Managing users and user groups

You can create and modify users by assigning them roles and permissions and by adding them to user groups with Device Manager - Storage Navigator or the maintenance utility.

User administration overview

Device Manager - Storage Navigator provides a rich set of user administration, roles and permissions, and access control features. Administrators can manage users by groups and set up access control by defining who can access what storage resources. For storage systems that do not have an SVP, the maintenance utility provides basic user management capabilities, such as creating, modifying, and deleting user accounts.

You can create and manage users locally or configure the storage system to authenticate users with an existing authentication server, such as LDAP. If you create user accounts in Device Manager - Storage Navigator, you can use the authentication server to allocate user groups to users by configuring the same user group names on the storage system and the authentication server. If you create user accounts in the maintenance utility, users can be authenticated by the authentication server, but user groups are allocated to users based on the configuration in the maintenance utility.

Effective user administration involves the following activities:

  1. Understanding roles and permissions: See Roles and permissions.
  2. Creating user groups: See Creating a new user group.
  3. Creating users and assigning them to user groups: See Creating user accounts.
  4. Creating resource groups and assigning them to user groups: See Managing resource groups.

User groups

Device Manager - Storage Navigator provides several built-in user groups with predefined permissions based on the available roles. You can use these groups to begin managing user permissions and access control immediately. Or you can create your own user groups tailored to meet your unique requirements.

Consider the following when setting up user groups:

  • When a user is assigned to multiple user groups, the user has the permissions of all the roles in each user group that are enabled on the resource groups assigned to each user group.
  • You can create two user accounts for one person who acts in two roles. For example, user_1 and user_2 can be used by the same person, where user_1 is a security administrator that has access to all resource groups and user_2 is a storage administrator that has access to only one of the resource groups.
  • All user groups, except for the Storage Administrator groups, have access to all resources in the storage systems (All Resource Groups Assigned is automatically set to Yes).
  • If you delete all the roles except Storage Administrator from a user group, you must add all required resource groups to the user group, because the Storage Administrator role does not have access to all resources by default. See Changing assigned resource groups.
  • All user groups must have resource groups assigned in order to perform operations on the storage system.

Roles and permissions

The following table lists all of the available user roles and shows the permissions that each role provides to the users. Custom user roles are not supported.

Important: The Support Personnel group and the Support Personnel (Vendor Only) role contain permissions to perform maintenance on the storage system. Assign this role only to the accounts used by support personnel from vendors responsible for maintenance.

The roles for Hitachi Storage Advisor Embedded users are:

  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)

    This role is not required when the DKCMAIN firmware version is 93-06-3x or earlier.

  • Storage Administrator (Provisioning)
  • Storage Administrator (Local Backup Management)
  • Storage Administrator (Remote Backup Management)
  • Security Administrator (View and Modify)
  • Maintenance (User)
Role Permissions
Security Administrator (View Only)
  • Viewing information about user accounts and encryption settings
  • Viewing information about the encryption key in the key SVP
  • Viewing information about the external authentication by the maintenance utility
  • Viewing information about the cloud connection settings
Security Administrator (View & Modify)
  • Configuring user accounts
  • Creating encryption keys and configuring encryption settings
  • Viewing and switching where encryption keys are generated
  • Backing up and restoring encryption keys
  • Deleting encryption keys backed up in the key SVP
  • Viewing and changing the password policy for backing up encryption keys on the management client
  • Connection to the external server
  • Backing up and restoring connection configuration to the external server
  • Configuring the certificate used for the SSL communication
  • Configuring the fibre channel authentication (FC-SP)
  • Configuring resource groups
  • Editing virtual management settings
  • Setting reserved attributes for global-active device
  • Configuring external authentication by the maintenance utility
  • Setting up and clearing the cloud connection settings
Audit Log Administrator (View Only)
  • Viewing audit log information and downloading audit logs
Audit Log Administrator (View & Modify)
  • Configuring audit log settings and downloading audit logs
Storage Administrator (View Only)
  • Viewing storage system information
Storage Administrator (Initial Configuration)
  • Configuring settings for storage systems
  • Configuring settings for SNMP
  • Configuring settings for e-mail notification
  • Configuring settings for license keys
  • Viewing, deleting, and downloading storage configuration reports
  • Acquiring all the information about the storage system and updating Device Manager - Storage Navigator window by clicking Refresh All
Storage Administrator (System Resource Management)
  • Configuring settings for CLPR
  • Configuring settings for MP unit
  • Deleting tasks and releasing exclusive locks of resources
  • Configuring LUN security
  • Configuring namespace security using CCI
  • Configuring Server Priority Manager
  • Configuring tiering policies
  • Remote copy operations in general
Storage Administrator (Provisioning)
  • Configuring caches
  • Creating parity groups
  • Configuring volumes, pools, and virtual volumes
  • Formatting and shredding volumes
  • Configuring external volumes
  • Configuring Dynamic Provisioning
  • Configuring host groups, paths, and WWN
  • Configuring NVM subsystems, namespaces, paths, and host NQNs using CCI
  • Configuring Volume Migration except splitting Volume Migration pairs when using CCI
  • Configuring access attributes for volumes
  • Configuring LUN security
  • Configuring namespace security using CCI
  • Creating and deleting quorum disk used with global-active device
  • Creating and deleting global-active device pairs
  • Editing virtual management settings
  • Setting reserved attributes for global-active device
Storage Administrator (Performance Management)
  • Configuring monitoring
  • Starting and stopping monitoring
Storage Administrator (Local Copy)
  • Performing pair operations for local copy
  • Configuring environmental settings for local copy
  • Splitting Volume Migration pairs when using CCI
Storage Administrator (Remote Copy)
  • Remote copy operations in general
  • Performing operations on existing global-active device pairs (pair creation and pair deletion are not allowed)
Support Personnel (Vendor Only)
  Normally, this role is for service representatives.
  • Configuring the SVP
Support Personnel (User)
  • Viewing storage system status
  • Installing OS security patches
  • Updating operating systems
  • Performing basic maintenance

Built-in user groups

You can assign users to one or more built-in user groups and custom user groups. You cannot change the roles or resource groups assigned to the built-in groups, but you can create custom user groups according to the needs of your storage environment.

The following table shows all the built-in groups, and their built-in roles and resource groups.

Built-in group: Administrator
Role:
  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)
Resource group: All Resource Groups Assigned

Built-in group: System
Role:
  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)
Resource group: All Resource Groups Assigned

Built-in group: Security Administrator (View Only)
Role:
  • Security Administrator (View Only)
  • Audit Log Administrator (View Only)
  • Storage Administrator (View Only)
Resource group: All Resource Groups Assigned

Built-in group: Security Administrator (View & Modify)
Role:
  • Security Administrator (View & Modify)
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (View Only)
Resource group: All Resource Groups Assigned

Built-in group: Audit Log Administrator (View Only)
Role:
  • Audit Log Administrator (View Only)
  • Storage Administrator (View Only)
Resource group: All Resource Groups Assigned

Built-in group: Audit Log Administrator (View & Modify)
Role:
  • Audit Log Administrator (View & Modify)
  • Storage Administrator (View Only)
Resource group: All Resource Groups Assigned

Built-in group: Storage Administrator (View Only)
Role:
  • Storage Administrator (View Only)
Resource group: meta_resource

Built-in group: Storage Administrator (View & Modify)
Role:
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)
Resource group: meta_resource

Built-in group: Support Personnel
Role:
  • Storage Administrator (Initial Configuration)
  • Storage Administrator (System Resource Management)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Performance Management)
  • Storage Administrator (Local Copy)
  • Storage Administrator (Remote Copy)
  • Support Personnel
Resource group: All Resource Groups Assigned

Creating a new user group

You can customize a user group, as long as it supports your storage system.

This section explains how administrators can create a user group.

A user group name consists of 1 to 64 characters including alphanumeric characters, spaces, and the following symbols:

! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~

The system can support a maximum of 32 user groups, including the nine built-in user groups.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Administration tree, select User Groups.

  2. In the User Groups tab, click Create User Groups to open the Create User Group window.

  3. Enter a user group name.

  4. If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.

  5. Click Next to open the Assign Roles window.

  6. Select the roles to assign to the user group, and click Add.

  7. Click Next to open the Assign Resource Groups window.

  8. Select the resource groups to assign to the user group, and click Add. If you select a role other than the storage administrator in the Assign Roles window, you do not need to select resource groups because all the resource groups are assigned automatically.

  9. Click Finish to finish and confirm settings.

    Click Next to add another user.
  10. Check the settings and enter a task name in Task Name.

  11. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Changing a user group name

You can change the name of a user group by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The names of built-in groups cannot be changed.
  • A user group name consists of 1 to 64 characters including alphanumeric characters (ASCII), spaces and the following symbols:

    # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~

Procedure

  1. In the Administration tree, select User Groups.

  2. In the User Groups tab, select the user group.

  3. Click More Actions > Edit User Group.

  4. In the Edit User Group window, enter a new user group name.

  5. If you use an authorization server, click Check and verify that the entered user group name is registered in the authorization server.

  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.

Changing user group permissions

You can change the permissions that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The permissions of a built-in group cannot be changed.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. In the User Groups tab, select the user group whose permission you want to change.

  3. Click the Roles tab.

  4. Click Edit Role Assignment.

  5. In the Edit Role Assignment window, change roles to be assigned to the user group.

    • Select roles to add, and then click Add.
    • Select a role to remove, and then click Remove.
  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens.

Changing assigned resource groups

You can change the resource groups that are assigned to user groups by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • Create a resource group to be assigned to the user group in advance.
  • You cannot change the resource groups of a user group that has All Resource Groups Assigned set to Yes.
  • You cannot change resource groups of a built-in group.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select a user group to change the resource group.

  3. Select the Resource Groups tab.

  4. Click Edit Resource Group Assignment to open the Edit Resource Group Assignment window.

  5. In the Edit Resource Group Assignment window, change resource groups to be assigned to the user group.

    • Select the resource group to add, and click Add.
    • Select the resource group to remove, and click Remove.
  6. Click Finish.

  7. In the Confirm window, check the settings and enter a task name in Task Name.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to display the status of the task.

Deleting a user group

You do not have to retain a user group for the life of the project. You can delete it at any time by using Hitachi Device Manager - Storage Navigator.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You cannot delete a built-in user group.
  • You cannot delete a user group if the users in it belong to only the user group to be deleted.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. In the User Groups tab, select the user-created user groups that you want to delete.

  3. Click More Actions > Delete User Groups.

  4. Check the settings, then click Apply.

User accounts

When adding a new user, you must add the user to a user group that has the desired permissions. You can use one of the built-in user groups or a custom user group.

For more information about roles, permissions, and user groups, see Roles and permissions.

You will need to use the local administrator account created during the initial setup step, or create administrator accounts using the procedures described in this chapter as needed to access the storage system temporarily when the management software is not available.

Important
  • Create more than one user account in case the system administrator is not available when the management software becomes unavailable, or when someone else needs to access the system. This is also helpful if multiple users need to access Device Manager - Storage Navigator to use storage features that are not available in the management software.
  • Create user accounts that do not have the "Support Personnel (Vendor Only)" role to prevent unauthorized access to the functions available to service representatives. Users that have the "Support Personnel (Vendor Only)" role can perform the same operations as service representatives.

Creating user accounts

When you create a user account, you register the user to the applicable user groups with appropriate permissions. The storage system supports a maximum of 20 user accounts, including the built-in user accounts. To prevent unauthorized access to the storage system, users must change their password immediately after logging in for the first time.
Important: After the user accounts have been created, back up the user account information. If a controller failure or other problem occurs, recover from the failure and then restore the backup file. You will be able to use the user account information again after the backup file is restored.

The following tables specify the character requirements for logging in to Device Manager - Storage Navigator and CCI.

User name and password for Device Manager - Storage Navigator

Item: User name
Length in characters: 1-256
Characters that can be used:
  • Alphanumeric characters
  • The following symbols:

    # $ % & ' * + - . / = ? @ ^ _ ` { | } ~

Item: Password
Length in characters: 6-256
Characters that can be used:
  • Alphanumeric characters
  • All symbols

User name and password for logging in to CCI

Item: User name
Length in characters: 1-63
Characters that can be used:
  • Alphanumeric characters
  • The following symbols:

    - . @ _

    When CCI is installed on a UNIX computer, forward slashes (/) can also be used.

Item: Password
Length in characters: 6-63
Characters that can be used:
  • Alphanumeric characters
  • The following symbols:

    , - . @ _:

    When CCI is installed on a Windows computer, back slashes (\) can also be specified. When CCI is installed on a UNIX computer, forward slashes (/) can also be used.
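
Because one account can be used to log in to both Device Manager - Storage Navigator and CCI, a credential that satisfies the first table can still be unusable for CCI. The following is an added example, not Hitachi code, that checks a user name and password against both tables. It assumes ASCII alphanumerics, reads "All symbols" as ASCII punctuation, and treats the trailing ":" in the CCI password symbol list as not allowed (the stricter reading).

```python
import string

ALNUM = string.ascii_letters + string.digits  # assumption: ASCII only

# (min length, max length, allowed symbols) transcribed from the two tables.
# None stands for "All symbols" (Storage Navigator passwords).
RULES = {
    ("hdvm_sn", "user"): (1, 256, "#$%&'*+-./=?@^_`{|}~"),
    ("hdvm_sn", "password"): (6, 256, None),
    ("cci", "user"): (1, 63, "-.@_"),
    # Assumption: the ":" after "_" in the page's list is not counted as allowed.
    ("cci", "password"): (6, 63, ",-.@_"),
}

# Extra characters that depend on the OS of the computer where CCI is installed.
CCI_EXTRA = {
    ("user", "unix"): "/",
    ("password", "unix"): "/",
    ("password", "windows"): "\\",
}


def violations(interface, field, value, cci_host_os="unix"):
    """Return a list of rule violations for one value (empty list = acceptable)."""
    lo, hi, symbols = RULES[(interface, field)]
    if symbols is None:
        symbols = string.punctuation  # assumption for "All symbols"
    if interface == "cci":
        symbols += CCI_EXTRA.get((field, cci_host_os), "")
    problems = []
    if not lo <= len(value) <= hi:
        problems.append(f"length {len(value)} outside {lo}-{hi}")
    bad = sorted({c for c in value if c not in ALNUM and c not in symbols})
    if bad:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in bad))
    return problems


def check_account(user, password, cci_host_os="unix"):
    """Check one account against both interfaces; returns {interface: [problems]}."""
    return {
        iface: violations(iface, "user", user, cci_host_os)
        + violations(iface, "password", password, cci_host_os)
        for iface in ("hdvm_sn", "cci")
    }


if __name__ == "__main__":
    # Constructed sample credentials.
    for user, password in [("backup.svc@corp", "Tr0ub4dor-x_9"),
                           ("ops+dr", "S3cure!pass#1")]:
        print(user, check_account(user, password))
```
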

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • You or an authorized technical support representative can log in to Device Manager - Storage Navigator and CCI with user accounts that are created in Device Manager - Storage Navigator.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select a user group to which to add a user. This is dependent on which permissions you want to give to the user.

    Support representatives must have the Support Personnel (Vendor Only) role to log in.
  3. On the Roles tab, confirm that the displayed permissions are appropriate for the user.

    The roles for Hitachi Storage Advisor Embedded users are:
    • Storage Administrator (Initial Configuration)
    • Storage Administrator (Provisioning)
    • Storage Administrator (Local Backup Management)
    • Security Administrator (View and Modify)
    • (VSP E series) Maintenance (User)
  4. On the Users tab, click Create.

  5. Enter the user name.

  6. Select Enable or Disable for the account.

    If you select Disable, the user of this account is disabled and cannot log in to Device Manager - Storage Navigator.
  7. To use an authentication server, select External. To authenticate users with only Device Manager - Storage Navigator, select Local.

  8. If you select Local, enter the password for this user account in two places.

    You can use all alphanumeric characters and symbols for the password. The password must be between 6 and 256 characters.
  9. Click Finish.

  10. In the Confirm window, check the settings.

  11. Click Apply. The task is now registered. If Go to tasks window for status is checked, the Tasks window opens to display the status of the task.

Changing user passwords using HDvM - SN

Security administrators with the View & Modify role can change the password of Device Manager - Storage Navigator (HDvM - SN) users using HDvM - SN.
Tip: If the user has a local user account for the authentication server, the security administrator can use the authentication server, if desired, to change the user's password. After the password is changed, the user can use the new password both on the authentication server and in HDvM - SN.
Caution
  • When using management software (for example, Ops Center, Hitachi Command Suite), you might need to change the password information registered in the software. For details, see the documentation for the software product.
  • Do not use HDvM - SN to operate on user accounts that are used for communication with the storage systems registered in the Storage Device List window. Use maintenance utility to change passwords for such users.
  • If you change the password of a user who is currently logged in to HDvM - SN, the user must log out and then log back in using the new password to continue operations.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The target user must have a local user account for HDvM - SN.

Procedure

  1. In the HDvM - SN Administration tree, select User Groups.

  2. On the User Groups tab, select the user group to which the user belongs.

  3. On the User tab, select the user whose password you want to change, and then click Change Password.

  4. In the Change Password dialog box, specify the new password for the user in the two password fields, and then click Finish.

  5. In the Confirm window, check the settings and enter a task name in Task Name or accept the default name.

    If you want the Tasks window to open automatically after you click Apply, make sure Go to tasks window for status is checked.
  6. Click Apply.

    The task is now registered. If Go to tasks window for status was checked, the Tasks window now opens.

Changing user permissions

You can change user permissions by changing membership in the user group. A user can belong to multiple user groups.

For example, if you want to change the role of the user who manages security to the performance management role, add this user to the Storage Administrator (Performance Management) role group and then remove the user from the Security Administrator (View & Modify) role group.

Before you begin

  • You must have the Security Administrator (View & Modify) role to perform this task.
  • The user whose permissions you want to change must belong to at least one user group.
  • A user account can belong to up to 8 user groups.
  • A user group can contain a maximum of 20 user accounts, including the built-in user accounts.
Adding a user

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, select the user group that has the role you want the user to have, and then add or remove users.

    To add users to the selected groups:
    1. Click Add Users.

    2. In the Add Users window, select a user and click Add.

    To remove users from the selected groups:
    1. In the Remove Users window, select one or more users.

    2. Click More Actions > Remove Users.

  3. Click Finish.

  4. In the Confirm window, check the settings. If the Task Name field is empty, enter a task name.

  5. Click Apply. The task is now registered. If you selected the Go to tasks window for status check box, the Tasks window opens to show the status of the task.
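
The limits and role rules stated on this page can be checked against an inventory of user groups and accounts during an access review. The following is an added example, not Hitachi code: the dictionary layout, the group and user names, and the finding codes are assumptions, and the sample data is constructed. SPLIT_CANDIDATE marks an account that holds both Security Administrator (View & Modify) and a modifying Storage Administrator role, which the page notes can be divided into two accounts.

```python
# Limits and role names as stated on this page.
MAX_USER_GROUPS = 32       # includes the nine built-in user groups
MAX_USER_ACCOUNTS = 20     # includes the built-in user accounts
MAX_GROUPS_PER_USER = 8
STORAGE_ADMIN = "Storage Administrator"
STORAGE_VIEW_ONLY = "Storage Administrator (View Only)"
SECURITY_MODIFY = "Security Administrator (View & Modify)"
VENDOR_ROLE = "Support Personnel (Vendor Only)"

# Constructed inventory (hypothetical names). The layout is an assumption,
# not an export format of Device Manager - Storage Navigator.
SAMPLE_GROUPS = {
    "site-admins": {
        "roles": [SECURITY_MODIFY, "Audit Log Administrator (View & Modify)",
                  "Storage Administrator (Provisioning)"],
        "resource_groups": [],  # non-storage role present: all assigned automatically
    },
    "dc1-provisioning": {"roles": ["Storage Administrator (Provisioning)"],
                         "resource_groups": ["rsg-dc1"]},
    "dc2-localcopy": {"roles": ["Storage Administrator (Local Copy)"],
                      "resource_groups": []},
    "vendor-maint": {"roles": [STORAGE_VIEW_ONLY, VENDOR_ROLE],
                     "resource_groups": []},
}
SAMPLE_USERS = {  # user name -> user groups the account belongs to
    "alice": ["site-admins"],
    "bob": ["dc1-provisioning"],
    "carol": ["dc2-localcopy", "vendor-maint"],
    "dave": [],
    "erin": ["dc1-provisioning", "retired-group"],
}


def audit(groups, users):
    """Return sorted (code, subject) findings for a groups/users inventory."""
    findings = []
    if len(groups) > MAX_USER_GROUPS:
        findings.append(("LIMIT_GROUPS", str(len(groups))))
    if len(users) > MAX_USER_ACCOUNTS:
        findings.append(("LIMIT_USERS", str(len(users))))

    for name, group in groups.items():
        roles = group["roles"]
        # Only groups made up solely of Storage Administrator roles need explicit
        # resource groups; any other role sets All Resource Groups Assigned to Yes.
        storage_only = bool(roles) and all(r.startswith(STORAGE_ADMIN) for r in roles)
        if storage_only and not group["resource_groups"]:
            findings.append(("GROUP_NO_RESOURCES", name))

    for name, memberships in users.items():
        if not memberships:
            findings.append(("USER_NO_GROUP", name))
        if len(memberships) > MAX_GROUPS_PER_USER:
            findings.append(("USER_TOO_MANY_GROUPS", name))
        held = set()  # every role the account receives through its groups
        for group_name in memberships:
            if group_name not in groups:
                findings.append(("UNKNOWN_GROUP", f"{name}->{group_name}"))
                continue
            held.update(groups[group_name]["roles"])
        if VENDOR_ROLE in held:
            findings.append(("VENDOR_ROLE_HELD", name))
        modifies_storage = any(
            r.startswith(STORAGE_ADMIN) and r != STORAGE_VIEW_ONLY for r in held
        )
        if SECURITY_MODIFY in held and modifies_storage:
            findings.append(("SPLIT_CANDIDATE", name))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_GROUPS, SAMPLE_USERS):
        print(f"{code:22} {subject}")
```
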

Enabling and disabling user accounts

To allow or prevent a user from logging in to Device Manager - Storage Navigator, follow the steps below.

Caution: Do not select any user account used to connect to a storage system that is registered in the Storage Device List window. For details, see the Hardware Reference Guide for your storage system.

Before you begin

  • Log in to an account that is different from the account that you want to disable.
  • You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, click User Groups.

  2. On the User Group tab, select the user group.

  3. On the Users tab, select a user.

  4. Click Edit User.

  5. Click the Account Status check box.

  6. Click Finish.

  7. In the Confirm window, check the settings.

  8. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Deleting user accounts

Security Administrators can delete a user account when the account is no longer in use. Built-in user accounts cannot be deleted.

Caution: Do not select any user account used to connect to a storage system that is registered in the Storage Device List window. For details, see the Hardware Reference Guide for your storage system.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Device Manager - Storage Navigator Administration tree, select User Groups.

  2. On the User Groups tab, click a user group to which a user belongs.

  3. On the Users tab, select the user whose account you want to delete.

  4. Click More Actions > Delete Users.

  5. In the Delete Users window, select the user to be deleted, then click Finish.

  6. In the Confirm window, check the settings.

  7. Click Apply. The task is now registered. If the Go to tasks window for status check box is checked, the Tasks window opens to show the status of the task.

Unlocking a user account

A user account is automatically locked after three unsuccessful login attempts to Device Manager - Storage Navigator or Command Control Interface. The account is locked for 60 seconds. If necessary, you can release the locked status before the lock times out.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Administration tree, select User Groups.

  2. On the User Groups tab, click a user group to which the locked-out user belongs.

  3. On the User tab, select the user you want to unlock.

  4. On the User tab, click More Actions > Release Lockout.

    The Release Lockout window opens.
  5. Specify a task name, and then click Apply.

Managing resource groups

You can divide a provisioned storage system into resource groups that allow you to manage the storage system as multiple virtual private storage systems. Configuring resource groups involves creating resource groups, moving storage system resources into the resource groups, and assigning resource groups to user groups.

About resource groups

A storage system can connect to multiple hosts and be shared by multiple divisions in a company or by multiple companies. Many storage administrators from different organizations can access the storage system. Managing the entire storage system can become complex and difficult. Potential problems are that private data might be accessed by other users, or a volume in one organization might be accidentally destroyed by a storage administrator in another organization.

To avoid such problems, use Hitachi Resource Partition Manager software to set up resource groups that allow you to manage one storage system as multiple virtual private storage systems. The storage administrator in each resource group can access only their assigned resources. Resource groups prevent the risk of data leakage or data destruction by another storage administrator in another resource group.

The following resources can be assigned to resource groups.

  • LDEV IDs
  • Parity groups
  • External volumes
  • Ports
Note

Before you create LDEVs, you can reserve the desired number of LDEV IDs and assign them to a resource group for future use.

meta_resource

The meta_resource group is the resource group consisting of the resources that exist on the storage system (other than external volumes) before Resource Partition Manager is installed. By default, all existing resources initially belong to the meta_resource group to ensure compatibility with older software when a system is upgraded to include Resource Partition Manager.

Resource lock

When a task is being processed on a resource, all of the resource groups assigned to the logged-on user are locked for exclusive access. When a resource is locked, a status indicator appears on the Device Manager - Storage Navigator status bar. To view information about the locked resource, click Resource Locked.

Note: Opening a Device Manager - Storage Navigator secondary window (such as Basic Information Display) or performing an operation from the service processor (SVP) locks all of the resource groups in the storage system.

Resource access requirements for Device Manager - Storage Navigator operations

When you log on to Device Manager - Storage Navigator, your user access privileges determine the resources you can view and the operations you can perform. User access privileges are determined by the user groups to which a user belongs and the resources assigned to those user groups. To perform an operation on the storage system, you must have access to the resources (for example, volumes, pools, ports) that are required for the operation.

These tables specify the resource access requirements for Device Manager - Storage Navigator operations.

Access requirements for Data Retention Utility

This table specifies the resource access requirements for Data Retention Utility operations.

Operation name: Set access attributes
Condition: The specified LDEV must be assigned to users.

Access requirements for Dynamic Provisioning and Dynamic Tiering

This table specifies the resource access requirements for Dynamic Provisioning and Dynamic Tiering operations.

Operation name: Create LDEVs
Condition: If DP-VOLs are created, these items must be assigned to the Storage Administrator group that is permitted to manage them.
  • LDEV ID
  • Pool-VOL of the pool

Operation name: Delete LDEVs
Condition: If DP-VOLs are deleted, these items must be assigned to the Storage Administrator group that is permitted to manage them.
  • LDEV ID
  • Pool-VOL of the pool

Operation name:
  • Create pools
  • Expand pools
Condition: Volumes to be specified as pool-VOLs must be assigned to the Storage Administrator group permitted to manage them.
  All the volumes that are specified when creating a pool must belong to the same resource group.

Operation name:
  • Edit pools
  • Delete pools
Condition: Pool-VOLs of the specified pool must be assigned to the Storage Administrator group permitted to manage them.

Operation name: Expand V-VOLs
Condition: You can expand only the DP-VOLs that are assigned to the Storage Administrator group permitted to manage them.

Operation name:
  • Reclaim zero pages
  • Stop reclaiming zero pages
Condition: You can reclaim or stop reclaiming zero pages only for the DP-VOLs that are assigned to the Storage Administrator group permitted to manage them.

Access requirements for Encryption License Key

This table specifies the resource access requirements for Encryption License Key operations.

| Operation name | Condition |
| --- | --- |
| Edit encryption keys | When you specify a parity group and open the Edit Encryption window, the specified parity group and LDEVs carved from the parity group must be assigned to the Storage Administrator group permitted to manage them. When you open the Edit Encryption window without specifying a parity group, more than one parity group and LDEVs carved from the parity group must be assigned to the Storage Administrator group permitted to manage them. |

Access requirements for Performance Monitor

This table specifies the resource access requirements for Performance Monitor operations.

Operation name

Condition

Add to ports

The specified ports must be assigned to the Storage Administrator group permitted to manage them.

Add new monitored WWNs

Edit WWNs

Access requirements for

This table specifies the resource access requirements for operations.

| Operation name | Condition |
| --- | --- |
| Edit Ports | Specified ports must be assigned to the user. |
| Add Remote Connection | Specified ports must be assigned to the user. |
| Edit Remote Connection Options | Operation can be performed with no conditions. |
| Create Pairs | Primary volumes must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
| Split Pairs | Specified primary volumes or secondary volumes must be assigned to the user. |
| Resync Pairs | Primary volumes must be assigned to the user. |
| Delete Pairs | Specified volumes must be assigned to the user. If primary volumes are specified, the ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
| Edit Pair Options | Primary volumes must be assigned to the user. |
| Add Remote Paths | Specified ports must be assigned to the user. |
| Remove Remote Paths | Specified ports must be assigned to the user. |
| Edit Remote Connection Options | Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
| Remove Remote Connections | Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
| Force Delete Pairs | Specified primary volumes or secondary volumes must be assigned to the user. |

Access requirements for

This table specifies the resource access requirements for operations.

| Operation name | Condition |
| --- | --- |
| Edit Ports | Specified ports must be assigned to the user. |
| Add Remote Connection | Specified ports must be assigned to the user. |
| Add Remote Paths | Specified ports must be assigned to the user. |
| Create Journals | All LDEVs that are specified when creating a journal must belong to the same resource group. Volumes to be assigned to a journal must be assigned to the user. |
| Assign Journal Volumes | Volumes to be assigned to a journal must be assigned to the user. All volumes to be assigned to a journal must belong to the same resource group to which the existing journal volumes belong. |
| Assign MP Unit | Journal volumes must be assigned to the user. |
| Edit Remote Connection Options | Operation can be performed with no conditions. |
| Create Pairs | Journal volumes for pair volumes and primary volumes must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
| Split Pairs | Specified primary volumes or secondary volumes must be assigned to the user. |
| Split Mirrors | All data volumes configured to a mirror must be assigned to the user. |
| Resync Pairs | Primary volumes must be assigned to the user. |
| Resync Mirrors | All data volumes configured to a mirror must be assigned to the user. |
| Delete Pairs | Specified volumes or secondary volume must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
| Delete Mirrors | All data volumes configured to a mirror must be assigned to the user. |
| Edit Pair Options | Primary volumes must be assigned to the user. |
| Force Delete Pairs | Specified volumes must be assigned to the user. |
| Edit Journal Options | All data volumes consisting of the specified journal must be assigned to the user. Journal volumes must be assigned to the user. |
| Edit Mirror Options | All data volumes configuring the specified journal must be assigned to the user. Journal volumes must be assigned to the user. |
| Remove Journals | Journal volumes must be assigned to the user. |
| Edit Remote Connection Options | Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
| Remove Remote Paths | Specified ports must be assigned to the user. |
| Move LDEVs to other resource groups | When you move LDEVs used for journal volumes to other resource groups, you must specify all the journal volumes of the journal to which the LDEVs belong. |
| Assign Remote Command Devices | Journal volumes must be assigned to the user. Specified remote command devices must be assigned to the user. |
| Release Remote Command Devices | Journal volumes must be assigned to the user. Specified remote command devices must be assigned to the user. |

Access requirements for Universal Volume Manager

This table specifies the resource access requirements for Universal Volume Manager operations.

| Operation name | Condition |
| --- | --- |
| Add external volumes | When creating an external volume, a volume is created in the resource group where the port belongs. When you specify a path group and open the Add External Volumes window, all the ports that compose the path group must be assigned to the Storage Administrator group permitted to manage them. |
| Delete external volumes | The specified external volume and all the LDEVs allocated to that external volume must be assigned to the Storage Administrator group permitted to manage them. |
| Disconnect external storage systems | All the external volumes belonging to the specified external storage system and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Reconnect external storage systems | All the external volumes belonging to the specified external storage system and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Disconnect external volumes | The specified external volumes and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Reconnect external volumes | The specified external volumes and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Edit external volumes | The specified external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Assign MP Unit | The specified external volumes and all the ports of the external paths connecting the external volumes must be assigned to the Storage Administrator group permitted to manage them. |
| Disconnect external paths | Ports of the specified external paths and all the external volumes connecting with the external path must be assigned to the Storage Administrator group permitted to manage them. When you specify By Ports, all the external paths connecting with the specified ports and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By External WWNs, all the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. |
| Reconnect external paths | Ports of the specified external paths and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By Ports, all the external paths connecting with the specified ports and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By External WWNs, all the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. |
| Edit external WWNs | All the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. |
| Edit external path configuration | Ports of all the external paths composing the specified path group and all the external volumes that belong to the path group must be assigned to the Storage Administrator group permitted to manage them. |

Access requirements for

This table specifies the resource access requirements for operations.

| Operation name | Condition |
| --- | --- |
| Create LDEVs | When you specify a parity group and open the Create LDEVs window, the parity group must be assigned to the Storage Administrator group permitted to manage them. When you create internal or external volumes, the parity groups to which the LDEVs belong and the IDs of the new LDEVs must be assigned to the Storage Administrator group permitted to manage them. |
| Delete LDEVs | When deleting an internal or external volume, the deleted LDEV and parity groups where the LDEV belongs must be assigned to the Storage Administrator group permitted to manage them. |
| Edit LDEVs | The specified LDEV must be assigned to the Storage Administrator group permitted to manage them. |
| Restore LDEVs | When you specify LDEVs and open the Restore LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Restore LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
| Block LDEVs | When you specify LDEVs and open the Block LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Block LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
| Format LDEVs | When you specify an LDEV and open the Format LDEVs window, the specified LDEV must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Format LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
| Delete Parity Groups | When deleting a parity group, the parity group to be deleted must be assigned to the Storage Administrator group permitted to manage them. |
| Format Parity Groups | When you specify a parity group and open the Format Parity Groups window, the specified parity group must be assigned to the Storage Administrator group permitted to manage them. |

Access requirements for Virtual Partition Manager

This table specifies the resource access requirements for Virtual Partition Manager operations.

| Operation name | Condition |
| --- | --- |
| Migrate parity groups | When you specify virtual volumes, the specified LDEV must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group, the specified parity group must be assigned to the Storage Administrator group permitted to manage them. |

Access requirements for Volume Retention Manager

This table specifies the resource access requirements for Volume Retention Manager operations.

| Operation name | Condition |
| --- | --- |
| Set access attributes | The specified LDEV must be assigned to users. |

Access requirements for Volume Shredder

This table specifies the resource access requirements for Volume Shredder operations.

| Operation name | Condition |
| --- | --- |
| Shred LDEVs | When you specify LDEVs and open the Shred LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Shred LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |

Examples

The following examples illustrate how you can configure resource groups on your storage system.

Resource groups sharing a port

If you have a limited number of ports, you can still operate a storage system effectively by sharing ports using resource groups.

The following example shows the system configuration of an in-house division providing a virtual private storage system for two divisions. Divisions A and B each use their own assigned parity group, but share a port between the two divisions. The shared port is managed by the system division.

[Figure: system configuration in which Divisions A and B each use their own parity group and share a port managed by the system division]

The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.

The Security Administrator creates a resource group for managing the common resources, and the Storage Administrator in the system division manages the port that is shared between Divisions A and B. The Storage Administrators in Divisions A and B cannot manage the shared port belonging to the resource group for common resources management.

Configuration workflow for resource groups sharing a port
  1. The system division forms a plan about the resource group creation and assignment of the resources.
  2. The Security Administrator creates the resource groups.
  3. The Security Administrator creates the user groups.
  4. The Security Administrator assigns the resource groups to the user groups.
  5. The Storage Administrator in the system division sets a port.
  6. The Security Administrator assigns resources to the resource groups.
  7. The Security Administrator assigns the Storage Administrators to the appropriate user groups.

After the above procedures, the Storage Administrators in Divisions A and B can manage the resource groups assigned to their own division.
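The access boundaries described for the shared-port configuration can be checked against a planned assignment before it is applied. The following is an added example, not part of the original documentation: it models user → user group → resource group → resource for Divisions A and B and the system division, then evaluates two requirements from the access requirement tables (Shred LDEVs opened from a parity group, and Performance Monitor Add to ports). All group names, user names and resource IDs are constructed placeholders, and the model covers resource assignment only, not roles.

```python
"""Access model for the 'resource groups sharing a port' example (constructed data)."""

# Constructed inventory: every group name, user name and resource ID is a placeholder.
RESOURCE_GROUPS = {
    "RSG_DivisionA": {"PG:1-1", "LDEV:00:10", "LDEV:00:11"},
    "RSG_DivisionB": {"PG:1-2", "LDEV:00:20", "LDEV:00:21"},
    "RSG_Common": {"PORT:CL1-A"},  # the port shared by both divisions
}
USER_GROUPS = {  # user group -> resource groups assigned to it
    "UG_DivisionA": {"RSG_DivisionA"},
    "UG_DivisionB": {"RSG_DivisionB"},
    "UG_System": {"RSG_Common"},
}
USERS = {  # Storage Administrator account -> user groups it belongs to
    "storage_admin_a": {"UG_DivisionA"},
    "storage_admin_b": {"UG_DivisionB"},
    "storage_admin_sys": {"UG_System"},
}
PARITY_GROUP_LDEVS = {  # LDEVs carved from each parity group
    "PG:1-1": {"LDEV:00:10", "LDEV:00:11"},
    "PG:1-2": {"LDEV:00:20", "LDEV:00:21"},
}


def accessible_resources(user, resource_groups=None):
    """Resources reachable through user -> user groups -> resource groups."""
    resource_groups = RESOURCE_GROUPS if resource_groups is None else resource_groups
    reachable = set()
    for user_group in USERS.get(user, ()):
        for rsg in USER_GROUPS.get(user_group, ()):
            reachable |= resource_groups.get(rsg, set())
    return reachable


def missing_resources(user, required, resource_groups=None):
    """Required resources the user cannot access; an empty set means allowed."""
    return set(required) - accessible_resources(user, resource_groups)


def shred_by_parity_group(parity_group):
    """Shred LDEVs opened from a parity group needs the group and all its LDEVs."""
    return {parity_group} | PARITY_GROUP_LDEVS[parity_group]


def add_port_to_monitoring(port):
    """Performance Monitor 'Add to ports' needs the specified port."""
    return {port}


def report():
    """Decision per administrator for two operations taken from the tables."""
    operations = {
        "Shred LDEVs (PG 1-1)": shred_by_parity_group("PG:1-1"),
        "Add to ports (CL1-A)": add_port_to_monitoring("PORT:CL1-A"),
    }
    rows = []
    for user in sorted(USERS):
        for name, required in operations.items():
            missing = missing_resources(user, required)
            rows.append((user, name, "allow" if not missing else "deny", sorted(missing)))
    return rows


if __name__ == "__main__":
    for user, name, decision, missing in report():
        print(f"{user:18} {name:22} {decision:5} {', '.join(missing)}")
```

Passing a modified resource group mapping as the third argument of `missing_resources` shows the effect of drift: if one LDEV of a division's parity group ends up in another resource group, the parity-group form of the operation is denied for that division's administrator.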

Resource groups not sharing ports

If you assign ports to each resource group without sharing them, performance can be maintained on a different port even if the bulk of I/O is issued from one side's port.

The following shows a system configuration example of an in-house system division providing the virtual private storage system for two divisions. Divisions A and B each use individual assigned ports and parity groups. In this example, they do not share a port.

[Figure: system configuration in which Divisions A and B each use individually assigned ports and parity groups and do not share a port]

The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.

Configuration workflow for resource groups not sharing a port
  1. The system division forms a plan about creating resource groups and assigning resources to the groups.
  2. The Security Administrator creates the resource groups.
  3. The Security Administrator creates the user groups.
  4. The Security Administrator assigns the resource groups to user groups.
  5. The Storage Administrator in the system division sets ports.
  6. The Security Administrator assigns resources to the resource groups.
  7. The Security Administrator assigns each Storage Administrator to each user group.

After the above procedures, the Storage Administrators in Divisions A and B can access the resource groups allocated to their own division.

Resource group assignments

All resource groups are normally assigned to the Security Administrator and the Audit Log Administrator.

Each resource group has a designated Storage Administrator who can access only their assigned resources and cannot access other resources.

All resource groups to which all resources in the storage system belong can be assigned to a user group. Configure this in Device Manager - Storage Navigator by setting All Resource Groups Assigned to Yes.

A user who has All Resource Groups Assigned set to Yes can access all resources in the storage system. For example, if a user is a Security Administrator (with View & Modify privileges) and a Storage Administrator (with View and Modify privileges) and All Resource Groups Assigned is Yes on that user account, the user can edit the storage for all the resources.

If allowing this access becomes a problem with security on the storage system, then register the following two user accounts and use these different accounts for different purposes.

  • A user account for a Security Administrator where All Resource Groups Assigned is set to Yes.
  • A user account for a Storage Administrator who does not have all resource groups assigned and has only some of the resource groups assigned.
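A periodic audit can find accounts that combine both administrator roles with access to every resource group, which is the situation the two-account split above is meant to avoid. The following is an added example, not part of the original documentation. It runs over a constructed export of user groups and users; the group and user names, and the Storage Administrator role names used as sample values, are assumptions, as is the rule that a user's effective roles and All Resource Groups Assigned setting are the union over all user groups the user belongs to.

```python
"""Audit: accounts that hold both administrator roles over every resource group."""

SECURITY_MODIFY = "Security Administrator (View & Modify)"
STORAGE_PREFIX = "Storage Administrator"
VIEW_ONLY_SUFFIX = "(View Only)"

# Constructed export; group names, user names and memberships are sample data.
USER_GROUPS = {
    "UG_Security": {"roles": {SECURITY_MODIFY}, "all_rsg": True},
    "UG_Storage_All": {"roles": {"Storage Administrator (Provisioning)"}, "all_rsg": True},
    "UG_Storage_DivA": {"roles": {"Storage Administrator (Provisioning)"}, "all_rsg": False},
    "UG_Storage_View": {"roles": {"Storage Administrator (View Only)"}, "all_rsg": True},
}
USERS = {
    "alice": ["UG_Security", "UG_Storage_All"],    # combined account
    "bob_sec": ["UG_Security"],                    # split: security duties only
    "bob_stor": ["UG_Storage_DivA"],               # split: storage duties only
    "carol": ["UG_Security", "UG_Storage_View"],   # can view storage, not edit it
    "dave": ["UG_Security", "UG_Storage_DivA"],    # scoped storage group, but see audit
}


def effective_rights(group_names):
    """Union of roles and of the All Resource Groups Assigned flag (assumed rule)."""
    roles, all_rsg = set(), False
    for name in group_names:
        group = USER_GROUPS[name]
        roles |= group["roles"]
        all_rsg = all_rsg or group["all_rsg"]
    return roles, all_rsg


def can_modify_storage(roles):
    """True when any Storage Administrator role other than view-only is held."""
    return any(
        role.startswith(STORAGE_PREFIX) and not role.endswith(VIEW_ONLY_SUFFIX)
        for role in roles
    )


def audit(users=None):
    """Users who can edit security settings and storage for all resources."""
    users = USERS if users is None else users
    findings = []
    for user in sorted(users):
        roles, all_rsg = effective_rights(users[user])
        if SECURITY_MODIFY in roles and can_modify_storage(roles) and all_rsg:
            via = sorted(g for g in users[user] if USER_GROUPS[g]["all_rsg"])
            findings.append({"user": user, "all_rsg_via": via, "roles": sorted(roles)})
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['user']}: all resource groups via {finding['all_rsg_via']}, "
              f"roles {finding['roles']}")
```

Under the union assumption, `dave` is reported even though his storage user group is scoped to one division, because his membership in the security user group carries All Resource Groups Assigned set to Yes.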

Resource group rules, restrictions, and guidelines

Rules
  • The maximum number of resource groups that can be created on a storage system is 1023.

If you are providing a virtual private storage system to different companies, you should not share parity groups, external volumes, or pools if you want to limit the capacity that can be used by each user. When parity groups, external volumes, or pools are shared between multiple users, and if one user uses too much capacity of the shared resource, the other users might not be able to create an LDEV.

Creating resource groups

When you create a resource group, you enter a name and assign the desired resources (parity groups, LDEVs, ports, host groups, and iSCSI targets) to the new group. You can create more than one resource group at a time.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Explorer pane, expand the Storage Systems tree, click the Administration tab, and then select Resource Groups.

  2. In the Explorer pane, expand the Storage Systems tree, and then click the Administration tab.

  3. Select Resource Groups, and then click Create Resource Groups.

  4. In the Create Resource Groups window, enter the name for the new group, select the desired resources for the new group, and click Add to add the new group to the list of resource groups to be added.

    Naming guidelines:

    • A resource group name can use alphanumeric characters, spaces, and the following symbols: ! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~
    • The characters in a resource group name are case-sensitive.
    • Duplicate occurrences of the same name are not allowed.
    • You cannot use the following names: meta_resource

  5. Repeat the previous step for each new resource group to be added. If you need to remove a group from the list of resource groups to be added, select the group, and click Remove.

    Note: The maximum number of resource groups that can be created on a storage system is 1023.
  6. When you are finished configuring new resource groups in the Create Resource Groups window, click Next.

  7. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.

Adding resources to a resource group

You can add resources to, remove resources from, and rename existing resource groups.

Note the following restrictions for editing resource groups:

  • Only resources allocated to meta_resource can be added to resource groups.
  • Resources removed from a resource group are returned to meta_resource.
  • No resource can be added to or removed from meta_resource.
  • The name of the meta_resource group cannot be changed or used for any resource group other than the meta_resource group.
  • The system does not allow duplicate names.
  • LDEVs with the same pool ID or journal ID cannot be added to multiple resource groups or partially removed from a resource group. For example, if two LDEVs belong to the same pool, you must allocate both to the same resource group. You cannot allocate them separately.

    You cannot partially remove LDEVs with the same pool ID or journal ID from a resource group. If LDEV1 and LDEV2 belong to the same pool, you cannot remove LDEV1 and leave only LDEV2 in the resource group.

    Use the sort function to sort the LDEVs by pool ID or journal ID. Then select the IDs and add or remove them all at once.

  • Host groups that belong to the initiator port cannot be added to a resource group.
  • To add or delete DP pool volumes, you must first add or delete DP pools.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Explorer pane, click the Administration tab, and then select Resource Groups.

  2. Select the desired resource group (check the box next to the name of the resource group) to display the resource information for the resource group.

    • To change the name of the selected resource group, click Edit Resource Group, and enter the new name.
    • To add resources to the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, click Add Resources, and follow the instructions on the Add Resources window.
    • To remove resources from the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, select the resources to be removed, and then click Remove Resources.
  3. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.
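The editing restrictions above (only meta_resource as the source of additions, nothing added to or removed from meta_resource, and LDEVs that share a pool ID or journal ID moved together) can be checked on a planned selection before it is submitted. The following is an added example, not part of the original documentation; the LDEV inventory, IDs and group names are constructed, and `validate_change` is a hypothetical helper name.

```python
"""Pre-check for adding LDEVs to or removing them from a resource group."""
from collections import defaultdict

META = "meta_resource"

# Constructed LDEV inventory; IDs, pool/journal numbers and group names are placeholders.
LDEVS = {
    "00:10": {"rsg": META, "pool": 1, "journal": None},
    "00:11": {"rsg": META, "pool": 1, "journal": None},
    "00:12": {"rsg": META, "pool": None, "journal": None},
    "00:20": {"rsg": "RSG_DivisionA", "pool": None, "journal": 0},
    "00:21": {"rsg": "RSG_DivisionA", "pool": None, "journal": 0},
    "00:30": {"rsg": "RSG_DivisionB", "pool": None, "journal": None},
}


def validate_change(action, group, selected, ldevs=None):
    """Return the rule violations for one add/remove request (empty list = OK)."""
    ldevs = LDEVS if ldevs is None else ldevs
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    if group == META:
        return [f"no resource can be added to or removed from {META}"]

    known = set(ldevs)
    selected = set(selected)
    errors = [f"{ldev}: unknown LDEV" for ldev in sorted(selected - known)]
    selected &= known

    # Additions come only from meta_resource; removals only from the edited group.
    source = META if action == "add" else group
    for ldev in sorted(selected):
        if ldevs[ldev]["rsg"] != source:
            errors.append(f"{ldev}: is in {ldevs[ldev]['rsg']}, expected {source}")

    # LDEVs sharing a pool ID or journal ID must be selected together.
    for kind in ("pool", "journal"):
        members = defaultdict(set)
        for ldev, info in ldevs.items():
            if info[kind] is not None:  # an ID of 0 must not read as "no journal"
                members[info[kind]].add(ldev)
        for ident, siblings in sorted(members.items()):
            if siblings & selected and not siblings <= selected:
                rest = ", ".join(sorted(siblings - selected))
                errors.append(f"{kind} {ident}: also select {rest}")
    return errors


if __name__ == "__main__":
    requests = [
        ("add", "RSG_DivisionA", ["00:10"]),            # splits pool 1
        ("add", "RSG_DivisionA", ["00:10", "00:11"]),   # whole pool, accepted
        ("remove", "RSG_DivisionA", ["00:20"]),         # partial journal removal
        ("add", "RSG_DivisionA", ["00:30"]),            # not in meta_resource
    ]
    for action, group, selected in requests:
        print(action, group, selected, "->", validate_change(action, group, selected) or "OK")
```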

Deleting resource groups

You can delete a resource group only when the resource group does not contain any resources and is not assigned to any user groups.

The following resource groups cannot be deleted:

  • meta_resource
  • A resource group that is assigned to a user group
  • A resource group that has resources assigned to it
  • Resource groups included in different resource groups cannot be removed at the same time.

Before you begin

The Security Administrator (View & Modify) role is required to perform this task.

Procedure

  1. In the Explorer pane, expand the Storage Systems tree, click the Administration tab, and then select Resource Groups.

  2. Click the check box of a Resource Group Name.

  3. Click Delete Resource Groups.

  4. Enter a task name or accept the default, and then click Submit.

    If you select View task status, the Tasks & Alerts tab opens.

Unlocking a user account

A user account is automatically locked after three unsuccessful login attempts to Device Manager - Storage Navigator or Command Control Interface. The account is locked for 60 seconds. If necessary, you can release the locked status before the lock times out.

Before you begin

You must have the Security Administrator (View & Modify) role to perform this task.

Procedure

  1. In the Administration tree, select User Groups.

  2. On the User Groups tab, click a user group to which the locked-out user belongs.

  3. On the User tab, select the user you want to unlock.

  4. On the User tab, click More Actions > Release Lockout.

    The Release Lockout window opens.
  5. Specify a task name, and then click Apply.