HCP system-level users | • | ✓ | • | • |
View and modify Tenant Management Console security settings | • | • | ✓ | • |
View and modify HCP management API security settings | • | • | ✓ | • |
View and modify Search Console security settings | • | • | ✓ | • |
View content classes and content properties | ✓ | ✓ | • | • |
Create, modify, and delete content classes and content properties | • | ✓ | • | • |
View namespace associations with content classes | ✓ | ✓ | • | • |
Modify namespace associations with content classes | • | ✓ | • | • |
View tenant log messages about all events except compliance and security events | ✓ | ✓ | ✓ | ✓ |
View tenant log messages about compliance events | • | • | ✓ | |
View tenant log messages about security events | • | • | ✓ | • |
View syslog and SNMP logging options | ✓ | ✓ | • | • |
Enable or disable syslog and SNMP logging | • | ✓ | • | • |
View email notification settings | ✓ | ✓ | • | • |
Modify email notification settings | • | ✓ | • | • |
Generate chargeback reports | ✓ | ✓ | • | • |
Create and delete namespaces | • | ✓ | • | • |
View the namespace list | ✓ | ✓ | • | ✓ |
View namespace overviews | ✓ | ✓ | • | ✓ |
Modify namespace names and quotas | • | ✓ | • | • |
View namespace permission masks and descriptions | ✓ | ✓ | • | ✓ |
Modify namespace permission masks and descriptions | • | ✓ | • | • |
View namespace owners | ✓ | ✓ | • | ✓ |
Change namespace owners | • | ✓ | • | • |
View the tags associated with namespaces | ✓ | ✓ | • | • |
Modify the tags associated with namespaces | • | ✓ | • | • |
View namespace default retention settings | ✓ | ✓ | • | ✓ |
Modify namespace default retention settings | • | • | • | ✓ |
View namespace default shred settings | ✓ | ✓ | • | ✓ |
Modify namespace default shred settings | • | • | • | ✓ |
View namespace default index settings | ✓ | ✓ | • | • |
Modify namespace default index settings | • | ✓ | • | • |
View minimum data access permissions | ✓ | ✓ | • | • |
Modify minimum data access permissions | • | ✓ | • | • |
View namespace ACL settings (HCP tenants only) | ✓ | ✓ | • | • |
Manage the use of ACLs in namespaces | • | ✓ | • | • |
View namespace retention-related settings | ✓ | ✓ | • | ✓ |
Modify namespace retention-related settings | • | • | • | ✓ |
View the custom metadata XML checking setting for namespaces | ✓ | ✓ | • | • |
Modify the custom metadata XML checking setting for namespaces | • | ✓ | • | • |
View namespace object versioning configurations | ✓ | ✓ | • | • |
Configure object versioning in namespaces | • | ✓ | • | • |
View namespace compatibility settings | ✓ | ✓ | • | • |
Modify namespace compatibility settings | • | ✓ | • | • |
View namespace disposition settings | ✓ | ✓ | • | ✓ |
Modify namespace disposition settings | • | • | • | ✓ |
View namespace replication-related settings | ✓ | ✓ | • | • |
Modify namespace replication-related settings | • | ✓ | • | • |
View the service plans associated with namespaces | ✓ | ✓ | • | • |
Associate service plans with namespaces | • | ✓ | • | • |
View namespace DPL settings | ✓ | ✓ | • | • |
Modify namespace DPL settings | • | ✓ | • | • |
View namespace retention modes | ✓ | ✓ | • | • |
Modify namespace retention modes | • | ✓ | • | • |
View default settings for namespace creation | ✓ | ✓ | • | • |
Modify default settings for namespace creation | • | ✓ | • | • |
View the maximum number of namespaces per user | ✓ | ✓ | • | • |
Modify the maximum number of namespaces per user | • | ✓ | • | • |
View namespace access protocol configurations | ✓ | ✓ | • | • |
Configure namespace access protocols for namespaces | • | ✓ | • | • |
View search and indexing options for namespaces | ✓ | ✓ | • | • |
Modify search and indexing options for namespaces | • | ✓ | • | • |
Reindex namespaces | • | ✓ | • | • |
Monitor replication | ✓ | ✓ | • | • |
Select namespaces for replication | • | ✓ | • | • |
View all namespace log messages except messages about compliance events | ✓ | ✓ | ✓ | ✓ |
View namespace log messages about compliance events | • | • | • | ✓ |
View the list of irreparable objects | ✓ | ✓ | • | • |
Acknowledge irreparable objects | ✓ | • | ||
Create, modify, and delete retention classes | • | • | • | ✓ |
View the list of retention classes | ✓ | ✓ | • | ✓ |
View individual retention classes | ✓ | ✓ | ✓ | |
Perform privileged delete operations | • | ✓ | ||
Download HCP Data Migrator | ✓ | ✓ | ✓ | ✓ |
Change your own locally authenticated password in the Tenant Management Console | ✓ | ✓ | ✓ | ✓ |
View HCP documentation from the Tenant Management Console | ✓ | ✓ | ✓ | ✓ |
Data access permissions
Data access permissions allow users to access namespace content and some information about namespaces. These permissions are granted separately for individual namespaces.
The data access permissions that can be associated with user and group accounts for any given namespace are:
Browse
List directory contents.
Read
View and retrieve objects, including the system and custom metadata for objects.
View and retrieve previous versions of objects.
Check the existence of objects.
List annotations for objects.
For this permission to be granted, users must also have browse permission.
Read ACL
View and retrieve object ACLs.
Write
Add objects to the namespace.
Modify system metadata (except retention hold).
Add or replace custom metadata.
Write ACL
Add, replace, and delete object ACLs.
Change owner
Change the owners of objects in the namespace.
Delete
Delete objects, custom metadata, and ACLs from the namespace.
Purge
Delete all versions of an object with a single operation. For this permission to be granted, users must also have delete permission.
Privileged
Delete or purge objects that are under retention, provided the user also has delete or purge permission for the applicable namespace.
Hold or release objects, provided the user also has write permission for the applicable namespace.
Search
Use the HCP metadata query API and the HCP Search Console to query or search the namespace. For this permission to be granted, users must also have read permission.
Users with any data access permissions for a namespace can view information about that namespace.
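The prerequisites stated above (read needs browse, purge needs delete, search needs read, and privileged is only effective together with delete, purge, or write) can be checked when reviewing a planned set of data access permissions. The following is an added example, not HCP code; the lowercase permission names and the sample accounts are labels constructed for this sketch, not identifiers from the HCP management API.

```python
# Prerequisites stated on the page: permission -> permission it needs.
REQUIRES = {"read": "browse", "purge": "delete", "search": "read"}

# Lowercase labels for the permissions listed above (constructed names).
KNOWN = {"browse", "read", "read_acl", "write", "write_acl",
         "change_owner", "delete", "purge", "privileged", "search"}


def missing_prerequisites(perms):
    """Map each permission in perms to the prerequisites it lacks."""
    perms = set(perms)
    unknown = perms - KNOWN
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    problems = {}
    for perm in sorted(perms):
        missing, needed = [], REQUIRES.get(perm)
        while needed:  # follow the chain, e.g. search -> read -> browse
            if needed not in perms:
                missing.append(needed)
            needed = REQUIRES.get(needed)
        if missing:
            problems[perm] = missing
    return problems


def privileged_operations(perms):
    """Privileged operations that a permission set actually enables."""
    perms = set(perms)
    ops = set()
    if "privileged" not in perms:
        return ops
    if "delete" in perms:
        ops.add("delete objects under retention")
    if "purge" in perms:
        ops.add("purge objects under retention")
    if "write" in perms:
        ops.add("hold or release objects")
    return ops


# Constructed sample assignments for a single namespace.
SAMPLE = {
    "svc-ingest": {"browse", "read", "write"},
    "svc-search": {"search"},                # lacks read and browse
    "ops-cleanup": {"purge", "privileged"},  # lacks delete
}

if __name__ == "__main__":
    for account, perms in SAMPLE.items():
        print(account, missing_prerequisites(perms),
              sorted(privileged_operations(perms)))
```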
User authentication
To use these HCP Console and command-line interfaces, a user needs to supply a username and password for authentication:
- Console interfaces:
- Tenant Management Console
- Namespace Browser
- Search Console
- Command-line interfaces:
- HCP management API
- Namespace access protocols that require authentication
- HCP metadata query API
User authentication is the process of checking whether the combination of the specified username and password is valid.
For user accounts defined in HCP, the system supports local and RADIUS authentication. User accounts defined in AD must be authenticated by AD. RADIUS and AD authentication are types of remote authentication.
A tenant can support one or more of these authentication types. The types supported are set when the tenant is created. HCP system-level administrators can change these settings at any time.
For locally authenticated users, the user account password is stored in the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP checks the username and password internally.
HCP lets the user into the target Console or performs the requested operation if these conditions are true:
- The combination of the specified username and password is valid.
- The user account is enabled.
- For the Tenant Management Console, the user account is associated with at least one role.
- For the Search Console, the user account is associated with the search permission.
- For the HCP management API, the user account is associated with a role that allows the requested operation.
- For a namespace access protocol, the user account is associated with permissions that allow the requested operation.
- For the metadata query API, the user account is associated with the search permission.
If any of these conditions is not true, HCP rejects the login or command-line request.
You can change the passwords of locally authenticated users in the Tenant Management Console. These users can also change their own passwords in the Tenant Management Console, if they have access to it, or in the Search Console, if they have access to that.
For RADIUS-authenticated users, the user account password is stored outside the HCP system. When a user submits the account username and password either on a login page for a Console or with a cookie in a command line, HCP securely sends the submitted username and password to a RADIUS server. That server checks whether the username and password are valid and sends the result to HCP.
HCP lets the user into the target Console or performs the requested operation if these conditions are true:
- The combination of the specified username and password is valid.
- The user account is enabled.
- For the Tenant Management Console, the user account is associated with at least one role.
- For the Search Console, the user account is associated with the search permission.
- For a command-line interface, the user account is associated with permissions that allow the requested operation.
If any of these conditions is not true, HCP rejects the login or command-line request.
All password management for RADIUS-authenticated users is handled by the RADIUS server. You cannot use the Tenant Management Console to set or change the passwords of RADIUS-authenticated users.
Connections to RADIUS servers are configured at the HCP system level.
For AD-authenticated users, the username and password for the user account are stored in AD. If the user is signed into a Windows client, HCP relies on Windows to have already validated the username and password with AD (this is single sign-on). However, if the user provides an AD username and password on the System Management Console or Search Console login page, HCP securely sends the specified username and password to AD for authentication.
HCP lets an authenticated user into the target Console only if these conditions are true:
- The user belongs to at least one AD group for which a corresponding group account exists in HCP.
  Note: Alternatively, the user can belong to an AD group that’s nested at any level under another group for which a corresponding HCP group account exists. In this case, however, any parent groups that are defined in a domain other than the user’s domain must be universal.
- For the Tenant Management Console, at least one such group account is associated with at least one role.
- For the Search Console, at least one such group account is associated with the search permission.
If any of these conditions is not true, HCP doesn’t let the user in.
All password management for AD-authenticated users is handled by AD. You cannot use the Tenant Management Console to set or change the passwords of AD-authenticated users.
For the command-line interfaces, applications may use the SPNEGO protocol or the AD authentication header to negotiate the AD user authentication themselves. You cannot submit AD credentials with a cookie in a command line. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559. To provide credentials using the Active Directory authentication header, you use this format:
Authorization: AD ad-username:ad-password
Starter account
When creating a tenant, the HCP system administrator defines either one locally authenticated HCP user account or one HCP group account for it. This starter account has only the security role and no data access permissions. It also does not have the allow namespace management property.
Before you can log into the Tenant Management Console:
- If the starter account is an HCP user account, you need to get the username and password for this account from the system administrator. The first time you log in with this account, you are immediately required to change your password.
- If the starter account is an HCP group account, you need to get the username and password of an AD user account for a user that belongs to the AD group that corresponds to the starter group account.
After you’ve logged in with the starter account, you can create new accounts as needed, including new accounts with the security role.
You can delete the starter account as long as at least one of these will still exist after you delete the account:
- A locally authenticated HCP user account that has the security role and is enabled
- An HCP group account that has the security role
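The deletion rule above is a lockout guard: a RADIUS-authenticated or disabled user account with the security role does not satisfy it. The following added example (not HCP code) applies the two conditions to an inventory of accounts; the dictionary layout and the account names are constructed for illustration.

```python
def is_security_anchor(account):
    """True if the account meets one of the two conditions listed above."""
    if "security" not in account["roles"]:
        return False
    if account["kind"] == "group":
        return True  # any group account with the security role qualifies
    return (account["kind"] == "user"
            and account["auth"] == "local"
            and account["enabled"])


def remaining_anchors(accounts, name):
    """Accounts that still satisfy the rule once `name` is deleted."""
    if name not in accounts:
        raise KeyError(name)
    return sorted(n for n, a in accounts.items()
                  if n != name and is_security_anchor(a))


def can_delete(accounts, name):
    """Apply the page's rule: at least one qualifying account must remain."""
    return bool(remaining_anchors(accounts, name))


# Constructed sample tenant inventory.
ACCOUNTS = {
    "starter": {"kind": "user", "auth": "local", "enabled": True,
                "roles": {"security"}},
    "alice": {"kind": "user", "auth": "radius", "enabled": True,
              "roles": {"security", "monitor"}},   # RADIUS: does not count
    "bob": {"kind": "user", "auth": "local", "enabled": False,
            "roles": {"security"}},                # disabled: does not count
    "carol": {"kind": "user", "auth": "local", "enabled": True,
              "roles": {"administrator"}},         # no security role
}

if __name__ == "__main__":
    print("delete starter now:", can_delete(ACCOUNTS, "starter"))
    with_group = dict(ACCOUNTS)
    with_group["hcp-security-admins"] = {"kind": "group",
                                         "roles": {"security"}}
    print("after adding group:", can_delete(with_group, "starter"),
          remaining_anchors(with_group, "starter"))
```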