Roles and associated permissions
Users gain access to a storage system or component directly through a role assignment or indirectly through membership in a user group that has a role assignment.
A Unisphere user can hold several roles, and each role carries a set of tasks and their associated permissions. The Role Based Access Control (RBAC) feature restricts the management operations that individual users or groups of users may perform on storage systems.
If a user has two different role assignments (one as an individual and one as a member of a group), the permissions of both assignments are combined. For example, if a user is assigned the Monitor role directly and the StorageAdmin role through a group, the user is granted both Monitor and StorageAdmin rights. Because permissions accumulate across assignments, a user who holds StorageAdmin directly and SecurityAdmin through a group has the same reach as Admin (see the role descriptions below), so review group memberships as well as direct assignments when auditing for least privilege.
The following diagram outlines the role hierarchy.
Roles are assigned as part of the user creation process (see Create local users).
The following tables detail the permissions that are associated with each role in Unisphere. You can assign up to four of these roles per authorization rule.
NOTE: In addition to these user roles, Unisphere includes an administrative role, the Initial Setup User. This role (defined during installation) is a temporary role that provides administrator-like permissions for adding local users and roles to Unisphere.
The roles (and the acronyms that are used for the roles) in these tables are:
- None—Provides no permissions.
- Monitor (MO)—Performs read-only (passive) operations on a storage system excluding the ability to read the audit log or access control definitions.
- StorageAdmin (SA)—Performs all management (active or control) operations on a storage system and modifies GNS group definitions in addition to all Monitor operations.
- Admin (AD)—Performs all operations on a storage system, including security operations, in addition to all StorageAdmin and Monitor operations.
- SecurityAdmin (SecA)—Performs security operations on a storage system, in addition to all Monitor operations.
- Auditor (AUD)—Grants the ability to view, but not modify, security settings for a storage system (including reading the audit log, symacl list, and symauth) in addition to all Monitor operations. It is the minimum role that is required to view the storage system audit log.
- PerfMonitor (PM)—Performs read-only (passive) operations on performance management functionality. This role also includes Monitor rights.
- MainframeAdmin (MA)—Grants user rights to perform mainframe control and configuration operations on Splits and CU images. This role also grants the rights to perform z/OS Map and Unmap operations on CKD devices. This role also includes Monitor rights for non-mainframe operations.
- Local Replication—Performs local replication operations (SnapVX or legacy Snapshot, Clone, BCV). To create Secure SnapVX snapshots, a user must have StorageAdmin rights at the storage system level. This role also includes Monitor rights.
- Remote Replication—Performs remote replication (SRDF) operations involving devices and pairs. Users can create, operate upon, or delete SRDF device pairs but cannot create, modify, or delete SRDF groups. This role also includes Monitor rights.
- Device Management—Grants user rights to perform control and configuration operations on devices. StorageAdmin rights are required to create, expand, or delete devices. This role also includes Monitor rights.
NOTE: The RBAC roles for performing local and remote replication actions are outlined in Roles for performing local and remote replication actions.
NOTE: The RBAC roles for SRDF local and remote replication actions are outlined in RBAC roles for SRDF local and remote replication actions.
NOTE: The RBAC roles for TimeFinder SnapVX local and remote replication actions are outlined in RBAC roles for TimeFinder SnapVX local and remote replication actions.
| Permissions | AD | SA | MO | SecA | AUD | None | PM | MA |
|---|---|---|---|---|---|---|---|---|
| Create/delete user accounts | Yes | No | No | Yes | No | No | No | No |
| Reset user password | Yes | No | No | Yes | No | No | No | No |
| Create roles | Yes | Yes | No | Yes (self-excluded) | No | No | No | No |
| Change own password | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Change NVMe secure provisioning restrictions | Yes | No | No | Yes | No | No | No | No |
| Manage storage systems | Yes | Yes | No | No | No | No | No | No |
| Discover storage systems | Yes | No | No | Yes | No | No | No | No |
| Add/show license keys | Yes | Yes | No | No | No | No | No | No |
| Set alerts and Optimizer monitoring options | Yes | Yes | No | No | No | No | No | No |
| Release storage system locks | Yes | Yes | No | No | No | No | No | No |
| Set Access Controls | Yes | Yes | No | No | No | No | No | No |
| Set replication and reservation preferences | Yes | Yes | No | No | No | No | No | No |
| View and export the storage system audit log | Yes | No | No | Yes | Yes | No | No | No |
| Access performance data | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Start data traces | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Set performance thresholds/alerts | Yes | Yes | No | No | No | No | Yes | Yes |
| Create and manage performance dashboards | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
| Permissions | Local Replication | Remote Replication | Device Management |
|---|---|---|---|
| Create/delete user accounts | No | No | No |
| Reset user password | No | No | No |
| Create roles | No | No | No |
| Change own password | Yes | Yes | Yes |
| Manage storage systems | No | No | No |
| Discover storage systems | No | No | No |
| Add/show license keys | No | No | No |
| Set alerts and Optimizer monitoring options | No | No | No |
| Release storage system locks | No | No | No |
| Set Access Controls | No | No | No |
| Set replication and reservation preferences | No | No | No |
| View and export the storage system audit log | No | No | No |
| Access performance data | Yes | Yes | Yes |
| Start data traces | Yes | Yes | Yes |
| Set performance thresholds/alerts | No | No | No |
| Create and manage performance dashboards | Yes | Yes | Yes |
| Perform control and configuration operations on devices | No | No | Yes |
| Create, expand, or delete devices | No | No | No |
| Perform local replication operations (SnapVX, legacy Snapshot, Clone, BCV) | Yes | No | No |
| Create Secure SnapVX snapshots | No | No | No |
| Create, operate upon, or delete SRDF device pairs | No | Yes | No |
| Create, modify, or delete SRDF groups | No | No | No |
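The combination rule stated above (direct assignment plus every group assignment are unioned) is easy to get wrong when reviewing who can do what. The following is an added example, not Dell Unisphere code: it transcribes the two permission tables into a lookup and computes a user's effective permissions from their direct and group role assignments, then checks the least-privilege concern noted earlier, namely that StorageAdmin combined with SecurityAdmin reaches everything Admin can do. Role and permission names follow the page; rows that appear only in the second table also list Admin and StorageAdmin because the role descriptions say Admin performs all operations and StorageAdmin all management operations. The function names and the sample assignments are assumptions made here.

```python
"""Effective permissions under the Unisphere RBAC model described on this page.

Added example (not Dell Unisphere code). GRANTS is transcribed from the two
permission tables above; the function names and sample users are assumptions.
"""
from __future__ import annotations

from collections.abc import Iterable, Mapping

ALL_ROLES: frozenset[str] = frozenset({
    "Admin", "StorageAdmin", "Monitor", "SecurityAdmin", "Auditor", "None",
    "PerfMonitor", "MainframeAdmin", "LocalReplication", "RemoteReplication",
    "DeviceManagement",
})
# Every role except None carries Monitor rights, hence read-only performance access.
MONITOR_ROLES: frozenset[str] = ALL_ROLES - {"None"}

# permission -> roles that grant it (transcribed from the tables above).
# Rows present only in the second table also include Admin and StorageAdmin,
# per the role descriptions; Secure SnapVX and device create/expand/delete
# are stated to require StorageAdmin.
GRANTS: dict[str, frozenset[str]] = {
    "create/delete user accounts": frozenset({"Admin", "SecurityAdmin"}),
    "reset user password": frozenset({"Admin", "SecurityAdmin"}),
    "create roles": frozenset({"Admin", "StorageAdmin", "SecurityAdmin"}),  # SecA: self-excluded
    "change own password": ALL_ROLES,
    "change NVMe secure provisioning restrictions": frozenset({"Admin", "SecurityAdmin"}),
    "manage storage systems": frozenset({"Admin", "StorageAdmin"}),
    "discover storage systems": frozenset({"Admin", "SecurityAdmin"}),
    "add/show license keys": frozenset({"Admin", "StorageAdmin"}),
    "set alerts and Optimizer monitoring options": frozenset({"Admin", "StorageAdmin"}),
    "release storage system locks": frozenset({"Admin", "StorageAdmin"}),
    "set access controls": frozenset({"Admin", "StorageAdmin"}),
    "set replication and reservation preferences": frozenset({"Admin", "StorageAdmin"}),
    "view and export the storage system audit log": frozenset({"Admin", "SecurityAdmin", "Auditor"}),
    "access performance data": MONITOR_ROLES,
    "start data traces": MONITOR_ROLES,
    "set performance thresholds/alerts": frozenset({"Admin", "StorageAdmin", "PerfMonitor", "MainframeAdmin"}),
    "create and manage performance dashboards": MONITOR_ROLES,
    "perform control and configuration operations on devices": frozenset({"Admin", "StorageAdmin", "DeviceManagement"}),
    "create, expand, or delete devices": frozenset({"Admin", "StorageAdmin"}),
    "perform local replication operations": frozenset({"Admin", "StorageAdmin", "LocalReplication"}),
    "create Secure SnapVX snapshots": frozenset({"Admin", "StorageAdmin"}),
    "create, operate upon, or delete SRDF device pairs": frozenset({"Admin", "StorageAdmin", "RemoteReplication"}),
    "create, modify, or delete SRDF groups": frozenset({"Admin", "StorageAdmin"}),
}


def effective_roles(direct: Iterable[str], group_roles: Mapping[str, Iterable[str]]) -> frozenset[str]:
    """Union of the user's own assignment and the assignment of every group they belong to."""
    roles = set(direct)
    for members in group_roles.values():
        roles.update(members)
    unknown = roles - ALL_ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    return frozenset(roles)


def permissions_for(roles: Iterable[str]) -> frozenset[str]:
    """Every permission granted by at least one of the given roles."""
    held = frozenset(roles)
    return frozenset(perm for perm, grantors in GRANTS.items() if held & grantors)


def can(roles: Iterable[str], permission: str) -> bool:
    """True if any held role grants the permission; unknown permissions are an error, not a denial."""
    if permission not in GRANTS:
        raise KeyError(f"unknown permission: {permission!r}")
    return bool(frozenset(roles) & GRANTS[permission])


def admin_equivalent(roles: Iterable[str]) -> bool:
    """True if the combined roles cover everything the Admin role can do."""
    return permissions_for({"Admin"}) <= permissions_for(roles)


def admin_equivalent_users(users: Mapping[str, tuple[Iterable[str], Mapping[str, Iterable[str]]]]) -> list[str]:
    """Names of users whose direct plus group assignments add up to Admin reach."""
    return sorted(name for name, (direct, groups) in users.items()
                  if admin_equivalent(effective_roles(direct, groups)))


if __name__ == "__main__":
    # Constructed sample: the page's own example (Monitor directly, StorageAdmin via group)
    # and a user whose two assignments quietly add up to Admin.
    sample = {
        "jdoe": ({"Monitor"}, {"storage-team": {"StorageAdmin"}}),
        "ops1": ({"StorageAdmin"}, {"sec-ops": {"SecurityAdmin"}}),
        "aud1": ({"Auditor"}, {}),
    }
    for name, (direct, groups) in sample.items():
        roles = effective_roles(direct, groups)
        print(name, sorted(roles), "manage storage systems:", can(roles, "manage storage systems"))
    print("admin-equivalent:", admin_equivalent_users(sample))
```

The `admin_equivalent` check is the one to run against an exported list of users and groups: the tables make it clear that no single non-Admin role can create users and manage storage systems, but the union rule means two ordinary-looking assignments can.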