symauth and symacl questions

Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility.  Questions written to the users' own "Discussions" space don't get the same amount of attention and questions can go unanswered for a long time.

You can do so by selecting "Move" under ACTIONS along the upper-right.  Then search for and select: "Symmetrix Support Forum" which would be the most relevant for this question.

symacl needs to be enable in the BIN and then configure through SE.

The ACL helps to restrict for a server from where you would like to control the array irrelevant of the SYMAUTH.

If auth is configured then those user who got rights can do the administration from the servers configured with symacl.

Only symacl will put or give path to all the users on the system to do storage administration.

Hope the user account is unique to a person.

With the ACL you have to be cautious, if you forgot to add the newly created devices in user defined ACL groups / pools then you may end up troubleshooting.

Its you're choice to decide whether you need only SYMAUTH or both. Cause, I do not see a strong reason to use both.

Hi,

Thank you for you answers.  I will continu working on this soon and will return if i have further questions.

Christian

Hi Mohammed,

Just to confirm, the symacl command is used to give or restrict access to a host, so do i need to be connected on that host in order to run the symacl command for that specific host ?

Thank you,

Christian

In order to run SYMACL commands you need to be connected to any SE host that has privileges to do so. You can create and edit new ACLs for any host from any management host that is permitted to do so. You do need to get the unique identifier of the specific host you would like you to create ACLs for directly from that host though. So if you need to create ACL rule for host B (which is currently not authorized) you would need to first log on to host B and run:

C:\>symacl -unique

The unique id for this host is: 2C5D07AF-54448CC9-9A3B7D7C

This gives you the unique identifier of that host. You would need to then go to another host that is currently authorized, lets say host A to create the ACLs for host B. You can then use host B to run commands allowed by the new ACLs.

Furthermore, by default any client that connects to that host B to issue SYMAPI calls remotely will inherit the ACLs of that server. But it can also be configured in a way for clients to have their own ACLs--this is non-default. Refer the Solutions Enabler guide for more information on that.

You're welcome!

Yes--you can add multiple identifiers to one access group--this is the preferred option in many cases. The mgmt guide talks about this in detail: https://support.emc.com/docu46983_Solutions-Enabler-Symmetrix-Array-Management-CLI--7.6-Product-Guide.pdf?language=en_US

Q: Also, the documentation, mention to enter a PIN when you commit the creation of an ACCGROUP, do you know what this is about ?

A: The pin is created in SYMMWIN by PSE when enabling ACLs. This allows you to make changes to ACLs. We enforce the use of this to make sure ACLs are implemented properly with EMCs supervision/approval.

Q: The customer is also asking if for some reason a bad SYMACL change is done, if it can be simply de-activated, i guess so via EMC support (SYMMWIN) ?

A: You should always make sure a mgmt host is created that has the ability to undo changes that are incorrect or have unintended consequences. But yes, PSE has the ability to correct errors if they are unrecoverable by the customer. But we recommend that ACLs be carefully planned with EMC and the customer so this does not happen. Ensure careful change request procedures are created and followed.

Q: And finaly, can you confirm me that the creation of ACL is done to secure hosts that are using SE only and will not cause interruption for the other hosts that are masked in the environnement ?

A: ACLs will never interrupt normal host I/O in any situation. ACLs only prevent management changes but will never interfere with data access

Hi Cody,

When i'm looking at the "symacl list -v" command, on one of the console Unisphere, i see that now it is not ADMIN (SYMACL is not active in SYMWIN at the moment).  Once it is activated in SYMWIN, i guess that the first ACL to put active would be an ADMIN right for the consoles.  Doing so, i would be able to remove an incorrect ACL from another server, it that correct ?

Thank you,

Christian

Correct. When EMC enables it they will work with you to make sure that you have configured at least one admin host (usually two) and those hosts will be able to remove incorrect ACLs from then on.

Hi Cody,

Thank you for your answer.  I understand it is not quite recommanded to put in place "symauth" and "symacl" at the same time on the same environnement.  Can you tell me if by using "symauth" one can limit a user to only SNAP operations ?

Thank you,

Christian

No only symacl has the granularity to restrict a user to performing snap operations--symauth cannot do this.

What do you mean not recommended together? There are plenty of customers who use both--it might be advisable to implement them one at a time opposed to simultaneously to keep the roll out simpler, but I am not aware of recommendations against using both. If there is please point me to where it says that so I can inquire.

Hi Cody,

Thank you, i sent you an email about that.

Hmm, yesterday, i have tried communicating with EMC support in order to have the symacl activated on symmwin, but the people i talked to told me that with code 5876.251.161, the symacl functionality is active by default.  Are you aware of something like that ?

Thank you,

Christian

Christian,

This would be news to me, just to check I have looked over the latest documentation/release notes and support articles and see no mention of this change. While it is true that ACLs are enabled by default (since late DMX days) a CE still needs to initialize the ACL database and supply the customer-created PIN from the Service Processor.