The Role Based Access Control (RBAC) or User Authorization feature released in Unisphere for PowerMax 9.0 enables you to restrict the management operations that individual users or groups of users may perform on their Storage Arrays.
In previous versions of Unisphere authentication was array wide. This set of enhancements will provide the following:
- More granular control: application administrators can be given rights to operate on individual applications (Storage Groups) rather than on the entire array.
- The ability to further target user access to specific replication roles, whether local or remote.
- REST API integration, allowing associated scripts to take advantage of these RBAC controls, which simplifies the management stack and overall maintenance and eliminates the need to deploy Solutions Enabler gatekeeper devices.
RBAC is managed using Unisphere for VMAX, Unisphere for PowerMax, or the Solutions Enabler CLI symauth command. Using symauth, a user or group of users may be mapped to a specific access role, which defines the operations those users are permitted to perform on the entire VMAX array.
There are currently 7 user defined roles available with RBAC: None, Monitor, PerfMonitor, StorageAdmin, SecurityAdmin, Admin, and Auditor. Listed below are the base capabilities of these roles:
- None: No capabilities.
- Monitor: Performs read-only operations on an array, excluding the ability to read the audit log or Access Control definitions.
- PerfMonitor: Includes the Monitor role permissions and grants additional privileges within the performance component of the Unisphere for VMAX application, to set up various alerts and update thresholds used to monitor array performance.
- StorageAdmin: Performs all management and control functions. Please see the specific section pertaining to this role below.
- Auditor: Grants the ability to view, but not modify, security settings for an array (including reading the audit log, symacl list and symauth), in addition to all Monitor operations. This is the minimum role required to view the array audit log.
It’s important to clarify that your Storage_Admin role will remain your “super user” and will retain sole control of provisioning storage on the array. To clarify this further, here is a diagram which outlines the various roles and how they interact with one another:
How to configure RBAC
In order to set up RBAC you will need to go to the Settings section, then Users and Groups, and then Local Users.
To illustrate the feature, I will now outline a number of the potential use cases it will be used for.
Performance Monitor Role
Consider a new junior storage administrator joining the team: you want them to learn more about the array, but you are also conscious of giving them too much responsibility before they have a good understanding of the storage. Granting them the PerfMonitor privileges enables them to do performance troubleshooting within Unisphere and to adjust various thresholds and alerts if required. This gives them a good grounding in the architecture before they move on to active management of the array.
Security increasingly plays an integral part in the management of today’s data center. To do their job, the security team needs the ability to view certain logs and run certain query commands, such as symaudit, in order to check the system for potential vulnerabilities, or to see whether a user has been doing something they should not have been able to do because permissions were set incorrectly. The 2 roles SecurityAdmin and Auditor should satisfy the security team’s needs in this respect. They will not have any active management or replication roles, as they don’t require them to do their jobs.
Application Owner Role
Storage administrators can be responsible for managing a lot of backups for application owners, and this work can be time consuming even with scripts, as they may get one-off requests that fall outside defined windows. To reduce their workload and hand a certain degree of responsibility over to application owners, we have created 2 new roles, LocalReplication and RemoteReplication, which give application owners the ability to perform their own local and/or remote backups. These roles are strictly replication based; as always, active management falls under the admin role.
For these replication roles we allow you the granularity of selecting individual SGs. Here I have selected App1_SG, as that is the one the user is responsible for. There is also a wildcard option: if you had an application owner with multiple SGs labelled oracle_trading, you could assign privileges to all of them in 1 click.
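To make the role and scoping rules above concrete, here is an added example: a small Python model of the deny-by-default authorization decision that the post describes, with array-wide roles, Storage-Group-scoped replication roles, and wildcard SG selection. It is my own illustration, not Unisphere or Solutions Enabler code. The capability names, the per-role capability sets, the principal names (written in a D:domain\user style) and the oracle_trading* pattern are all assumptions constructed for the example; the authoritative capability definitions are those in the Unisphere and symauth documentation.

```python
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional

# Assumed capability sets: an abstraction of the role descriptions in the post,
# not Unisphere's internal definitions.
ARRAY_WIDE_ROLES: Dict[str, FrozenSet[str]] = {
    "None": frozenset(),
    # Read-only on the array, but no audit log or Access Control definitions.
    "Monitor": frozenset({"read_config", "read_perf"}),
    # Monitor plus tuning of performance alerts and thresholds.
    "PerfMonitor": frozenset({"read_config", "read_perf", "set_perf_alerts"}),
    # Monitor plus read-only security views (audit log, symacl, symauth).
    "Auditor": frozenset({"read_config", "read_perf", "read_audit_log",
                          "read_access_controls"}),
    # The "super user": all management and control, including provisioning.
    "StorageAdmin": frozenset({"read_config", "read_perf", "set_perf_alerts",
                               "provision", "local_replication",
                               "remote_replication"}),
}

# Replication roles are only ever granted for a set of Storage Groups.
SG_SCOPED_ROLES: Dict[str, FrozenSet[str]] = {
    "LocalReplication": frozenset({"local_replication"}),
    "RemoteReplication": frozenset({"remote_replication"}),
}


@dataclass(frozen=True)
class Assignment:
    role: str
    sg_pattern: Optional[str] = None  # None for array-wide roles; may contain '*'


class RbacPolicy:
    """Deny-by-default authorization over user/group-to-role assignments."""

    def __init__(self) -> None:
        self._assignments: Dict[str, List[Assignment]] = defaultdict(list)

    def assign(self, principal: str, role: str,
               sg_pattern: Optional[str] = None) -> None:
        # Refuse assignments that would silently widen or narrow a role.
        if role in ARRAY_WIDE_ROLES:
            if sg_pattern is not None:
                raise ValueError(f"{role} is array-wide and cannot be scoped to an SG")
        elif role in SG_SCOPED_ROLES:
            if not sg_pattern:
                raise ValueError(f"{role} must be scoped to a Storage Group or pattern")
        else:
            raise ValueError(f"unknown role {role!r}")
        self._assignments[principal].append(Assignment(role, sg_pattern))

    def is_allowed(self, principal: str, capability: str,
                   sg: Optional[str] = None) -> bool:
        """True only if some assignment grants the capability for this SG."""
        for a in self._assignments.get(principal, []):
            if a.sg_pattern is None:
                # Array-wide role: applies regardless of which SG is targeted.
                if capability in ARRAY_WIDE_ROLES[a.role]:
                    return True
            elif sg is not None and fnmatchcase(sg, a.sg_pattern):
                # Scoped role: only for SGs matching the (possibly wildcard) pattern.
                if capability in SG_SCOPED_ROLES[a.role]:
                    return True
        return False


def build_example_policy() -> RbacPolicy:
    """Constructed sample assignments mirroring the use cases in the post."""
    p = RbacPolicy()
    p.assign(r"D:corp\junior", "PerfMonitor")                      # new junior admin
    p.assign(r"D:corp\sec_auditor", "Auditor")                     # security team
    p.assign(r"D:corp\app1_owner", "LocalReplication", "App1_SG")  # one SG only
    p.assign(r"D:corp\oracle_dbas", "RemoteReplication", "oracle_trading*")
    p.assign(r"D:corp\storage_team", "StorageAdmin")               # super user
    return p


if __name__ == "__main__":
    policy = build_example_policy()
    for who, cap, sg in [
        (r"D:corp\junior", "set_perf_alerts", None),
        (r"D:corp\junior", "provision", None),
        (r"D:corp\app1_owner", "local_replication", "App1_SG"),
        (r"D:corp\app1_owner", "local_replication", "App2_SG"),
        (r"D:corp\oracle_dbas", "remote_replication", "oracle_trading_03"),
    ]:
        print(f"{who:22} {cap:20} {sg!s:20} -> {policy.is_allowed(who, cap, sg)}")
```

The check is deny-by-default and array-wide roles are never narrowed by an SG argument, which matches the post's point that StorageAdmin keeps sole control of provisioning while replication roles are confined to the SGs they were granted on.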
You can also manage RBAC through the REST API or symcli as required. For a useful video on RBAC, please check this out: https://www.youtube.com/watch?v=2V7KidifeA4
For a more detailed deep dive on RBAC please see this whitepaper: https://www.emc.com/collateral/technical-documentation/h17132-role-based-access-controls-rbac-technical-overview-and-enhancements.pdf