
About administration accounts

Administrator roles are important for maintaining your group and protecting it from unauthorized access. Environments that need additional security might also benefit from a dedicated management network.

To manage or monitor a group, you must log in to an administration account. Administration accounts prevent unauthorized individuals from accessing a group.

An account can authorize an individual to perform all group operations, perform only operations on a pool (and optionally monitor the entire group), manage its own volumes within an assigned quota, or only monitor the group, depending on the type of account.

The default administration account, grpadmin, can perform all group operations. Dell recommends that you set up an account for each administrator.

Recommendation: Dell recommends one account per user and that the group administrator monitors the activity of other accounts. See Group monitoring for more information.

You can manage accounts locally or remotely:

Locally in the group – If you have relatively few administration accounts, this method is practical. Account authentication occurs within the group. The default administration account, grpadmin, is a local account created automatically when the group is first configured. See Creating a local administration account.

Remotely on an external server – If you have a large number of administration accounts, you can use an external Remote Authentication Dial-in User Service (RADIUS) server to authenticate and, optionally, manage administration accounts.

Restriction:  To delete a RADIUS account, remove it from Active Directory and then delete it from the group.

A group can use both local accounts and RADIUS-authenticated accounts. However, each account name must be unique.

See About administration accounts on a RADIUS authentication server.

Types of administrator accounts

The table Types of Administrator Accounts lists administration account types and their privileges. The first column lists account types and the second column describes them.

Table: Types of Administrator Accounts

| Account Type | Description |
|---|---|
| grpadmin | Can perform all group management tasks, including managing the group, storage pools, members, volumes, and accounts. You set the password for the grpadmin account when you create a group. You cannot delete the grpadmin account. Only the grpadmin account can update member firmware. You cannot rename, delete, or change the account type for the grpadmin account. |
| Group administrator | Can perform the same tasks as the grpadmin account, except cannot update member firmware. |
| Read-only | Can view information about all group objects, but cannot change the group configuration. |
| Pool administrator | Can manage the volumes, members, snapshots, and other objects only in the pool or pools for which the account has authorization. Optionally, pool administrators can view information about all group objects. Pool administrators can assign volumes to volume administrators, provided that the pool administrator has access to the pool containing the volumes, and that the volume administrator has sufficient free quota space. Pool administrators cannot change the resources to which they have access. |
| Volume administrator | Assigned a quota of storage to manage within one or more pools. They can create and manage volumes within their quota, and can perform all operations on volumes they own. Volume administrators can view information only for pools and volumes to which they have access. For security purposes, the volume administrator has a limited view of group and pool configuration settings, and cannot view information, such as the SNMP Community Name or event log, that might enable them to gain additional access. Group and pool administrators can assign existing volumes to a volume administrator. If a volume is assigned to another administrator account, the volume administrator can no longer view or modify it. Volume administrators cannot exceed their quotas by creating or modifying volumes, and cannot be assigned volumes by group or pool administrators if the capacity of the volume exceeds the free space within the quota. Volume administrators cannot modify their quotas, reassign volumes to other administrators, or change the pools, volumes, or replication partners to which they have access. |

Administration accounts have these restrictions:

You cannot change the name of an administration account. Instead, you must delete the account and then re-create it with the new name.
You cannot disable, delete, change the name, or change the type of the grpadmin account.
Only group administrator accounts can change the attributes of accounts, with the exception of the grpadmin account restrictions above.
Volume administrator, pool administrator, and read-only accounts can only change the password, description, and contact information for their accounts.

Administration account attributes

Administration Account Attributes displays the attributes of administration accounts. The first column lists the attributes, the second column describes them. Gather this information before creating an account.

Table: Administration Account Attributes

| Attribute | Description |
|---|---|
| Name | Name of the account, up to 16 alphanumeric characters, including period (.), hyphen (-), and underscore (_). The first character must be a letter or number. The last character cannot be a period. |
| Password | Password for the account. The password must be from 3 to 16 alphanumeric characters and is case-sensitive. However, validation occurs only for the first 8 characters. |
| Description | Optional description for the account. |
| Type | Account type: Group administrator – Can change any and all aspects of the group, storage pools, members, and volumes, except updating member firmware. Pool administrator – Can manage the volumes, members, snapshots, and other objects only in the pool or pools for which the account has authorization. Optionally, pool administrators can view information about all group objects. Volume administrator – Can manage the volumes for which the account has authorization. Additionally, volume administrators can view information about pools to which the account has access. Read-only – Can view information about all group objects, but cannot change the group. |
| Managed pools | Pools to which the account has access, and, if the account is a Volume administrator, the storage quota the account can manage within the selected pool(s). Applies to Pool administrators and Volume administrators. |
| Replication Partners | The group(s) on which the account can delegate space for replication and replicate volumes. Applies to Volume administrators only. |
| Additional access permission | Grants read access to the entire group. Applies to Pool administrator and Read-only accounts; Volume administrators only have read access to the individual pools containing the storage quota they manage. |
| Contact | Name, e-mail address, and phone numbers for the account owner. |
| Enable administration account | Whether the account is enabled or disabled. A user cannot log into a disabled account. |
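The attribute rules in the table above can be applied as a pre-flight check on a list of planned accounts before they are created in the GUI. This is an added example, not Dell's code; the dictionary keys, function names, and sample accounts are assumptions made for illustration.

```python
import re

# Rules come from the attribute table above; dict keys are assumed names.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,15}$")
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{3,16}$")
VALIDATED_CHARS = 8  # the page states only the first 8 characters are validated
TYPES = {"group", "pool", "volume", "read-only"}
# Optional attributes and the account types they apply to.
APPLIES = {
    "pools": {"pool", "volume"},
    "quota_gb": {"volume"},
    "replication_partners": {"volume"},
    "group_read_access": {"pool", "read-only"},
}


def check_account(acct, existing_names=()):
    """Return a list of findings for one planned account (empty list = clean)."""
    findings = []
    name, pw, kind = acct["name"], acct["password"], acct["type"]
    if not NAME_RE.match(name) or name.endswith("."):
        findings.append("name: violates naming rules")
    if name in existing_names:  # names must be unique across local and RADIUS
        findings.append("name: not unique in the group")
    if kind not in TYPES:
        findings.append("type: unknown account type")
    if not PASSWORD_RE.match(pw):
        findings.append("password: must be 3-16 alphanumeric characters")
    elif len(pw) > VALIDATED_CHARS:
        findings.append("password: characters after the first 8 are not validated")
    for attr, kinds in APPLIES.items():
        if acct.get(attr) and kind not in kinds:
            findings.append(f"{attr}: does not apply to {kind} accounts")
    return findings


def same_effective_password(a, b):
    """True when two passwords agree on the only characters that are validated."""
    return a[:VALIDATED_CHARS] == b[:VALIDATED_CHARS]


# Constructed sample plan, not real accounts.
PLAN = [
    {"name": "jsmith", "password": "Tr4ceR0ute", "type": "pool", "pools": ["default"]},
    {"name": "backup.", "password": "ab", "type": "read-only", "quota_gb": 500},
    {"name": "grpadmin", "password": "S3cretPw", "type": "group"},
]
EXISTING = {"grpadmin"}
print({a["name"]: check_account(a, EXISTING) for a in PLAN})
```

Because only the first 8 characters are validated, a password policy for these accounts should count strength over those 8 characters only.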

Displaying local administration accounts

To display details of the local administration accounts:

1. Click Group, then Group Configuration.
2. Select the Administration tab. The Group Administration window appears.

The table Administration account panel describes the information shown in the Administration Accounts panel for the default grpadmin account and any other local accounts.

Table: Administration account panel

| Field | Description | Shortcut | User Actions |
|---|---|---|---|
| Account | Name of the account | None | Creating a local administration account |
| Account type | Group administrator, pool administrator, volume administrator, or read-only account. | | |
| Pool access | Storage pool(s) to which the account has management permissions. | | |
| Status | Whether the account is enabled or disabled. | | |

Creating a local administration account

You can configure, manage, and authenticate local administration accounts within the group. Local accounts are practical when you need only a small number of administration accounts for the group.

Before creating a local administration account, gather the information described in Administration account attributes.

1. Click Group Configuration, then the Administration tab.
2. In the Administration Accounts panel, click Add. The Create Account - General Settings dialog box opens.
3. General Settings: Enter the account name, password, and description (optional) and click Next.
4. Account Permissions: Select the type of account and (if applicable) the pool access and read access to the group.

For a pool administrator, select one or more pools the account can manage and whether the account has read-only access to the entire group.

For a volume administrator, select one or more pools the account can manage and specify the quotas for each pool.

Select whether to enable (default) or disable the account, then click Next. (You can enable and disable accounts at any time.)
5. Replication Partners: If you created a volume administrator account, and the group has replication partner(s) configured, the Create Account - Allowed replication partners dialog box opens. Select one or more replication partners that this account can replicate to, then click Next.
6. Contact Information: Optionally, enter contact information for the account and click Next. The Create Account - Summary dialog box opens.
7. Summary: Review the account information. Click Back to make changes, or click Finish to create the account.

Modifying a local administration account

You can modify the account attributes described in Administration Account Attributes. However, you cannot change the account name. Instead, you must delete the account and then re-create it with a new name.

In addition, you cannot disable, delete, change the name, or change the type of the grpadmin default administration account.

1. Click Group, then Group Configuration, and then the Administration tab.
2. In the Administration Accounts panel, select the account and click Modify.

To change the account password or description, click the General tab and change the information in the Modify Administration Account – General dialog box.

To change the account type or pool or volume administrator settings, click the Permissions tab and change the information.

To change replication partners for a volume administrator, click the Replication Partners tab and change the selection(s).

To change the account contact information, click the Contact tab and change the information.

3. Click OK.

Deleting a local administration account

1. Click Group, then Group Configuration, and then the Administration tab.
2. In the Administration Accounts panel, select the account and click Delete.
3. Confirm that you want to delete the account.

Note:  When you delete a Volume administrator account, the volumes it manages are not deleted, and its replication and operations continue as scheduled.



Copyright 2010 Dell Inc.