Administrator Guide

OceanStor 2800 V5 V500R007

This document is applicable to OceanStor 2800 V5. Routine maintenance activities are the most common activities for the storage device, including powering on or off the storage device, managing users, modifying basic parameters of the storage device, and managing hardware components. This document is intended for the system administrators who are responsible for carrying out routine maintenance activities, monitoring the storage device, and rectifying common device faults.
Managing Users and Their Access Permissions

To prevent misoperations from affecting device stability and service data security, the storage device defines three user levels, each with its own set of permissions.

Creating a Local User (Applicable to V500R007C20 and Earlier Versions)

To ensure device stability and service data security, a super administrator can create different levels of users based on service requirements.

Context

For the user levels, see User Levels, Roles, and Permission.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, click Add.

    The Add User dialog box is displayed.

  4. Set user information. Select Local user in Type and configure relevant parameters.

    Table 5-5 describes the local user parameters.

    Table 5-5 Local user parameters

    Parameter: Username
    Description: Name of a newly created user.
    Value:
    [Value range]
    • The name contains 5 to 32 characters.
    • The name can only contain letters, digits, and underscores (_) and must start with a letter.
    • The username must be unique.
    NOTE: You can modify the username policy in Permission Settings > Security Policies.
    [Example] user12345

    Parameter: Password
    Description: Password of a newly created user.
    Value:
    [Value range]
    • The password contains 8 to 32 characters.
    • The password must contain special characters. Special characters include !"#$%&'()*+,-./:;<=>?@[\]^`{_|}~ and spaces.
    • The password must contain any two of the following character types: uppercase letters, lowercase letters, and digits.
    • The same character cannot appear more than 3 times consecutively.
    • The password cannot be the same as the username or the username typed backward.
    NOTE:
    • You can modify the password policy in Permission Settings > Security Policies.
    • Keep your password safe.
    [Example] a#123456

    Parameter: Confirm Password
    Description: Password for confirmation.
    Value:
    [Value range] The value must be the same as that of Password.
    [Example] a#123456

    Parameter: Description
    Description: Description of a newly created user.
    Value:
    [Example] User

    Parameter: Role
    Description: Sets permissions for users. You can select a built-in role or create a self-defined role.
    Value:
    [Example] Administrator

    Parameter: Level
    Description: Level of a user. Possible values are as follows:
    • Super administrator: has full administrative permissions on the storage device, and is able to create the users at all user levels.
    • Administrator: has partial system administration permissions. Specifically, administrators cannot manage users, upgrade storage devices, modify system time, restart devices, or power off devices.
    • Read-only user: has only the access permission for the storage system and can perform queries only.
    Value:
    [Example] Read-only user

  5. Confirm the user account creation.

    1. Click OK.

      The Success dialog box is displayed, indicating that the operation is successful.

    2. Click OK.

Creating a Local User (Applicable to V500R007C30 and Later)

To protect device stability and service data security, a super administrator can create different levels of users based on different requirements.

Context

For the user levels and roles, see User Levels, Roles, and Permission.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, click Add.

    The Add User dialog box is displayed.

  4. Set user information. Select Local user in Type and configure relevant parameters.

    Table 5-6 describes the local user parameters.

    Table 5-6 Local user parameters

    Parameter: Username
    Description: Name of a newly created user.
    Value:
    [Value range]
    • The name contains 5 to 32 characters.
    • The name can only contain letters, digits, and underscores (_) and must start with a letter.
    • The username must be unique.
    NOTE: You can modify the username policy in Permission Settings > Security Policies.
    [Example] user12345

    Parameter: Password
    Description: Password of a newly created user.
    Value:
    [Value range]
    • The password contains 8 to 32 characters.
    • The password must contain special characters. Special characters include !"#$%&'()*+,-./:;<=>?@[\]^`{_|}~ and spaces.
    • The password must contain any two of the following character types: uppercase letters, lowercase letters, and digits.
    • The same character cannot appear more than 3 times consecutively.
    • The password cannot be the same as the username or the username typed backward.
    NOTE:
    • You can modify the password policy in Permission Settings > Security Policies.
    • Keep your password safe.
    [Example] a#123456

    Parameter: Confirm Password
    Description: Password for confirmation.
    Value:
    [Value range] The value must be the same as that of Password.
    [Example] a#123456

    Parameter: Password Always Valid
    Description: Determines whether Password Always Valid is enabled. After this function is enabled, the password is not restricted by the password validity period specified on the Security Policies tab page.
    Value:
    [Example] Enable

    Parameter: Description
    Description: Description of a newly created user.
    Value:
    [Example] User

    Parameter: Role
    Description: Sets permissions for users. You can select a built-in role or create a self-defined role.
    Value:
    [Example] Administrator

    Parameter: Level
    Description: Level of a user. Possible values are as follows:
    • Super administrator: has full administrative permissions on the storage device, and is able to create the users at all user levels.
    • Administrator: has partial system administration permissions. Specifically, administrators cannot manage users, upgrade storage devices, modify system time, restart devices, or power off devices.
    • Read-only user: has only the access permission for the storage system and can perform queries only.
    Value:
    [Example] Read-only user

    Parameter: Advanced
    Description: Specifies login modes.
    Value:
    [Value range]
    • For a super administrator, you must select at least one of the CLI, DeviceManager and RESTful login modes.
    • For an administrator or read-only user, you must select at least one of the CLI, DeviceManager, RESTful, SFTP, and Serial port login modes.

  5. Confirm the user account creation.

    1. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    2. Click OK.
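
The username, password and login-mode rules in Table 5-5 and Table 5-6, written out as a pre-check for account values before they are entered in the Add User dialog box. This is an added example, not code from the guide or from DeviceManager. It assumes the default policy shown in the tables (which can be changed in Security Policies), reads "any two types" as at least two of the three classes, and treats the login modes listed for a level as the only ones offered; the function names are hypothetical.

```python
import re

# Special characters exactly as listed in the Password row, plus the space.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^`{_|}~ ")

# Login modes per level, from the Advanced row of Table 5-6 (assumed to be
# the complete set offered for that level).
_COMMON = {"CLI", "DeviceManager", "RESTful"}
LOGIN_MODES = {
    "Super administrator": _COMMON,
    "Administrator": _COMMON | {"SFTP", "Serial port"},
    "Read-only user": _COMMON | {"SFTP", "Serial port"},
}


def check_username(name, existing=()):
    """Return the default-policy username rules that `name` breaks."""
    problems = []
    if not 5 <= len(name) <= 32:
        problems.append("length must be 5 to 32 characters")
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
        problems.append("only letters, digits and _, starting with a letter")
    if name in existing:  # names already defined on the array (caller-supplied)
        problems.append("username must be unique")
    return problems


def check_password(password, username):
    """Return the default-policy password rules that `password` breaks."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32 characters")
    if not any(ch in SPECIALS for ch in password):
        problems.append("must contain a special character")
    # Assumption: "any two types" means at least two of the three classes.
    classes = sum(bool(re.search(p, password)) for p in ("[A-Z]", "[a-z]", "[0-9]"))
    if classes < 2:
        problems.append("must mix two of: uppercase, lowercase, digits")
    # Four identical characters in a row exceed the limit of 3.
    if re.search(r"(.)\1{3}", password, re.DOTALL):
        problems.append("same character more than 3 times in a row")
    # Assumption: the comparison with the username is case-sensitive.
    if password in (username, username[::-1]):
        problems.append("must differ from the username and its reverse")
    return problems


def check_login_modes(level, modes):
    """Return problems with the login modes selected for a user level."""
    selected, problems = set(modes), []
    if not selected:
        problems.append("select at least one login mode")
    extra = selected - LOGIN_MODES[level]
    if extra:
        problems.append("not offered for this level: " + ", ".join(sorted(extra)))
    return problems


if __name__ == "__main__":
    # Constructed sample values; the first pair is the tables' own example.
    for user, pw in [("user12345", "a#123456"), ("user_1234", "4321_resu"),
                     ("ops1", "Passw0rd")]:
        print(user, check_username(user), check_password(pw, user))
    print(check_login_modes("Super administrator", ["SFTP"]))
```

Because the underscore is in the special-character list, a password can satisfy every composition rule and still be rejected for matching the username or its reverse, which the second sample pair shows.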

Creating a Domain User (Applicable to V500R007C20 and Earlier Versions)

DeviceManager allows users to log in to the storage system using the Lightweight Directory Access Protocol (LDAP) server authentication mode to centrally manage user information.

Context

For the user levels and roles, see User Levels, Roles, and Permission.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, click Add.

    The Add User dialog box is displayed.

  4. Set user information. Select LDAP user or LDAP user group in Type and configure the relevant parameters. Table 5-7 describes the parameters.

    Table 5-7 LDAP user or LDAP user group parameters

    Parameter: Username
    Description: Name of a newly created LDAP user or LDAP user group.
    NOTE: The LDAP user or LDAP user group to be created must reside on the LDAP domain server. Otherwise, the login will fail.
    Value:
    [Value range]
    • The username contains 1 to 64 characters.
    • The username must be unique.
    [Example] user12345

    Parameter: Description
    Description: Description of a newly created user.
    Value:
    [Example] User

    Parameter: Role
    Description: Sets permissions for users. You can select a built-in role or create a self-defined role.
    Value:
    [Example] Administrator

    Parameter: Level
    Description: Level of a newly created LDAP user or LDAP user group. Possible values are as follows:
    • Administrator: has partial system administration permissions. Specifically, administrators cannot manage users, upgrade storage devices, modify system time, restart devices, or power off devices.
    • Read-only user: has only the access permission for the storage system and can perform queries only.
    Value:
    [Example] Read-only user

  5. Confirm the user account creation.

    1. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    2. Click OK.

Creating a Domain User (Applicable to V500R007C30 and Later)

DeviceManager allows users to log in to the storage system using the Lightweight Directory Access Protocol (LDAP) server authentication mode to centrally manage user information.

Context

For the user levels, see User Levels, Roles, and Permission.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, click Add.

    The Add User dialog box is displayed.

  4. Set user information. Select LDAP user or LDAP user group in Type and configure the relevant parameters. Table 5-8 describes these parameters.

    Table 5-8 LDAP user or LDAP user group parameters

    Parameter: Username
    Description: Name of a newly created LDAP user or LDAP user group.
    NOTE: The LDAP user or LDAP user group to be created must reside on the LDAP domain server. Otherwise, the login will fail.
    Value:
    [Value range]
    • The username contains 1 to 64 characters.
    • The username must be unique.
    [Example] user12

    Parameter: Description
    Description: Description of a newly created user.
    Value:
    [Example] User

    Parameter: Role
    Description: Sets permissions for users. You can select a built-in role or create a self-defined role.
    Value:
    [Example] Administrator

    Parameter: Level
    Description: Level of a newly created LDAP user or LDAP user group. Possible values are as follows:
    • Administrator: has partial system administration permissions. Specifically, administrators cannot manage users, upgrade storage devices, modify system time, restart devices, or power off devices.
    • Read-only user: has only the access permission for the storage system and can perform queries only.
    Value:
    [Example] Read-only user

    Parameter: Advanced
    Description: Specifies login modes.
    Value:
    [Value range]
    • For a super administrator, you must select at least one of the CLI, DeviceManager and RESTful login modes.
    • For an administrator or read-only user, you must select at least one of the CLI, DeviceManager, RESTful, SFTP, and Serial port login modes.

  5. Confirm the user account creation.

    1. Click OK.

      The Success dialog box is displayed, indicating that the operation is successful.

    2. Click OK.

Managing Login Modes (Applicable to V500R007C30 and Later)

A super administrator can change the modes in which a user logs in to the storage system.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the middle function pane, select a user that you want to modify and click Modify.

    The Modify User dialog box is displayed.

  4. Click Advanced.

    The Advanced dialog box is displayed.

  5. Select the login modes supported by the user and click OK.

    NOTE:
    • For a super administrator, you must select at least one of the CLI, DeviceManager and RESTful login modes.
    • For an administrator or read-only user, you must select at least one of the CLI, DeviceManager, RESTful, SFTP, and Serial port login modes.

  6. Confirm the login mode modification.

    1. Click OK.

      The security alert dialog box is displayed. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.

    2. Click OK.

      The Execution Result dialog box is displayed, indicating that the modification is successful.

    3. Click Close.

Managing User Levels

A super administrator can change the level of a read-only user or an administrator according to the actual requirements.

Prerequisites
  • Only super administrators have the right to perform this operation.
  • The super administrator can modify the level and initialize the password only for users whose Status is Offline.
Context

User levels include:

  • Administrator: has permission to control the storage device and modify the administrator password, but cannot manage users, upgrade the storage device, modify the system time, activate license files, restart the device, or power off the device. An administrator cannot import or export license files.
  • Read-only user: has permission to access the storage device and change their own password. After logging in to the storage device, the read-only user can only query device information and cannot perform other operations.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the middle function pane, select a user that you want to modify and click Modify.

    The Modify User dialog box is displayed.

  4. Select a desired user level from the Level drop-down list.

    NOTE:

    The user level determines whether a user has operation or read-only permission. For details on how to modify the scope of permission, see Customizing User Roles.

  5. Confirm the user modification.

    1. Click OK.

      The security alert dialog box is displayed. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.

    2. Click OK.

      The Execution Result dialog box is displayed, indicating that the operation succeeded.

    3. Click Close.

Locking or Unlocking a User

A super administrator can prevent a user from logging in to the storage device by locking the user. Users who are online when they are locked can continue using DeviceManager, but cannot log in again after they log out.

Prerequisites
  • Only super administrators have the permission to perform this operation.
  • The Lock Status of the user to be locked is Unlock.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the middle function pane, choose a user that you want to lock and click Lock.

    The Success dialog box is displayed, indicating that the operation succeeded.

    NOTE:

    You can also right-click the user that you want to lock and choose Lock.

  4. Click OK.

Logging Out a User

A super administrator can prevent a logged-in user from using the storage device by forcibly logging the user out of DeviceManager.

Prerequisites
  • Only super administrators have the permission to perform this operation.
  • Users whose Status is Online can be logged out.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, select a user that you want to log out and click Offline.

    The security alert dialog box is displayed.

    NOTE:

    You can also right-click the user, and then choose Offline.

  4. Confirm the logout of the user.

    1. Carefully read the content in the dialog box and select I have read and understand the consequences associated with performing this operation to confirm the information.
    2. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

Changing Password

To ensure storage system security, periodically change the password used for logging in to the storage system.

Precautions
  • Super administrators, administrators, and read-only users can change only their own passwords. Super administrators can also initialize the passwords of administrators and read-only users.
  • If your password has expired or been initialized, the system will prompt you to change your password when you log in to DeviceManager.
  • If your password is about to expire, the system will prompt you to change your password after you log in to DeviceManager.
  • To prevent security risks caused by password leaks, super administrators, administrators, and read-only users need to change their default password after logging in to the storage system for the first time and change their password regularly afterwards.
  • If a non-super administrator account encounters a security problem, super administrators can set the password properties of the non-super administrator account. The password of the non-super administrator account then must be changed before it is used to log in to the system.

Do not change the password during information collection or capacity expansion. Otherwise, information collection or capacity expansion fails.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the function pane, click the name of the super administrator and click Modify.

    The Modify Password dialog box is displayed.

  4. Enter Old Password, New Password and Confirm Password.

    NOTE:
    • To ensure account security, change the default password after you log in to the storage system for the first time.
    • To ensure account security, change your password regularly.

  5. Click OK.

Resetting the Password of an Administrator or a Read-Only User

This section describes how to retrieve or reset user passwords.

If an administrator or a read-only user forgets the password, the super administrator admin can reset the password on DeviceManager or the CLI.

  • Resetting user passwords on DeviceManager
    1. Log in to DeviceManager as the super administrator.
      NOTE:

      The default super administrator name is admin and its password is Admin@storage.

    2. Choose Settings > Permission Settings > User Management.
    3. In the middle function pane, select a user that you want to modify and click Modify.

      The Modify User dialog box is displayed.

    4. Select Initialize password. Input Password of Current Login User, New Password, and Confirm Password.
      NOTE:

      The passwords of LDAP users cannot be initialized.

    5. Confirm the password initialization.
      1. Click OK.

        The security alert dialog box is displayed. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.

      2. Click OK.

        The Execution Result dialog box is displayed, indicating that the operation succeeded.

      3. Click Close.
  • Resetting user passwords on the CLI
    1. Log in to the CLI as the super administrator.
      NOTE:

      The default super administrator name is admin and its password is Admin@storage.

    2. Run the change user user_name=? action=reset_password command to reset the password.

      For example, to reset the password of testuser, run the following command:

      admin:/>change user user_name=testuser action=reset_password 
       New password:********** 
       Reenter password:********** 
       Password:********** 
       Command executed successfully.

Resetting the Password of a Super Administrator

This section describes how to reset the password of a super administrator.

If the password of the super administrator admin is lost, another root administrator _super_admin can log in to the CLI via a serial port and run initpasswd to reset the password. The procedure is as follows:

  1. Use _super_admin to log in to the CLI via a serial port.
    NOTE:

    The default password of the root administrator _super_admin is Admin@revive.

  2. Run the initpasswd command to reset the password of the super administrator admin.
    Storage: _super_admin> initpasswd 
    please input username:admin 
    init admin passwd,wait a moment please... 
    *****please enter new password for admin :***** 
    *****please re-enter new password for admin :***** 
    Init admin passwd succeeded

Setting User Passwords to Never Expire

This section describes how to set user passwords to never expire.

Procedure

You can set user passwords to never expire in Security Policies or User Management.

NOTE:
  • In Security Policies, you can set passwords of all users in a storage system to never expire.
  • In User Management, you can only set the password of a specified user to never expire. This applies to V500R007C20 and later.

  • Configuring Password Validity Period in Security Policies
    1. Log in to DeviceManager.
    2. Choose Settings > Permission Settings > Security Policies.
      1. On the right navigation bar, click Settings.
      2. In the Basic Service Settings area on the function pane, click Permission Settings.

        The Security Policies page is displayed.

      3. In the left navigation tree, select Security Policies.

        The Security Policies page is displayed.

    3. Deselect Password Validity Period (days).
    4. Click Save.

      The Execution Results dialog box is displayed, indicating that the security policy configuration succeeds.

    5. Click Close.

      Passwords of all users in the storage system will never expire.

  • Configuring Password Policies in User Management
    1. Log in to DeviceManager.
    2. Choose Settings > Permission Settings > User Management.
    3. In the middle function pane, select a user that you want to modify and click Modify.

      The Modify User dialog box is displayed.

    4. Select Password Always Valid.
    5. Click OK.

      The Execution Result dialog box is displayed, indicating that the operation succeeded.

    6. Click Close.

      The password of the specified user will never expire.

Removing a User

This operation enables you to remove an unwanted user.

Context
  • Only a super administrator has the permission to remove administrators, read-only users, and other super administrators.
  • An online user cannot be removed.
Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. In the middle function pane, select the user that you want to remove and click Remove.

    The security alert dialog box is displayed.

  4. Confirm the user removal.

    1. Confirm the information in the dialog box and select I have read and understand the consequences associated with performing this operation.
    2. Click OK.

      The Success dialog box is displayed, indicating that the operation succeeded.

    3. Click OK.

Updated: 2019-07-11

Document ID: EDOC1000181576