Users gain access to a storage system or component directly through a role assignment or indirectly through membership in a user group that has a role assignment.
The Role Based Access Control (RBAC) feature provides a method for restricting the management operations that individual users or groups of users may perform on storage systems.
The following diagram outlines the role hierarchy.
Roles are assigned as part of the user creation process.
The following tables detail the permissions that are associated with each role in Unisphere.
NOTE: The Unisphere Initial Setup User has all permissions on a storage system until an Administrator or SecurityAdmin is added to the storage system.
The roles (and the acronyms that are used for the roles) in these tables are:
None—Provides no permissions.
Monitor (MO)—Performs read-only (passive) operations on a storage system excluding the ability to read the audit log or access control definitions.
StorageAdmin (SA)—Performs all management (active or control) operations on a storage system and modifies GNS group definitions in addition to all Monitor operations.
Administrator (AD)—Performs all operations on a storage system, including security operations, in addition to all StorageAdmin and Monitor operations.
SecurityAdmin (SecA)—Performs security operations on a storage system, in addition to all Monitor operations.
Auditor (AUD)—Grants the ability to view, but not modify, security settings for a storage system (including reading the audit log, symacl list, and symauth) in addition to all Monitor operations. It is the minimum role that is required to view the storage system audit log.
Performance Monitor (PM)—Includes Monitor role permissions and grants additional privileges within the performance component of the Unisphere application to set up various alerts and update thresholds to monitor storage system performance.
Local Replication—Performs local replication operations (SnapVX or legacy Snapshot, Clone, BCV). To create Secure SnapVX snapshots a user must have Storage Admin rights at the storage system level. This role also automatically includes Monitor rights.
Remote Replication—Performs remote replication (SRDF) operations involving devices and pairs. Users can create, operate upon or delete SRDF device pairs but cannot create, modify, or delete SRDF groups. This role also automatically includes Monitor rights.
Device Management—Grants user rights to perform control and configuration operations on devices. This role also automatically includes Monitor rights.
NOTE: Storage Admin rights are required to create, expand, or delete devices.
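The role descriptions above form a small inheritance hierarchy (every replication, performance and device role folds in Monitor, StorageAdmin folds in Monitor, Administrator folds in StorageAdmin plus security operations), and a user's effective rights are the union of direct assignments and group assignments. The following is an added example that models that hierarchy so an administrator can answer "who can actually read the audit log?" or "who can change security settings?" before granting a role. It is not Dell's or Unisphere's own code: the role names and inclusion rules are taken from the text, while the permission labels, function names, data layout and the sample users and groups are constructed for the example. One modelling assumption is that Administrator, described as performing "all operations", includes every other role.

```python
"""Illustrative model of the Unisphere role hierarchy described in the text.

Added example code, not Dell's or Unisphere's own implementation.
Role names and "also includes Monitor" rules come from the text; the
permission labels, data layout and sample directory are constructed.
"""
from typing import Dict, Set

# Roles each role implicitly includes, per the role descriptions.
# Assumption: Administrator ("all operations") includes every other role.
ROLE_INCLUDES: Dict[str, Set[str]] = {
    "None": set(),
    "Monitor": set(),
    "StorageAdmin": {"Monitor"},
    "SecurityAdmin": {"Monitor"},
    "Auditor": {"Monitor"},
    "PerformanceMonitor": {"Monitor"},
    "LocalReplication": {"Monitor"},
    "RemoteReplication": {"Monitor"},
    "DeviceManagement": {"Monitor"},
    "Administrator": {"StorageAdmin", "SecurityAdmin", "Auditor",
                      "PerformanceMonitor", "LocalReplication",
                      "RemoteReplication", "DeviceManagement"},
}

# Permissions granted directly by each role (constructed labels that
# summarise the text; inclusion is resolved separately by expand_roles).
ROLE_GRANTS: Dict[str, Set[str]] = {
    "None": set(),
    "Monitor": {"read_passive"},                      # excludes audit log / ACL defs
    "StorageAdmin": {"manage_storage", "modify_gns_groups",
                     "create_expand_delete_devices", "create_secure_snapvx"},
    "SecurityAdmin": {"security_operations"},
    "Administrator": {"security_operations"},
    "Auditor": {"read_audit_log", "read_access_control_definitions"},
    "PerformanceMonitor": {"set_performance_alerts"},
    "LocalReplication": {"local_replication"},
    "RemoteReplication": {"operate_srdf_pairs"},      # not SRDF group create/delete
    "DeviceManagement": {"device_control_and_config"},
}


def expand_roles(roles: Set[str]) -> Set[str]:
    """Transitive closure of role inclusion (e.g. StorageAdmin -> Monitor)."""
    result: Set[str] = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        if role not in ROLE_INCLUDES:
            raise ValueError(f"unknown role: {role}")
        result.add(role)
        stack.extend(ROLE_INCLUDES[role])
    return result


def effective_roles(user: str, user_roles: Dict[str, Set[str]],
                    group_members: Dict[str, Set[str]],
                    group_roles: Dict[str, Set[str]]) -> Set[str]:
    """Roles held directly plus roles inherited from every group the user is in."""
    direct = set(user_roles.get(user, set()))
    inherited: Set[str] = set()
    for group, members in group_members.items():
        if user in members:
            inherited |= group_roles.get(group, set())
    return expand_roles(direct | inherited)


def effective_permissions(user, user_roles, group_members, group_roles) -> Set[str]:
    """Union of the grants of all effective roles."""
    perms: Set[str] = set()
    for role in effective_roles(user, user_roles, group_members, group_roles):
        perms |= ROLE_GRANTS[role]
    return perms


def can(user, permission, user_roles, group_members, group_roles) -> bool:
    return permission in effective_permissions(user, user_roles, group_members, group_roles)


def holders_of(permission, user_roles, group_members, group_roles) -> Set[str]:
    """Every user who ends up with a permission; handy for a least-privilege review."""
    users = set(user_roles) | {u for m in group_members.values() for u in m}
    return {u for u in users if can(u, permission, user_roles, group_members, group_roles)}


# Constructed sample directory: alice is StorageAdmin directly and SecurityAdmin
# via the sec-ops group; bob is an Auditor; carol has no direct role at all.
USER_ROLES = {"alice": {"StorageAdmin"}, "bob": {"Auditor"},
              "carol": set(), "dave": {"Administrator"}}
GROUP_MEMBERS = {"perf-team": {"carol", "bob"}, "sec-ops": {"alice"}}
GROUP_ROLES = {"perf-team": {"PerformanceMonitor"}, "sec-ops": {"SecurityAdmin"}}

if __name__ == "__main__":
    for u in sorted(set(USER_ROLES) | {x for m in GROUP_MEMBERS.values() for x in m}):
        print(u, sorted(effective_roles(u, USER_ROLES, GROUP_MEMBERS, GROUP_ROLES)))
    print("can read audit log:",
          sorted(holders_of("read_audit_log", USER_ROLES, GROUP_MEMBERS, GROUP_ROLES)))
    print("can change security settings:",
          sorted(holders_of("security_operations", USER_ROLES, GROUP_MEMBERS, GROUP_ROLES)))
```

Two points the sample directory brings out: alice holds StorageAdmin and SecurityAdmin but still cannot read the audit log, because neither role includes Auditor, and carol has no direct assignment yet ends up with Monitor and Performance Monitor rights purely through group membership, which is exactly the indirect path the first sentence of this section describes.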