No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Enterprise
Worldwide
Huawei Global - English
Search
Support Documentation
OceanStor Dorado 6.0.1 Security Configuration Guide
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Access Control

Access Control

You can use GUI or CLI to access the OceanStor Dorado V6 series storage system and control the access to management and service resources, thereby ensuring security of the storage system and service data.

Management Resource Access Control

  • Accessible IP addresses

    When security restrictions are enabled, only users in the accessible IP address list can access the storage system.

  • User permission control

    To prevent mis-operations from compromising storage system stability and service data security, you can define user roles to control user permissions.

    The storage system provides both built-in and user-defined roles.

    • Built-in roles are preset in the storage system with certain permission, as shown in Table 3-1.
    • User-defined roles allow users to configure the scope of permission as required. For details, see the administrator guide.
    Table 3-1 Built-in roles

    Built-in Role

    Permissions Owned by a Role

    Super administrator

    All permissions

    Administrator

    All permissions except user management, batch configuration and high-risk maintenance operations

    Security administrator

    System security configuration permissions, including management of security rules, certificates, KMC, and data destruction

    SAN resource administrator

    SAN resource management permissions, including management of storage pools, LUNs, mapping views, hosts, ports, and background configuration tasks

    Data protection administrator

    Data protection management permissions, including management of LUNs, local data protection, remote data protection, HyperMetro, and background configuration tasks

    Remote device administrator

    Cross-device data protection management permissions, including management of remote replication, HyperMetro, 3DC, LUNs, and mapping views. This role is used for remote authentication in cross-device data protection scenarios.

    Monitor

    Routine O&M permissions, such as information collection, performance collection, and inspection. This role does not have permission to manage SAN resources, data protection, and security configuration.

    Empty role

    Basic system permissions, including querying information about the system, users, and roles. This role can be queried or used only on the CLI. On the CLI, this role is Empty role. On the DeviceManager, this role is Non-privileged administrator.

The super administrator can lock other users and get these users offline. In some conditions, the super administrator can manually restrict access activities of related accounts. Table 3-2 lists the management operations that can be performed by the super administrator.

Table 3-2 Management operations

Management Operation

Description

Creating

Adds a user and sets its information including the permission, user name, password, and role. Adds local users, LDAP users, and LDAP user groups.

Modifying

Modifies information about a permission-assigned user, such as the user role, password, and description.

Deleting

Deletes a user that no longer needs operation permission, ensuring system security and stability.

Getting a user account offline

Forcibly gets users offline during a device upgrade or troubleshooting to prevent interference from these users. This function is available to the super administrator only.

Locking

Locks a user account to freeze its operation permissions. This function is available to the super administrator only.

Unlocking

Unlocks a user account that has been locked to restore its operation permissions. This function is available to the super administrator only.

Initializing password

If a non-super administrator user forgets the password or the password is maliciously tampered with, the super administrator can reset the password. The initial password is required at the next login.

Changing the password upon the next login

If a non-super administrator account encounters suspected security issues, the super administrator can force the account user to change the password upon the next login. Otherwise, the account user cannot log in to the storage system.

Service Resource Access Control

DeviceManager provides various simple and flexible methods for you to create the following mappings:
  • Mapping between LUNs and a host

    You can directly map one or more LUNs to a host in a simple application scenario or when no LUN groups are required.

  • Mapping between a LUN group and a host

    If an application requires multiple LUNs, you can use a LUN group to manage these LUNs. In this case, create a mapping between the LUN group and the host.

  • Mapping between a LUN group and a host group

    If an application has its data stored on multiple LUNs and is deployed on a cluster consisting of multiple hosts, you can use a LUN group to manage the LUNs and a host group to manage the hosts. In this case, create a mapping between the LUN group and the host group.

Translation
简体中文
Download
Updated: 2021-11-25

Document ID: EDOC1100135786

Views: 13491

Downloads: 131

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :