Use the Create a User panel in the SAN Volume Controller Console to
create either a local or remote user of the cluster.
Introduction
You can create two types
of users who access the cluster. These types are based on how the
users are authenticated to the cluster. Local users must provide either
a password, a Secure Shell (SSH) key, or both. Local users are authenticated
through the authentication methods that are located on the SAN Volume Controller cluster.
If the local user needs access to SAN Volume Controller Console,
a password is needed for the user. If the user requires access to
the command-line interface, a valid SSH key file is necessary. If
a user is working with both interfaces, both a password and SSH key
are required. Local users must be part of a user group that is defined
on the cluster. User groups define roles that authorize the users
within that group to a specific set of operations on the cluster.
A remote user is authenticated on a remote service
usually provided by a SAN management application, such as IBM® Tivoli® Storage Productivity Center.
Remote users require no local credentials to access the SAN Volume Controller Console.
Remote users have their groups defined by the remote authentication
service. If a remote user needs to use the command-line interface,
both a password and SSH key are required. If the remote authentication
service fails, then remote users cannot access the SAN Volume Controller Console or
the command-line interface. In this situation, a local user with the
Security Administrator role must change remote users to local users
by adding them to the appropriate user group. After logging in to
a SAN Volume Controller application, a remote
user is granted access to the SAN Volume Controller CLI
and Console by default.
Fields
The following fields can be updated:
- User Name
- Enter the name of the new user. The user name cannot
start or end with a blank character. The user name can consist of
any string of 1 - 256 printable-ASCII characters. This field is required.
- Password
- Enter a password for the user. The password cannot
start or end with a blank character. The password can consist of any
string of 6 - 64 printable-ASCII characters.
- Re-enter Password
- Re-enter the password for the user.
- Authentication Type
- Select the authentication type for the user.
The following values are possible:
- Remote
- Select this option if the user is authenticated to the cluster
by a remote service.
Note: Selecting this option disables the User
Group table.
- Local
- Select this option if the user is authenticated by the SAN Volume Controller cluster.
This is the default setting.
- User Groups
- Select the user groups that you want the user to belong to. With
user groups, you can organize authenticated users into groups based on
their access level or role. The role determines the access to cluster
functions for the users in the group. Users that are locally authenticated
can belong to only a single group. The following attributes display
in the table:
- Select
- Specify the user group for the new user.
- Name
- Displays the name of the user group.
- Role
- Displays the role that applies to all users within the group.
The following values are possible:
- Monitor
- Users with the monitor role have access to all viewing
actions available with the SAN Volume Controller Console.
This user cannot perform any actions that change the state of the
cluster or the resources that the cluster manages. The user can access
all the information-related panels and commands, back up configuration
data, change his or her password, and issue the following commands: finderr, dumperrlog, dumpinternallog, ping, and chcurrentuser.
- Copy Operator
- Users with the copy operator role can manage all existing FlashCopy,
Metro Mirror, and Global Mirror relationships. They can also create
and delete FlashCopy mappings, FlashCopy consistency groups, Metro
Mirror or Global Mirror relationships, and Metro Mirror and Global
Mirror consistency groups. In addition, the user can access all the
functions available to the Monitor role.
- Service
- Users with the service role can view the View Clusters panel,
launch the SAN Volume Controller Console,
view the progress of actions on clusters with the View Progress
panel, begin the disk discovery process, and discover and include disks.
The user can access the following commands: applysoftware, setlocale, addnode, rmnode, cherrstate, setevent, writesernum, detectmdisk,
and includemdisk. A user with this role can also
access all the functions available to the Monitor role.
- Administrator
- Users with the administrator role can access all functions on
the SAN Volume Controller Console and
issue any command-line interface (CLI) command, except those that
deal with managing users, user groups, and authentication.
- Security Administrator
- Users with the security administrator role can access all functions
on the SAN Volume Controller Console and
issue any CLI command. Users with this role can also manage users,
user groups, and user authentication.
- Members
- Displays the number of users in the user group.
- Remote Visibility
- Indicates whether this user group can be used during remote authentication.
As part of configuring remote authentication, administrators can configure
user groups on the cluster to match the authorization that is provided
by the remote authentication service. For each group of users that
is defined on the remote authentication service, you can create a
corresponding SAN Volume Controller user
group with the same name and the Remote Visibility option enabled.
For example, if a group of users called sysadmins exists on the remote
authentication service, then a corresponding
group called sysadmins should be created on the SAN Volume Controller cluster
with the Administrator role and with the Remote Visibility option enabled.
If none of a user's groups on the remote authentication service
match the SAN Volume Controller user
groups, then the user is not permitted to access the cluster. The following
values are possible:
- Yes
- Indicates that this user group can be used during remote authentication.
- No
- Indicates that this user group cannot be used during remote authentication.
- SSH Public Key File
- Enter the SSH key file that is associated with the
user. Click Browse to select the file. An SSH
key is needed if this user plans to use the command-line interface
to manage the cluster.
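The group matching described under Remote Visibility can be audited before remote authentication is enabled. The following is an added example, not code from the product: the record layout, function names and sample data are constructed, and it assumes names must match exactly, including case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClusterGroup:          # hypothetical record mirroring the User Groups table
    name: str
    role: str
    remote_visible: bool     # the Remote Visibility column (Yes/No)

def resolve_remote_user(remote_groups, cluster_groups):
    """Cluster groups a remote user matches; an empty list means no access."""
    by_name = {g.name: g for g in cluster_groups}
    # Assumption: the name must match exactly. All matches are returned; the
    # page does not say which role applies when several groups match.
    return [by_name[n] for n in remote_groups
            if n in by_name and by_name[n].remote_visible]

def audit_mapping(directory, cluster_groups):
    """directory maps user -> remote group names. Returns lockouts and
    users who would receive the Security Administrator role."""
    by_name = {g.name: g for g in cluster_groups}
    findings = []
    for user, groups in sorted(directory.items()):
        matched = resolve_remote_user(groups, cluster_groups)
        if not matched:
            hidden = [n for n in groups if n in by_name]
            reason = (f"group(s) {hidden} exist but Remote Visibility is No"
                      if hidden else "no cluster group with a matching name")
            findings.append((user, "NO ACCESS", reason))
        for g in matched:
            if g.role == "Security Administrator":
                findings.append((user, "PRIVILEGED", f"via group {g.name}"))
    return findings

# Constructed sample data
CLUSTER = [ClusterGroup("sysadmins", "Administrator", True),
           ClusterGroup("secadmins", "Security Administrator", True),
           ClusterGroup("operators", "Copy Operator", False)]
DIRECTORY = {"ana": ["sysadmins"], "raj": ["operators"],
             "li": ["helpdesk"], "sam": ["secadmins", "sysadmins"]}

if __name__ == "__main__":
    for finding in audit_mapping(DIRECTORY, CLUSTER):
        print(*finding, sep=": ")
```
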
Actions
The following actions are available:
- OK
- Click this button to create the new user based on the specified
values.
- Cancel
- Click this button to exit this panel without creating the new
user.
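The field rules and the credential requirements from the Introduction can be checked together before a user is created. The following is an added example, not code from the product: the record layout, the `needs_console` and `needs_cli` inputs and the function names are hypothetical, and "printable ASCII" is assumed to mean the range 0x20 to 0x7E.

```python
import string
from dataclasses import dataclass, field

# Assumption: "printable ASCII" is 0x20-0x7E; blanks are allowed only inside.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

@dataclass
class NewUser:                      # hypothetical record mirroring the panel fields
    name: str
    auth_type: str = "Local"        # the panel default
    password: str = ""
    ssh_key_file: str = ""
    groups: list = field(default_factory=list)
    needs_console: bool = True      # assumed inputs: interfaces the user will use
    needs_cli: bool = False

def check_text(label, value, lo, hi):
    errs = []
    if not lo <= len(value) <= hi:
        errs.append(f"{label}: length must be {lo}-{hi}")
    if any(c not in PRINTABLE for c in value):
        errs.append(f"{label}: only printable ASCII is allowed")
    if value != value.strip(" "):
        errs.append(f"{label}: starts or ends with a blank")
    return errs

def validate(user, cluster_groups):
    """Return a list of problems; an empty list means the request is consistent."""
    errs = check_text("User Name", user.name, 1, 256)
    errs += check_text("Password", user.password, 6, 64) if user.password else []
    if user.auth_type == "Local":
        if not (user.password or user.ssh_key_file):
            errs.append("Local user: needs a password, an SSH key, or both")
        elif user.needs_console and not user.password:
            errs.append("Password: required for Console access")
        if len(user.groups) != 1:
            errs.append("User Groups: a local user belongs to exactly one group")
        errs += [f"User Groups: {g!r} is not defined on the cluster"
                 for g in user.groups if g not in cluster_groups]
    elif user.auth_type == "Remote":
        if user.groups:
            errs.append("User Groups: table is disabled for remote users")
        if user.needs_cli and not user.password:
            errs.append("Password: required for a remote user of the CLI")
    else:
        errs.append("Authentication Type: must be Local or Remote")
    if user.needs_cli and not user.ssh_key_file:
        errs.append("SSH Public Key File: required for CLI access")
    return errs
```
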