IBM DS8000 manual User security, Usage concepts, Command modes, Single command mode

Models: DS8000


11.6 User security

The DS CLI software must authenticate with the S-HMC or CS Server before commands can be issued. An initial setup task will be to define at least one userid and password whose authentication details are saved in an encrypted file. A profile file can then be used to identify the name of the encrypted password file. Scripts that execute DS CLI commands can use the profile file to get the password needed to authenticate the commands.

User security employs the concept of groups to control which functions a particular userid is allowed to perform. A userid can be a member of more than one group. The groups are:

• admin - can perform all tasks - this is the only group that can create and change userids

• op_storage - can perform any configuration task

• op_volume - can configure logical volumes and volume groups

• op_copy_services - can perform Copy Services commands

• service - can perform service commands

• monitor - has read-only access to commands

• no_access - cannot perform any tasks

The functions of these groups are largely self-describing and are fully detailed in the IBM TotalStorage DS8000 Command-Line Interface User’s Guide, SC26-7625, the IBM TotalStorage DS6000 Command-Line Interface User’s Guide, SC26-7681, and the help screens. If a userid is not a member of any group, it is automatically placed into the no_access group to prevent it from performing any functions.

The default userid supplied with an S-HMC or DS Storage Manager is admin (whose password is also admin). During setup it is advisable that a new userid be created in the admin group. The default userid should then be removed (with the rmuser command). Note that userid management can be performed by using either the DS CLI or by using the DS Storage Manager GUI. Userids created by either interface will be usable via either interface.

For an example of how a userid and profile are created, refer to “Procedure to create an encrypted password file” on page 249.

11.7 Usage concepts

It is important to understand the various concepts that frame DS CLI usage.

11.7.1 Command modes

The DS CLI can be operated in three modes. The examples that follow use the lsuser command, which displays the users that have been created and the groups of which they are members. For more details on user authentication see “User security” on page 239.

Single command mode

At a shell prompt, the user specifies a single DS CLI command, which is executed immediately, and a return code is presented. To avoid having to enter authentication details each time, a profile and password file must be created first. This is shown in Example 11-1.

Example 11-1 Using DS CLI via a single command

C:\Program Files\IBM\dscli>dscli lsuser
Name Group
=========================
admin admin
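The listing in Example 11-1 still shows the default admin userid that section 11.6 advises replacing and then removing. The Python script below is an added example, not part of the IBM manual or the DS CLI: it parses lsuser output and reports that condition, unknown group names, and userids that are only in no_access. The second sample listing, its userids, and the comma-separated format for multiple groups are assumptions.

```python
KNOWN_GROUPS = {"admin", "op_storage", "op_volume", "op_copy_services",
                "service", "monitor", "no_access"}  # groups named in section 11.6
DEFAULT_USERID = "admin"  # ships with password "admin" (section 11.6)

# Listing from Example 11-1 on the page.
SAMPLE_DEFAULT = r"""C:\Program Files\IBM\dscli>dscli lsuser
Name Group
=========================
admin admin
"""

# Constructed sample: the userids are hypothetical, and the comma-separated
# multi-group column is an assumption about the lsuser output format.
SAMPLE_CONFIGURED = """Name Group
=========================
stgadmin admin
backupop op_copy_services,op_volume
auditor monitor
olduser no_access
"""

def parse_lsuser(text):
    """Return {userid: set_of_groups} from a Name/Group listing."""
    users = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        # Skip blanks and the ==== rule (fewer than two fields), the echoed
        # prompt line (contains ">") and the column header.
        if len(fields) != 2 or ">" in line or fields == ["Name", "Group"]:
            continue
        users[fields[0]] = {g.strip() for g in fields[1].split(",") if g.strip()}
    return users

def audit(users):
    """Return a list of findings, global checks first, then per userid."""
    findings = []
    admins = {u for u, groups in users.items() if "admin" in groups}
    if DEFAULT_USERID in users:
        findings.append("default userid 'admin' is still defined")
    if not admins - {DEFAULT_USERID}:
        findings.append("no other userid is in the admin group")
    for user in sorted(users):
        unknown = users[user] - KNOWN_GROUPS
        if unknown:
            findings.append(f"{user}: unknown group(s) {sorted(unknown)}")
        if users[user] == {"no_access"}:
            findings.append(f"{user}: no_access only, cannot perform any tasks")
    return findings
if __name__ == "__main__":
    print(audit(parse_lsuser(SAMPLE_DEFAULT)))
```

The check for another admin-group member matters because admin is the only group that can create and change userids, so the replacement userid has to exist before the default one is removed with rmuser.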

Chapter 11. DS CLI 239
