Managing resource groups
You can divide a provisioned storage system into resource groups that allow you to manage the storage system as multiple virtual private storage systems. Configuring resource groups involves creating resource groups, moving storage system resources into the resource groups, and assigning resource groups to user groups.
For information on creating user groups and adding users, see Managing users and user groups.
About resource groups
A storage system can connect to multiple hosts and be shared by multiple divisions in a company or by multiple companies. Many storage administrators from different organizations can access the storage system. Managing the entire storage system can become complex and difficult. Potential problems are that private data might be accessed by other users, or a volume in one organization might be accidentally destroyed by a storage administrator in another organization.
To avoid such problems, use Hitachi Resource Partition Manager software to set up resource groups that allow you to manage one storage system as multiple virtual private storage systems. The storage administrator in each resource group can access only their assigned resources. Resource groups prevent the risk of data leakage or data destruction by another storage administrator in another resource group.
The following resources can be assigned to resource groups.
- LDEV IDs
- Parity groups
- External volumes
- Ports
Before you create LDEVs, you can reserve the desired number of LDEV IDs and assign them to a resource group for future use.
The meta_resource group is the resource group consisting of the resources that exist on the storage system (other than external volumes) before Resource Partition Manager is installed. By default, all existing resources initially belong to the meta_resource group to ensure compatibility with older software when a system is upgraded to include Resource Partition Manager.
When a task is being processed on a resource, all of the resource groups assigned to the logged-on user are locked for exclusive access. When a resource is locked, a status indicator appears on the
Device Manager - Storage Navigator status bar. To view information about the locked resource, click
Resource Locked.
Resource access requirements for Device Manager - Storage Navigator operations
When you log on to Device Manager - Storage Navigator, your user access privileges determine the resources you can view and the operations you can perform. User access privileges are determined by the user groups to which a user belongs and the resources assigned to those user groups. To perform an operation on the storage system, you must have access to the resources (for example, volumes, pools, ports) that are required for the operation.
These tables specify the resource access requirements for Device Manager - Storage Navigator operations.
Access requirements for Data Retention Utility
This table specifies the resource access requirements for Data Retention Utility operations.
|
Operation name |
Condition |
|
Set access attributes |
The specified LDEV must be assigned to users. |
Access requirements for Dynamic Provisioning and Dynamic Tiering
This table specifies the resource access requirements for Dynamic Provisioning and Dynamic Tiering operations.
|
Operation name |
Condition |
|
Create LDEVs |
If DP-VOLs are created, these items must be assigned to the Storage Administrator group that is permitted to manage them.
|
|
Delete LDEVs |
If DP-VOLs are deleted, these items must be assigned to the Storage Administrator group that is permitted to manage them.
|
|
Create pools Expand pools |
Volumes to be specified as pool-VOLs must be assigned to the Storage Administrator group permitted to manage them. All the volumes that are specified when creating a pool must belong to the same resource group. |
|
Edit pools Delete pools |
Pool-VOLs of the specified pool must be assigned to the Storage Administrator group permitted to manage them. |
|
Expand V-VOLs |
You can expand only the DP-VOLs that are assigned to the Storage Administrator group permitted to manage them. |
|
Reclaim zero pages Stop reclaiming zero pages |
You can reclaim or stop reclaiming zero pages only for the DP-VOLs that are assigned to the Storage Administrator group permitted to manage them. |
Access requirements for Encryption License Key
This table specifies the resource access requirements for Encryption License Key operations.
|
Operation name |
Condition |
|
Edit encryption keys |
When you specify a parity group and open the Edit Encryption window, the specified parity group and LDEVs carved from the parity group must be assigned to the Storage Administrator group permitted to manage them. When you open the Edit Encryption window without specifying a parity group, more than one parity group and LDEVs carved from the parity group must be assigned to the Storage Administrator group permitted to manage them. |
Access requirements for Performance Monitor
This table specifies the resource access requirements for Performance Monitor operations.
|
Operation name |
Condition |
|
Add to ports |
The specified ports must be assigned to the Storage Administrator group permitted to manage them. |
|
Add new monitored WWNs | |
|
Edit WWNs |
Access requirements for
This table specifies the resource access requirements for operations.
|
Operation name |
Condition |
|
Edit Ports |
Specified ports must be assigned to the user. |
|
Add Remote Connection |
Specified ports must be assigned to the user. |
|
Edit Remote Connection Options |
Operation can be performed with no conditions. |
|
Create Pairs |
Primary volumes must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
|
Split Pairs |
Specified primary volumes or secondary volumes must be assigned to the user. |
|
Resync Pairs |
Primary volumes must be assigned to the user. |
|
Delete Pairs |
Specified volumes must be assigned to the user. If primary volumes are specified, the ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
|
Edit Pair Options |
Primary volumes must be assigned to the user. |
|
Add Remote Paths |
Specified ports must be assigned to the user. |
|
Remove Remote Paths |
Specified ports must be assigned to the user. |
|
Edit Remote Connection Options |
Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
|
Remove Remote Connections |
Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
|
Force Delete Pairs |
Specified primary volumes or secondary volumes must be assigned to the user. |
Access requirements for
This table specifies the resource access requirements for operations.
|
Operation name |
Condition |
|
Edit Ports |
Specified ports must be assigned to the user. |
|
Add Remote Connection |
Specified ports must be assigned to the user. |
|
Add Remote Paths |
Specified ports must be assigned to the user. |
|
Create Journals |
All LDEVs that are specified when creating a journal must belong to the same resource group. Volumes to be assigned to a journal must be assigned to the user. |
|
Assign Journal Volumes |
Volumes to be assigned to a journal must be assigned to the user. All volumes to be assigned to a journal must belong to a same resource group to which the existing journal volumes belong. |
|
Assign MP Unit |
Journal volumes must be assigned to the user. |
|
Edit Remote Connection Options |
Operation can be performed with no conditions. |
|
Create Pairs |
Journal volumes for pair volumes and primary volumes must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
|
Split Pairs |
Specified primary volumes or secondary volumes must be assigned to the user. |
|
Split Mirrors |
All data volumes configured to a mirror must be assigned to the user. |
|
Resync Pairs |
Primary volumes must be assigned to the user. |
|
Resync Mirrors |
All data volumes configured to a mirror must be assigned to the user. |
|
Delete Pairs |
Specified volumes or secondary volume must be assigned to the user. Ports of remote paths that are connected with the primary volume in the remote storage must be assigned to the user. |
|
Delete Mirrors |
All data volumes configured to a mirror must be assigned to the user. |
|
Edit Pair Options |
Primary volumes must be assigned to the user. |
|
Force Delete Pairs |
Specified volumes must be assigned to the user. |
|
Edit Journal Options |
All data volumes consisting of the specified journal must be assigned to the user. Journal volumes must be assigned to the user. |
|
Edit Mirror Options |
All data volumes configuring the specified journal must be assigned to the user. Journal volumes must be assigned to the user. |
|
Remove Journals |
Journal volumes must be assigned to the user. |
|
Edit Remote Connection Options |
Ports of remote paths that are connected to a specified remote storage must be assigned to the user. |
|
Remove Remote Paths |
Specified ports must be assigned to the user. |
|
Move LDEVs to other resource groups |
When you move LDEVs used for journal volumes to other resource groups, you must specify all the journal volumes of the journal to which the LDEVs belong. |
|
Assign Remote Command Devices |
Journal volumes must be assigned to the user. Specified remote command devices must be assigned to the user. |
|
Release Remote Command Devices |
Journal volumes must be assigned to the user. Specified remote command devices must be assigned to the user. |
Access requirements for Universal Volume Manager
This table specifies the resource access requirements for Universal Volume Manager operations.
|
Operation name |
Condition |
|
Add external volumes |
When creating an external volume, a volume is created in the resource group where the port belongs. When you specify a path group and open the Add External Volumes window, all the ports that compose the path group must be assigned to the Storage Administrator group permitted to manage them. |
|
Delete external volumes |
The specified external volume and all the LDEVs allocated to that external volume must be assigned to the Storage Administrator group permitted to manage them. |
|
Disconnect external storage systems |
All the external volumes belonging to the specified external storage system and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
|
Reconnect external storage systems |
All the external volumes belonging to the specified external storage system and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
|
Disconnect external volumes |
The specified external volumes and all the LDEVs allocated to those external volume must be assigned to the Storage Administrator group permitted to manage them. |
|
Reconnect external volumes |
The specified external volumes and all the LDEVs allocated to those external volumes must be assigned to the Storage Administrator group permitted to manage them. |
|
Edit external volumes |
The specified external volumes must be assigned to the Storage Administrator group permitted to manage them. |
|
Assign MP Unit |
The specified external volumes and all the ports of the external paths connecting the external volumes must be assigned to the Storage Administrator group permitted to manage them. |
|
Disconnect external paths |
Ports of the specified external paths and all the external volumes connecting with the external path must be assigned to the Storage Administrator group permitted to manage them. When you specify By Ports, all the external paths connecting with the specified ports and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By External WWNs, all the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. |
|
Reconnect external paths |
Ports of the specified external paths and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By Ports, all the external paths connecting with the specified ports and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. When you specify By External WWNs, all the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with those external paths must be assigned to the Storage Administrator group permitted to manage them. |
|
Edit external WWNs |
All the ports of the external paths connecting to the specified external WWN and all the external volumes connecting with the external paths must be assigned to the Storage Administrator group permitted to manage them. |
|
Edit external path configuration |
Ports of all the external paths composing the specified path group and all the external volumes that belong to the path group must be assigned to the Storage Administrator group permitted to manage them. |
Access requirements for
This table specifies the resource access requirements for operations.
|
Operation name |
Condition |
|
Create LDEVs |
When you specify a parity group and open the Create LDEVs window, the parity group must be assigned to the Storage Administrator group permitted to manage them. When you create an internal or external volumes, the parity groups to which the LDEVs belong and the IDs of the new LDEVs must be assigned to the Storage Administrator group permitted to manage them. |
|
Delete LDEVs |
When deleting an internal or external volume, the deleted LDEV and parity groups where the LDEV belongs must be assigned to the Storage Administrator group permitted to manage them. |
|
Edit LDEVs |
The specified LDEV must be assigned to the Storage Administrator group permitted to manage them. |
|
Restore LDEVs |
When you specify LDEVs and open the Restore LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Restore LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
|
Block LDEVs |
When you specify LDEVs and open the Block LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Block LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
|
Format LDEVs |
When you specify LDEV and open the Format LDEVs window, the specified LDEV must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Format LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
|
Delete Parity Groups |
When deleting a parity group, the parity group to be deleted must be assigned to the Storage Administrator group permitted to manage them. |
|
Format Parity Groups |
When you specify a parity group and open the Format Parity Groups window, the specified parity group must be assigned to the Storage Administrator group permitted to manage them. |
Access requirements for Virtual Partition Manager
This table specifies the resource access requirements for Virtual Partition Manager operations.
|
Operation name |
Condition |
|
Migrate parity groups |
When you specify virtual volumes, the specified LDEV must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group, the specified parity group must be assigned to the Storage Administrator group permitted to manage them. |
Access requirements for Volume Retention Manager
This table specifies the resource access requirements for Volume Retention Manager operations.
|
Operation name |
Condition |
|
Set access attributes |
The specified LDEV must be assigned to users. |
Access requirements for Volume Shredder
This table specifies the resource access requirements for Volume Shredder operations.
|
Operation name |
Condition |
|
Shred LDEVs |
When you specify LDEVs and open the Shred LDEVs window, the specified LDEVs must be assigned to the Storage Administrator group permitted to manage them. When you specify a parity group and open the Shred LDEVs window, the specified parity group and all the LDEVs in the parity group must be assigned to the Storage Administrator group permitted to manage them. |
Examples
The following examples illustrate how you can configure resource groups on your storage system.
Resource groups sharing a port
If you have a limited number of ports, you can still operate a storage system effectively by sharing ports using resource groups.
The following example shows the system configuration of an in-house division providing virtual private storage system for two divisions. Divisions A and B each use their own assigned parity group, but share a port between the two divisions. The shared port is managed by the system division.
The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.
The Security Administrator creates a resource group for managing the common resources, and the Storage Administrator in the system division manages the port that is shared between Divisions A and B. The Storage Administrators in Divisions A and B cannot manage the shared port belonging to the resource group for common resources management.
- The system division forms a plan about the resource group creation and assignment of the resources.
- The Security Administrator creates the resource groups.
- The Security Administrator creates the user groups.
- The Security Administrator assigns the resource groups to the user groups.
- The Storage Administrator in the system division sets a port.
- The Security Administrator assigns resources to the resource groups.
- The Security Administrator assigns the Storage Administrators to the appropriate user groups.
After the above procedures, the Storage Administrators in Divisions A and B can manage the resource groups assigned to their own division.
Resource groups not sharing ports
If you assign ports to each resource group without sharing, performance can be maintained on a different port even if the bulk of I/O is issued from one side port.
The following shows a system configuration example of an in-house system division providing the virtual private storage system for two divisions. Divisions A and B each use individual assigned ports and parity groups. In this example, they do not share a port.
The Security Administrator in the system division creates resource groups for each division in the storage system and assigns them to the respective divisions. The Storage Administrator in Division A can manage the resource groups for Division A but cannot access the resource groups for Division B. In the same manner, the Storage Administrator in Division B can manage the resource groups for Division B but cannot access the resource groups for Division A.
- The system division forms a plan about creating resource groups and the assigning resources to the groups.
- The Security Administrator creates the resource groups.
- The Security Administrator creates the user groups.
- The Security Administrator assigns the resource groups to user groups.
- The Storage Administrator in the system division sets ports.
- The Security Administrator assigns resources to the resource groups.
- The Security Administrator assigns each Storage Administrator to each user group.
After the above procedures, the Storage Administrators in Divisions A and B can access the resource groups allocated to their own division.
Resource group assignments
All resource groups are normally assigned to the Security Administrator and the Audit Log Administrator.
Each resource group has a designated Storage Administrator who can access only their assigned resources and cannot access other resources.
All resource groups to which all resources in the storage system belong can be assigned to a user group. Configure this in Device Manager - Storage Navigator by setting All Resource Groups Assigned to Yes.
A user who has All Resource Groups Assigned set to Yes can access all resources in the storage system. For example, if a user is a Security Administrator (with View & Modify privileges) and a Storage Administrator (with View and Modify privileges) and All Resource Groups Assigned is Yes on that user account, the user can edit the storage for all the resources.
If allowing this access becomes a problem with security on the storage system, then register the following two user accounts and use these different accounts for different purposes.
- A user account for a Security Administrator where All Resource Groups Assigned is set to Yes.
- A user account for a Storage Administrator who does not have all resource groups assigned and has only some of the resource groups assigned.
Resource group rules, restrictions, and guidelines
- The maximum number of resource groups that can be created on a storage system is 1023.
If you are providing a virtual private storage system to different companies, you should not share parity groups, external volumes, or pools if you want to limit the capacity that can be used by each user. When parity groups, external volumes, or pools are shared between multiple users, and if one user uses too much capacity of the shared resource, the other users might not be able to create an LDEV.
Creating resource groups
When you create a resource group, you enter a name and assign the desired resources (parity groups, LDEVs, ports, host groups, and iSCSI targets) to the new group. You can create more than one resource group at a time.
Before you begin
You must have Security Administrator (View & Modify) role to perform this task.
Procedure
In the Explorer pane, expand the Storage Systems tree, click the Administration tab, and then select Resource Groups.
In the Explorer pane, expand the Storage Systems tree, and then click the Administration tab.
Select Resource Groups, and then click Create Resource Groups.
In the Create Resource Groups window, enter the name for the new group, select the desired resources for the new group, and click Add to add the new group to list of resource groups to be added.
Naming guidelines:
- A resource group name can use alphanumeric characters, spaces, and the following symbols: ! # $ % & ' ( ) + - . = @ [ ] ^ _ ` { } ~
- The characters in a resource group name are case-sensitive.
- Duplicate occurrences of the same name are not allowed.
-
You cannot use the following names:
meta_resource
Repeat the previous step for each new resource group to be added. If you need to remove a group from the list of resource groups to be added, select the group, and click Remove.
NoteThe maximum number of resource groups that can be created on a storage system is 1023.When you are finished configuring new resource groups in the Create Resource Groups window, click Next.
Enter a task name or accept the default, and then click Submit.
If you select View task status, the Tasks & Alerts tab opens.
Adding resources to a resource group
You can add resources to, remove resources from, and rename existing resource groups.
Note the following restrictions for editing resource groups:
- Only resources allocated to meta_resource can be added to resource groups.
- Resources removed from a resource group are returned to meta_resource.
- No resource can be added to or removed from meta_resource.
- The name of the meta_resource group cannot be changed or used for any resource group other than the meta_resource group.
- The system does not allow duplicate names.
- LDEVs with the same pool ID or journal ID cannot be added to multiple resource groups or partially removed from a resource group. For example, if two LDEVs belong to the same pool, you must allocate both to the same resource group. You cannot allocate them separately.
You cannot partially remove LDEVs with the same pool ID or journal ID from a resource group. If LDEV1 and LDEV2 belong to the same pool, you cannot remove LDEV1 leave only LDEV2 in the resource group.
Use the sort function to sort the LDEVs by pool ID or journal ID. Then select the IDs and add or remove them all at once.
- Host groups that belong to the initiator port cannot be added to a resource group.
-
To add or delete DP pool volumes, you must first add or delete DP pools.
Before you begin
You must have Security Administrator (View & Modify) role to perform this task.
Procedure
In the Explorer pane, click the Administration tab, and then select Resource Groups.
Select the desired resource group (check the box next to the name of the resource group) to display the resource information for the resource group.
- To change the name of the selected resource group, click Edit Resource Group, and enter the new name.
- To add resources to the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, click Add Resources, and follow the instructions on the Add Resources window.
- To remove resources from the selected resource group, select the Parity Groups, LDEVs, Ports, or Host Groups / iSCSI Targets tab, select the resources to be removed, and then click Remove Resources.
Enter a task name or accept the default, and then click Submit.
If you select View task status, the Tasks & Alerts tab opens.
Deleting resource groups
You can delete a resource group only when the resource group does not contain any resources and is not assigned to any user groups.
The following resource groups cannot be deleted:
meta_resource- A resource group that is assigned to a user group
- A resource group that has resources assigned to it
- Resource groups included in different resource groups cannot be removed at the same time.
Before you begin
The Security Administrator (View & Modify) role is required to perform this task.
Procedure
In the Explorer pane, expand the Storage Systems tree, click the Administration tab, select Resource Groups.
Click the check box of a Resource Group Name.
Click Delete Resource Groups.
Enter a task name or accept the default, and then click Submit.
If you select View task status, the Tasks & Alerts tab opens.