Controlling user role, Controlling user resources – HP XP P9500 Storage User Manual


password. This removes the need to enter the user ID and password each time a command
is executed. If the user logs out, the user ID and password stored by RAID Manager are deleted.

If the user ID and password are different, the command is rejected, and RAID Manager automatically
performs the logout processing and requires the user authentication processing (user ID and
password input) again.

NOTE:

The only function that can be used if the user authentication function is disabled is the
Replication function (replication command). If the user authentication function is disabled, the
Provisioning function (configuration setting command) cannot be used.

If specific user information or authority information is changed, delete the user ID and password
maintained by the storage system from the SVP, and then perform the user authentication
processing on RAID Manager again.

If communication with the SVP cannot be performed in the out-of-band method, new
authentication cannot be performed.

Command operation authority and user authentication

When RAID Manager is used with the user authentication function enabled, commands are executed
in compliance with the operation authority managed by Remote Web Console and the SVP.

Controlling user role

RAID Manager verifies whether the user executing the command on the host has already been
authenticated by checking the command device that is in the authentication mode. After that, RAID
Manager obtains the execution authority of the command that is configured on the user role, and
then compares the relevant command with the execution authority.

Checking the execution authority

RAID Manager compares the authenticated configuration commands with the execution authorities of
commands configured on the user role. If they do not correspond, RAID Manager rejects the command
with the error code "EX_EPPERM".

Normally, the user role needs to carry a consistent, integrated authority across the large storage
systems. For HORCM instances that are configured with multiple large storage systems,
the execution authorities are obtained by the serial number of each storage system. If the user role
covers multiple storage systems and is not consistent among them, RAID Manager
builds the integrated authority by performing the logical AND of the execution authorities among
the storage systems.

The target commands

RAID Manager checks execution authorities on the following commands that use command devices.

horctakeover, horctakeoff

paircreate, pairsplit, pairresync

raidvchkset
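
The logical AND described above means a role keeps an authority on a multi-system HORCM instance only if every storage system grants it. The following model is an added example, not RAID Manager code: the authority names, the command-to-authority mapping, and the serial numbers are assumptions made for illustration.

```python
from enum import Flag, auto
from functools import reduce

class Authority(Flag):
    # Hypothetical authority names; the manual page does not list them.
    NONE = 0
    PAIR_OPERATION = auto()
    TAKEOVER = auto()
    DATA_RETENTION = auto()

# Commands listed on this page as authority-checked.
# Which authority each command needs is an assumption.
REQUIRED = {
    "horctakeover": Authority.TAKEOVER,
    "horctakeoff": Authority.TAKEOVER,
    "paircreate": Authority.PAIR_OPERATION,
    "pairsplit": Authority.PAIR_OPERATION,
    "pairresync": Authority.PAIR_OPERATION,
    "raidvchkset": Authority.DATA_RETENTION,
}

def integrated_authority(per_serial):
    """AND the execution authorities obtained per storage-system serial number."""
    if not per_serial:
        return Authority.NONE  # nothing reported: fail closed
    return reduce(lambda a, b: a & b, per_serial.values())

def check_command(command, per_serial):
    """Return 'OK', 'EX_EPPERM', or 'NOT_CHECKED' for a command on one HORCM instance."""
    needed = REQUIRED.get(command)
    if needed is None:
        return "NOT_CHECKED"  # outside the list of checked commands in this model
    granted = integrated_authority(per_serial)
    return "OK" if (needed & granted) == needed else "EX_EPPERM"

# Constructed sample: one user role seen by two storage systems with
# inconsistent authorities (serial numbers are made up).
SAMPLE = {
    "10001": Authority.PAIR_OPERATION | Authority.TAKEOVER,
    "10002": Authority.PAIR_OPERATION,
}

if __name__ == "__main__":
    for cmd in ("paircreate", "horctakeover", "raidvchkset"):
        print(cmd, check_command(cmd, SAMPLE))
```

In the sample, the takeover authority granted by only one system is dropped from the integrated authority, so the role is limited to what both systems agree on.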

Controlling user resources

RAID Manager verifies that the user who executes the command has already been authenticated. After
that, RAID Manager obtains the access authority of the resource groups that are configured on the
user roles, and then compares the access authority of the user with the specified resources.
