User management and access control
You can manage users and control access to storage system resources. To perform operations on storage system resources, users must have the appropriate roles (execution permissions) and access permissions for the resources on which the operations are to be performed. Before using the REST API, users with the required roles and access permissions must be created. You must create resource and user groups, assign permissions, and create users before users can perform storage system operations.
Overview of user management and access control
To perform operations on storage system resources, users must have the appropriate roles (execution permissions) and access permissions for the resources on which the operations are to be performed. Before using the REST API, users with the required roles and access permissions must be created.
For storage systems, resource groups and user groups are used to manage the roles and access permissions of users.
Resource group
Resource groups are used to classify and manage resources in the storage system. Only users who have access permissions for a resource group can perform operations on the resources (such as parity groups, LDEVs, and ports) that are added to that resource group.
User group
User groups are used to group users who have the same roles and access permissions for the resources in the storage system. To specify the operations that users in a user group can perform, assign a role to the user group. To specify the resources that the users in a user group can access, assign a resource group to the user group.
Role
Roles are execution permissions for resources. Roles are already set up, and the operations that users of each role can perform on resources are already defined. For details on the roles required to run a particular API request, see the description on that API request.
Users whose accounts were created by using the maintenance utility or Hitachi Device Manager - Storage Navigator can also execute REST API requests. If you want to use other storage management software to create user accounts that can execute REST API requests, specify the user IDs and passwords in accordance with the rules for the REST API.
If you are using Hitachi Device Manager - Storage Navigator, any users, user groups, and resource groups that were created by using the REST API can also be used from Hitachi Device Manager - Storage Navigator.
For details about user management and access control for storage systems, see the System Administrator Guide.
If a user uses the REST API to lock the resources of a storage system, operations on users, user groups, or resource groups can no longer be performed. In such a case, unlock the resources before performing these operations.
Workflow for user management and access control
This section describes the workflow for creating users who will perform operations on storage systems and for setting access permissions for the resources necessary for those operations.
When using the REST API to create a user, specify a user group to which the user will belong. Assign, in advance, resource groups and roles to the user group based on the types of resources on which the users in that user group can operate and the operation permissions of users in that user group.
The following figure shows the workflow for specifying user and access control settings. If you are using the meta_resource group or built-in user group, you do not need to configure the resource group or the user group.
Set resource groups
Create a resource group, and then add resources such as parity groups, LDEVs, and ports. Group resources by business or organization into units for controlling access.
Set user groups
Create a user group. Assign resource groups and roles based on the types of resources on which the users in that user group can operate and the operation permissions of users in that user group.
Set users
Create a user. Specify the user group to which the user will belong, and then add the user to that user group. The user then can use the resources in the resource groups assigned to the user group according to the assigned roles.
Input rules for user IDs and passwords
When creating users who will perform operations on storage systems from the REST API, specify user IDs and passwords consisting of the characters described in the following table.
If you want to include symbols in a request body, be sure to escape the symbols as required for JSON format.
Item | Number of characters | Specifiable characters
User ID | 1 to 63 characters | You can use the following characters.
Password | 6 to 63 characters | You can use the following characters.
- When creating a user account that will not be used for the REST API but will be used for other products such as Storage Navigator, you can use the following number of characters in the userId and userPassword attributes of the API function for creating a user account, and in the userPassword attribute of the API function for changing the password of the user.
  - The userId attribute: 1 to 256 characters
  - The userPassword attribute: 6 to 256 characters
- If you use Storage Navigator or another product to create a user account whose password includes a double quotation mark ("), you can use that user account to run the REST API. However, you cannot use the REST API to create a user account whose password includes a double quotation mark or to change a password to one that includes a double quotation mark.
Getting a list of resource groups
The following request gets information about resource groups registered in the storage system. You can also use a query parameter to get information about only certain resources of interest.
- For this API request and the API request for getting global-active device pair information, you can run a maximum of two concurrent API requests for each storage system. HTTP status code 503 will be returned for any unaccepted requests. In such cases, wait a while, and then run the applicable API requests again.
- To run this API request at the same time as one of the following API requests, see the notes on the number of concurrent executions of the applicable API request:
  - API request for getting volume information
  - API request for getting port information (when executed with detailInfoType=logins specified in the query)
  - API request for getting information about host groups or iSCSI targets
  - API request for getting a list of external path groups
  - API request for getting information about a specific external path group
Storage Administrator (View Only)
GET base-URL/v1/objects/resource-groups
Object ID
None.
Query parameters
To filter execution results:
Parameter | Type | Filter condition
lockStatus | string | (Optional) Lock status of the resource group. Locked: Gets information about the locked resource groups. Unlocked: Gets information about the unlocked resource groups.
To get information about only certain types of resources in resource groups:
If you try to get information for a large number of resource groups, processing might take a long time. You can reduce the request processing time by using the following query parameter to get information about only certain resources of interest.
Parameter | Type | Filter condition
attributes | string | (Optional) Type of resource for which information is to be obtained. Information will be obtained about only resources corresponding to the specified attributes. To specify multiple attributes, separate the attributes by using commas. You can use this parameter in combination with the lockStatus parameter.
- ldevIds: LDEV numbers
- parityGroupIds: Parity group numbers
- externalParityGroupIds: External parity group numbers
- portIds: Port numbers
- hostGroupIds: Object IDs of host groups or iSCSI targets
If this parameter is omitted, information will be obtained about all of the attributes listed above.
Information about attributes other than those listed above will be obtained regardless of the specification of this parameter.
The following are examples of how to specify these query parameters in various situations.
To get the LDEV numbers of locked resource groups:
?lockStatus=Locked&attributes=ldevIds
To get the port numbers, and the object IDs of host groups or iSCSI targets for all resource groups:
?attributes=portIds,hostGroupIds
Body
None.
Body
The following is an example of output when a request is run to get information about all types of resource groups:
{ "data": [ { "resourceGroupId": 4, "resourceGroupName": "devResourceGroup", "lockStatus": "Locked", "lockOwner": "devUser", "lockHost": "esx8061", "virtualStorageId": 0, "ldevIds": [ 12, 13 ], "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-5", "1-6" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] }, { "resourceGroupId": 5, "resourceGroupName": "sales_group_resource", "lockStatus": "Unlocked", "virtualStorageId": 0, "ldevIds": [ 32, 33 ], "parityGroupIds": [ "2-1", "2-2" ], "externalParityGroupIds": [ "1-7", "1-8" ], "portIds": [ "CL3-A" ], "hostGroupIds": [ "CL3-A,1", "CL3-A,2" ] } ] }
The following is an example of output when a request is run with the attributes query parameter specified, to get only information about port numbers and the object IDs of host groups or iSCSI targets:
{ "data": [ { "resourceGroupId": 4, "resourceGroupName": "devResourceGroup", "lockStatus": "Locked", "lockOwner": "devUser", "lockHost": "esx8061", "virtualStorageId": 0, "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] }, { "resourceGroupId": 5, "resourceGroupName": "sales_group_resource", "lockStatus": "Unlocked", "virtualStorageId": 0, "portIds": [ "CL3-A" ], "hostGroupIds": [ "CL3-A,1", "CL3-A,2" ] } ] }
Attribute | Type | Description
resourceGroupName | string | Resource group name
resourceGroupId | int | Resource group ID
lockStatus | string | Lock status of the resource group. Locked: The resource group is locked. Unlocked: The resource group is unlocked.
selfLock | boolean | Whether the session specified in the Authorization header locked the resource group. true: The specified session locked the resource group. false: Another session locked the resource group. This attribute is output if the resource group is locked by a session that was generated by the same user who runs the API.
lockOwner | string | User ID that locked the resource group. This attribute is not output if the resource group is unlocked.
lockHost | string | IP address or name of the host that locked the resource group. IP address or the host name of the GUM is output if the resource group has been locked by the REST API. This attribute is not output if the resource group is unlocked.
lockSessionId | int | Session ID that locked the resource group. This attribute is output only when the resource group is locked and when a user who belongs to the Administrator user group (built-in user group) runs the API.
virtualStorageId | int | ID of the virtual storage machine that corresponds to the resource group
ldevIds | int[] | LDEV number
parityGroupIds | string[] | Parity group number
externalParityGroupIds | string[] | External parity group number
portIds | string[] | Port number
hostGroupIds | string[] | Object ID of the host group or iSCSI target
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups
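The query parameters, the 503 behavior for unaccepted concurrent requests, and the lock attributes described above can be combined in a small client-side helper. This is an added example, not code from the product documentation: the `send` callable is a hypothetical transport that returns `(status, body)`, the retry count and delays are assumptions, and the sample response is constructed from the output shown above.

```python
import json
import time
from urllib.parse import urlencode

# Values accepted by the lockStatus and attributes query parameters (from the tables above).
LOCK_STATUSES = {"Locked", "Unlocked"}
ATTRIBUTES = {"ldevIds", "parityGroupIds", "externalParityGroupIds", "portIds", "hostGroupIds"}


def build_query(lock_status=None, attributes=()):
    """Return '' or '?...' for GET base-URL/v1/objects/resource-groups."""
    params = []
    if lock_status is not None:
        if lock_status not in LOCK_STATUSES:
            raise ValueError(f"lockStatus must be one of {sorted(LOCK_STATUSES)}")
        params.append(("lockStatus", lock_status))
    if attributes:
        unknown = [a for a in attributes if a not in ATTRIBUTES]
        if unknown:
            raise ValueError(f"unsupported attributes: {unknown}")
        # Multiple attributes are comma separated; keep the comma unescaped.
        params.append(("attributes", ",".join(attributes)))
    return "?" + urlencode(params, safe=",") if params else ""


def get_with_retry(send, url, attempts=4, delay=1.0, sleep=time.sleep):
    """Call send(url) -> (status, body); wait and retry only on HTTP 503."""
    for attempt in range(attempts):
        status, body = send(url)
        if status != 503:
            break
        if attempt < attempts - 1:
            sleep(delay * (2 ** attempt))  # assumed backoff: 1 s, 2 s, 4 s
    if status != 200:
        raise RuntimeError(f"GET {url} failed with HTTP {status}")
    return json.loads(body)


def lock_report(payload):
    """List (id, name, lockOwner, lockHost) for every locked resource group."""
    return [
        # lockOwner and lockHost are not output for unlocked groups, hence .get().
        (g["resourceGroupId"], g["resourceGroupName"], g.get("lockOwner"), g.get("lockHost"))
        for g in payload.get("data", [])
        if g.get("lockStatus") == "Locked"
    ]


# Constructed sample response, trimmed from the example output above.
SAMPLE_BODY = json.dumps({"data": [
    {"resourceGroupId": 4, "resourceGroupName": "devResourceGroup", "lockStatus": "Locked",
     "lockOwner": "devUser", "lockHost": "esx8061", "virtualStorageId": 0, "ldevIds": [12, 13]},
    {"resourceGroupId": 5, "resourceGroupName": "sales_group_resource",
     "lockStatus": "Unlocked", "virtualStorageId": 0, "ldevIds": [32, 33]},
]})


def flaky_send(failures):
    """Fake transport: answers 503 for the first `failures` calls, then 200."""
    calls = {"n": 0}

    def send(url):
        calls["n"] += 1
        return (503, "") if calls["n"] <= failures else (200, SAMPLE_BODY)

    send.calls = calls
    return send


def demo():
    base = "https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups"
    send = flaky_send(failures=2)
    payload = get_with_retry(send, base + build_query(attributes=["ldevIds"]),
                             sleep=lambda seconds: None)
    return send.calls["n"], lock_report(payload)


if __name__ == "__main__":
    print(demo())
```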
Getting information about a specific resource group
The following request gets information about the specified resource group. The obtained information can be used to check the lock status of a resource group, the user ID of the user who locked the resource group, or the name of the host that locked the resource group.
Storage Administrator (View Only)
GET base-URL/v1/objects/resource-groups/object-ID
Object ID
Specify the value of resourceGroupId that was obtained by the processing to get information about resource groups.
Attribute | Type | Description
resourceGroupId | int | (Required) Resource group ID. Specify a decimal (base 10) number in the range from 0 to 1023.
Query parameters
None.
Body
None.
Body
{ "resourceGroupId": 4, "resourceGroupName": "devResourceGroup", "lockStatus": "Locked", "lockOwner": "devUser", "lockHost": "esx8061", "virtualStorageId": 0, "ldevIds": [ 12, 13 ], "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-5", "1-6" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] }
Attribute | Type | Description
resourceGroupName | string | Resource group name
resourceGroupId | int | Resource group ID
lockStatus | string | Lock status of the resource group. Locked: The resource group is locked. Unlocked: The resource group is unlocked.
selfLock | boolean | Whether the resource group was locked by the session specified in the Authorization header. true: The specified session locked the resource group. false: Another session locked the resource group. This attribute is output when the resource group is locked by a session that was generated by the same user who runs the API.
lockOwner | string | User ID of the user who locked the resource group. This attribute is output only when the resource group is locked.
lockHost | string | Name of the host that locked the resource group. If the resource group was locked by the REST API, the host name of the GUM is output. This attribute is output only when the resource group is locked.
lockSessionId | int | Session ID of the session that locked the resource group. This attribute is output only when the resource group is locked and the API was run by a user who belongs to the Administrator user group (built-in user group).
virtualStorageId | int | ID of the virtual storage machine that corresponds to the resource group
ldevIds | int[] | LDEV number
parityGroupIds | string[] | Parity group number
externalParityGroupIds | string[] | External parity group number
portIds | string[] | Port number
hostGroupIds | string[] | Object ID of the host group or iSCSI target
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4
Creating a resource group
The following request creates resource groups. To add a resource group to a virtual storage machine, you must also specify the virtualStorageDeviceId attribute.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/resource-groups
Object ID
None.
Query parameters
None.
Body
{ "resourceGroupName":"devResourceGroup", "virtualStorageId":"2" }
Attribute | Type | Description
resourceGroupName | string | (Required) Resource group name. Specify a name consisting of 1 to 32 characters.
virtualStorageDeviceId | string | (Optional) Storage device ID of the virtual storage machine. This attribute cannot be specified at the same time as the virtualStorageId attribute. If this attribute is omitted, the default storage device ID (the same storage device ID as that of the target physical storage system) will be set.
virtualStorageId | int | (Optional) ID of the virtual storage machine that corresponds to the resource group. Specify a decimal (base 10) number in the range from 0 to 7. This attribute cannot be specified at the same time as the virtualStorageDeviceId attribute. If this attribute is omitted, 0 will be set.
Body
A job object is returned. For details on attributes other than affectedResources, see the description on job objects.
Attribute | Description
affectedResources | URL of the created resource group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X POST --data-binary @./InputParameters.json https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups
Adding a resource to a resource group
The following request adds resources to resource groups.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/resource-groups/object-ID/actions/add-resource/invoke
Object ID
Specify the value of resourceGroupId that was obtained by the processing to get information about resource groups.
Attribute | Type | Description
resourceGroupId | int | (Required) Resource group ID. Specify a decimal (base 10) number in the range from 1 to 1023.
Query parameters
None.
Body
The following coding example shows how to specify an LDEV number:
{ "parameters": { "ldevIds": [ 2, 3 ], "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-5", "1-6" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] } }
The following coding example shows how to specify a range of LDEV numbers:
{ "parameters": { "startLdevId": 2, "endLdevId": 5, "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-5", "1-6" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] } }
Attribute | Type | Description
parityGroupIds | string[] | (Optional) Parity group number
externalParityGroupIds | string[] | (Optional) External parity group number
portIds | string[] | (Optional) Port number
hostGroupIds | string[] | (Optional) Object ID of the host group or iSCSI target. Specify the value of hostGroupId that was obtained by the processing to get information about host groups or iSCSI targets.
ldevIds | int[] | (Optional) LDEV number. Specify a value in the range from 0 to 65279. If you specify this attribute, you cannot specify the startLdevId attribute or the endLdevId attribute.
startLdevId | int | (Optional) First LDEV number. When specifying a range of LDEVs, specify a value in the range from 0 to 65278. If you specify this attribute, you must also specify the endLdevId attribute. If you specify the ldevId attribute, you cannot specify this attribute.
endLdevId | int | (Optional) Last LDEV number. When specifying a range of LDEVs, specify a value in the range from 1 to 65279. If you specify this attribute, you must also specify the startLdevId attribute. If you specify the ldevId attribute, you cannot specify this attribute.
Body
A job object is returned. For details on attributes other than affectedResources, see the description on job objects.
Attribute | Description
affectedResources | URL of the resource group to which resources are added
GET base-URL/v1/objects/resource-groups/object-ID/actions/add-resource
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4/actions/add-resource
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4/actions/add-resource/invoke
Removing a resource from a resource group
The following request removes resources that are no longer necessary from resource groups.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/resource-groups/object-ID/actions/remove-resource/invoke
Object ID
Specify the value of resourceGroupId that was obtained by the processing to get information about resource groups.
Attribute | Type | Description
resourceGroupId | int | (Required) Resource group ID. Specify a decimal (base 10) number in the range from 1 to 1023.
Query parameters
None.
Body
The following coding example shows how to specify an LDEV number:
{ "parameters": { "ldevIds": [ 2, 3 ], "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-5", "1-6" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] } }
The following coding example shows how to specify a range of LDEV numbers:
{ "parameters": { "startLdevId": 2, "endLdevId": 5, "parityGroupIds": [ "1-1", "1-2" ], "externalParityGroupIds": [ "1-7", "1-8" ], "portIds": [ "CL1-A", "CL1-B" ], "hostGroupIds": [ "CL1-A,4", "CL1-A,5", "CL1-A,6" ] } }
Attribute | Type | Description
parityGroupIds | string[] | (Optional) Parity group number
externalParityGroupIds | string[] | (Optional) External parity group number
portIds | string[] | (Optional) Port number
hostGroupIds | string[] | (Optional) Object ID of the host group or iSCSI target. Specify the value of hostGroupId that was obtained by the processing to get information about host groups or iSCSI targets.
ldevIds | int[] | (Optional) LDEV number. Specify a value in the range from 0 to 65279. If you specify this attribute, you cannot specify the startLdevId attribute or the endLdevId attribute.
startLdevId | int | (Optional) First LDEV number. When specifying a range of LDEVs, specify a value in the range from 0 to 65278. If you specify this attribute, you must also specify the endLdevId attribute. If you specify the ldevId attribute, you cannot specify this attribute.
endLdevId | int | (Optional) Last LDEV number. When specifying a range of LDEVs, specify a value in the range from 1 to 65279. If you specify this attribute, you must also specify the startLdevId attribute. If you specify the ldevId attribute, you cannot specify this attribute.
Body
A job object is returned. For details on attributes other than affectedResources, see the description on job objects.
Attribute | Description
affectedResources | URL of the resource group from which resources were removed
GET base-URL/v1/objects/resource-groups/object-ID/actions/remove-resource
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4/actions/remove-resource
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4/actions/remove-resource/invoke
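The add-resource and remove-resource requests share the same body rules (ldevIds is mutually exclusive with the startLdevId/endLdevId pair, and each value has a fixed range), so a request body can be checked before it is written to InputParameters.json. The following is an added example, not code from the product documentation; the function names are hypothetical and the limits are the ones listed in the tables above.

```python
import json

# Attribute names and numeric limits are taken from the request tables above.
STRING_LIST_KEYS = ("parityGroupIds", "externalParityGroupIds", "portIds", "hostGroupIds")
LDEV_KEYS = ("ldevIds", "startLdevId", "endLdevId")
ACTIONS = ("add-resource", "remove-resource")


def check_int(name, value, low, high):
    # bool is a subclass of int in Python, so compare the exact type.
    if type(value) is not int or not low <= value <= high:
        raise ValueError(f"{name}: expected an integer from {low} to {high}, got {value!r}")


def build_resource_action(resource_group_id, action, **params):
    """Validate the parameters and return (request path, JSON request body)."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    # Both actions accept resource group IDs from 1 to 1023.
    check_int("resourceGroupId", resource_group_id, 1, 1023)

    unknown = sorted(set(params) - set(STRING_LIST_KEYS) - set(LDEV_KEYS))
    if unknown:
        raise ValueError(f"unknown attributes: {unknown}")

    has_list = "ldevIds" in params
    has_start = "startLdevId" in params
    has_end = "endLdevId" in params
    if has_list and (has_start or has_end):
        raise ValueError("ldevIds cannot be combined with startLdevId or endLdevId")
    if has_start != has_end:
        raise ValueError("startLdevId and endLdevId must be specified together")

    if has_list:
        if not isinstance(params["ldevIds"], list):
            raise ValueError("ldevIds: expected a list of integers")
        for ldev in params["ldevIds"]:
            check_int("ldevIds", ldev, 0, 65279)
    if has_start:
        check_int("startLdevId", params["startLdevId"], 0, 65278)
        check_int("endLdevId", params["endLdevId"], 1, 65279)

    for key in STRING_LIST_KEYS:
        values = params.get(key, [])
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{key}: expected a list of strings")

    path = f"/v1/objects/resource-groups/{resource_group_id}/actions/{action}/invoke"
    return path, json.dumps({"parameters": params})


if __name__ == "__main__":
    # Constructed input that mirrors the LDEV-range coding example above.
    print(build_resource_action(4, "add-resource", startLdevId=2, endLdevId=5,
                                portIds=["CL1-A", "CL1-B"]))
```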
Deleting a resource group
The following request deletes unnecessary resource groups.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
DELETE base-URL/v1/objects/resource-groups/object-ID
Object ID
Specify the value of resourceGroupId that was obtained by the processing to get information about resource groups.
Attribute | Type | Description
resourceGroupId | int | (Required) Resource group ID. Specify a decimal (base 10) number in the range from 1 to 1023.
Query parameters
None.
Body
None.
Body
A job object is returned. For details on attributes other than affectedResources, see the description on job objects.
Attribute | Description
affectedResources | URL of the deleted resource group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X DELETE https://192.0.2.100/ConfigurationManager/v1/objects/resource-groups/4
Getting a list of user groups
The following request gets a list of user groups registered in the target storage system.
Security Administrator (View Only)
GET base-URL/v1/objects/user-groups
Object ID
None.
Query parameters
None.
Body
None.
Body
{ "data": [ { "userGroupObjectId": "devGroup", "userGroupId": "devGroup", "roleNames": [ "Audit Log Administrator (View & Modify)" ], "resourceGroupIds": [ 1, 2, 3 ], "isBuiltIn": false, "hasAllResourceGroup": false }, { "userGroupObjectId": "adminGroup", "userGroupId": "adminGroup", "roleNames": [ "Audit Log Administrator (View & Modify)", "Security Administrator (View & Modify)", "Storage Administrator (Initial Configuration)", "Storage Administrator (Local Copy)", "Storage Administrator (Performance Management)", "Storage Administrator (Provisioning)", "Storage Administrator (Remote Copy)", "Storage Administrator (System Resource Management)" ], "isBuiltIn": false, "hasAllResourceGroup": true } ] }
Attribute | Type | Description
userGroupObjectId | string | The object ID for a user group ID. An encoded character string is output if the user group ID includes reserved characters defined in RFC 3986.
userGroupId | string | The user group ID
roleNames | string[] | The role name assigned to the user group
resourceGroupIds | int[] | The IDs of the resource groups assigned to the user group
isBuiltIn | boolean | Information about whether the user group is a built-in user group. true: A built-in user group. false: A user group created by a user.
hasAllResourceGroup | boolean | Information about whether all the resource groups are assigned to the target. true: All the resource groups are assigned. false: The specified resource groups are assigned.
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/user-groups
Getting information about a specific user group
The following request gets information about the specified user group.
Security Administrator (View Only)
GET base-URL/v1/objects/user-groups/object-ID
Object ID
Set the userGroupObjectId value obtained by getting the information about the user group.
Attribute | Type | Description
userGroupObjectId | string | (Required) The object ID for a user group ID. The object ID is case sensitive.
Query parameters
None.
Body
None.
Body
{ "userGroupObjectId": "devGroup", "userGroupId": "devGroup", "roleNames":[ "Security Administrator (View Only)" ], "resourceGroupIds": [ 1, 2, 3 ], "isBuiltIn":false, "hasAllResourceGroup":false }
Attribute | Type | Description
userGroupObjectId | string | The object ID for a user group ID. An encoded character string is output if the user group ID includes reserved characters defined in RFC 3986.
userGroupId | string | The user group ID
roleNames | string[] | The role name assigned to the user group
resourceGroupIds | int[] | The IDs of the resource groups assigned to the user group
isBuiltIn | boolean | Information about whether the user group is a built-in user group. true: A built-in user group. false: A user group created by a user.
hasAllResourceGroup | boolean | Information about whether all the resource groups are assigned to the target. true: All the resource groups are assigned. false: The specified resource groups are assigned.
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup
Creating a user group
The following request creates a user group and assigns an appropriate role and resource groups.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/user-groups
Object ID
None.
Query parameters
None.
Body
{ "userGroupId":"devGroup", "roleNames":[ "Storage Administrator (Provisioning)" ], "resourceGroupIds": [ 8, 9 ], "hasAllResourceGroup":false }
Attribute | Type | Description
userGroupId | string | (Required) The user group ID. Specify an ID consisting of 1 to 64 characters.
roleNames | string[] | (Required) The role name. Specify one or more of the following role names. The role names are case sensitive. If you specify multiple role names, delimit the names by commas.
- Audit Log Administrator (View & Modify)#
- Audit Log Administrator (View Only)#
- Security Administrator (View & Modify)#
- Security Administrator (View Only)#
- Storage Administrator (Initial Configuration)
- Storage Administrator (Local Copy)
- Storage Administrator (Performance Management)
- Storage Administrator (Provisioning)
- Storage Administrator (Remote Copy)
- Storage Administrator (System Resource Management)
- Storage Administrator (View Only)
- Support Personnel#
- User Maintenance#
#: If you specify this role, be sure to specify true for hasAllResourceGroup.
resourceGroupIds | int[] | (Optional) The resource group IDs. Specify one or more decimal (base 10) numbers within the range of 0 to 1023. If you specify multiple IDs, delimit the IDs by commas. This cannot be specified if the hasAllResourceGroup attribute is true.
hasAllResourceGroup | boolean | (Required) Information about whether all the resource groups are assigned to the target. If the roles specified for roleNames include any of the following roles, be sure to specify true for this attribute.
- Audit Log Administrator (View & Modify)
- Audit Log Administrator (View Only)
- Security Administrator (View & Modify)
- Security Administrator (View Only)
- Support Personnel
- User Maintenance
If the roles specified for roleNames do not include any of these roles, be sure to specify false for this attribute.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute | Description
affectedResources | URL of the created user group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X POST --data-binary @./InputParameters.json https://192.0.2.100/ConfigurationManager/v1/objects/user-groups
Changing the user group settings
The following request sets a user group ID and a role of the specified user group.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
PATCH base-URL/v1/objects/user-groups/object-ID
Object ID
Set the userGroupObjectId value obtained by getting the information about the user group.
Attribute | Type | Description
userGroupObjectId | string | (Required) The object ID for a user group ID. The object ID is case sensitive.
Query parameters
None.
Body
The following coding example shows how to change the user group ID:
{ "userGroupId":"adminGroup" }
The following coding example shows how to change a role:
{ "roleNames":[ "Storage Administrator (Provisioning)", "Storage Administrator (Local Copy)" ] }
Only one attribute can be specified in one request.
Attribute | Type | Description
userGroupId | string | (Optional) The user group ID. Specify an ID consisting of 1 to 64 characters.
hasAllResourceGroup | boolean | (Optional) Information about whether all the resource groups are assigned to the target. If the roles specified for roleNames include any of the following roles, be sure to specify true for this attribute.
- Audit Log Administrator (View & Modify)
- Audit Log Administrator (View Only)
- Security Administrator (View & Modify)
- Security Administrator (View Only)
- Support Personnel
- User Maintenance
If the roles specified for roleNames do not include any of these roles, be sure to specify false for this attribute.
roleNames | string[] | (Optional) The role name. Specify one or more of the following role names. The role names are case sensitive. If you specify multiple role names, delimit the names by commas.
- Audit Log Administrator (View & Modify)#
- Audit Log Administrator (View Only)#
- Security Administrator (View & Modify)#
- Security Administrator (View Only)#
- Storage Administrator (Initial Configuration)
- Storage Administrator (Local Copy)
- Storage Administrator (Performance Management)
- Storage Administrator (Provisioning)
- Storage Administrator (Remote Copy)
- Storage Administrator (System Resource Management)
- Storage Administrator (View Only)
- Support Personnel#
- User Maintenance#
#: If you specify this role, be sure to specify true for hasAllResourceGroup.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user group on which settings are changed
None.
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X PATCH --data-binary @./InputParameters.json https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup
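The rules above (one attribute per PATCH request, case-sensitive role names, and the link between the roles marked # and hasAllResourceGroup) can be checked before a request is sent. The following Python sketch is an added example, not part of the product documentation or the REST API; the function names are hypothetical and the role lists are copied from the roleNames table above.

```python
# Role names are copied from the roleNames table on this page. Roles in
# ALL_RG_ROLES carry the "#" mark there: they need hasAllResourceGroup=true.
ALL_RG_ROLES = frozenset({
    "Audit Log Administrator (View & Modify)",
    "Audit Log Administrator (View Only)",
    "Security Administrator (View & Modify)",
    "Security Administrator (View Only)",
    "Support Personnel",
    "User Maintenance",
})
SCOPED_ROLES = frozenset({
    "Storage Administrator (Initial Configuration)",
    "Storage Administrator (Local Copy)",
    "Storage Administrator (Performance Management)",
    "Storage Administrator (Provisioning)",
    "Storage Administrator (Remote Copy)",
    "Storage Administrator (System Resource Management)",
    "Storage Administrator (View Only)",
})
PATCH_ATTRS = ("userGroupId", "hasAllResourceGroup", "roleNames")


def check_roles(roles):
    """Return errors for a roleNames value; matching is case sensitive."""
    if not isinstance(roles, list) or not roles:
        return ["roleNames must be a non-empty list of role names"]
    known = ALL_RG_ROLES | SCOPED_ROLES
    return [f"unknown role name: {r!r}" for r in roles
            if not (isinstance(r, str) and r in known)]


def required_has_all(roles):
    """hasAllResourceGroup value that the page requires for these roles."""
    return any(r in ALL_RG_ROLES for r in roles)


def check_role_assignment(roles, has_all_resource_group):
    """Check roleNames and hasAllResourceGroup against each other."""
    errors = check_roles(roles)
    if not isinstance(has_all_resource_group, bool):
        errors.append("hasAllResourceGroup must be true or false")
    elif not errors and has_all_resource_group != required_has_all(roles):
        want = str(required_has_all(roles)).lower()
        errors.append(f"hasAllResourceGroup must be {want} for these roles")
    return errors


def check_patch_body(body):
    """Validate a user group PATCH body: exactly one attribute per request."""
    if len(body) != 1 or next(iter(body)) not in PATCH_ATTRS:
        return ["specify exactly one of: " + ", ".join(PATCH_ATTRS)]
    key, value = next(iter(body.items()))
    if key == "userGroupId":
        ok = isinstance(value, str) and 1 <= len(value) <= 64
        return [] if ok else ["userGroupId must be 1 to 64 characters"]
    if key == "roleNames":
        return check_roles(value)
    if isinstance(value, bool):
        return []
    return ["hasAllResourceGroup must be true or false"]
```

An empty list means the body passes these checks; the storage system still performs its own validation.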
Assigning resource groups to a user group
The following request assigns resource groups to a created user group.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/user-groups/object-ID/actions/add-resource-group/invoke
Object ID
Set the userGroupObjectId value obtained by getting the information about the user group.
Attribute (Type): Description
userGroupObjectId (string): (Required) The object ID for a user group ID. The object ID is case sensitive.
Query parameters
None.
Body
{ "parameters": { "resourceGroupIds": [ 1, 2 ] } }
Attribute (Type): Description
resourceGroupIds (int[]): (Required) The resource group IDs. Specify one or more decimal (base 10) numbers within the range of 0 to 1023. If you specify multiple IDs, delimit the IDs by commas.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user group to which resource groups are assigned
GET base-URL/v1/objects/user-groups/object-ID/actions/add-resource-group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup/actions/add-resource-group
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup/actions/add-resource-group/invoke
Releasing resource groups assigned to a user group
The following request releases resource groups assigned to a user group.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/user-groups/object-ID/actions/remove-resource-group/invoke
Object ID
Set the userGroupObjectId value obtained by getting information about the user group.
Attribute (Type): Description
userGroupObjectId (string): (Required) The object ID for a user group ID. The object ID is case sensitive.
Query parameters
None.
Body
{ "parameters": { "resourceGroupIds": [ 1, 2 ] } }
Attribute (Type): Description
resourceGroupIds (int[]): (Required) The resource group IDs. Specify one or more decimal (base 10) numbers within the range of 0 to 1023. If you specify multiple IDs, delimit the IDs by commas.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user group where assignment of resource groups is released
GET base-URL/v1/objects/user-groups/object-ID/actions/remove-resource-group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup/actions/remove-resource-group
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup/actions/remove-resource-group/invoke
Deleting a user group
The following request deletes an unneeded user group. The request cannot delete a user group if the user group is assigned to a user.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
DELETE base-URL/v1/objects/user-groups/object-ID
Object ID
Set the userGroupObjectId value obtained by getting the information about the user group.
Attribute (Type): Description
userGroupObjectId (string): (Required) The object ID for a user group ID. The object ID is case sensitive.
Query parameters
None.
Body
None.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the deleted user group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X DELETE https://192.0.2.100/ConfigurationManager/v1/objects/user-groups/devGroup
Getting a list of users
The following request gets a list of user information registered on the target storage system.
Security Administrator (View Only)
GET base-URL/v1/objects/users
Object ID
None.
Query parameters
None.
Body
None.
Body
{ "data": [ { "userObjectId": "devUser", "userId": "devUser", "authentication": "local", "userGroupNames": [ "Audit Log Administrator (View Only) User Group", "Storage Administrator (View & Modify) User Group" ], "isBuiltIn": false, "isAccountStatus": true }, { "userObjectId": "adminUser", "userId": "adminUser", "authentication": "local", "userGroupNames": [ "Administrator User Group" ], "isBuiltIn": false, "isAccountStatus": true } ] }
Attribute (Type): Description
userObjectId (string): Object ID of the user ID. If the user ID contains a reserved character defined in RFC 3986, the encoded character string is output.
userId (string): User ID
userGroupNames (string[]): User group name
isBuiltIn (boolean): Whether the user account is built-in
- true: Indicates a built-in user account
- false: Indicates that the account is created by the user
isAccountStatus (boolean): Status of the user account
- true: The user account is valid
- false: The user account is invalid
authentication (string): Set authentication
- local: Authorized by the storage system
- external: Authorized by the external authentication server
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/users
Getting information about a specific user
The following request gets information about the specified user.
Security Administrator (View Only)
GET base-URL/v1/objects/users/object-ID
Object ID
Specify the userObjectId value obtained by getting information about the user.
Attribute (Type): Description
userObjectId (string): (Required) Object ID of the user ID. The name is case sensitive.
Query parameters
None.
Body
None.
Body
{ "userObjectId": "devUser", "userId": "devUser", "authentication": "local", "userGroupNames": [ "Audit Log Administrator (View Only) User Group", "Storage Administrator (View & Modify) User Group" ], "isBuiltIn": false, "isAccountStatus": true }
Attribute (Type): Description
userObjectId (string): Object ID of the user ID. If the user ID contains a reserved character defined in RFC 3986, the encoded character string is output.
userId (string): User ID
userGroupNames (string[]): User group name
isBuiltIn (boolean): Whether the user account is built-in
- true: Indicates a built-in user account
- false: Indicates that the account is created by the user
isAccountStatus (boolean): Status of the user account
- true: The user account is valid
- false: The user account is invalid
authentication (string): Set authentication
- local: Authorized by the storage system
- external: Authorized by the external authentication server
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser
Creating a user account
The following request creates a user account and assigns the user to user groups where appropriate permissions are specified. User accounts created by using the REST API can be used in Hitachi Device Manager - Storage Navigator.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/users
Object ID
None.
Query parameters
None.
Body
{ "userId": "devUser", "authentication": "local", "userPassword":"devPassword", "userGroupNames": [ "Audit Log Administrator (View Only) User Group", "Storage Administrator (View & Modify) User Group" ] }
Attribute (Type): Description
userId (string): (Required) User ID. For details about the number of characters that can be specified for user IDs and the characters that can be used, see the description about input rules for user IDs and passwords.
userPassword (string): (Optional) Password. The password cannot be specified if the authentication attribute is external. For details about the number of characters that can be specified for passwords and the characters that can be used, see the description about input rules for user IDs and passwords.
userGroupNames (string[]): (Required) User group name. Specify a name consisting of 1 to 64 characters. You can specify up to 8 group names.
authentication (string): (Required) Set authentication
- local: Authorized by the storage system
- external: Authorized by the external authentication server
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the created user
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X POST --data-binary @./InputParameters.json https://192.0.2.100/ConfigurationManager/v1/objects/users/
Changing the password of the user
The following request changes the password of a user account that performs operations on the storage system resources. The password cannot be changed for the user who is authorized by the external authentication server.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
PATCH base-URL/v1/objects/users/object-ID
Object ID
Specify the userObjectId value obtained by getting information about the user.
Attribute (Type): Description
userObjectId (string): (Required) Object ID of the user ID. The name is case sensitive.
Query parameters
None.
Body
{ "userPassword":"userPass" }
Attribute (Type): Description
userPassword (string): (Required) New password. For details about the number of characters that can be specified for passwords and the characters that can be used, see the description about input rules for user IDs and passwords.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user whose password was changed
None.
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X PATCH --data-binary @./InputParameters.json https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser
Adding users to user groups
To add a user to a user group, assign the user group to the user object.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/users/object-ID/actions/add-user-group/invoke
Object ID
Specify the userObjectId value obtained by getting information about the user.
Attribute (Type): Description
userObjectId (string): (Required) Object ID of the user ID. The name is case sensitive.
Query parameters
None.
Body
{ "parameters": { "userGroupNames": [ "System User Group" ] } }
Attribute (Type): Description
userGroupNames (string[]): (Required) User group name. Specify a name consisting of 1 to 64 characters.
One user can belong to a maximum of You can specify up to 8 user groups.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user who was added to the user group
GET base-URL/v1/objects/users/object-ID/actions/add-user-group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser/actions/add-user-group
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser/actions/add-user-group/invoke
Removing users from user groups
To remove a user from a user group, specify the user group that is associated with that user, and then release that user group from the user object. If only one user group is associated with a particular user, the user cannot be removed from that user group.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
POST base-URL/v1/objects/users/object-ID/actions/remove-user-group/invoke
Object ID
Specify the userObjectId value obtained by getting information about the user.
Attribute (Type): Description
userObjectId (string): (Required) Object ID of the user ID. The name is case sensitive.
Query parameters
None.
Body
{ "parameters": { "userGroupNames": [ "System User Group" ] } }
Attribute (Type): Description
userGroupNames (string[]): (Required) User group name. Specify a name consisting of 1 to 64 characters.
One user can belong to a maximum of You can specify up to 8 user groups.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the user who was removed from the user group
GET base-URL/v1/objects/users/object-ID/actions/remove-user-group
For details on the status codes of the request for this operation, see the description on HTTP status codes.
To get an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X GET https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser/actions/remove-user-group
To run the request after getting an action template:
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" --data-binary @./InputParameters.json -X POST https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser/actions/remove-user-group/invoke
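Because a user cannot be removed from their only user group, replacing a user's groups takes an ordered mix of add-user-group and remove-user-group requests. The following Python sketch is an added example, not part of the product documentation: the function names and group names are hypothetical, and it assumes the "up to 8" limit on this page is a cap on how many groups one user can hold.

```python
MAX_GROUPS = 8  # assumption: the page's "up to 8" read as a membership cap


def _body(names):
    """Request body shape used by add-user-group and remove-user-group."""
    return {"parameters": {"userGroupNames": names}}


def plan_membership_change(current, desired):
    """Return ordered (action, body) steps that turn current into desired.

    current is the userGroupNames list from the user information response.
    Membership stays between 1 and MAX_GROUPS after every step.
    """
    cur = list(dict.fromkeys(current))   # de-duplicate, keep order
    want = list(dict.fromkeys(desired))
    if not cur:
        raise ValueError("current membership must not be empty")
    if not 1 <= len(want) <= MAX_GROUPS:
        raise ValueError(f"desired membership must hold 1 to {MAX_GROUPS} groups")
    for name in want:
        if not isinstance(name, str) or not 1 <= len(name) <= 64:
            raise ValueError(f"group name must be 1 to 64 characters: {name!r}")
    to_add = [g for g in want if g not in cur]
    to_remove = [g for g in cur if g not in want]
    steps, size = [], len(cur)
    while to_add or to_remove:
        room = MAX_GROUPS - size
        if to_add and room:
            # Add first whenever there is room, so removals never empty the user.
            batch, to_add = to_add[:room], to_add[room:]
            steps.append(("add-user-group", _body(batch)))
            size += len(batch)
        else:
            # While additions are pending, keep at least one group assigned.
            n = len(to_remove) if not to_add else min(len(to_remove), size - 1)
            batch, to_remove = to_remove[:n], to_remove[n:]
            steps.append(("remove-user-group", _body(batch)))
            size -= len(batch)
    return steps


def simulate(current, steps):
    """Replay steps locally and enforce the 1..MAX_GROUPS bound after each."""
    groups = list(dict.fromkeys(current))
    for action, body in steps:
        names = body["parameters"]["userGroupNames"]
        if action == "add-user-group":
            groups += [n for n in names if n not in groups]
        else:
            groups = [g for g in groups if g not in names]
        if not 1 <= len(groups) <= MAX_GROUPS:
            raise AssertionError(f"{action} leaves {len(groups)} groups")
    return groups
```

Each step's action is the path segment to use in POST base-URL/v1/objects/users/object-ID/actions/<action>/invoke, and its body is the request body.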
Deleting a user account
The following request deletes unnecessary user accounts. Built-in user accounts of the storage system cannot be deleted.
If you locked any resources of the target storage system by using the REST API, you will not be able to use this API function. In such cases, unlock the resources before running the API function.
Security Administrator (View & Modify)
DELETE base-URL/v1/objects/users/object-ID
Object ID
Specify the userObjectId value obtained by getting information about the user.
Attribute (Type): Description
userObjectId (string): (Required) Object ID of the user ID. The name is case sensitive.
Query parameters
None.
Body
None.
Body
A job object is returned. For details on attributes other than affectedResources, see the section explaining job objects.
Attribute: Description
affectedResources: URL of the deleted user account
For details on the status codes of the request for this operation, see the description on HTTP status codes.
curl -v -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization:Session d7b673af189048468c5af9bcf3bbbb6f" -X DELETE https://192.0.2.100/ConfigurationManager/v1/objects/users/devUser