Managing users

A user's operation privilege is determined by the roles set for the user group to which the user belongs. For example, only a user who belongs to a user group having the VpsSecurity role can create users. Ask a system administrator to create initial user groups and users that have the VpsSecurity role.

The only operation a user who is created can perform initially is to change the password. After changing the password, the user can perform any operations allowed for the given role. Ask a system administrator about password policies.

A user can be registered for more than one user group.

You can create new user groups.

The following table lists the roles and available operations. Create users according to the system operation guidelines.

No role-based execution restriction is applied to the following operations:

• Verifying, creating, and deleting your own session

• Obtaining a message to be displayed in the GUI login window and in

• Obtaining versions of APIs

• Obtaining information about individual jobs

• Obtaining information about storage cluster master (primary)

• Obtaining information about control ports and internode ports

• Network settings for the storage cluster

• Storage cluster time settings

• Obtaining your own user information

• Changing your own password

• A user who has the VpsSecurity, VpsStorage, or VpsMonitor role can perform the following operations:

  • Obtaining volume information

  • Obtaining S-VOL and P-VOL information

  • Obtaining compute node information

  • Obtaining compute node initiator information

  • Obtaining compute node path information

  • Obtaining volumes and compute node connection information

  • Obtaining compute port information

  • Obtaining storage node network settings

To perform a storage cluster operation through a REST API, for example, send an authentication request to Virtual Storage Software block with credentials specified in the Authorization header for the request header.

Virtual Storage Software block supports three authentication methods: basic authentication, session authentication, and ticket authentication.

In basic authentication, a user ID and a password are used as credentials. In basic authentication, authentication is performed for each request.

In session authentication, a token is used as credentials, and authentication can be omitted for a period of time. Therefore, session authentication is useful in application-based automatic operations. A token is obtained by running a REST API or CLI for generating a session. For how to generate a token, see Generating a session.

The settings that are applied to user authentication are called user authentication settings. User authentication settings contain password complexity, password expiration time, lockout, and session parameters. System administrators set those values and VPS administrators can obtain them. See Editing user authentication settings.

When linkage with an external authentication server is configured by the system administrator, authentication can be performed by using the user information registered in the external authentication server. Only an OpenLDAP or Active Directory (AD) external authentication server can be linked.