Add authorization rules
Users gain access to a storage system or component either directly, through a role assignment, or indirectly, through membership in a user group that has a role assignment, or both.
Prerequisites
To perform this operation, you must be the Initial Setup User (set during installation), or a SecurityAdmin.
About this task
See Roles and associated permissions for an overview of the Role-Based Access Control (RBAC) functionality.
To add authorization rules:
Steps
- Select the Settings icon to open the Settings panel.
- Select Users and Groups > Authorized Users & Groups.
- Click Create.
- Select an authentication Authority. Possible values are:
  - None—No authority specified.
  - Local Directory—Specifies to authenticate the user against the Local Authority repository.
  - LDAP-SSL—Specifies to authenticate the user against an LDAP directory.
  - Windows AD—Specifies to authenticate the user against the Active Directory domain.
  - SSO—Specifies to authenticate the user using SSO.
  - Host—Specifies to authenticate using Role-Based Access Control (RBAC).
- Do the following depending on the authority selection:
  - None: Type values for Name and Domain.
  - Local Directory: Select the user Name.
  - Windows AD or LDAP-SSL:
    - Type the name of the Domain used to authenticate the user or group. Possible values depend on the authentication authority:
      Table 1. Domain name values
      - Local directory: Unisphere server hostname
      - Windows OS: Unisphere server domain
      - Windows AD: Unisphere server domain
      - LDAP-SSL: LDAP server domain
    - Type the Name of the user or group. User names are case-sensitive and may contain only alphanumeric characters of either case, an underscore, a period, or a dash:
      - a-z
      - A-Z
      - 0-9
      - _
      - .
      - -
  - SSO: Type values for Name and Claim, where Name is the group or user name value taken from the OIDC ID token, and Claim is the OIDC ID token claim that carries that group or user name.
  - Host: Select a host from the Domain list and type its name. The list of systems that are displayed depends on the host selected.
- Select the Account type. Valid values are User and Group.
- On the Roles tab, select the object and up to four roles.
- If you choose a Local Replication, Remote Replication, or Device Management role, click Select Storage Group(s) and in the edit dialog that opens choose between:
  - Wildcard—A wildcard syntax used with the storage group component name to allow a single rule to apply to multiple storage groups. The syntax is:
    - abc: Exactly these characters
    - ?: Any one character
    - *: Any zero or more characters
    - +: Zero or more additional occurrences of the previous match
    - [a-z0-9]: Any one of these characters
    - [!a-z]: Any one character except these
    All SG name comparisons are case-insensitive. The following examples show how patterns are interpreted:
    Table 2. Wildcard syntax examples
    - tg_* matches tg_DB_SG1, tg_newSG, and TG_sg_db; it does not match tgNewSG.
    - prod_sg? matches prod_sg1, prod_sga, and Prod_sg2; it does not match prod_sg12 or prod_sgab.
    - prod_sg[0-9]+ matches prod_sg1 and prod_sg12; it does not match prod_sga or prod_sgab.
    The only characters allowed in a pattern are a-z, A-Z, 0-9, _ and -, along with the wildcard characters * + ? [ ] !.
    The only roles that can be assigned against storage groups are Local Replication, Remote Replication, and Device Management.
    Storage groups do not have to exist at the time that a matching Role-Based Access Control (RBAC) rule for them is defined.
    These storage-group-level RBAC rules apply only to parent and stand-alone SGs, not to child SGs. A child SG is protected by the RBAC rules, if any, on its parent SG.
  - Storage Group
- Once your input or selection is complete, click Save.
- Click OK.
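The following script is an added example, not code from this page or from Unisphere itself, and it does not claim to be Unisphere's matching implementation. It shows how the rules stated above can be checked before a rule is saved: it compiles a storage-group wildcard pattern into a case-insensitive regular expression, rejects patterns that use characters outside the allowed set, validates a user or group name against the permitted characters, and evaluates a rule against a child SG through its parent, as the page describes. The function names, the parent/child SG names and the sample patterns beyond those in Table 2 are assumptions made for illustration.

```python
import re
from typing import Optional

# Character sets taken from the page: SG names and patterns may use a-z A-Z 0-9 _ -,
# patterns may additionally use the wildcard characters * + ? [ ] !, and
# user/group names may use alphanumerics, underscore, period and dash.
_PATTERN_CHARS = re.compile(r"[A-Za-z0-9_\-*+?\[\]!]+")
_USER_NAME_CHARS = re.compile(r"[A-Za-z0-9_.\-]+")


def valid_user_name(name: str) -> bool:
    """True if a user or group name uses only the characters the page allows."""
    return _USER_NAME_CHARS.fullmatch(name) is not None


def sg_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the SG wildcard syntax into a compiled, case-insensitive regex.

    abc       exactly these characters
    ?         any one character
    *         any zero or more characters
    +         zero or more additional occurrences of the previous match
    [a-z0-9]  any one of these characters
    [!a-z]    any one character except these
    Raises ValueError for patterns the syntax does not allow.
    """
    if _PATTERN_CHARS.fullmatch(pattern) is None:
        raise ValueError(f"pattern {pattern!r} uses characters outside a-zA-Z0-9_-*+?[]!")
    atoms = []  # one regex fragment per wildcard token, so '+' can attach to the last one
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            atoms.append(".*")
        elif c == "?":
            atoms.append(".")
        elif c == "+":
            # '+' repeats the previous single-character match; it cannot start a
            # pattern, follow '*' (already unbounded) or follow another '+'.
            if not atoms or atoms[-1] == ".*" or atoms[-1].endswith("+"):
                raise ValueError(f"'+' has nothing valid to repeat at position {i} in {pattern!r}")
            atoms[-1] += "+"
        elif c == "[":
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            if not body or body == "!":
                raise ValueError(f"empty or unterminated character class in {pattern!r}")
            # [!...] is a negated class, which regex spells [^...]
            atoms.append("[^" + body[1:] + "]" if body.startswith("!") else "[" + body + "]")
            i = j
        elif c in "]!":
            raise ValueError(f"stray {c!r} at position {i} in {pattern!r}")
        else:
            atoms.append(re.escape(c))
        i += 1
    try:
        return re.compile("".join(atoms), re.IGNORECASE)
    except re.error as exc:  # e.g. a reversed range such as [z-a]
        raise ValueError(f"invalid character class in {pattern!r}: {exc}") from None


def pattern_is_legal(pattern: str) -> bool:
    """True if the pattern would be accepted by sg_pattern_to_regex."""
    try:
        sg_pattern_to_regex(pattern)
        return True
    except ValueError:
        return False


def sg_matches(pattern: str, sg_name: str) -> bool:
    """Whole-name, case-insensitive match of one SG name against one rule pattern."""
    return sg_pattern_to_regex(pattern).fullmatch(sg_name) is not None


def rule_applies(pattern: str, sg_name: str, parent: Optional[str] = None) -> bool:
    """Evaluate a storage-group rule the way the page describes: rules apply to
    parent and stand-alone SGs only, and a child SG is protected through the
    rule on its parent, so a child (parent given) is checked by its parent's name."""
    target = parent if parent is not None else sg_name
    return sg_matches(pattern, target)


if __name__ == "__main__":
    # Constructed cases reproducing the page's Table 2, plus a parent/child case.
    cases = [
        ("tg_*", "TG_sg_db", True), ("tg_*", "tgNewSG", False),
        ("prod_sg?", "Prod_sg2", True), ("prod_sg?", "prod_sg12", False),
        ("prod_sg[0-9]+", "prod_sg12", True), ("prod_sg[0-9]+", "prod_sgab", False),
    ]
    for pat, name, expected in cases:
        assert sg_matches(pat, name) is expected, (pat, name)
        print(f"{pat:16} {name:12} -> {sg_matches(pat, name)}")
    print("child SG checked via parent tg_parent:", rule_applies("tg_*", "db_child", parent="tg_parent"))
    print("same child SG checked by its own name: ", rule_applies("tg_*", "db_child"))
    print("pattern with ';' rejected:", not pattern_is_legal("tg_*;drop"))
```

Running it prints the Table 2 results and shows the child-SG point: a child named db_child is covered by a tg_* rule only because its parent tg_parent matches, not because of its own name. The character-set check on the pattern is the one worth keeping in any tooling that generates rules from an inventory, since it stops stray punctuation from reaching the rule definition.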