Chapter 6. Security
6.2 User access security
6.2.3 Managing users with XCLI
This section summarizes the XCLI commands and options available to manage users and their roles, user groups, and the hosts associated with those groups.
Table 6-2 on page 135 shows the various commands and a brief description for each command. The table also indicates the user role required to issue specific commands.
Table 6-2 XCLI access control commands
Adding users with the XCLI
To perform the following steps, the XCLI component must be installed on the management workstation, and a storageadmin user is required. The following examples assume a Windows-based management workstation.
1. Open a Windows command prompt and execute the command XCLI -L to see the registered managed systems. In Example 6-1, there are two IBM XIV Storage Subsystems registered. The configuration is saved with the serial number as the system name.
Example 6-1 XCLI List managed systems
C:\>xcli -L
System   Managements IPs
MN00050  9.155.56.100, 9.155.56.101, 9.155.56.102
1300203  9.155.56.58, 9.155.56.56, 9.155.56.57
Command                 Description                                                                                                  Role required to use command
access_define           Defines an association between a user group and a host.                                                      storageadmin
access_delete           Deletes an access control definition.                                                                        storageadmin
access_list             Lists access control definitions.                                                                            storageadmin, readonly, and applicationadmin
user_define             Defines a new user.                                                                                          storageadmin
user_delete             Deletes a user.                                                                                              storageadmin
user_group_add_user     Adds a user to a user group.                                                                                 storageadmin
user_group_create       Creates a user group.                                                                                        storageadmin
user_group_delete       Deletes a user group.                                                                                        storageadmin
user_group_list         Lists all user groups or a specific one.                                                                     storageadmin, readonly, and applicationadmin
user_group_remove_user  Removes a user from a user group.                                                                            storageadmin
user_group_rename       Renames a user group.                                                                                        storageadmin
user_list               Lists all users or a specific user.                                                                          storageadmin, readonly, and applicationadmin
user_rename             Renames a user.                                                                                              storageadmin
user_update             Updates a user. You can update the password, Access_all or Full_access, e-mail, area code, or phone number.  technician, storageadmin, and applicationadmin
Example 6-2 XCLI state_list
C:\>xcli -c 1300203 -u admin -p adminadmin state_list
Command completed successfully
system_state   off_type=off   safe_mode=no   shutdown_reason=No Shutdown   system_state=on   target_state=on
3. XCLI commands are grouped into categories. The help command can be used to get a list of all commands related to the category accesscontrol. Refer to Example 6-3.
Example 6-3 XCLI help
C:\>xcli -c 1300203 -u admin -p adminadmin help category=accesscontrol
Category       Name                    Description
accesscontrol  access_define           Associate a user group and a host.
accesscontrol  access_delete           Deletes an access control definition.
accesscontrol  access_list             Lists access control definitions.
accesscontrol  user_define             Defines a new user.
accesscontrol  user_delete             Deletes a user.
accesscontrol  user_group_add_user     Adds a user to a user group.
accesscontrol  user_group_create       Creates a user group.
accesscontrol  user_group_delete       Deletes a user group.
accesscontrol  user_group_list         Lists all user groups or a specific one.
accesscontrol  user_group_remove_user  Removes a user from a user group.
accesscontrol  user_group_rename       Renames a user group.
accesscontrol  user_list               Lists all users or a specific user.
accesscontrol  user_rename             Renames a user.
accesscontrol  user_update             Updates a user.
4. Use the user_list command to obtain the list of predefined users and roles (categories) as shown in Example 6-4. This example assumes that no users, other than the default users, have been added to the system.
Example 6-4 XCLI user_list
C:\>xcli -c 1300203 -u admin -p adminadmin user_list
Name             Category          Group/EmailAddress/AreaCode/Phone/AccessAll
xiv_development  xiv_development
xiv_maintenance  xiv_maintenance
admin            storageadmin
technician       technician
5. If this is a new system, you must change the default passwords for obvious security reasons. Use the user_update command as shown in Example 6-5 for the user technician.
Example 6-5 XCLI user_update
C:\>xcli -c 1300203 -u admin -p adminadmin user_update user=technician password=d0ItNOW password_verify=d0ItNOW
Command completed successfully
6. Adding a new user is straightforward as shown in Example 6-6. A user is defined by a unique name, password, and role (designated here as category).
Example 6-6 XCLI user_define
C:\>xcli -c 1300203 -u admin -p adminadmin user_define user=adm_itso02 password=wr1teFASTER password_verify=wr1teFASTER category=storageadmin
Command completed successfully
7. Example 6-7 shows a quick test to verify that the new user can log on.
Example 6-7 XCLI user_list
C:\>xcli -c 1300203 -u adm_itso02 -p wr1teFASTER user_list
Name             Category
xiv_development  xiv_development
xiv_maintenance  xiv_maintenance
admin            storageadmin
technician       technician
adm_itso02       storageadmin
Defining user groups with the XCLI
To use the XCLI to define user groups:
1. Use the user_group_create command as shown in Example 6-8 to create a user group called EXCHANGE_CLUSTER_01.
Example 6-8 XCLI user_group_create
C:\>xcli -c 1300203 -u adm_itso02 -p wr1teFASTER user_group_create user_group=EXCHANGE_CLUSTER_01
Command completed successfully
2. The user group EXCHANGE_CLUSTER_01 is empty and has no associated host. The next step is to associate a host or cluster. In Example 6-9, user group EXCHANGE_CLUSTER_01 is associated to EXCHANGE_CLUSTER_MAINZ.
Example 6-9 XCLI access_define
C:\>xcli -c 1300203 -u adm_itso02 -p wr1teFASTER access_define user_group="EXCHANGE_CLUSTER_01" cluster="EXCHANGE_CLUSTER_MAINZ"
Command completed successfully
3. A host has been assigned to the user group. The user group still does not have any users included. In Example 6-10 on page 137, we add the first user.
Example 6-10 XCLI user_group_add_user
C:\>xcli -c 1300203 -u adm_itso02 -p wr1teFASTER user_group_add_user user_group="EXCHANGE_CLUSTER_01" user="adm_mike02"
Command completed successfully
4. The user adm_mike02 has been assigned to the user group EXCHANGE_CLUSTER_01. You can verify the assignment by using the XCLI user_list command as shown in Example 6-11.
Note: Avoid spaces in user group names. If spaces are required, the group name must be
Example 6-11 XCLI user_list
C:\>xcli -c 1300203 -u adm_itso02 -p wr1teFASTER user_list
Name             Category          Group                Access All
xiv_development  xiv_development
xiv_maintenance  xiv_maintenance
admin            storageadmin
technician       technician
adm_itso02       storageadmin
adm_mike02       applicationadmin  EXCHANGE_CLUSTER_01  no
The user adm_mike02 is an applicationadmin with the Full Access right set to no. This user can now perform snapshots of the EXCHANGE_CLUSTER_01 volumes.
Because the user group EXCHANGE_CLUSTER_01 is associated with only one cluster (or host), adm_mike02 is only allowed to map those snapshots to that same cluster. This is not useful in practice and is not supported in most cases: most servers (operating systems) cannot handle two disks with the same metadata being mapped to the system. To prevent issues on the server, the snapshot must be mapped to a different host than the one to which the master volume is mapped.
Therefore, to make things practical, a user group is typically associated to more than one host.
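After working through the steps above, a storageadmin typically wants to re-check who holds which rights. The following Python script is an added example (not from the Redbook or the XCLI product): it parses user_list output laid out as in Example 6-11, using the header line to locate the columns so that an empty Group cell does not shift the Access All value, and reports the accounts worth reviewing; the sample text is constructed and the audit rules are assumptions based on the role behaviour described in this section.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, aligned like the user_list output in Example 6-11.
SAMPLE_USER_LIST = """\
Name             Category          Group                Access All
xiv_development  xiv_development
xiv_maintenance  xiv_maintenance
admin            storageadmin
technician       technician
adm_itso02       storageadmin
adm_mike02       applicationadmin  EXCHANGE_CLUSTER_01  no
"""

@dataclass
class XivUser:
    name: str
    category: str                      # role: storageadmin, applicationadmin, ...
    group: Optional[str] = None        # user group (applicationadmin only)
    access_all: Optional[str] = None   # Full Access flag, "yes" or "no"

def parse_user_list(text: str) -> List[XivUser]:
    """Slice each row at the column offsets taken from the header line, so an
    empty Group cell cannot shift the Access All value the way split() would."""
    header, *rows = text.splitlines()
    starts = [header.index(col) for col in ("Name", "Category", "Group", "Access All")]
    bounds = list(zip(starts, starts[1:] + [None]))
    users = []
    for row in rows:
        if row.strip():                                # skip blank lines
            cells = [row[a:b].strip() or None for a, b in bounds]
            users.append(XivUser(*cells))
    return users

def audit(users: List[XivUser]) -> Dict[str, List[str]]:
    """Findings to review after adding users or groups (assumed checks)."""
    app = [u for u in users if u.category == "applicationadmin"]
    return {
        # storageadmin accounts hold full management rights: review each one
        "storageadmins": [u.name for u in users if u.category == "storageadmin"],
        # Access All = yes bypasses the user-group/host scoping shown above
        "applicationadmin_full_access": [u.name for u in app if u.access_all == "yes"],
        # no group and no Full Access: the account cannot act on any host
        "applicationadmin_no_group": [
            u.name for u in app if not u.group and u.access_all != "yes"],
    }

if __name__ == "__main__":
    for finding, names in audit(parse_user_list(SAMPLE_USER_LIST)).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```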