Managing users and user groups
You can create and modify users by assigning them roles and permissions, and by adding them to user groups with Storage Navigator.
User administration overview
Device Manager - Storage Navigator provides a rich set of user administration, roles and permissions, and access control features. Administrators can manage users by groups and set up access control by defining who can access which storage resources.
User groups
Hitachi Storage Navigator provides several built-in user groups with predefined permissions based on the available roles. You can use these groups to begin managing user permissions and access control immediately. Or you can create your own user groups tailored to meet your unique requirements.
Consider the following when setting up user groups:
- When a user is assigned to multiple user groups, the user has the permissions of all the roles in each user group that are enabled on the resource groups assigned to each user group.
- You can create two user accounts that are used by the same user playing two roles. For example, you can create user_1 and user_2 that are used by the same person, where user_1 is a security administrator that has access to all resource groups and user_2 is a storage administrator that has access to only one of the resource groups.
- All user groups, except for the Storage Administrator groups, have access to all resources in the storage systems (All Resource Groups Assigned is automatically set to Yes).
- If you delete all the roles except the Storage Administrator, you must add all required resource groups to the user group because the Storage Administrator role does not have access to all resources by default. See Changing assigned resource groups.
- All user groups must have resource groups assigned in order to perform operations on the storage system.
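The multiple-group rule in the first consideration above, worked through as an added example (not Hitachi code): it computes a user's effective role-to-resource-group grants and shows that a role applies only to the resource groups of the user group that carries it. The group, user, and resource group names are hypothetical, and the separation-of-duties check is an assumed review policy, not a product feature.

```python
from collections import defaultdict

ALL = "*"  # stands for "All Resource Groups Assigned = Yes"
STORAGE = "Storage Administrator"

# Constructed sample data; group, user and resource group names are hypothetical.
GROUPS = {
    "prov-team": {"roles": ["Storage Administrator (Provisioning)"],
                  "resource_groups": ["rg_finance"]},
    "copy-team": {"roles": ["Storage Administrator (Local Copy)"],
                  "resource_groups": ["rg_backup"]},
    "sec-admins": {"roles": ["Security Administrator (View & Modify)"],
                   "resource_groups": []},
}
MEMBERSHIPS = {
    "alice": ["prov-team", "copy-team"],
    "carol": ["sec-admins", "prov-team"],
}

def group_grants(group):
    """Map each role of one user group to the resource groups it applies to.

    Assumption drawn from the page: a group holding any role other than a
    Storage Administrator role has all resource groups assigned.
    """
    all_assigned = any(not r.startswith(STORAGE) for r in group["roles"])
    scope = {ALL} if all_assigned else set(group["resource_groups"])
    return {role: set(scope) for role in group["roles"]}

def effective_permissions(user, memberships=MEMBERSHIPS, groups=GROUPS):
    """Union the grants of every group the user belongs to, per role."""
    merged = defaultdict(set)
    for name in memberships[user]:
        for role, scope in group_grants(groups[name]).items():
            merged[role] |= scope
    # "All resource groups" subsumes any individually listed group.
    return {r: ({ALL} if ALL in s else s) for r, s in merged.items()}

def combines_security_and_storage(user):
    """Flag accounts holding both a modify-capable security role and a
    storage role (assumed review policy; see the two-account example)."""
    roles = effective_permissions(user)
    return ("Security Administrator (View & Modify)" in roles
            and any(r.startswith(STORAGE) for r in roles))

if __name__ == "__main__":
    for u in MEMBERSHIPS:
        print(u, effective_permissions(u), combines_security_and_storage(u))
```

Note that alice does not gain Provisioning on rg_backup or Local Copy on rg_finance: each role stays scoped to the resource groups of the group that grants it.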
Roles and permissions
The following table shows all the roles that are available for use and the permissions that each role provides to the users. You cannot create a custom role.
| Role | Permissions |
| --- | --- |
| Security Administrator (View Only) | |
| Security Administrator (View & Modify) | |
| Audit Log Administrator (View Only) | |
| Audit Log Administrator (View & Modify) | |
| Storage Administrator (View Only) | |
| Storage Administrator (Initial Configuration) | |
| Storage Administrator (System Resource Management) | |
| Storage Administrator (Provisioning) | |
| Storage Administrator (Performance Management) | |
| Storage Administrator (Local Copy) | |
| Storage Administrator (Remote Copy) | |
| Support Personnel (Vendor Only) | Configuring the SVP |
Built-in user groups
The following table shows all the built-in groups, and their built-in roles and resource groups.
| Built-in group | Role | Resource group |
| --- | --- | --- |
| Administrator | | All Resource Groups Assigned |
| System | | All Resource Groups Assigned |
| Security Administrator (View Only) | | All Resource Groups Assigned |
| Security Administrator (View & Modify) | | All Resource Groups Assigned |
| Audit Log Administrator (View Only) | | All Resource Groups Assigned |
| Audit Log Administrator (View & Modify) | | All Resource Groups Assigned |
| Storage Administrator (View Only) | | meta_resource |
| Storage Administrator (View & Modify) | | meta_resource |
| Support Personnel | | All Resource Groups Assigned |
Creating a new user group
You can customize a user group, as long as it supports your storage system.
This section explains how administrators can create a user group.
A user group name consists of 1 to 64 characters including alphanumeric characters, spaces, and the following symbols:
! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~
The system can support a maximum of 256 user groups, including the built-in user groups.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
Procedure
In the Administration tree, select User Groups.
In the User Groups tab, click Create User Groups to open the Create User Group window.
Enter a user group name.
If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.
Click Next to open the Assign Roles window.
Select the roles to assign to the user group, and click Add.
Click Next to open the Assign Resource Groups window.
Select the resource groups to assign to the user group, and click Add. If you select a role other than the storage administrator in the Assign Roles window, you do not need to select resource groups because all the resource groups are assigned automatically.
Click Finish to finish and confirm settings.
Click Next to add another user.
Check the settings and enter a task name in Task Name.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.
Changing a user group name
You can change the name of a user group by using Hitachi Device Manager - Storage Navigator.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- The names of built-in groups cannot be changed.
- A user group name consists of 1 to 64 characters including alphanumeric characters (ASCII), spaces and the following symbols:
# $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~
Procedure
In the Administration tree, select User Groups.
In the User Groups tab, select the user group.
Click .
In the Edit User Group window, enter a new user group name.
If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.
Click Finish.
In the Confirm window, check the settings and enter a task name in Task Name.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.
Changing user group permissions
You can change the permissions that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- The permissions of a built-in group cannot be changed.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
In the User Groups tab, select the user group whose permission you want to change.
Click the Roles tab.
Click Edit Role Assignment.
In the Edit Role Assignment window, change roles to be assigned to the user group.
- Select roles to add, and then click Add.
- Select a role to remove, and then click Remove.
Click Finish.
In the Confirm window, check the settings and enter a task name in Task Name.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens.
Changing assigned resource groups
You can change the resource groups that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.
See Managing resource groups for more information about resource groups.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- Create a resource group to be assigned to the user group in advance.
- You cannot change the resource groups of a user group that has All Resource Groups Assigned set to Yes.
- You cannot change resource groups of a built-in group.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
On the User Groups tab, select a user group to change the resource group.
Select the Resource Groups tab.
Click Edit Resource Group Assignment to open the Edit Resource Group Assignment window.
In the Edit Resource Group Assignment window, change resource groups to be assigned to the user group.
- Select the resource group to add, and click Add.
- Select the resource group to remove, and click Remove.
Click Finish.
In the Confirm window, check the settings and enter a task name in Task Name.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.
Deleting a user group
You do not have to retain a user group for the life of the project. You can delete it at any time by using Hitachi Device Manager - Storage Navigator.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- You cannot delete a built-in user group.
- You cannot delete a user group if the users in it belong to only the user group to be deleted.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
In the User Groups tab, select the user-created user groups that you want to delete.
Click .
Check the settings, then click Apply.
User accounts
When adding a new user, you need to add it to a user group with the desired permissions. You can use one of the built-in user groups or a custom user group.
For more information about roles, permissions, and user groups, see Roles and permissions.
You will need to use the local administrator account created during the initial setup step, or create administrator accounts using the procedures described in this chapter as needed to access the storage system temporarily when the management software is not available.
It is prudent to create more than one user account in case the system administrator is not available when the management software becomes unavailable, or when someone else needs to access the system. This is also helpful if multiple users need to access Device Manager - Storage Navigator to use storage features that are not available in the management software.
Creating user accounts
You must create a user account and register the account to a user group with appropriate permissions.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- You or an authorized technical support representative can log in to Device Manager - Storage Navigator and CCI with user accounts that are created in Device Manager - Storage Navigator.
- Support representatives must have the Support Personnel (Vendor Only) role to log in.
- The system can support a maximum of 512 user accounts, including the built-in user accounts.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
On the User Groups tab, select a user group to which to add a user. This is dependent on which permissions you want to give to the user.
On the Roles tab, confirm that the displayed permissions are appropriate for the user.
On the Users tab, click Create User.
Enter a name.
Select Enable or Disable for the account. If you select Disable, the user of this account is disabled and cannot log in to Device Manager - Storage Navigator.
To use an authentication server, select External. To authenticate users with only Device Manager - Storage Navigator, select Local.
If you select Local, enter the password for this user account in two places.
For a password, all alphanumeric characters and symbols can be used. The length must be between 6 and 256.
Click Finish.
In the Confirm window, check the settings.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.
Changing user passwords
You can change or reissue passwords for other users by using Device Manager - Storage Navigator.
Before you begin
- Security administrators with View & Modify roles can change user passwords on Device Manager - Storage Navigator.
- If the target user has a local user account for Device Manager - Storage Navigator, the security administrator can use Device Manager - Storage Navigator to change the target user's password.
- If the target user has a local user account for the authentication server, the security administrator can use the authentication server to change the target user's password. After the password is changed, the target user can use the new password on both the authentication server and Device Manager - Storage Navigator.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
On the User Groups tab, select the user group to which the user belongs.
On the User tab, select the user whose password you want to change.
In the User tab, click Change Password.
In the Change Password dialog box, specify a new password for the user in the two password fields.
Click Finish.
In the Confirm window, check the settings and enter a task name in Task Name.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.
Changing user permissions
You can change user permissions by changing membership in the user group. A user can belong to multiple user groups.
For example, if you want to change the role of the user who manages security to the performance management role, add this user to the Storage Administrator (Performance Management) role group and then remove the user from the Security Administrator (View & Modify) role group.
Before you begin
- You must have the Security Administrator (View & Modify) role to perform this task.
- The user whose permissions you want to change must belong to at least one user group.
- A user group can contain a maximum of 512 user accounts, including the built-in user accounts.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
On the User Groups tab, select the user group that has the role you want the user to have, and then add or remove users.
To add users to the selected groups:
- Click Add Users.
- In the Add Users window, select a user and click Add.
To remove users from the selected groups:
- In the Remove Users window, select one or more users.
- Click More Actions > Remove Users.
Click Finish.
In the Confirm window, check the settings. If the Task Name field is empty, enter a task name.
Click Apply. The task is now registered. If you selected the Go to tasks window for status check box, the Tasks window opens to show the status of the task.
Enabling and disabling user accounts
To allow or prevent a user from logging in to Device Manager - Storage Navigator, follow the steps below.
Before you begin
- Log in with an account other than the one that you want to disable.
- You must have the Security Administrator (View & Modify) role to perform this task.
Procedure
In the Device Manager - Storage Navigator Administration tree, click User Groups.
On the User Group tab, select the user group.
On the Users tab, select a user.
Click Edit User.
Click the Account Status check box, then click Disable.
Click Finish.
In the Confirm window, check the settings.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.
Deleting user accounts
Security Administrators can delete a user account when the account is no longer in use. Built-in user accounts cannot be deleted.
Before you begin
You must have the Security Administrator (View & Modify) role to perform this task.
Procedure
In the Device Manager - Storage Navigator Administration tree, select User Groups.
On the User Groups tab, click a user group to which a user belongs.
On the Users tab, select the user whose account you want to delete.
Click .
In the Delete Users window, select the user to be deleted, then click Finish.
In the Confirm window, check the settings.
Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.
Unlock a user account
If a user attempting to log in to Device Manager - Storage Navigator or Command Control Interface enters an incorrect username or password three times, the system sets the login status to locked, preventing further login attempts for 60 seconds. If necessary, you can release the locked status before the lock times out.
Before you begin
You must have the Security Administrator (View & Modify) role to perform this task.
Procedure
In the Administration tree, select User Groups.
On the User Groups tab, click a user group to which the locked-out user belongs.
On the User tab, select the user you want to unlock.
On the User tab, click .
The Release Lockout window opens.
Specify a task name, and then click Apply.