Role Based Access Control (RBAC) gives administrators the ability to restrict management operations that users or groups of users can perform on PowerMax arrays. RBAC consists of various roles that define the operations that can be performed. Users can be assigned their own login and password with a single role or a combination of roles. Each role can further be restricted to specific storage groups.
RBAC is a hierarchy of roles, and each role has specific privileges. For example:
- Administrator—Performs all operations.
- Storage Administrator—Performs all management operations. Cannot perform security operations.
- Security Administrator—Performs all security operations.
- Local Replication—Performs local replication operations involving snapshot creation. Device Manager is also required to restore a snapshot and only needed to link target devices. Secure snaps require Storage Administrator rights.
- Remote Replication—Performs SRDF operations involving device pairs. Creating, modifying, or deleting SRDF groups requires Storage Administrator rights.
- Device Manager—Performs control and configuration operations on devices. Storage Administrator rights are required to create, expand, or delete devices.
- Performance Monitor—Can set performance alerts and thresholds.
- Auditor—Grants the ability to view, but not modify, security settings. Minimum role to view audit logs.
- Monitor—Performs read-only operations excluding access to audit logs.
- None—Has no permissions.
The following figure shows the hierarchy of RBAC.
Figure 13. RBAC role hierarchy
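The role rules above can be turned into a least-privilege review that flags both missing and excess roles for a user. The following is an added example, not Dell code or a PowerMax API. The operation labels, the user names and the classification of audit-log viewing as a security operation are assumptions made for illustration.

```python
# Added example: least-privilege review built from the role list above.
ADMIN, STORAGE, SECURITY = "Administrator", "Storage Administrator", "Security Administrator"
LOCAL, REMOTE, DEVMGR = "Local Replication", "Remote Replication", "Device Manager"
PERF, AUDITOR = "Performance Monitor", "Auditor"

# Hypothetical operation labels -> narrowest roles the list states for each.
NARROWEST = {
    "create_snapshot": {LOCAL},
    "restore_snapshot": {LOCAL, DEVMGR},
    "create_secure_snap": {STORAGE},
    "control_srdf_pair": {REMOTE},
    "create_srdf_group": {STORAGE},
    "create_device": {STORAGE},
    "set_performance_alert": {PERF},
    "view_audit_log": {AUDITOR},
    "change_security_settings": {SECURITY},
}
# Assumption: these are the "security operations" closed to Storage Administrator.
SECURITY_OPS = {"view_audit_log", "change_security_settings"}

def minimal_roles(ops):
    """Smallest role set that covers ops under the rules encoded above."""
    needed = set().union(*(NARROWEST[op] for op in ops))
    if STORAGE in needed:   # covers every management operation
        needed -= {LOCAL, REMOTE, DEVMGR, PERF}
    if SECURITY in needed:  # covers every security operation
        needed -= {AUDITOR}
    return needed

def allowed(assigned, op):
    """True if the assigned roles permit op."""
    if ADMIN in assigned or NARROWEST[op] <= assigned:
        return True
    if op in SECURITY_OPS:
        return SECURITY in assigned
    return STORAGE in assigned

def review(assigned, ops):
    """Return (operations the user cannot perform, roles beyond the minimum)."""
    assigned = set(assigned)
    blocked = sorted(op for op in ops if not allowed(assigned, op))
    return blocked, sorted(assigned - minimal_roles(ops))

if __name__ == "__main__":
    # Constructed assignments: user -> (assigned roles, operations the job needs)
    users = {
        "backup-svc": ({LOCAL}, ["create_snapshot", "restore_snapshot"]),
        "dr-operator": ({ADMIN}, ["control_srdf_pair"]),
        "storage-ops": ({STORAGE, LOCAL}, ["create_secure_snap", "create_snapshot"]),
    }
    for name, (roles, ops) in users.items():
        print(name, review(roles, ops))
```

In the constructed data, `backup-svc` cannot restore snapshots because Device Manager is missing, while `dr-operator` holds Administrator for a task that Remote Replication alone covers.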