Hitachi Vantara Knowledge

Setting up user accounts and permissions

Use the maintenance utility to create and manage user accounts for Storage Advisor Embedded.

User accounts and permissions

You can set up a user account for using Storage Advisor Embedded and managing a storage system.

A user's operating permissions are set based on the role assigned to the user group to which the user belongs.

To use Storage Advisor Embedded to manage a storage system, you need to register the user in both the Administrator user group and the Maintenance user group (both are built-in user groups).

Even if a user account was created by using another management tool, such as the storage system REST API, the account can be used in Storage Advisor Embedded if registered in a user group to which all of the following roles have been assigned:

  • Storage Administrator (Initial Configuration)
  • Storage Administrator (Provisioning)
  • Storage Administrator (Local Copy)
  • User Maintenance

Creating user accounts

You can create a user and assign that user to one or more of the available user groups, depending on what the user needs to accomplish in Storage Advisor Embedded.

Before you begin

Obtain the following information:

  • User name

    Specify a value consisting of 1 to 63 characters, using only the following characters:

    Alphanumeric characters and symbols

    ! # $ % & ' * + - . / = ? @ ^ _ ` { | } ~

  • Password

    Specify a value consisting of 6 to 63 characters, using only the following characters:

    Alphanumeric characters and printable ASCII symbols, excluding the space character

    ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

Procedure

  1. In the navigation bar, click the Settings icon, and then select User Administration.

  2. In the maintenance utility, click Create User.

  3. Specify the required information to create a user account.

    Select Administrator User Group and Maintenance User Group as the user groups.

    Note

    To check the roles set for a user group, click the name of the user group and select the Roles tab.

  4. In the maintenance utility, click Log Out.

  5. Log in to Storage Advisor Embedded by using the newly created user account.

Modifying user accounts

You can modify the passwords of user accounts, or the user groups that user accounts belong to.

  1. In the navigation bar, click the Settings icon, and then select User Administration.

  2. In the maintenance utility, click the user group name.

  3. Select the user account that you want to modify, and then click Edit.

  4. Specify the required information.

    Note

    To check the roles set for a user group, click the name of the user group and select the Roles tab.

  5. In the maintenance utility, click Log Out.

  6. Confirm that you can log in to Storage Advisor Embedded by using the revised user account.

Removing user accounts

You can remove user accounts.

  1. In the navigation bar, click the Settings icon, and then select User Administration.

  2. In the maintenance utility, click the user group name.

  3. Select the user that you want to remove, and then click Remove.

  4. In the maintenance utility, click Log Out.

Using external authentication

You can select whether to use authentication and authorization servers for each user account by enabling the external authentication setting. An LDAP directory server can be used as an authentication server.

Enabling external authentication

You can set up external authentication using an LDAP directory server.

Before you begin

Ensure that the following requirements are met:
  • The authentication server must support TLS 1.2 as the transfer protocol.
  • Make sure the LDAP directory server is connected to the management LAN.
  • Contact the administrator of the LDAP directory server to obtain the server certificate.
  • The authentication server protocol must be LDAPv3 simple bind authentication.
  • The certificate file must be a CA (Certification Authority) root certificate.
  • The certificate file format must be X.509 DER or X.509 PEM.
  • When searching for servers by using the information registered in the SRV record on the DNS server:
    • The DNS server setting must be completed on the LDAP server.
    • The host name, port number, domain name, and other parameters of the LDAP directory server must be registered on the DNS server.
  • Make sure the authentication server is configured with the user groups defined in the maintenance utility, and that external users are assigned to those user groups.
    • If you do not create user accounts in the maintenance utility, the authentication server allocates user groups to users; configure the same user group name on both the storage system and the authentication server.
    • If you create user accounts in the maintenance utility, users are authenticated by the authentication server, but user groups are allocated to users based on the configuration in the maintenance utility.
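Before starting the procedure, you can confirm the requirements above (TLS 1.2, trust anchored only in the CA root certificate in DER or PEM form, and LDAPv3 simple bind as the search user) from a management host with the following added Python example. It is not Hitachi Vantara's code and not part of the maintenance utility; it covers LDAP over SSL/TLS only (not STARTTLS), and the host name, port, certificate path, search user DN and password are placeholders that you supply.

```python
import socket
import ssl
# Added example, not Hitachi Vantara's code: LDAPv3 simple bind over LDAP over SSL/TLS,
# BER-encoded by hand so that only the standard library is needed.

def ber(tag: int, payload: bytes) -> bytes:
    """Tag + BER length (short form below 128, long form otherwise) + payload."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    body = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, body))

def tlv(buf: bytes, i: int):
    """Decode one BER tag and length at offset i -> (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                      # long form: next n octets hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def bind_result_code(resp: bytes) -> int:
    """resultCode of a BindResponse: 0 is success, 49 (invalidCredentials) is a bad DN or password."""
    _, i, _ = tlv(resp, 0)                 # LDAPMessage SEQUENCE
    _, _, i = tlv(resp, i)                 # skip messageID
    tag, i, _ = tlv(resp, i)               # BindResponse [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, i, j = tlv(resp, i)                 # resultCode ENUMERATED
    return int.from_bytes(resp[i:j], "big")

def tls_context(ca_path: str) -> ssl.SSLContext:
    """Trust only the CA root certificate (DER or PEM), require TLS 1.2+, check the host name."""
    data = open(ca_path, "rb").read()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cadata=data.decode() if data.startswith(b"-----") else data)
    return ctx

def check_ldaps_bind(host: str, port: int, ca_path: str, search_dn: str, password: str) -> int:
    """Return the bind resultCode; ssl.SSLError means the certificate or TLS version check failed."""
    with socket.create_connection((host, port), timeout=10) as raw:   # 10 s, the page's default
        with tls_context(ca_path).wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, search_dn, password))
            return bind_result_code(tls.recv(4096))
```

Run it as `check_ldaps_bind("ldap.example.com", 636, "ca-root.pem", "cn=search-user,dc=example,dc=com", "search-password")` with your own values; a result of 0 corresponds to a successful Server Configuration Test in the maintenance utility.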

Procedure

  1. Log in to the maintenance utility.

  2. Click Administration > External Authentication > Set Up Server > LDAP.

  3. Complete the entries in the Set Up Server (LDAP) settings window. For details about each item, refer to the following table.

  4. Confirm the settings, and then click Apply.

Set Up Server (LDAP) settings

  Certificate File Name (Required)

    Specify a certificate file. Click Browse to select the file. The following formats are supported:

    • X.509 DER
    • X.509 PEM

  DNS Lookup (Required)

    Select how the authentication and authorization server is specified.

    • Enable: Specifies the authentication and authorization server by using the SRV records on the DNS server.
    • Disable: Specifies the authentication and authorization server by using a host name or IP address.

  Authentication Protocol (Required)

    Select the LDAP protocol. The following protocols can be used:

    • LDAP over SSL/TLS
    • STARTTLS

    If you select Enable in DNS Lookup, you cannot select LDAP over SSL/TLS.

  External User Group Mapping

    Choose whether to also use the specified LDAP directory server as an authorization server.

    • Enable: Uses the LDAP directory server as an authorization server.
    • Disable: Does not use the LDAP directory server as an authorization server.

  Primary Server - Host Name (Required)

    Enter the host name or IP address of the LDAP directory server. Enter the same host name or IP address as the common name of the root certificate.

    If you select Enable in DNS Lookup, this item does not need to be specified.

  Primary Server - Port Number (Required)

    Enter the port number of the LDAP directory server.

    If you select Enable in DNS Lookup, this item does not need to be specified.

  Primary Server - Domain Name (Required)

    Enter the domain name of the LDAP directory tree.

  Primary Server - User Name Attribute (Required)

    Enter the name of the attribute that holds the user ID used for authentication.

    • Usable characters: Alphanumeric characters and symbols (! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~)
    • Hierarchical model: Specify the attribute whose value identifies a user.
    • Flat model: Specify the attribute used for the RDN of a user entry.

  Primary Server - Timeout (Required)

    Enter the time, in seconds, after which a connection attempt to the LDAP directory server is treated as timed out. The recommended value of 10 seconds is also the default.

  Primary Server - Retry Interval (Required)

    Enter the retry interval, in seconds, used when communication with the LDAP directory server fails. The recommended value of 1 second is also the default.

  Primary Server - Number of Retries (Required)

    Enter the number of retries when communication with the LDAP directory server fails. The recommended value of 3 is also the default.

  Primary Server - Base DN (Required)

    Enter the base DN under which users to authenticate are searched for.

    • Usable characters: Alphanumeric characters and all symbols.
    • Hierarchical model: Enter the DN of a hierarchy that includes all of the users to be searched for.
    • Flat model: Enter the DN of the hierarchy one level above the users to be searched for.

    To use symbols such as ( + ; , < = > etc.), enter a backslash ( \ ) before each symbol as an escape sequence.

    For the following three symbols ( \ / " ), enter a backslash ( \ ) followed by the ASCII code of the symbol in hex:

    • Enter \5c for \
    • Enter \2f for /
    • Enter \22 for "

  Primary Server - Search User's DN (Required)

    Specify the DN of the user account used for searching.

    Usable characters: Alphanumeric characters and all symbols.

    Required if you specify sAMAccountName in Primary Server - User Name Attribute, or if you select Enable in External User Group Mapping.

    Escape symbols in the same way as described for Primary Server - Base DN: a backslash ( \ ) before symbols such as ( + ; , < = > etc.), and \5c, \2f and \22 for \, / and " respectively.

  Primary Server - Password (Required)

    Enter the password of the user account used for searching. Enter the same password that is registered in the LDAP directory server.

    Usable characters: Alphanumeric characters and symbols (! # $ % & ' ( ) * + - . = @ \ ^ _ |)

    Required if you specify sAMAccountName in Primary Server - User Name Attribute, or if you select Enable in External User Group Mapping.

  Primary Server - Re-enter Password (Required)

    Re-enter the password entered in Primary Server - Password.

  Secondary Server

    Select whether to use a secondary server.

    • Enable: Uses the secondary server.
    • Disable: Does not use the secondary server.

    If you select Enable in DNS Lookup, this item does not need to be specified.

  Secondary Server - Host Name

    Enter the host name or IP address of the secondary server. Enter the same host name or IP address as the common name of the root certificate.

    If you select Disable in Secondary Server, this item does not need to be specified.

  Secondary Server - Port Number

    Enter the port number of the secondary server.

    If you select Disable in Secondary Server, this item does not need to be specified.

  Test User Name (Required to test the configuration)

    Enter a user name for the Server Configuration Test.

    Usable characters: Alphanumeric characters and symbols (! # $ % & ' * + - . / = ? @ ^ _ ` { | } ~)

  Test User Name - Password (Required to test the configuration)

    Enter the password of the user name for the Server Configuration Test.

    Usable characters: Alphanumeric characters and symbols (! # $ % & ' * + - . / = ? @ ^ _ ` { | } ~)

  Server Configuration Test

    Click Check to test the connection to the authentication and authorization server based on the specified settings.

  Server Configuration Test - Result

    Displays the result of the connection test for the authentication and authorization server.
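The escape rules for Primary Server - Base DN and Primary Server - Search User's DN are easy to get wrong by hand, so here is an added Python example (not Hitachi Vantara's code) that escapes attribute values and assembles the DN to enter. It assumes the rules apply to attribute values only, not to the = and , that separate attributes and RDNs, and the OU name in the sample is constructed.

```python
# Added example, not Hitachi Vantara's code: apply the table's escape rules
# to DN attribute values before entering them in the maintenance utility.

BACKSLASH_ESCAPED = set("+;,<=>")                        # prefix each with a backslash
HEX_ESCAPED = {"\\": "\\5c", "/": "\\2f", '"': "\\22"}  # backslash + ASCII code in hex

def escape_dn_value(value: str) -> str:
    """Escape one attribute value (the part after '=' in an RDN).
    Assumption: the '=' and ',' that structure the DN are left unescaped."""
    out = []
    for ch in value:
        if ch in HEX_ESCAPED:
            out.append(HEX_ESCAPED[ch])
        elif ch in BACKSLASH_ESCAPED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns) -> str:
    """Join (attribute, value) pairs, most specific first, into a DN string."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)

# Constructed sample: an OU whose name contains a comma, quotes and a slash.
BASE_DN = build_dn([("ou", 'Storage Admins, "West"/East'), ("dc", "example"), ("dc", "com")])
```

For the sample above, BASE_DN is the string to paste into Primary Server - Base DN; the same function produces the Search User's DN from its own RDNs.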

Disabling external authentication

You can disable the external authentication server using the maintenance utility.

  1. Log in to the maintenance utility.

  2. Click Administration > External Authentication > Set Up Server > Disable.

  3. When the confirmation window appears, click Apply.

  4. When the completion message appears, click Close.