Dell EqualLogic PS6210XS EqualLogic Group Manager Administrator's Guide PS Ser - Page 54
If your environment requires additional security, you might consider a dedicated management network. (See Configure a Management Network for more information.)

Administration accounts allow you to specify how much control individual administrators will have over the PS Series group, according to their account type:

• Group administrators (all permissions)
• Read-only accounts (read access only to a group and can selectively enable configuration/diagnostic collection)
• Pool administrators (manage only selected pools, and if group read-only, can enable configuration/diagnostic collection)
• Volume administrators (create and manage owned volumes in selected pools)

Administration accounts can be managed locally or remotely:

• Local accounts - If you have relatively few administration accounts, this method is practical because account authentication occurs within the group. The default administration account, grpadmin, is a local account created automatically when the group is first configured.
• Remote using Active Directory (LDAP) - If you use Active Directory in your environment, you can configure a group to use LDAP to authenticate administration accounts. You can grant group, pool, or volume administrator privileges to individual Active Directory users or to entire Active Directory groups.
• Remote using a RADIUS server - If you have a large number of administration accounts, you can use an external Remote Authentication Dial-in User Service (RADIUS) server to authenticate administration accounts.

NOTE: You cannot simultaneously use RADIUS and Active Directory to authenticate administrator accounts. However, you can always add local accounts.

The default administration account, grpadmin, provides full access to Group Manager's features and allows you to perform all group operations. Some operations, such as upgrading array firmware, can be performed only by the grpadmin user.
NOTE: Dell recommends that you set up an account for each administrator, with no users sharing a single account. Further, Dell recommends that the group administrator monitor the activity of other accounts.

Types of Administration Accounts

Table 13. Types of Administration Accounts lists administration account types and their privileges. The attributes can be applied to both local accounts and Active Directory accounts or groups.

Table 13. Types of Administration Accounts

Account Type | Description
grpadmin | Can perform all group management tasks, including managing the group, storage pools, members, NAS clusters, volumes, and accounts. Group Administrator can also enable secure erase to securely erase data so that it cannot be recovered. Only the grpadmin account can update member firmware or fetch diagnostic files using FTP. You cannot rename, delete, or change the account type for the grpadmin account.
Group administrator | Can perform the same tasks as the grpadmin account, except updating member firmware.
Read-only | Can view information about all group objects except NAS clusters, but cannot change the group configuration. Read-only users can also save diagnostics and save the group configuration.
Pool administrator | Can view the volumes, members, snapshots, and other objects only in the pool or pools for which the account has authorization. They cannot manage members. Optionally, pool administrators can view information about all group objects except NAS clusters. Pool administrators can assign volumes to volume administrators, provided that the pool administrator has access to the pool containing the volumes, and the volume administrator has sufficient free quota space. Pool administrators cannot change the resources to which they have access.