SANtricity 11 Manuals (CA08872-010)

What do I need to know about mapping to storage system roles?

Before mapping groups to roles, review the following guidelines.

The storage system’s embedded RBAC (role-based access control) capabilities include the following roles:

  • Storage admin
    Full read/write access to the storage objects (for example, volumes and pools), but no access to the security configuration.

  • Security admin
    Access to the security configuration in Access Management, certificate management, audit log management, and the ability to turn the legacy management interface (SYMbol) on or off.

  • Support admin
    Access to all hardware resources on the storage system, failure data, MEL events, and controller firmware upgrades. No access to storage objects or the security configuration.

  • Monitor
    Read-only access to all storage objects, but no access to the security configuration.

Directory Services

If you are using an LDAP (Lightweight Directory Access Protocol) server and Directory Services, make sure that:

  • An administrator has defined user groups in the directory service.

  • You know the group domain names for the LDAP user groups. Regular expressions are supported. These special regular expression characters must be escaped with a backslash (\) if they are not part of a regular expression pattern:

    \.[]{}()<>*+-=!?^$|

  • The Monitor role is required for all users, including the administrator. SANtricity System Manager will not operate correctly for any user without the Monitor role present.

SAML

If you are using the Security Assertion Markup Language (SAML) capabilities embedded in the storage system, make sure that:

  • An Identity Provider (IdP) administrator has configured user attributes and group membership in the IdP system.

  • You know the group membership names.

  • You know the attribute value for the group to be mapped. Regular expressions are supported. These special regular expression characters must be escaped with a backslash (\) if they are not part of a regular expression pattern:

    \.[]{}()<>*+-=!?^$|

  • The Monitor role is required for all users, including the administrator. SANtricity System Manager will not operate correctly for any user without the Monitor role present.
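The escaping rule in the Directory Services and SAML lists above, and the Monitor requirement, can be checked before mappings are entered. The following is an added example, not code from the SANtricity product or manual: it assumes Python's `re` module as a stand-in for the storage system's matcher, assumes the whole group name must match, and uses constructed group names and users.

```python
import re

# Characters the page lists as needing a backslash when meant literally.
SPECIAL = set(r"\.[]{}()<>*+-=!?^$|")

def escape_literal(value):
    """Backslash-escape every listed character so the value matches only itself."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def roles_for(groups, mappings):
    """Roles whose pattern matches one of the user's groups.
    Assumption: the whole group name must match (re.fullmatch)."""
    return {role for pattern, role in mappings
            if any(re.fullmatch(pattern, g) for g in groups)}

def mapped_without_monitor(users, mappings):
    """Users who receive at least one role but not the required Monitor role."""
    flagged = []
    for user, groups in users.items():
        roles = roles_for(groups, mappings)
        if roles and "Monitor" not in roles:
            flagged.append(user)
    return sorted(flagged)

# Constructed sample directory data (not from the manual).
ADMINS = "CN=san.admins,OU=Groups,DC=example,DC=com"
LOOKALIKE = "CN=san-admins,OU=Groups,DC=example,DC=com"
USERS = {"alice": [ADMINS], "bob": [LOOKALIKE]}

# Unescaped: the "." is a wildcard, so the look-alike group also matches.
UNESCAPED = [(ADMINS, "Storage admin"), (ADMINS, "Monitor")]
# Escaped: only the intended group matches.
ESCAPED = [(escape_literal(ADMINS), "Storage admin"),
           (escape_literal(ADMINS), "Monitor")]
# A mapping set that forgets Monitor for the admin group.
STORAGE_ONLY = [(escape_literal(ADMINS), "Storage admin")]

if __name__ == "__main__":
    for name, mappings in [("unescaped", UNESCAPED), ("escaped", ESCAPED)]:
        for user, groups in USERS.items():
            print(name, user, sorted(roles_for(groups, mappings)))
    print("mapped without Monitor:", mapped_without_monitor(USERS, STORAGE_ONLY))
```

With the unescaped pattern, the user in the look-alike group receives the same roles as the intended administrators; escaping removes that over-match.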