User Groups

User groups (or roles) are a level of access that is assigned by the administrator, which allows users to perform certain functions. User groups are created using the DS Storage Manager or the CLI.

When a user account is created, the administrator must specify an initial password for the account. This initial password expires immediately which means that the account users must change the password before they are allowed to perform any other actions. This is also true for all account roles, including Administrators.

The user must be assigned to at least one group or role. Users can be assigned to multiple groups or combinations of groups. Groups with the label No Access (only) cannot be selected in combination with another group.

Administrators can make the following user group assignments (Table 1 provides specific capabilities for each user group):

Administrator (only): Must be the only assigned group. This user group has the highest level of authority. It allows a user to add or remove user accounts. This group has access to all service functions and DS6000™ resources.
Physical operator (only): Must be the only assigned group. This user group allows access to resources that are related to physical configuration, including storage complex, storage unit, storage image, management console, arrays, ranks, and extent pools. The physical operator group does not have access to security functions.
Logical operator: Can be assigned in combination with the Copy Services operator group, but not in combination with any other group. This group has access to service functions and resources that relate to logical volumes, hosts, host ports, logical subsystems, and volume groups, excluding security functions.
Copy Services Operator: Can be assigned in combination with the Logical operator group, but not in combination with any other group. This group has access to all Copy Services service functions and resources, excluding security functions.
Monitor (only): Must be the only assigned group. This group has access to all read-only, nonsecurity service functions and all DS6000 resources.
Service Operator: This group has access to all service related DS6000 service functions and resources (for example, performing a code load, and retrieving problem logs). This user group inherits all authority of the Monitor group.
No Access (only): The default selection. Must be the only assigned group. This group has no access to any service functions or DS6000 resources. This is the user group that is assigned to a user account that is not associated with any other user group.

Table 1. User Group capabilities
Capability	Administrator	Physical Operator	Logical Operator	Copy Services Operator	Monitor	Service Operator
User account management	X
Access audit log	X
Update storage complex	X	X
Power on/off storage image	X	X
Update storage unit	X	X
Update storage image	X	X
Warmstart storage image	X	X
Manage arrays, ranks, extent pools	X	X
I/O port configuration	X	X
Configuration recovery services (unfence volumes, discard pinned tracks, repair ranks,…)	X	X
Host configuration	X	X	X
Logical subsystem configuration	X	X	X
Volume configuration	X	X	X
Add or remove volume group	X	X	X
Assign or unassign volume group to host connection	X	X	X
Add or remove volumes to volume group	X	X	X
Manage Copy Services (FlashCopy, PPRC, Global Mirror)	X	X		X
Set Copy Services timeout values	X	X		X
Update user account password	X	X	X	X	X	X
Query FRUs and enclosures	X	X	X	X	X	X
Query configuration	X	X	X	X	X	X
Query Copy Services	X	X	X	X	X	X
FRU management	X	X				X
Problem management	X	X				X
Validate communication paths	X	X				X
Activate code load	X	X				X
Create a new PE package	X	X				X
Manage storage unit IP addresses	X