Managing users and user groups

You can create and modify users by assigning them roles and permissions, and by adding them to user groups with Storage Navigator.

User administration overview

Device Manager - Storage Navigator provides a rich set of user administration, roles and permissions, and access control features. Administrators can manage users by groups and set up access control by defining who can access what storage resources.

User groups

Hitachi Storage Navigator provides several built-in user groups with predefined permissions based on the available roles. You can use these groups to begin managing user permissions and access control immediately. Or you can create your own user groups tailored to meet your unique requirements.

Consider the following when setting up user groups:

  • When a user is assigned to multiple user groups, the user has the permissions of all the roles in each user group that are enabled on the resource groups assigned to each user group.
  • You can create two user accounts that are used by the same user playing two roles. For example, you can create user_1 and user_2 that are used by the same person, but user_1 is a security administrator that has access to all resource groups and user_2 is a storage administrator that has access to only one of the resource groups.
  • All user groups, except for the Storage Administrator groups, have access to all resources in the storage systems (All Resource Groups Assigned is automatically set to Yes).
  • If you delete all the roles except the Storage Administrator role, you must add all required resource groups to the user group, because the Storage Administrator role does not have access to all resources by default. See Changing assigned resource groups.
  • All user groups must have resource groups assigned in order to perform operations on the storage system.

Roles and permissions

The following table shows all the roles that are available for use and the permissions that each role provides to the users. You cannot create a custom role.

Note: The Support Personnel group and the Support Personnel (Vendor Only) role contain permissions to perform maintenance. Assign this role only to the accounts used by support personnel from vendors responsible for maintenance.

Role

Permissions

Security Administrator (View Only)

  • Viewing information about user accounts and encryption settings
  • Viewing information about the encryption key in the key management server

Security Administrator (View & Modify)

  • Configuring user accounts
  • Creating encryption keys and configuring encryption settings
  • Viewing and switching where encryption keys are generated
  • Backing up and restoring encryption keys
  • Deleting encryption keys backed up in the key management server
  • Viewing and changing the password policy for backing up encryption keys on the management client
  • Connection to the external server
  • Backing up and restoring connection configuration to the external server
  • Configuring the certificate used for the SSL communication
  • Configuring resource groups
  • Editing virtual management settings
  • Setting reserved attributes for global-active device
  • TLS security setting
  • CSR creation and self-signed certificate creation

Audit Log Administrator (View Only)

  • Viewing audit log information and downloading audit logs

Audit Log Administrator (View & Modify)

  • Configuring audit log settings and downloading audit logs

Storage Administrator (View Only)

  • Viewing storage system information

Storage Administrator (Initial Configuration)

  • Configuring settings for storage systems
  • Configuring settings for SNMP
  • Configuring settings for e-mail notification
  • Configuring settings for license keys
  • Viewing, deleting, and downloading storage configuration reports
  • Acquiring all the information about the storage system and updating Device Manager - Storage Navigator window by clicking Refresh All

Storage Administrator (System Resource Management)

  • Configuring settings for CLPR
  • Configuring settings for MP unit
  • Deleting tasks and releasing exclusive locks of resources
  • Completing SIMs (see Note 1)
  • Configuring attributes for ports
  • Configuring LUN security
  • Configuring Server Priority Manager
  • Configuring tiering policies

Storage Administrator (Provisioning)

  • Configuring caches
  • Configuring LDEVs, pools, and virtual volumes
  • Formatting and shredding LDEVs
  • Configuring external volumes
  • Configuring alias volumes for Compatible PAV
  • Configuring Dynamic Provisioning
  • Configuring host groups, paths, and WWN
  • Configuring Volume Migration except splitting Volume Migration pairs when using CCI
  • Configuring access attributes for LDEVs
  • Configuring LUN security
  • Creating and deleting quorum disk used with global-active device
  • Creating and deleting global-active device pairs
  • Completing SIMs (see Note 1)
  • Editing virtual management settings
  • Setting reserved attributes for global-active device

Storage Administrator (Performance Management)

  • Configuring monitoring
  • Starting and stopping monitoring

Storage Administrator (Local Copy)

  • Performing pair operations for local copy
  • Configuring environmental settings for local copy
  • Splitting Volume Migration V2 pairs when using CCI

Storage Administrator (Remote Copy)

  • Remote copy operations in general
  • Operating global-active device pairs (except for creation and deletion)

Support Personnel (Vendor Only) (see Note 2)

  • Configuring the SVP
  • Normally, this role is for service representatives.
  • Downloading dump files using the Dump tool

Notes:

  1. Completing SIMs is permitted for users who are assigned to both the Storage Administrator (System Resource Management) role and Storage Administrator (Provisioning) role.
  2. Normally, the Support Personnel role is reserved for service representatives. However, if the role is assigned to a user account, dump files can be downloaded using the Dump tool.

Built-in user groups

You can assign users to one or more built-in user groups and custom user groups. You cannot change roles or resource groups set to the built-in groups, but you can create custom user groups according to the needs of your storage environment.

The following table shows all the built-in groups, and their built-in roles and resource groups.

Built-in group: Administrator

Roles:

  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)

Resource group: All Resource Groups Assigned

Built-in group: System

Roles:

  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)

Resource group: All Resource Groups Assigned

Built-in group: Security Administrator (View Only)

Roles:

  • Security Administrator (View Only)
  • Audit Log Administrator (View Only)
  • Storage Administrator (View Only)

Resource group: All Resource Groups Assigned

Built-in group: Security Administrator (View & Modify)

Roles:

  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (View Only)

Resource group: All Resource Groups Assigned

Built-in group: Audit Log Administrator (View Only)

Roles:

  • Audit Log Administrator (View Only)
  • Storage Administrator (View Only)

Resource group: All Resource Groups Assigned

Built-in group: Audit Log Administrator (View & Modify)

Roles:

  • Audit Log Administrator (View & Modify)
  • Storage Administrator (View Only)

Resource group: All Resource Groups Assigned

Built-in group: Storage Administrator (View Only)

Roles:

  • Storage Administrator (View Only)

Resource group: meta_resource

Built-in group: Storage Administrator (View & Modify)

Roles:

  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)

Resource group: meta_resource

Built-in group: Support Personnel

Roles:

  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)
  • Support Personnel

Resource group: All Resource Groups Assigned
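
The multi-group rule from the considerations list, applied to rows of the built-in group table, as an added example (not Hitachi code). It resolves which roles a user holds on which resource groups; the custom group rg-finance-ops, the resource group rg_finance, the function names and the second check in review() are assumptions of this example.

```python
ALL_RG = "All Resource Groups Assigned"
SA = "Storage Administrator"
MODIFY_SA = {f"{SA} ({r})" for r in (
    "Initial Configuration", "System Resource Management", "Provisioning",
    "Performance Management", "Local Copy", "Remote Copy")}

# name -> (roles, resource groups). Three rows are copied from the built-in
# group table; "rg-finance-ops" and "rg_finance" are constructed examples.
GROUPS = {
    "Audit Log Administrator (View & Modify)": (
        {"Audit Log Administrator (View & Modify)", f"{SA} (View Only)"}, {ALL_RG}),
    "Storage Administrator (View Only)": ({f"{SA} (View Only)"}, {"meta_resource"}),
    "Support Personnel": (MODIFY_SA | {"Support Personnel"}, {ALL_RG}),
    "rg-finance-ops": (
        {f"{SA} (Provisioning)", f"{SA} (System Resource Management)"},
        {"rg_finance"}),
}


def group_scope(roles, resource_groups):
    """Any role other than Storage Administrator gives the group all resource groups."""
    if any(not role.startswith(SA) for role in roles):
        return {ALL_RG}
    return set(resource_groups)


def effective_access(memberships, groups=GROUPS):
    """Map each role to the resource groups of the user groups that grant it."""
    access = {}
    for name in memberships:
        roles, resource_groups = groups[name]
        scope = group_scope(roles, resource_groups)
        for role in roles:
            access.setdefault(role, set()).update(scope)
    return access


def can_complete_sims(access):
    """Note 1: requires both System Resource Management and Provisioning."""
    needed = {f"{SA} (System Resource Management)", f"{SA} (Provisioning)"}
    return needed.issubset(access)


def review(access):
    """Reviewer findings (the second check is this example's own policy)."""
    findings = []
    if any(role.startswith("Support Personnel") for role in access):
        findings.append("holds the vendor-only Support Personnel role")
    wide = sorted(r for r in MODIFY_SA if ALL_RG in access.get(r, ()))
    if wide:
        findings.append("modify roles on all resource groups: " + ", ".join(wide))
    return findings


if __name__ == "__main__":
    user = ["Audit Log Administrator (View & Modify)", "rg-finance-ops"]
    for role, scope in sorted(effective_access(user).items()):
        print(f"{role}: {sorted(scope)}")
```

For the sample user, the Provisioning role stays limited to rg_finance even though the same account is also in a group with all resource groups assigned, because each role is enabled only on the resource groups of the user group that grants it.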

Creating a new user group

You can customize a user group, as long as it supports your storage system.

This section explains how administrators can create a user group.

A user group name consists of 1 to 64 characters including alphanumeric characters, spaces, and the following symbols:

! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~

The system can support a maximum of 256 user groups, including the built-in user groups.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Administration tree, select User Groups.

  2. In the User Groups tab, click Create User Groups to open the Create User Group window.

  3. Enter a user group name.

  4. If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.

  5. Click Next to open the Assign Roles window.

  6. Select the roles to assign to the user group, and click Add.

  7. Click Next to open the Assign Resource Groups window.

  8. Select the resource groups to assign to the user group, and click Add. If you select a role other than the storage administrator in the Assign Roles window, you do not need to select resource groups because all the resource groups are assigned automatically.

  9. Click Finish to finish and confirm settings.

    Click Next to add another user.
  10. Check the settings and enter a task name in Task Name.

  11. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.
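
A pre-flight check for a planned user group, as an added example (not Hitachi code): it applies the naming rule, the 256-group limit, the fixed role list and the resource-group requirement stated on this page before the values are entered in the Create User Group window. The function name check_user_group and the sample group and resource group names are assumptions of this example.

```python
import re

# ASCII alphanumerics, spaces, and the symbols listed for new user group names.
NAME_RE = re.compile(r"[A-Za-z0-9 !#$%&'()+\-.=@\[\]^_`{}~]{1,64}")
MAX_USER_GROUPS = 256  # includes the built-in user groups

# Roles from the "Roles and permissions" table; custom roles cannot be created.
ROLES = {
    "Security Administrator (View Only)",
    "Security Administrator (View & Modify)",
    "Audit Log Administrator (View Only)",
    "Audit Log Administrator (View & Modify)",
    "Storage Administrator (View Only)",
    "Storage Administrator (Initial Configuration)",
    "Storage Administrator (System Resource Management)",
    "Storage Administrator (Provisioning)",
    "Storage Administrator (Performance Management)",
    "Storage Administrator (Local Copy)",
    "Storage Administrator (Remote Copy)",
    "Support Personnel (Vendor Only)",
}


def check_user_group(name, roles, resource_groups, existing_group_count):
    """Return the problems found in a planned user group (empty list = none)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: must be 1 to 64 permitted characters")
    if existing_group_count >= MAX_USER_GROUPS:
        problems.append("limit: the system already has 256 user groups")
    unknown = sorted(set(roles) - ROLES)
    if unknown:
        problems.append("roles: not in the role table: " + ", ".join(unknown))
    storage_only = all(r.startswith("Storage Administrator") for r in roles)
    if storage_only and not resource_groups:
        # Other roles get all resource groups automatically; these do not.
        problems.append("resource groups: none assigned to a Storage Administrator group")
    return problems


if __name__ == "__main__":
    # Constructed plan: a provisioning-only group scoped to one resource group.
    plan = ("rg-finance-ops", {"Storage Administrator (Provisioning)"}, {"rg_finance"})
    print(check_user_group(*plan, existing_group_count=9) or "plan is consistent")
```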

Changing a user group name

You can change the name of a user group by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The names of built-in groups cannot be changed.
  • A user group name consists of 1 to 64 characters including alphanumeric characters (ASCII), spaces and the following symbols:

    # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~

Procedure

  1. In the Administration tree, select User Groups.

  2. In the User Groups tab, select the user group.

  3. Click More Actions > Edit User Group.

  4. In the Edit User Group window, enter a new user group name.

  5. If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.

  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.

Changing user group permissions

You can change the permissions that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The permissions of a built-in group cannot be changed.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. In the User Groups tab, select the user group whose permission you want to change.

  3. Click the Roles tab.

  4. Click Edit Role Assignment.

  5. In the Edit Role Assignment window, change roles to be assigned to the user group.

    • Select roles to add, and then click Add.
    • Select a role to remove, and then click Remove.
  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens.

Changing assigned resource groups

You can change the resource groups that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.

See Managing resource groups for more information about resource groups.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • Create a resource group to be assigned to the user group in advance.
  • You cannot change the resource groups of a user group that has All Resource Groups Assigned set to Yes.
  • You cannot change resource groups of a built-in group.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select a user group to change the resource group.

  3. Select the Resource Groups tab.

  4. Click Edit Resource Group Assignment to open the Edit Resource Group Assignment window.

  5. In the Edit Resource Group Assignment window, change resource groups to be assigned to the user group.

    • Select the resource group to add, and click Add.
    • Select the resource group to remove, and click Remove.
  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.

Deleting a user group

You do not have to retain a user group for the life of the project. You can delete it at any time by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You cannot delete a built-in user group.
  • You cannot delete a user group if the users in it belong to only the user group to be deleted.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. In the User Groups tab, select the user-created user groups that you want to delete.

  3. Click More Actions > Delete User Groups.

  4. Check the settings, then click Apply.

User accounts

When adding a new user, you need to add it to a user group with the desired permissions. You can use one of the built-in user groups or a custom user group.

For more information about roles, permissions, and user groups, see Roles and permissions.

To access the storage system temporarily when the management software is not available, use the local administrator account created during the initial setup step, or create administrator accounts as needed using the procedures described in this chapter.

It is prudent to create more than one user account in case the system administrator is not available when the management software becomes unavailable, or when someone else needs to access the system. This is also helpful if multiple users need to access Device Manager - Storage Navigator to use storage features that are not available in the management software.

Creating user accounts

You must create a user account and register the account to a user group with appropriate permissions.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You or an authorized technical support representative can log in to Device Manager - Storage Navigator and CCI with user accounts that are created in Device Manager - Storage Navigator.
  • Support representatives must have the Support Personnel (Vendor Only) role to log in.
  • The system can support a maximum of 512 user accounts, including the built-in user accounts.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select a user group to which to add a user. This is dependent on which permissions you want to give to the user.

  3. On the Roles tab, confirm that the displayed permissions are appropriate for the user.

  4. On the Users tab, click Create User.

  5. Enter a name.

  6. Select Enable or Disable for the account. If you select Disable, the account is disabled and its user cannot log in to Device Manager - Storage Navigator.

  7. To use an authentication server, select External. To authenticate users with only Device Manager - Storage Navigator, select Local.

  8. If you select Local, enter the password for this user account in two places.

    For a password, all alphanumeric characters and symbols can be used. The length must be between 6 and 256.
  9. Click Finish.

  10. In the Confirm window, check the settings.

  11. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.

Changing user passwords

You can change or reissue passwords for other users by using Device Manager - Storage Navigator.

Caution: When using Hitachi Command Suite, you need to change information, such as passwords, registered in Hitachi Command Suite. For details, see the section describing how to change storage system settings in the Hitachi Command Suite User Guide.

Before you begin

  • Security administrators with View & Modify roles can change user passwords on Device Manager - Storage Navigator.
  • If the target user has a local user account for Device Manager - Storage Navigator, the security administrator can use Device Manager - Storage Navigator to change the target user's password.
  • If the target user has a local user account for the authentication server, the security administrator can use the authentication server to change the target user's password. After the password is changed, the target user can use the new password on both the authentication server and Device Manager - Storage Navigator.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select the user group to which the user belongs.

  3. On the User tab, select the user whose password you want to change.

  4. In the User tab, click Change Password.

  5. In the Change Password dialog box, specify a new password for the user in the two password fields.

  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Changing user permissions

You can change user permissions by changing membership in the user group. A user can belong to multiple user groups.

For example, if you want to change the role of the user who manages security to the performance management role, add this user to the Storage Administrator (Performance Management) role group and then remove the user from the Security Administrator (View & Modify) role group.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The user whose permissions you want to change must belong to at least one user group.
  • A user group can contain a maximum of 512 user accounts, including the built-in user accounts.

Adding a user

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select the user group that has the role you want the user to have, and then add or remove users.

    To add users to the selected groups:
    1. Click Add Users.

    2. In the Add Users window, select a user and click Add.

    To remove users from the selected groups:
    1. In the Remove Users window, select one or more users.

    2. Click More Actions > Remove Users.

  3. Click Finish.

  4. In the Confirm window, check the settings. If the Task Name field is empty, enter a task name.

  5. Click Apply. The task is now registered. If you selected the Go to tasks window for status check box, the Tasks window opens to show the status of the task.

Enabling and disabling user accounts

To allow or prevent a user from logging in to Device Manager - Storage Navigator, follow the steps below.

Before you begin

  • Log in with an account other than the one that you want to disable.
  • You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, click User Groups.

  2. On the User Group tab, select the user group.

  3. On the Users tab, select a user.

  4. Click Edit User.

  5. Click the Account Status check box, then click Disable.

  6. Click Finish.

  7. In the Confirm window, check the settings.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Deleting user accounts

Security Administrators can delete a user account when the account is no longer in use. Built-in user accounts cannot be deleted.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, click a user group to which a user belongs.

  3. On the Users tab, select the user whose account you want to delete.

  4. Click More Actions > Delete Users.

  5. In the Delete Users window, select the user to be deleted, then click Finish.

  6. In the Confirm window, check the settings.

  7. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Unlock a user account

If a user attempting to log in to Device Manager - Storage Navigator or Command Control Interface enters an incorrect username or password three times, the system sets the login status to locked, preventing further login attempts for 60 seconds. If necessary, you can release the locked status before the lock times out.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Administration tree, select User Groups.

  2. On the User Groups tab, click a user group to which the locked-out user belongs.

  3. On the User tab, select the user you want to unlock.

  4. On the User tab, click More Actions > Release Lockout.

    The Release Lockout window opens.
  5. Specify a task name, and then click Apply.