Role and user strategy


Depending on how the system is viewed, different tasks must be performed to administer and operate the SE server; these tasks are categorized into multiple task areas. The task areas correspond to predefined basic roles. In addition, basic roles (except Administrator and Service) can be combined into user-defined roles.

In addition to the SEM functionality described below, each basic role also has access to some further SEM windows, such as the main windows Dashboard and Certificates, and may change its own password in the main window Password management, download the CA certificate of the MU and access the event logging.

The roles are tied to an account. In other words, users take over a role when they log in on the SE Manager with an account which is assigned to this role. A user who takes over a task area (i.e. a role) must be authorized to execute all the functions which are required to perform these tasks.

When the system is delivered, there are predefined accounts for the Administrator and Service roles, see "Predefined accounts".

All roles except the Service role can be assigned to additional accounts, see "Further accounts with role assignment".

All accounts to which the same role is assigned are equivalent. The only exception in this respect is for accounts with the BS2000 operator role. These are also initially equivalent. However, an administrator or security administrator can additionally assign them individual rights for access to BS2000 or the individual BS2000 VMs.

The task areas of the various roles are described in detail below. For further information, see the online help.

Administrator

This task area comprises management of all units on the SE server and management and operation of the systems which run on Server Units and Application Units of the SE server.

  • BS2000 systems: For BS2000 on a Server Unit, the task area comprises operation of the BS2000 system or, under VM2000, operation and partial management of the BS2000 guest systems.

  • Application Units: For the optional Application Units the task area comprises the configuration and management of the Application Units and the systems running on these.

In the SE server configuration, the administrator performs, among others, the following tasks:

  • Managing all user accounts

  • Managing individual authorizations

  • LDAP configuration

  • Managing the networks

  • Monitoring audit and event logging

  • Configuring the automatic messaging (via SNMP trap or e-mail) that is triggered for events with a certain weighting

  • Additional general configurations like installing add-on packs, etc.

The administrator can also open a Linux shell on the Management Unit and can use this to call CLI commands. The cli_info command lists the M2000-specific commands which are available. You can obtain a detailed description of the commands in the online help.

BS2000 administrator

Comprises (largely) the subset of the Administrator task area which refers to BS2000 systems (BS2000 systems, BS2000 devices, Backup Monitor, Net-Storage, Cluster, …).

General access to the Linux shell is not possible. A BS2000 administrator can, however, access the BS2000 console, the BS2000 dialog and the SVP console outside the SE Manager by means of the SSH client PuTTY. To do this, they execute the bs2Console, bs2Dialog and svpConsole commands as remote commands by means of PuTTY.

BS2000 operator

This task area is a subset of the administrator tasks and largely consists of operating the BS2000 systems for ongoing operation or, under VM2000, operation and partial management of the BS2000 guest systems.

General access to the Linux shell is not possible. A BS2000 operator can, however, access the BS2000 console, the BS2000 dialog and the SVP console outside the SE Manager by means of the SSH client PuTTY. To do this, they execute the bs2Console, bs2Dialog and svpConsole commands as remote commands by means of PuTTY, depending on their individual rights.

AU administrator

An AU administrator has the authorization for functions of the SE Manager which are necessary to operate the systems on AUs. In addition, they also have some administrator authorizations: switching the AUs on/off, read access to the hardware inventory, and configuration of scheduled power on/off of the AUs. Access to the Linux shell is not possible.

Read-only administrator

A Read-only administrator has the right to view all windows of the SE Manager, however modifying actions are not allowed.

Security administrator

A Security administrator has full authorization for the windows and functions of the SE Manager under the categories Authorizations and Logging.

Hardware administrator

A Hardware administrator has full authorization for the windows and functions of the SE Manager under the categories Hardware -> Units, Hardware -> HW inventory, Hardware -> Energy and Service -> Units.

Storage administrator

A Storage administrator has full authorization for the windows and functions of the SE Manager under the categories Devices -> … -> IORSF files | Disks | Tape devices, Hardware -> Units -> … -> FC interfaces | Multipath disks | CRD disks as well as Hardware -> Storage (without STORMAN!).

Power operator

A Power operator has authorization for the main window Units under the category Hardware and the functions for powering units on and off.

IP networks administrator

An IP network administrator has full authorization for the windows and functions of the SE Manager under the categories Hardware -> Units -> … -> IP interfaces, Hardware -> Management -> … -> IP configuration | Routing & DNS as well as Hardware -> IP networks.

FC networks administrator

An FC network administrator has full authorization for the windows and functions of the SE Manager under the categories Hardware -> FC networks and Devices -> BS2000 paths.

Shadow terminal operator

A Shadow terminal operator has authorization for access to the main window Service -> Units -> <MU> -> Remote Service, from which a shadow terminal can be opened.

Add-on-specific roles

  • OPENSM2
    • OPENSM2 administrator
      An OPENSM2 administrator has authorization for access to the add-on OPENSM2 and to its administration on all Management Units.
    • OPENSM2 information
      A user with role OPENSM2 information has authorization for access to the add-on OPENSM2. The administration of the add-on is not allowed.

  • OPENUTM
    • OPENUTM administrator
      An OPENUTM administrator has authorization for access to the add-on OPENUTM and to its administration on all Management Units (Master and Administration Write privileges).
    • OPENUTM operator
      An OPENUTM operator has authorization for access to the add-on OPENUTM including administration (Administration Write privilege).
    • OPENUTM information
      A user with role OPENUTM information has authorization for read access to the add-on OPENUTM (Administration Read privilege).

  • ROBAR
    • ROBAR administrator
      A ROBAR administrator has authorization for access to the add-on ROBAR and to its administration on all Management Units.
    • ROBAR operator
      A ROBAR operator has authorization for access to the add-on ROBAR. The administration of the add-on is not allowed.

  • STORMAN
    • STORMAN administrator
      A STORMAN administrator has authorization for access to the add-on STORMAN and to its administration on all Management Units.
    • STORMAN information
      A user with role STORMAN information has authorization for access to the add-on STORMAN. The administration of the add-on is not allowed.

Service

This role includes all tasks of Customer Support, such as maintenance and configuration of the SE server and registration of Application Units.

When special basic roles are mentioned below, such as BS2000 administrator or Security administrator, this also refers to those user-defined roles which contain these basic roles.

Predefined accounts

As supplied, the following local accounts are predefined on the SE server for the existing roles:

  • admin (administrator role)

  • service (Customer Support role)

The predefined account admin is protected by an initial password. The administrator can configure further accounts. Further details are provided in the section "Managing accounts" and in the Security Manual [6].

The predefined account service is available solely to Customer Support. A service account cannot be administered in the SE Manager.

Accounts of the add-ons are internal function accounts, do not correspond to a role in the SE Manager and are therefore not displayed in the SE Manager.

Further accounts with role assignment

An administrator or security administrator can configure further accounts for all basic roles except Service and for user-defined roles. They assign the role during creation of an account. The use of person-related accounts is therefore also possible.

The accounts are MU-global, i.e. in SE server configurations with more than one MU, all accounts that are added, changed or removed by the administrator are implicitly added, changed or removed on all existing MUs.

An account (locally or centrally managed) must always be unique. If an account is to be added that corresponds to a pre-defined account (e.g. admin, service or account of an add-on), the SE Manager rejects the action and shows an error message.

Centrally managed accounts

In addition to local accounts, an administrator or security administrator can also permit LDAP accounts for the various roles. These accounts are managed centrally on an LDAP server (in particular also the password).

In order to use LDAP accounts, access to an LDAP server must be configured. In the Management Cluster, access to the LDAP server can be configured specifically for one SE server. See section "Access to an LDAP server". When this requirement is satisfied, the administrator or security administrator can, when creating an account, release an LDAP account for the desired role by means of the account type. If the central account has the same name as an existing local account, no LDAP account can be released. When an LDAP account is removed, it is also locked again.
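The rules from the sections "Role and user strategy", "Further accounts with role assignment" and "Centrally managed accounts" (Administrator and Service cannot be combined into user-defined roles, Service cannot be assigned to further accounts, account names must be unique across local and LDAP accounts and must not collide with predefined or add-on accounts) can be checked in a small model. This is an added example, not code from the SE Manager; the add-on function account names and the RoleStore class are assumptions.

```python
# Added model of the account/role rules stated on this page (not Fujitsu code).
# ADD_ON_ACCOUNTS holds assumed names for internal add-on function accounts.

BASIC_ROLES = {
    "Administrator", "Service", "BS2000 administrator", "BS2000 operator",
    "AU administrator", "Read-only administrator", "Security administrator",
    "Hardware administrator", "Storage administrator", "Power operator",
    "IP networks administrator", "FC networks administrator",
    "Shadow terminal operator",
}
NOT_COMBINABLE = {"Administrator", "Service"}   # never part of a user-defined role
PREDEFINED_ACCOUNTS = {"admin", "service"}      # delivered with the system
ADD_ON_ACCOUNTS = {"opensm2", "robar"}          # assumed internal function accounts


class RoleStore:
    """Tracks user-defined roles and local/LDAP accounts of one SE server."""

    def __init__(self):
        self.user_roles = {}   # role name -> frozenset of basic roles
        self.accounts = {}     # account name -> (role, "local" | "ldap")

    def define_role(self, name, basic_roles):
        """User-defined role: a combination of basic roles, minus Administrator/Service."""
        roles = frozenset(basic_roles)
        if name in BASIC_ROLES or name in self.user_roles:
            return f"rejected: role {name!r} already exists"
        if not roles <= BASIC_ROLES:
            return f"rejected: unknown basic role {sorted(roles - BASIC_ROLES)}"
        if roles & NOT_COMBINABLE:
            return "rejected: Administrator and Service cannot be combined"
        self.user_roles[name] = roles
        return None

    def add_account(self, name, role, account_type="local"):
        """Returns None on success, otherwise the reason the SE Manager would reject it."""
        if name in PREDEFINED_ACCOUNTS | ADD_ON_ACCOUNTS:
            return f"rejected: {name!r} corresponds to a predefined account"
        if name in self.accounts:   # unique across local and LDAP accounts
            return f"rejected: account {name!r} already exists"
        if role == "Service":
            return "rejected: the Service role cannot be assigned to further accounts"
        if role not in BASIC_ROLES and role not in self.user_roles:
            return f"rejected: unknown role {role!r}"
        if account_type not in ("local", "ldap"):
            return f"rejected: unknown account type {account_type!r}"
        self.accounts[name] = (role, account_type)
        return None

    def effective_roles(self, name):
        """Basic roles an account holds; a user-defined role expands to its members."""
        role, _ = self.accounts[name]
        return self.user_roles.get(role, frozenset({role}))
```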

Accesses to BS2000

All administrator and BS2000 administrator accounts have access authorization to the BS2000 console and BS2000 dialog of all BS2000 systems. An administrator or security administrator can assign these authorizations individually also to a BS2000 operator account, in VM2000 mode specifically for particular guest systems.

For information on accesses to BS2000 for BS2000 operator accounts, see section "Managing individual rights".

Accesses to the operating system on Application Units

The customer is responsible for configuring accounts in the operating systems on Application Units, possibly linked to a strategy for particular roles or authorizations. This depends on the options of the operating system concerned.