To give a more descriptive answer: we do have role-based users, but they are very limited. There is Tech, Admin, Configuration, and Read-Only. Read-Only is just as it sounds, and Tech is for support. Admin and Configuration have few differences between the two. Basically, Configuration allows you to provision storage, whereas Admin allows you to connect hosts and use other advanced options. With what you are describing above, this doesn't have the limitations you are looking for. Let me know if you would like to have an enhancement request submitted for this. I see value in having this ability. Let me know if there are any other specific roles that you would like to give/restrict access to.
- Chris P
Thanks, Chris. Just to reiterate what you said: we would be very interested in understanding what customers would want to be able to do with role-based access control.
We have a similar requirement:
For an application on XIO volumes we want to create application-consistent snapshots. For this we will need to run a small workflow:
- start hotbackup mode for the application
- run xms command to create a snapshot for the consistency group
- end hotbackup mode
The simplest would be to run the "create snapshot" command from the host also running the application.
Now this will require having an account/password (or key) stored on this host. As this account must have administrative privileges not restricted to this CG only, anybody able to read this script can connect to XMS and perform any command. 😞
Can you create a new user in the XMS (either plaintext password or public key; see: https://support.emc.com/kb/336153) and then encrypt the password and have your script call it? I have seen others do this for the same reason you mention above.
Not sure how this should help. The password/key must still be on the host running the application. Encrypting it may make it a little bit harder to get the password in clear text, but you can still do so by reading the script and running the command to decrypt it.