OceanStor V500R007 Administrator Guide

User Levels, Roles, and Permission

To prevent misoperations from compromising storage system stability and service data security, the storage system defines user levels and roles that determine each user's permissions and the scope of those permissions. Before using this document, check the level and role of your account so that you know what your account is permitted to do.

Definition of User Levels and Roles

  • Level: determines whether a user has operation or access permission.

    The storage system defines three user levels, as described in Table 1-1.

    Table 1-1 User levels

    | Level | Description |
    |---|---|
    | Super administrator | A super administrator has full administrative permissions on the storage device, and is able to create users of all levels. |
    | Administrator | An administrator has partial administrative permissions on the storage device but cannot manage users, upgrade the storage device, modify the system time, perform batch configuration, restart the device, or power off the device. |
    | Read-only user | A read-only user has only the access permission on the storage device. After logging in to the storage device, read-only users can only query information about the storage device. |

    The storage system supports a maximum of 32 system users, among which a maximum of two super administrators can be created.

  • Role: defines the scope of objects that can be operated or accessed by a user.

    The storage system provides both built-in and user-defined roles.

    • Preset roles are built into the storage system with specific permissions. Table 1-2 describes the preset roles in detail.
    • User-defined roles allow users to configure the scope of permission as required. For user-defined roles, see Permission Matrix for Self-defined Roles (Applicable to V500R007C10 and Earlier) and Permission Matrix for Self-defined Roles (Applicable to V500R007C20 and Later).

    To support permission control in vStore scenarios, the storage system divides the preset roles into the system group and vStore group.

    • vStore group: The roles are used only when the user logs in to DeviceManager using a vStore account.
    • System group: The roles are used only when the user logs in to DeviceManager using a system account.

    Table 1-2 Preset roles

    | Preset Role | Function Group | Scope of Permission |
    |---|---|---|
    | Super administrator | System group | All permissions over the system |
    | Administrator | System group | All permissions except user management, security configuration, and batch configuration |
    | Security administrator | System group | Permission for managing system security configurations, including security rules, certificates, audit, KMC, and compliance clocks |
    | Network administrator | System group | Permission for managing system network resources, including physical ports and failover groups |
    | SAN resource administrator | System group | Permission for managing SAN resources, including storage pools, LUNs, mapping views, hosts, and ports |
    | NAS resource administrator | System group | Permission for managing NAS resources, including storage pools, file systems, file servers, authenticated users, networks, quota trees, and shares |
    | Data protection administrator | System group | Permission for managing data protection, including local data protection, remote data protection, and HyperMetro data protection |
    | Backup administrator | System group | Permission for managing data backup, including local data and mapping views |
    | Maintenance administrator (a) | System group | Permission for querying except user management and security configuration |
    | vStore administrator | vStore group | All vStore management permissions |
    | vStore data protection administrator | vStore group | Permission for managing vStore data protection, including local data protection, remote data protection, and HyperMetro data protection for vStores |
    | vStore protocol administrator | vStore group | Permission for managing vStore protocols, including authenticated users and shares of vStores |

    a: Applicable to V500R007C50 and later versions.

Figure 1-1 User roles and permission

Querying the Current User's Permission

You can perform the following operations to query the permission and scope of the current account.

Procedure

  1. Log in to DeviceManager.
  2. Choose Settings > Permission Settings > User Management.
  3. Query the current user's Level and Role in the middle pane and determine the user permission and scope according to Table 1-1, Table 1-2, Permission Matrix for Self-defined Roles (Applicable to V500R007C10 and Earlier), and Permission Matrix for Self-defined Roles (Applicable to V500R007C20 and Later).
  • Super administrators can view the information about all users on the device.
  • Administrators or read-only users can only view their own information.

For example, in Figure 1-2, the role and level of the safe_admin_reader user are Security administrator and Read-only user, respectively. According to Table 1-1 and Table 1-2, the user has the permission to query the security rules, certificates, audits, KMC, antivirus function, data destruction function, and compliance clock. To modify the user level and role, see Managing User Levels and Customizing User Roles.

Figure 1-2 Information of the current user
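
The level and role combination described above can be checked over an exported user list; the following is an added example, not part of the original guide and not Huawei code. The record fields (`name`, `level`, `role`, `account`), every sample user except safe_admin_reader, and the rule that a read-only level reduces any role to query access are simplifying assumptions based on Table 1-1, Table 1-2 and the safe_admin_reader example.

```python
# Added example (not Huawei code). Simplified model of Table 1-1 / Table 1-2.
MAX_SUPER_ADMINS = 2  # page: at most two super administrators

LEVELS = {"Super administrator", "Administrator", "Read-only user"}
SYSTEM_ROLES = {
    "Super administrator", "Administrator", "Security administrator",
    "Network administrator", "SAN resource administrator",
    "NAS resource administrator", "Data protection administrator",
    "Backup administrator", "Maintenance administrator",
}
VSTORE_ROLES = {
    "vStore administrator", "vStore data protection administrator",
    "vStore protocol administrator",
}
QUERY_ONLY_ROLES = {"Maintenance administrator"}  # "Permission for querying ..."


def effective_access(level, role):
    """'query' or 'manage' within the role's scope, given the user level."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    if level == "Read-only user" or role in QUERY_ONLY_ROLES:
        return "query"
    return "manage"


def review(users):
    """users: list of dicts with name, level, role, account ('system'|'vstore')."""
    findings = []
    supers = [u["name"] for u in users if u["level"] == "Super administrator"]
    if len(supers) > MAX_SUPER_ADMINS:
        findings.append(f"more than {MAX_SUPER_ADMINS} super administrators: {supers}")
    for u in users:
        if u["role"] in SYSTEM_ROLES:
            group = "system"
        elif u["role"] in VSTORE_ROLES:
            group = "vstore"
        else:  # not a preset role, so its scope comes from the permission matrix
            findings.append(f"{u['name']}: user-defined role, check the permission matrix")
            continue
        if group != u["account"]:
            findings.append(f"{u['name']}: {group}-group role on a {u['account']} account")
    return findings


# Constructed sample records; only safe_admin_reader appears on the page.
SAMPLE_USERS = [
    {"name": "admin", "level": "Super administrator", "role": "Super administrator", "account": "system"},
    {"name": "safe_admin_reader", "level": "Read-only user", "role": "Security administrator", "account": "system"},
    {"name": "tenant_ops", "level": "Administrator", "role": "vStore administrator", "account": "system"},
    {"name": "lun_auditor", "level": "Administrator", "role": "lun_custom", "account": "system"},
]
```
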
Update Date:2023-12-18
Document ID:EDOC1000181620