Managing Users and Roles

Overview

The Users section explains how to manage access to the SANsymphony software by registering users, assigning roles, and configuring user-level privileges. Using built-in and custom roles, administrators can enforce operational boundaries and assign responsibilities based on job function. Role- and ownership-based access control ensures secure and appropriate usage of resources within the server group.

Registering Users and Assigning Roles

Software users must be registered and assigned roles in order to gain access to this software. Before a user can connect to a server in a server group, that user must be registered as a user in the DataCore Management Console. The role assigned to the user determines the privilege level.

The Administrator account is added by default as a user when the software is installed. This allows a user to access the DataCore Management Console immediately after installation in order to register other users.

Credentials and User Names

  • Windows operating system credentials are used to authenticate registered users when connecting to a server in a server group. Credentials can be domain-wide or local (workgroup).
    • This software assumes domain authentication if the machine is a member of a domain. If the user requires local authentication, credentials should be specified as "machinename\username".
    • If the machine is not a member of a domain, then local authentication is assumed. If the user requires domain authentication, credentials should be specified as "domainname\username".
    • Domain credentials should be added to the Administrator group or other groups with administrator privileges.
    • In order to perform maintenance of the software, such as software upgrades, the user account should have installation and administrator privileges.
  • The same Windows user accounts and passwords should exist on all servers in the server group. If connecting to remote server groups, the same user accounts and passwords must exist on all servers in both local and remote groups. See Connecting to a Server Group and Name Resolution for important information.
  • User names registered in this software must be identical to the Windows account created for that user. If connecting to remote server groups, users should be registered in both local and remote server groups.
    • When the account is a domain account, register the user name as "domainname\username".
    • When the account is a local account, register just the user name.

User Roles

There are three predefined roles:

  • Full Privileges - Users are granted full privileges in using DataCore SANsymphony software. These users should have administrator privileges.
  • View - Users may only view information in the DataCore Management Console and cannot make any changes to the configuration.
  • VVol Managers - VVol Managers are granted permission to perform actions on VVOLs and protocol endpoints in the DataCore VASA Provider. This role is applied to the DataCore VASA Provider and should only be assigned to users that log in to this software from the VASA Provider. Only users with this role will be able to perform actions on VVOLs and protocol endpoints.

Predefined roles cannot be edited or deleted. Also see Access Control for creating, editing, and deleting custom roles.

Registering Users and Assigning Roles

A user can have multiple roles assigned.

To register a new user and assign a role:

  1. Click the Register User link to open the Register User page.

  2. Enter user information:

    1. Name of the user. The user name must match the user account name in the Windows® operating system. (If credentials are domain-wide, include the domain with the name, for example: DOMAIN\username.)
    2. Email address. Email notifications can be sent to users when events occur, such as when pool thresholds have been reached or warnings are received from the System Health Tool. See Automated Tasks. (This step is optional and can be added later.)
    3. User description, if desired.
  3. In the list, click the required roles and click Register. A details page will be created for the user. The User Details page contains the roles and privileges assigned to the user, as well as the virtual disks owned by the user and the event log for the user.

After the user is registered, a User Details page is created for the user and the user is added to the Users list.

Assigning or Unassigning Roles for Registered Users

To assign a role to an existing user:

  1. In the Ribbon>Home tab, click Users to open the Users list.
  2. In the Users list, right-click on the name and select Assign Role.

    (Alternatively, roles can be assigned by clicking Assign Role from the Ribbon>User Actions tab when the User Details page is open in the workspace.)

  3. In the list, select the role to add and click Assign. The role is added.

To unassign a role:

  1. In the Ribbon>Home tab, click Users to open the Users list.
  2. In the Users list, right-click on the name and select Unassign Role.
  3. In the list, select the role to remove. The role will be removed.

Deleting Users

When a user is deleted, the user can no longer log in to the DataCore Management Console.

To delete a user:

  1. In the Ribbon>Home tab, click Users to open the Users list.
  2. From the list, select one or more users to delete, then right-click and select Delete.
  3. You will receive a message to confirm deletion. Click Yes to continue. The user is deleted.

Adding or Changing User Email Addresses

Email notifications can be sent to users if an email address is entered.

In order to change the Administrator email address, the Administrator must be logged in to the console.

To add or change a user's email address:

  1. In the Ribbon>Home tab, click Users to open the Users list.
  2. In the Users list, double-click on a name in the list to open the User Details page for the user.
  3. At the top of the page, click Edit.
  4. In the Email address field, enter or change the email address and click Done.

Access Control

The Access Control feature includes role- and ownership-based authorization, which provides refined user controls for the software. Access control allows administrators to fine-tune control and distribute management responsibilities among registered users based on the assignment of roles and virtual disk ownership.

The operations that a user can perform in consoles or cmdlets are always limited by the role assigned to the user. Ownership of a virtual disk further limits access to specific virtual disks in the server group.

Definitions

  • A privilege allows a single operation or action, for example creating a virtual disk. Privileges are grouped by common properties. For example, Virtual Disk is a privilege group that controls various operations on virtual disks. A description of the actions allowed for each privilege group is provided in the Create Role dialog box when roles are created.
  • A role allows software access based on the privilege groups that are selected in the role. Roles are assigned per user. Roles determine what actions users can perform. See Role-based Authorization for more information.
  • Ownership determines the objects on which a user can perform operations. Ownership currently applies to virtual disks as well as the associated snapshots and rollbacks (also virtual disks). See Ownership-based Authorization for more information.
  • An object is an entity in the server group, such as server, virtual disk, pool, physical disk, port and so on.

Role-based Authorization

User accounts are assigned roles that define privilege groups granted to the user. Roles determine the operations that the user is allowed to execute in the software. A role can be assigned to one or more users, and more than one role can be assigned to the same user.

The Administrator is a predefined registered user in DataCore SANsymphony software. The Administrator has authority to perform all actions in DataCore SANsymphony, which include registering DataCore SANsymphony users, creating roles, and assigning roles to users. The Administrator is also the owner of all objects in DataCore SANsymphony.

The Administrator creates custom roles by selecting a subset of privilege groups from the entire list of privilege groups. Roles can also be created that allow users to perform actions granted to Administrators, so that the Administrator may offload administrator-type duties, such as registering users, creating roles, and assigning object ownership.

Predefined Roles

There are three predefined roles:

  • Full Privileges - Users are granted full privileges in using this software, although virtual disk actions are further limited by ownership. In order to perform actions on a specific virtual disk that has owners, the user must be among the owners of the virtual disk; see Ownership-based Authorization for more information.
  • View - Users may only view information in the DataCore Management Console and cannot make any changes to the configuration.
  • VVol Managers - VVol Managers are granted permission to perform actions on VVOLs and protocol endpoints in the DataCore VASA Provider. This role is applied to the DataCore VASA Provider and should only be assigned to users that log in to this software from the VASA Provider. Only users with this role will be able to perform actions on VVOLs and protocol endpoints.
  • Predefined roles (Full Privileges, View, VVol Managers) cannot be changed or deleted. Custom roles cannot be deleted while assigned to users.
  • If no role is selected when a user is registered, the default role is Full Privileges. Registering users without assigning roles therefore gives those users full privileges in the software. To limit access, assign roles with only the required privileges.
  • The roles assigned to a user can be viewed in the User Details page under the Roles tab. Privileges associated with the roles assigned to the user can be viewed in the User Details page under the Privileges tab.
  • The privilege groups included in a role can be viewed in the Role Details page. To open the details page, right-click the role in the Roles List and click View Details.
  • Special notes on required privilege groups when performing certain actions:
    • Modifying host group name or description requires the following privilege groups: Host Group, DataCore Server, and Host.
    • Creating pass-through virtual disks requires the following privilege groups: Physical Disk and Virtual Disk.
    • Setting the location for the replication buffer requires the DataCore Server privilege group.
    • Setting System Health Thresholds requires the System Health Monitor privilege group.
    • Deleting snapshot or rollbacks requires the Virtual Disk privilege group.
  • The View Information privilege is automatically added to all custom roles.

Creating Custom Roles

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.

    (Alternatively, the action can be initiated from the Create Role link in the Roles List, which is opened by clicking Roles in the Ribbon.)

  2. Click Create Role to open the Create Role dialog box.
  3. Enter the role name and description at the top of the page.
  4. In the list, select the appropriate check boxes to assign privilege sets to the role. Privilege sets are grouped by common properties. Descriptions of the privileges within each set are listed under the Description column.
  5. Click Create. A details page is created for the role and the role is added to the list of roles in the Roles tab.

Adding or Removing Privileges from Custom Roles

Predefined roles cannot be edited at any time.

To edit an existing role:

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.
  2. Double-click on the role to edit.

    (Alternatively, right-click on the role and select View Details.)

  3. In the Role Details page, click Edit.
  4. Select or clear check boxes as appropriate to add or remove privileges.
  5. Click Done.

Deleting Custom Roles

Roles cannot be deleted when assigned to users. Predefined roles cannot be deleted.

To delete a role:

  1. In the Ribbon>Home tab, click Roles in the Security area to open the Roles tab.
  2. In the Roles List, right-click on the role to delete and select Delete Role.

Ownership-based Authorization

Ownership-based authorization allows virtual disk operations to be performed exclusively by the owners of those virtual disks and restricts actions by all other users. The Administrator owns all objects in the server group and therefore cannot be excluded from ownership under any circumstances.

Ownership-based authorization can be used to grant management of specific virtual disks to users with the required knowledge to perform operations on those virtual disks and lessens the possibility of unintentional modifications by non-qualified users.

An object can have:

  • No owner - lack of specific ownership implies ownership by all users, in which case actions on those virtual disks are controlled by role privileges. Virtual disks without specific user ownership can have operations performed on them by all users with virtual disk privileges, including all users with the Owners role.
  • One owner - restricts control of the object to a single owner with exclusive ownership, regardless of whether other users have the same role. Exclusive ownership can be assigned to the creator when the virtual disk is created. In this case, users with the same role as the creator are not granted ownership of the object.
  • Multiple owners - ownership of a virtual disk can be assigned to multiple owners. In this case, those owners must have virtual disk privileges in an assigned role in order to perform operations on the virtual disk. Access can be very refined. For example, one owner may have the privilege to create a snapshot of a virtual disk, but not have the ability to serve or unserve the same virtual disk. Privilege sets define the operations that can be performed. For instance, in order for an owner to perform snapshot, rollback, or replication operations, they would require those privilege sets in an assigned role.
  • When a virtual disk is owned by users and ownership is later removed, the ability to perform actions on that virtual disk will revert to all users with virtual disk privileges.
  • Snapshots and rollbacks are created without an owner. Ownership of snapshots and rollbacks is currently not inherited by the creator and must be specifically assigned by the Administrator or a user with the privilege of assigning ownership. The user performing a Revert operation must be an owner of the source virtual disk as well as have the Snapshot or Rollback privilege set.
  • Ownership-based authorization also extends to virtual disk group operations. Ensure that a user has authorization to perform the operation on all members of the virtual disk group; otherwise some operations will fail.
  • Ownership of VVOL virtual disks in use by the DataCore VASA Provider is automatically assigned to users with the VVol Manager role. This prevents users from inadvertently modifying VVOL virtual disks in the console.
  • Ownership-based authorization does not apply to VSS users so that the backup process will always succeed.
  • Ownership of a virtual disk can be viewed in the Virtual Disk Details page under the Owned By tab.
  • The ownership of virtual disks (including rollbacks and snapshots) assigned to a user can be viewed in the User Details page under the Owns tab.
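The role check from Role-based Authorization and the ownership rules listed above combine into a single authorization decision per operation. The Python model below is an added example, not DataCore's code: the privilege-group names are those this page lists, while the class names, the custom role, and the sample users and disks are constructed.

```python
# Model of the role-plus-ownership authorization this page describes. Illustrative
# reconstruction, not DataCore code; privilege-group names are the page's, the rest
# (class names, sample users and disks) is constructed.
from dataclasses import dataclass, field

ADMIN = "Administrator"    # predefined user: owns every object, holds every privilege
VIEW = "View Information"  # automatically added to every custom role
FULL = frozenset({VIEW, "Virtual Disk", "Physical Disk", "Host", "Host Group",
                  "DataCore Server", "Snapshot", "Rollback", "Replication",
                  "System Health Monitor"})  # privilege groups named on the page

def custom_role(*groups: str) -> frozenset:
    """A custom role is any subset of privilege groups plus View Information."""
    return frozenset(groups) | {VIEW}

ROLES = {"Full Privileges": FULL, "View": frozenset({VIEW}),  # predefined (read-only)
         "Snapshot Operator": custom_role("Snapshot")}        # constructed custom role

REQUIRED = {  # privilege groups per operation; multi-group rows are the page's notes
    "modify host group": {"Host Group", "DataCore Server", "Host"},
    "create pass-through virtual disk": {"Physical Disk", "Virtual Disk"},
    "delete snapshot": {"Virtual Disk"},
    "create snapshot": {"Snapshot"},
    "serve virtual disk": {"Virtual Disk"},
}

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)  # role names; empty = none assigned
    is_vss: bool = False                       # VSS backup users skip ownership checks

    def privileges(self) -> frozenset:
        # Registering a user with no role silently grants Full Privileges (page caveat).
        return frozenset().union(*(ROLES[n] for n in (self.roles or ["Full Privileges"])))

@dataclass
class VirtualDisk:
    name: str
    owners: frozenset = frozenset()  # no owner: open to all users with the privilege

def is_owner(user: User, disk: VirtualDisk) -> bool:
    return (user.name == ADMIN or user.is_vss
            or not disk.owners or user.name in disk.owners)

def authorize(user: User, operation: str, disks: list) -> bool:
    """Role gates the operation, ownership gates each disk touched; a virtual disk
    group operation needs ownership of every member or it fails."""
    if not REQUIRED[operation] <= user.privileges():
        return False
    return all(is_owner(user, d) for d in disks)

if __name__ == "__main__":  # alice exclusively owns vd1 (constructed sample)
    vd1, alice = VirtualDisk("vd1", frozenset({"alice"})), User("alice", ["Snapshot Operator"])
    print(authorize(alice, "create snapshot", [vd1]))     # True
    print(authorize(alice, "serve virtual disk", [vd1]))  # False: role lacks Virtual Disk
    print(authorize(User("bob", ["Full Privileges"]), "serve virtual disk", [vd1]))  # False
```

The last case is the one worth remembering when auditing a server group: Full Privileges does not override exclusive ownership, only the Administrator and VSS users bypass it.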

Assigning Ownership of Virtual Disks

Ownership can be assigned when a virtual disk is created or afterwards in the User Details page.

  • In the Create Virtual Disk wizard, the Assign ownership to me check box restricts ownership to the creator of the virtual disk exclusively. Once this assignment is set, no other user, regardless of privileges, can perform operations on the virtual disk*, unless ownership is later expanded to additional users. In order to select the check box, the user must have the privilege to create a virtual disk. The creator does not require the Assign Identifiable privilege to do this; creation of the virtual disk is the only time that a user without the privilege of assigning ownership can assign ownership to him or herself. Not selecting the check box allows all users with the required privilege to perform operations on the object. See Creating Virtual Disks for instructions.

    * An exception is the Administrator, who is the owner of all objects in DataCore SANsymphony.

  • In the User Details page or directly from the Users List, virtual disk ownership can be assigned by the Administrator or users with the privilege to assign ownership.

To assign ownership in the User Details page:

  1. Open the User Details page for the user that you are granting ownership to.
    (The User Details page can be opened from the Users List under Security in the Home tab of the Ribbon.)
  2. In the Owns tab, click the Assign Virtual Disk link.
  3. In Assign Virtual Disk form, select a virtual disk in the list and click Assign.

Removing Ownership of Virtual Disks

  1. Open the User Details page for the user whose ownership is being removed.
  2. In the Owns tab, right-click on the virtual disk to unassign and select Unassign Virtual Disk.

User Details and List

User information is displayed in the Users List and the User Details page. The Users List contains general information for all registered DataCore SANsymphony users. Each user has a User Details page which lists information that is specific to that user.

Users List

The Users list provides basic information for every registered DataCore SANsymphony user in one list. Information includes name, description, the roles assigned when the user was registered, and the email address.

Actions can be performed by right-clicking a user in the list and selecting the operation from the context menu. There is also a link on the page to register a user.

To open the list:

  • In the Ribbon>Home tab, click Users.

In the Users list, double-click a user to open the User Details page for that user.

User Details Page

Each user has a details page with information that is specific to the user and is opened from the Users list.

User name, email address and description can be changed at the top of the page by clicking Edit. When changes are made, click Done.

To open the user details page:

  • In the Ribbon>Home tab, click Users to open the Users list.
  • In the Users list, double-click a name to open the User Details page for the user. Information is organized under the tabs described under User Details Tabs below.

When the User Details page is active, the User Actions tab appears in the Ribbon to perform actions on the user.

User Details Tabs

  • Roles tab - Lists the roles that the user was assigned when registered. Roles can be assigned or unassigned by right-clicking on the entry and selecting from the menu. See Registering Users and Assigning Roles and Access Control.
  • Privileges tab - Lists the specific user privileges for the assigned roles.
  • Owns tab - Lists the virtual disks owned by the user. Only owners have the privilege to perform operations on the virtual disks. See Access Control.
  • Events tab - Lists events for the selected user. Click an event in the list to view details in the Message Text area at the bottom of the tab. See Event Log and Alerts.