
March 7th, 2014 11:00

symauth and symacl questions

Hi,

I'm actually working for a customer wishing to secure its VMAX environment so that only those working with the storage environment can actively administer the storage array. The request comes from the fact that anyone logging onto a management console having Solutions Enabler will be able to execute commands on the array.

In order to secure the arrays from non-storage administrators, I have activated "symauth" in the following way:

- I created a Windows Domain account (D:) for each storage administrator in the authentication DB of each VMAX

- I have also created a local account on each console (in case the Windows Domain is not accessible)

--> I have enabled "symauth" in enhanced mode in order to limit access to only the users registered on each VMAX

Can anyone who has used this functionality tell me whether it is the right way to use it?

Also, the customer has an AIX server that will be used to SNAP volumes from the VMAX and wishes to limit its access to only SE TF/SNAP operations. I know I should use the "symacl" command to do so, but am unsure of where to start. I have 3 SE installed in the environment: 2 are installed on management consoles and 1 is on the AIX server.

- On the management consoles (Unisphere), should I leave the base configuration in place (UNKNOWN_GRP)? Or should I add new ACLs and remove the base configuration?

- What ACL configuration should I place on the AIX server?

Thank you,

Christian


April 8th, 2014 10:00

Hi Cody,

OK, it makes sense now: it is not EMC Support or the PSE lab that initialises the DB and creates the PIN, but a CE. That is different. I was not talking to the right person.

Once the CE has done its job, will I be able to assign full rights on the management servers having SE? As of now they're not ADMIN.

Please see below the output of the symacl list -v command:

Access Control         : N/A
Session Locked         : N/A
Time Held in Seconds   : 0
Lock Identifier        : N/A

Time Enabled           : N/A
Time Disabled          : N/A
Time Updated           : N/A

ADMIN priv             : No
ADMINRD priv           : No

Lastly, I have two VMAXs, so do both need to have symacl activated if I want the management servers to manage both of them?

Thank you again for the input you would be able to give me.

Christian


April 8th, 2014 11:00

When the CE initializes ACLs on the array they will also ask you for a mgmt host to configure in the system to allow for management. You will then be able to do what you want from that management host.

An SE instance can manage multiple arrays with ACLs on none, some or all of them. For every array (that has ACLs enabled) that you want a given SE host to manage, you will need to give it specific ACLs on those given arrays.
