Creating a user group

You can create user groups to organize users of the SAN Volume Controller cluster by role. Roles define access to different cluster functions. Administrators can create role-based user groups where any user added to the group adopts the role that is assigned to that group. User groups simplify management of user access to the cluster.

You must have the Security Administrator role to create, delete, or change a user group.

Roles apply to both local and remote users on the cluster and are based on the user group to which the user belongs. A local user can only belong to a single group; therefore, the role of a local user is defined by the single group that the user belongs to. Remote users can belong to one or more groups; therefore, the roles of remote users are assigned according to the groups that the remote user belongs to.

This task assumes that you have already launched the SAN Volume Controller Console. To create a user group, complete the following steps:

  1. In the portfolio, click Manage Authentication > User Groups. The Viewing User Groups panel is displayed.
  2. Select Create a User Group from the task list and click Go. The Creating a User Group panel is displayed.
  3. Enter a name for the user group.
  4. Select the role that all users adopt when they are added to this user group. The following roles can be selected:
    Monitor
    Select this role if you want the user to access all viewing actions available with the SAN Volume Controller Console. This user cannot perform any actions that change the state of the cluster or the resources that the cluster manages. The user can access all the information-related panels and commands, back up configuration data, change his or her password, and issue the following commands: finderr, dumperrlog, dumpinternallog, and chcurrentuser.
    Copy Operator
    Select this role if you want the user to manage all existing FlashCopy®, Metro Mirror, and Global Mirror relationships. The user can also create and delete FlashCopy mappings, FlashCopy consistency groups, Metro Mirror or Global Mirror relationships, and Metro Mirror and Global Mirror consistency groups. In addition, the user can access all the functions available to the Monitor role.
    Service
    Select this role if you want the user to view the View Clusters panel, launch the SAN Volume Controller Console, view the progress of actions on clusters with the View Progress panel, begin the disk discovery process, and discover and include disks. The user can access the following commands: applysoftware, setlocale, addnode, rmnode, cherrstate, setevent, writesernum, detectmdisk, and includemdisk. A user with this role can also access all the functions available to the Monitor role.
    Administrator
    Select this role if you want the user to access all functions on the SAN Volume Controller Console and issue any command-line interface (CLI) command, except those that deal with managing users, user groups, and authentication.
    Security Administrator
    Select this role if you want the user to access all functions on the SAN Volume Controller Console and issue any CLI command. Users with this role can also manage users, user groups, and user authentication.
  5. Select Enable this user group to be visible to a remote authentication service if you want the user group to match the access that is defined in user groups on a remote authentication service. For each group of users on the remote authentication service, there must be a SAN Volume Controller user group with the same name, and the user group must be visible to the remote authentication service. Security administrators can control which user groups can match the access of user groups on the remote authentication service. When SAN Volume Controller Console authenticates a remote user, it requests a list of groups that the user belongs to from the remote authentication service. The system then assigns a role to the remote user based on whether there is an existing user group on the SAN Volume Controller with the same name and whether that user group allows remote visibility. When these criteria are met, the SAN Volume Controller assigns the role based on the user group role specification. If the user is a member of multiple groups that match multiple roles, the user is given the most powerful role. In the case where a user has a combination of Copy Operator and Service roles, the SAN Volume Controller assigns both roles to the user.
  6. Click OK.
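
The role resolution for remote users described in step 5 can be modeled as follows. This is an added example, not IBM code or part of the original page. The group names are constructed, name matching is assumed to be exact, and the ordering of "most powerful" is an assumption read from the role descriptions in step 4.

```python
# Added illustration; not IBM code. Models the remote-user role resolution
# described in step 5, using constructed sample data.

# Assumption: "more powerful" is derived from the role descriptions in step 4.
# Each role maps to the set of roles whose functions it also covers.
COVERS = {
    "Monitor": set(),
    "Copy Operator": {"Monitor"},
    "Service": {"Monitor"},
    "Administrator": {"Monitor", "Copy Operator", "Service"},
    "Security Administrator": {"Monitor", "Copy Operator", "Service",
                               "Administrator"},
}

def resolve_roles(remote_groups, cluster_groups):
    """Return the set of roles a remote user receives.

    remote_groups: group names reported by the remote authentication service.
    cluster_groups: {name: {"role": str, "remote": bool}} defined on the cluster.
    """
    matched = set()
    for name in remote_groups:
        group = cluster_groups.get(name)   # a cluster group with the same name
        if group and group["remote"]:      # that is visible to the remote service
            matched.add(group["role"])
    # Keep only roles that no other matched role already covers. Copy Operator
    # and Service do not cover each other, so both are kept together.
    return {r for r in matched if not any(r in COVERS[o] for o in matched)}

# Constructed sample cluster configuration (hypothetical group names).
CLUSTER_GROUPS = {
    "storage-admins": {"role": "Administrator", "remote": False},
    "copy-ops": {"role": "Copy Operator", "remote": True},
    "field-service": {"role": "Service", "remote": True},
    "auditors": {"role": "Monitor", "remote": True},
    "sec-admins": {"role": "Security Administrator", "remote": True},
}

if __name__ == "__main__":
    for groups in (["copy-ops", "field-service", "auditors"],
                   ["storage-admins", "auditors"],
                   ["sec-admins", "copy-ops"],
                   ["not-on-cluster"]):
        print(groups, "->", sorted(resolve_roles(groups, CLUSTER_GROUPS)))
```

The `storage-admins` entry shows that a group with remote visibility disabled contributes no role, even when the remote authentication service reports the user as a member.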
© Copyright IBM Corporation 2003, 2009. All Rights Reserved.