Role and user strategy

Depending on how the system is viewed, different tasks must be performed to administer and operate the SE server. These tasks are grouped into several task areas, which correspond to the roles described below.

The roles are tied to an account. In other words, a user takes on a role when logging in to the SE Manager with an account that is assigned to this role. A user who takes on a task area (i.e. a role) must be authorized to execute all the functions required to perform these tasks.

When the system is delivered, there are predefined accounts for the Administrator and Service roles, see "Predefined accounts".

All roles except the Service role can be assigned to additional accounts, see "Further accounts with role assignment".

The task areas of the various roles are described in detail below. For further information, see the online help.

Administrator

This task area comprises management of all units on the SE server and management and operation of the systems which run on Server Units and Application Units of the SE server.

  • BS2000 systems: For BS2000 on a Server Unit, the task area comprises operation of the BS2000 system or, under VM2000, operation and partial management of the BS2000 guest systems.

  • XenVM systems: For a Server Unit x86 with a XenVM license, the task area also comprises management of the virtual machines (XenVMs) and their devices for Linux and Windows guest systems.

  • Application Units: For the optional Application Units, the task area comprises the configuration and management of the Application Units and the systems running on them.

In the SE server configuration, the administrator performs, among others, the following tasks:

  • Managing all user accounts

  • Managing individual authorizations

  • LDAP configuration

  • Managing the networks

  • Monitoring audit and event logging

  • Configuring the automatic messaging (via SNMP trap or e-mail) that is triggered for events with a certain weighting

  • Additional general configurations like installing add-on packs, etc.

The administrator can also open a Linux shell on the Management Unit and can use this to call CLI commands. The cli_info command lists the M2000-specific commands which are available. You can obtain a detailed description of the commands in the online help.

All administrator accounts have equal rights.

BS2000 administrator

Comprises (largely) the subset of the Administrator task area which refers to BS2000 systems.

All BS2000 administrator accounts have equal rights.

General access to the Linux shell is not possible. A BS2000 administrator can, however, access the BS2000 console, the BS2000 dialog and the SVP console outside the SE Manager by means of the SSH client PuTTY. To do this, they execute the bs2Console, bs2Dialog and svpConsole commands as remote commands via PuTTY.

XenVM administrator

Comprises (largely) the subset of the Administrator task area which refers to XenVM systems.

All XenVM administrator accounts have equal rights.

Access to the Linux shell is not possible.

AU administrator

Comprises (largely) the subset of the Administrator task area which refers to Application Units.

All AU administrator accounts have equal rights.

Access to the Linux shell is not possible.

Operator

This task area is a subset of the administrator tasks and largely consists of operating the BS2000 systems for ongoing operation or, under VM2000, operation and partial management of the BS2000 guest systems.

All operator accounts initially have equal rights. The administrator can equip them with individual authorizations for accessing BS2000 or individual BS2000 VMs.

General access to the Linux shell is not possible. An operator can, however, access the BS2000 console, the BS2000 dialog and the SVP console outside the SE Manager by means of the SSH client PuTTY. To do this, depending on their individual rights, they execute the bs2Console, bs2Dialog and svpConsole commands as remote commands via PuTTY.

Service

This role includes all tasks of Customer Support, such as maintenance and configuration of the SE server and registration of Application Units.

Predefined accounts

As supplied, the following local accounts are predefined on the SE server for the existing roles:

  • admin (administrator role)

  • service (Customer Support role)

The predefined account admin is protected by an initial password. The administrator can configure further accounts. Further details are provided in the section "Managing accounts" and in the Security Manual [6].

The predefined account service is available solely to Customer Support.

A service account cannot be administered in the SE Manager. Accounts of the add-ons do not correspond to a role in the SE Manager and are therefore not displayed in the SE Manager.

Further accounts with role assignment

The administrator can configure further accounts for an administrator, BS2000 administrator, operator, XenVM administrator or AU administrator, assigning the corresponding role (Administrator, BS2000 administrator, Operator, XenVM administrator or AU administrator) during configuration. This also makes it possible to use person-related accounts.

The accounts are MU-global, i.e. in SE server configurations with more than one MU, all accounts that are added, changed or removed by the administrator are implicitly added, changed or removed on all existing MUs.

An account (locally or centrally managed) must always be unique. If an account is to be added whose name corresponds to a predefined account (e.g. admin, service or an account of an add-on), the SE Manager rejects the action and shows an error message.

Centrally managed accounts

In addition to local accounts, the administrator can also permit LDAP accounts for the various roles. These accounts are managed centrally on an LDAP server (in particular also the password).

In order to use LDAP accounts, access to an LDAP server must be configured. In the Management Cluster, access to the LDAP server can be configured specifically for one SE server; see section "Access to an LDAP server". When this requirement is satisfied, the administrator can, when creating an account, release an LDAP account for the desired role by selecting the corresponding account type. If the central account has the same name as an existing local account, the LDAP account cannot be released. When an LDAP account is removed, it is locked again.

Accesses to BS2000

All administrator and BS2000 administrator accounts have access authorization to the BS2000 console and BS2000 dialog of all BS2000 systems. An administrator can assign these authorizations individually to an operator account, in VM2000 mode specifically for particular guest systems.

For information on accesses to BS2000 for operator accounts, see section "Managing individual rights".
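The account rules from the sections "Further accounts with role assignment", "Centrally managed accounts" and "Accesses to BS2000" above, modelled as an added example in Python. This is illustration code, not SE Manager code; the class and method names and the add-on account name addon_x are assumptions constructed for the example.

```python
"""Model of the SE Manager role and account rules described on this page.

Constructed illustration, not SE Manager code: the class names and the
add-on account 'addon_x' are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Roles the administrator may assign to further accounts (Service is excluded).
ASSIGNABLE_ROLES = {"Administrator", "BS2000 administrator", "Operator",
                    "XenVM administrator", "AU administrator"}
# Predefined accounts as supplied; 'addon_x' stands in for an add-on account,
# which has no SE Manager role but still reserves its name.
PREDEFINED = {"admin": "Administrator", "service": "Service", "addon_x": None}
# Roles whose accounts may open the console/dialog of every BS2000 system.
FULL_BS2000_ACCESS = {"Administrator", "BS2000 administrator"}


@dataclass
class Account:
    name: str
    role: str
    kind: str = "local"                              # "local" or "ldap"
    bs2000_access: set = field(default_factory=set)  # per-VM rights (operators)


class AccountRegistry:
    def __init__(self):
        self.accounts = {n: Account(n, r) for n, r in PREDEFINED.items() if r}

    def add(self, name, role, kind="local"):
        """Return an error message on rejection, None when the account is added."""
        if role not in ASSIGNABLE_ROLES:
            return f"role '{role}' cannot be assigned to further accounts"
        if name in PREDEFINED:
            return f"'{name}' corresponds to a predefined account"
        existing = self.accounts.get(name)
        if existing is not None:
            if kind == "ldap" and existing.kind == "local":
                return f"LDAP account '{name}' equals an existing local account"
            return f"account '{name}' already exists"
        self.accounts[name] = Account(name, role, kind)
        return None

    def grant_bs2000(self, operator, guest_system):
        """Administrator grants an operator access to one BS2000 guest system."""
        acc = self.accounts[operator]
        if acc.role != "Operator":
            return False   # individual rights apply to operator accounts only
        acc.bs2000_access.add(guest_system)
        return True

    def may_access_bs2000(self, name, guest_system):
        acc = self.accounts.get(name)
        if acc is None:
            return False
        return acc.role in FULL_BS2000_ACCESS or guest_system in acc.bs2000_access
```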

Accesses to the operating system on XenVMs and Application Units

The customer is responsible for configuring accounts in the operating systems on XenVMs and Application Units, possibly linked to a strategy for particular roles or authorizations. This depends on the options of the operating system concerned.