Access Control

In this topic:

About Access Control

Role-based authorization

Creating custom roles

Adding or removing privileges from custom roles

Deleting custom roles

Ownership-based authorization

Assigning or removing ownership of virtual disks

Also see:

Registering Users and Assigning Roles for assigning and removing roles for users

About Access Control

The Access Control feature includes role and ownership based authorization which provides refined user controls for the software. Access control allows administrators to fine-tune control and distribute management responsibilities among registered users based on the assignment of roles and virtual disk ownership.

The operations that a user can perform in consoles or cmdlets is always limited by the role assigned to the user. Ownership of a virtual disk further limits access to specific virtual disks in the server group.

Definitions

  • A privilege allows a single operation or action, for example creating a virtual disk. Privileges are grouped by common properties. For example, virtual disk privileges is a privilege group that controls various operations on virtual disks. A description of the actions allowed for each privilege group is provided in the Create Role dialog box when roles are created.
  • A role allows software access based on the privilege groups that are selected in a role. Roles are assigned per user. Roles determine what action users can perform. See Role-based Authorization for more information.
  • Ownership determines the objects on which a user can perform operations. Ownership currently applies to virtual disks as well as the associated snapshots and rollbacks (also virtual disks). See Ownership-based Authorization for more information.
  • An object is an entity in the server group, such as server, virtual disk, pool, physical disk, port and so on.

Role-based Authorization

User accounts are assigned roles that define privilege groups granted to the user. Roles determine the operations that the user is allowed to execute in the software. A role can be assigned to one or more users, and more than one role can be assigned to the same user.

The Administrator is a predefined registered user in SANsymphony software. The Administrator has authority to perform all actions in SANsymphony, which include registering SANsymphony users, creating roles, and assigning roles to users. The Administrator is also the owner of all objects in SANsymphony.

The Administrator creates custom roles by selecting a custom subset of privilege groups from the entire list of privilege groups. Roles can also be created that allow users to perform actions granted to Administrators, so that the Administrator may off-load administrator-type duties, such as registering users, creating roles, and assigning object ownership.

Predefined Roles

There are three predefined roles:

  • Full Privileges - Users are granted full privileges in using this software, although virtual disk action are further limited by ownership. In order to perform actions on a specific virtual disk that has owners, that user must be among the owners of the virtual disk, see Ownership-based Authorization for more information.
  • View - Users may only view information in the SANsymphony Management Console and cannot make any changes to the configuration.
  • VVol Managers - VVol Managers are granted permission to perform actions on VVOLs and protocol endpoints in the DataCore VASA Provider. This role is applied to the VASA Provider and should only be assigned to users that login to this software from the VASA Provider. Only users with this role will be able to perform actions on VVOLs and protocol endpoints.
  • Predefined roles (Full Privileges, View, VVol Managers) cannot be changed or deleted. Custom roles cannot be deleted while assigned to users.
  • The default role for a user is Full Privileges with full privileges if no other role is selected when the user is registered. Registering users without assigning roles will result in those users having full privileges in the software. To limit access, assign roles with only the required privileges.
  • The roles assigned to a user can be viewed in the User Details page under the Roles tab. Privileges associated with the roles assigned to the user can be viewed in the User Details page under the Privileges tab.
  • The privilege groups included in a role can be viewed in the Role Details page. To open the details page, right-click the role in the Roles List and click View Details.
  • Special notes on required privilege groups when performing certain actions:
    • Modifying host group name or description requires the following privilege groups: Host Group, DataCore Server, and Host.
    • Creating pass-through virtual disks requires the following privilege groups: Physical Disk and Virtual Disk.
    • Setting the location for the replication buffer requires the DataCore Server privilege group.
    • Setting System Health Thresholds requires the System Health Monitor privilege group.
    • Deleting snapshot or rollbacks requires the Virtual Disk privilege group.
  • The View Information privilege is automatically added to all custom roles.

Creating Custom Roles

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.

    (Alternatively, the action can be initiated from the Create Role link in the Roles List, which is opened by clicking Roles in the Ribbon.)

  2. Click Create Role to open the Create Role dialog box.
  3. Enter the role name and description at the top of the page.
  4. In the list, select the appropriate check boxes to assign privilege sets to the role. Privilege sets are grouped by common properties. Descriptions of the privileges within each set is listed under the Description column.
  5. Click Create. A details page is created for the role and the role is added to the list of roles in the Roles tab.

Adding or Removing Privileges from Custom Roles

Predefined roles cannot be edited at any time.

To edit an existing role:

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.
  2. Double-click on the role to edit.

    (Alternatively, right-click on the role and select View Details.)

  3. in the Role Details page, click Edit.
  4. Select or clear check boxes as appropriate to add or remove privileges.
  5. Click Done.

Deleting Custom Roles

Roles cannot be deleted when assigned to users. Predefined roles cannot be deleted.

To delete a role:

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.
  2. In the Roles List, right-click on the role to delete and select Delete Role.

Ownership-based Authorization

Ownership-based authorization allows virtual disk operations to be performed exclusively by the owners of those virtual disks and restricts actions by all other users. The Administrator owns all objects in the server group and therefore cannot be excluded from ownership under any circumstances.

Ownership-based authorization can be used to grant management of specific virtual disks to users with the required knowledge to perform operations on those virtual disks and lessens the possibility of unintentional modifications by non-qualified users.

An object can have:

  • No owner - lack of specific ownership implies ownership by all users, in which case actions on those virtual disks are controlled by role privileges. Virtual disks without specific user ownership can have operations performed on them by all users with virtual disk privileges, including all users with the Owners role.
  • One owner - restricts control of the object to a single owner with exclusive ownership, regardless of whether other users have the same role. Exclusive ownership can be assigned to the creator when the virtual disk is created. In this case, users with the same role as the creator are not granted ownership of the object.
  • Multiple owners - ownership of a virtual disk can be assigned to multiple owners. In this case, those owners must have virtual disk privileges in an assigned role in order to perform operations on the virtual disk. Access can be very refined. For example, one owner may have the privilege to create a snapshot of a virtual disk, but not have the ability to serve or unserve the same virtual disk. Privilege sets define the operations that can be performed. For instance, in order for an owner to perform snapshot, rollback, or replication operations, they would require those privilege sets in an assigned role.
  • When a virtual disk is owned by users and ownership is later removed, the ability to perform actions on that virtual disk will revert to all users with virtual disk privileges.
  • Snapshots and rollbacks are created without an owner. Ownership of snapshots and rollbacks are currently not inherited by the creator and must be specifically assigned by the Administrator or a user with the privilege of assigning ownership. The user performing a Revert operation must be an owner of the source virtual disk as well as have the Snapshot or Rollback privilege set.
  • Ownership-based authorization also extends to virtual disk group operations. Ensure that a user has authorization to perform operation on all members of the virtual disk group; otherwise some operations will fail.
  • Ownership of VVOL virtual disks in use by the VASA Provider is automatically assigned to users with the VVol Manager role. This prevents users from inadvertently modifying VVOL virtual disks in the console.
  • Ownership-based authorization does not apply to VSS users so that the backup process will always succeed.
  • Ownership of a virtual disk can be viewed in the Virtual Disk Details page under the Owned By tab.
  • The ownership of virtual disks (including rollbacks and snapshots) assigned to a user can be viewed in the User Details page under the Owns tab.

Assigning Ownership of Virtual Disks

Ownership can be assigned when a virtual disk is created or after in the User Details page.

  • In the Create Virtual Disk wizard, the Assign ownership to me check box restricts ownership to the creator of the virtual disk exclusively. Once this assignment is set, no other user, regardless of privileges, can perform operations on the virtual disk*. This restriction is regardless of privileges, unless ownership is later expanded to additional users. In order to select the check box, the user must have the privilege to create a virtual disk. The creator does not require the Assign Identifiable privilege to assign ownership of an object. During creation of the virtual disk is the only time that a user without the privilege of assigning ownership can assign him or herself ownership. Furthermore, not selecting the check box allows all users with the required privilege to perform operations on the object. See Creating Virtual Disks for instructions.

    * An exception is the Administrator, who is the owner of all objects in SANsymphony.

  • In the User Details page or directly from the Users List, virtual disk ownership can be assigned by the Administrator or users with the privilege to assign ownership.

To assign ownership in the User Details page:

  1. Open the User Details page for the user that you are granting ownership to.
    (The User Details page can be opened from the Users List under Security in the Home tab of the Ribbon.)
  2. In the Owns tab, click the Assign Virtual Disk link.
  3. In Assign Virtual Disk form, select a virtual disk in the list and click Assign.

Removing Ownership of Virtual Disks

  1. Open the User Details page for the user that you are granting ownership to.
  2. In the Owns tab, right-click on the virtual disk to delete and select Unassign Virtual Disk.