Modifying a user

Use the Modifying a User panel in the SAN Volume Controller Console to change attributes for a selected user.

Introduction

You can create two types of users who access the cluster. These types are based on how the users are authenticated to the cluster. Local users must provide either a password, a Secure Shell (SSH) key, or both. Local users are authenticated through the authentication methods that are located on the SAN Volume Controller cluster. If the local user needs access to the SAN Volume Controller Console, a password is needed for the user. If the user requires access to the command-line interface, a valid SSH key file is necessary. If a user is working with both interfaces, both a password and SSH key are required. Local users must be part of a user group that is defined on the cluster. User groups define roles that authorize the users within that group to a specific set of operations on the cluster.

A remote user is authenticated on a remote service usually provided by a SAN management application, such as IBM® Tivoli® Storage Productivity Center. Remote users require no local credentials to access the SAN Volume Controller Console. Remote users have their groups defined by the remote authentication service. If a remote user needs to use the command-line interface, both a password and SSH key are required. If the remote authentication service fails, then remote users cannot access the SAN Volume Controller Console or the command-line interface. In this situation, a local user with the Security Administrator role must change remote users to local users by adding them to the appropriate user group. After logging in to a SAN Volume Controller application, a remote user is granted access to the SAN Volume Controller CLI and Console by default.

Attributes

The following attributes are displayed:

Name
Displays the name of the selected user.
User Group Name
Displays the name of the group that the selected user belongs to.
Password
Indicates whether a password has been specified for the selected user. The following values are possible:
Yes
Indicates that a password has been defined for the selected user.
No
Indicates that a password has not been defined for the selected user.
Authentication
Indicates the authentication type for the selected user. The following values are possible:
Remote
Indicates that the user is authenticated to the cluster by a remote authentication service.
Local
Indicates that the user is authenticated using the SAN Volume Controller cluster.
SSH Public Key
Displays whether there is a Secure Shell (SSH) key that is associated with the user. The following values are possible:
Yes
Indicates that there is an SSH key that is associated with the user.
No
Indicates that there is not an SSH key that is associated with the user.

Fields

The following fields can be updated:

Password
Enter a password for the user. The password cannot start or end with a blank character. The password can consist of any string of 6 - 64 printable-ASCII characters.
Select Remove Password to remove the password from the user.
Re-enter Password
Re-enter the password for the user.
Authentication Type
Select the authentication type for the user. The following values are possible:
Remote
Select this option if the user is authenticated to the cluster by a remote service.
Note: Selecting this option disables the User Group table.
Local
Select this option if the user is authenticated by the SAN Volume Controller cluster. This is the default setting.
User Groups
Select the user groups that you want the user to belong to. With user groups, you can organize authenticated users into groups based on their access level or role. The role determines the access to cluster functions for the users in the group. Users that are locally authenticated can belong to only a single group. The following attributes display in the table:
Select
Specify the user group for the new user.
Name
Displays the name of the user group.
Role
Displays the role that applies to all users within the group. The following values are possible:
Monitor
Users with the monitor role have access to all viewing actions available with the SAN Volume Controller Console. This user cannot perform any actions that change the state of the cluster or the resources that the cluster manages. The user can access all the information-related panels and commands, back up configuration data, change his or her password, and issue the following commands: finderr, dumperrlog, dumpinternallog, ping, and chcurrentuser.
Copy Operator
Users with the copy operator role can manage all existing FlashCopy, Metro Mirror, and Global Mirror relationships. They can also create and delete FlashCopy mappings, FlashCopy consistency groups, Metro Mirror or Global Mirror relationships, and Metro Mirror and Global Mirror consistency groups. In addition, the user can access all the functions available to the Monitor role.
Service
Users with the service role can view the View Clusters panel, launch the SAN Volume Controller Console, view the progress of actions on clusters with the View Progress panel, begin the disk discovery process, and discover and include disks. The user can access the following commands: applysoftware, setlocale, addnode, rmnode, cherrstate, setevent, writesernum, detectmdisk, and includemdisk. A user with this role can also access all the functions available to the Monitor role.
Administrator
Users with the administrator role can access all functions on the SAN Volume Controller Console and issue any command-line interface (CLI) command, except those that deal with managing users, user groups, and authentication.
Security Administrator
Users with the security administrator role can access all functions on the SAN Volume Controller Console and issue any CLI command. Users with this role can also manage users, user groups, and user authentication.
Members
Displays the number of users in the user group.
Remote Visibility
Indicates whether this user group can be used during remote authentication. As part of configuring remote authentication, administrators can configure user groups on the cluster to match the authorization that is provided by the remote authentication service. For each group of users that is defined on the remote authentication service, you can create a corresponding SAN Volume Controller user group with the same name and the Remote Visibility option enabled. For example, if a group of users called sysadmins exists on the remote authentication service, then a corresponding group called sysadmins should be created on the SAN Volume Controller cluster with the Administrator role and with the Remote Visibility option enabled. If none of a user's groups on the remote authentication service match the SAN Volume Controller user groups, then the user is not permitted to access the cluster. The following values are possible:
Yes
Indicates that this user group can be used during remote authentication.
No
Indicates that this user group cannot be used during remote authentication.
SSH Public Key File
Enter the SSH key file that is associated with the user. Click Browse to select the file. An SSH key is needed if this user plans to use the command-line interface to manage the cluster.
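
The following added example (not IBM code and not output from the product) models the rules that this topic states: the password format, which interfaces a local user can reach, how a remote user's groups map to cluster user groups, and which local Security Administrators remain available if the remote authentication service fails. The record layout, field names, and sample data are constructed, and exact (case-sensitive) group name matching is an assumption.

```python
# Added example: models the access rules this page states. Record layout,
# field names and sample data are constructed, not SAN Volume Controller output.

def password_ok(pw):
    """6 - 64 printable-ASCII characters, no leading or trailing blank."""
    return (6 <= len(pw) <= 64
            and all(0x20 <= ord(c) <= 0x7E for c in pw)
            and pw[0] != " " and pw[-1] != " ")

def local_interfaces(user):
    """Interfaces a local user can reach: Console needs a password, CLI an SSH key."""
    found = set()
    if user["password"]:
        found.add("console")
    if user["ssh_key"]:
        found.add("cli")
    return found

def remote_match(remote_memberships, groups):
    """Cluster groups a remote user maps to: same name, Remote Visibility = Yes.
    An empty result means the user is not permitted to access the cluster.
    Assumption: names are compared exactly (case-sensitive)."""
    return sorted(name for name in remote_memberships
                  if name in groups and groups[name]["remote_visibility"])

def fallback_admins(users, groups):
    """Local Security Administrators who can still log in if the remote
    authentication service fails (needed to convert remote users to local)."""
    return sorted(u["name"] for u in users
                  if u["auth"] == "local"
                  and groups[u["group"]]["role"] == "Security Administrator"
                  and local_interfaces(u))

# Constructed sample configuration.
GROUPS = {
    "sysadmins": {"role": "Administrator", "remote_visibility": True},
    "secadmins": {"role": "Security Administrator", "remote_visibility": False},
    "watchers": {"role": "Monitor", "remote_visibility": False},
}
USERS = [
    {"name": "alice", "auth": "local", "group": "secadmins", "password": True, "ssh_key": False},
    {"name": "bob", "auth": "local", "group": "watchers", "password": False, "ssh_key": True},
    {"name": "carol", "auth": "remote", "group": None, "password": False, "ssh_key": False},
]

if __name__ == "__main__":
    print(remote_match(["sysadmins", "watchers"], GROUPS))
    print(remote_match(["storage-team"], GROUPS))
    print(fallback_admins(USERS, GROUPS))
```

An empty result from fallback_admins means that no local user could convert remote users to local users during a remote authentication outage.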

Actions

The following actions are available:

OK
Click this button to change the selected user based on the specified values.
Cancel
Click this button to exit this panel without changing the selected user.
© Copyright IBM Corporation 2003, 2009. All Rights Reserved.