• The setting operations that affect the security of the whole system must be done by the administrator.
• The setting operations on the resource group 10 must be done by user A.
• The setting operations on the resource group 20 must be done by user B.
To implement the above configuration, assign the users to the user groups as shown below.
Table 4-1 User registration example

User          | User group to be registered | Roles to be assigned to the user group  | Resource group to be assigned to user group
Administrator | user group 1                | Security Administrator (View & Modify)  | All Resource Groups Assigned (1)
User A        | user group 10               | Storage Administrator (2)               | Resource group 10
User B        | user group 20               | Storage Administrator (2)               | Resource group 20

Notes:
1. For the user group that is assigned the Security Administrator role, All Resource Groups Assigned is automatically set to Yes.
2. There are a few types of storage administrators. See Table 4-2 Roles, Permissions, and Capabilities on page 4-8 for more information.
Caution: When multiple user groups are assigned to a user, the user has the permissions of all the roles in each user group that are enabled on the resource groups assigned to each user group.
Roles
The following table shows all the roles that are available for use and the permissions that each role provides to the users. You cannot create a custom role.
Table 4-2 Roles, Permissions, and Capabilities
Role (Permissions): Capabilities

Security Administrator (View Only)
• Viewing information about user accounts and encryption settings
• Viewing information about encryption key in the key management server

Security Administrator (View & Modify)
• Configuring user accounts
• Creating encryption keys and configuring encryption settings
• Viewing and switching where encryption keys are generated
• Backing up and restoring encryption keys
• Deleting encryption keys backed up in the key management server
• Viewing and changing the password policy for backing up encryption keys on the Storage Navigator computer
• Connection to the external server
• Backing up and restoring connection configuration to the external server
• Configuring the certificate used for the SSL communication
• Configuring the fibre channel authentication (FC-SP)
• Configuring resource groups

Audit log Administrator (View Only)
• Viewing audit log information and downloading audit logs

Audit log Administrator (View & Modify)
• Configuring audit log settings and downloading audit logs

Storage Administrator (View Only)
• Viewing storage system information

Storage Administrator (all permissions - initial configuration)
• Configuring settings for storage systems
• Configuring settings for SNMP
• Configuring settings for e-mail notification
• Configuring settings for license keys
• Viewing, deleting, and downloading storage configuration reports
• Acquiring all the information about the storage system and refreshing Storage Navigator window by clicking [Refresh All]

Storage Administrator (System Resource Management)
• Configuring settings for CLPR
• Configuring settings for MP Blade
• Deleting tasks and releasing exclusive locks of resources
• Completing SIMs
• Configuring attributes for ports
• Configuring LUN security
• Configuring Server Priority Manager
• Configuring tiering policies
• Remote copy operations in general*

Storage Administrator (Provisioning)
• Configuring caches
• Configuring LDEVs, pools, and virtual volumes
• Formatting and shredding LDEVs
• Configuring external volumes
• Configuring Dynamic Provisioning
• Configuring LUSE
• Configuring host groups, paths, and WWN
• Configuring Volume Migration except splitting Volume Migration pairs when using CCI
• Configuring access attributes for LDEVs
• Configuring LUN security
• TrueCopy and High Availability Manager operations in general*

Storage Administrator (Performance Management)
• Configuring monitoring
• Starting and stopping monitoring

Storage Administrator (Local Copy)
• Performing pair operations for local copy
• Configuring environmental settings for local copy
• Splitting Volume Migration pairs when using CCI

Storage Administrator (Remote Copy)
• Remote copy operations in general*

Support Personnel (View & Modify)
• Configuring SVP
• Normally, this role is for a Hitachi Vantara service representative.
• Downloading dump files using the FD Dump tool.
Notes:
* Remote copy operations from Storage Navigator require all of the following roles:
For TrueCopy or High Availability Manager:
• Storage Administrator (System Resource Management) role
• Storage Administrator (Provisioning) role
• Storage Administrator (Remote Copy) role
For Universal Replicator:
• Storage Administrator (System Resource Management) role
• Storage Administrator (Remote Copy) role
Note: Normally, the Support Personnel role is assigned to a Hitachi Vantara service representative, but if the role is assigned to a user account, dump files can be downloaded using the FD Dump tool.
Caution: If a user has All Resource Groups Assigned set to Yes, the user can access all the resources in the storage system. For example, if a user is a security administrator and a storage administrator taking care of some resources, has all resource groups assigned, and has the roles of Security Administrator (View & Modify) and Storage Administrator (View & Modify), the user can edit the storage for all the resources. If this is a problem, the recommended solution is to register the following two user accounts in Storage Navigator and use these different accounts for different purposes:
• A security administrator user account that has All Resource Groups Assigned set to Yes.
• A storage administrator user account that does not have all resource groups assigned and has only some of the resource groups assigned.
Caution: For the user groups whose roles are other than the Storage Administrator, All Resource Groups Assigned is automatically set to Yes. If you delete all the roles except the Storage Administrator, reassign resource groups to the user group because All Resource Groups Assigned is automatically set to No. To assign resource groups to the user group, see Changing resource groups assigned to a user group on page 4-19.
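
The cautions in this section (permissions combine across user groups, any role other than Storage Administrator forces All Resource Groups Assigned to Yes, and an account holding that flag together with a Storage Administrator role can edit all resources) can be checked against a list of user-group assignments. The Python below is an added example, not part of the Hitachi manual or product: the data model, function names, the Provisioning permission chosen for users A and B, and User C are hypothetical, and treating the flag as applying to the whole user is a conservative assumption.

```python
# Added example: models the rules stated on this page; not Hitachi code.
# All names and sample data are constructed for illustration.
from dataclasses import dataclass, field

STORAGE_ADMIN = "Storage Administrator"
ALL = "ALL"  # stands for "All Resource Groups Assigned = Yes"

@dataclass
class UserGroup:
    name: str
    roles: set  # {(role, permission)}, e.g. (STORAGE_ADMIN, "Provisioning")
    resource_groups: set = field(default_factory=set)

    @property
    def all_resource_groups(self):
        # Rule from the page: any role other than Storage Administrator
        # sets All Resource Groups Assigned to Yes automatically.
        return any(role != STORAGE_ADMIN for role, _ in self.roles)

    def scope(self):
        return {ALL} if self.all_resource_groups else set(self.resource_groups)

def effective_grants(groups):
    """Union over a user's groups of (role, permission, resource group)."""
    return {(r, p, rg) for g in groups for r, p in g.roles for rg in g.scope()}

def audit(users):
    """Users holding the all-resource-groups flag plus a Storage Administrator
    permission other than View Only (flag treated as user-wide: an assumption)."""
    def risky(groups):
        has_all = any(g.all_resource_groups for g in groups)
        edits = any(r == STORAGE_ADMIN and p != "View Only"
                    for g in groups for r, p in g.roles)
        return has_all and edits
    return sorted(u for u, groups in users.items() if risky(groups))

# Constructed sample: Table 4-1 plus one account that mixes both duties.
g1 = UserGroup("user group 1", {("Security Administrator", "View & Modify")})
g10 = UserGroup("user group 10", {(STORAGE_ADMIN, "Provisioning")}, {"Resource group 10"})
g20 = UserGroup("user group 20", {(STORAGE_ADMIN, "Provisioning")}, {"Resource group 20"})
USERS = {"Administrator": [g1], "User A": [g10], "User B": [g20],
         "User C": [g1, g10]}  # User C is hypothetical

if __name__ == "__main__":
    for user, groups in USERS.items():
        print(user, sorted(effective_grants(groups)))
    print("review:", audit(USERS))
```

Accounts returned by audit() are candidates for the split recommended above: one security administrator account and one storage administrator account with only some resource groups assigned.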