- Notes, cautions, and warnings
- Introduction to this guide
- PowerScale scale-out NAS
- Introduction to the OneFS command-line interface
- General cluster administration
- General cluster administration overview
- User interfaces
- Connecting to the cluster
- Licensing
- Certificates
- Cluster identity
- Cluster contact information
- Cluster date and time
- SMTP email settings
- Configuring the cluster join mode
- File system settings
- Data compression settings and monitoring
- Events and alerts
- Security hardening
- Cluster configuration backup and restore
- Cluster monitoring
- Monitoring cluster hardware
- Cluster maintenance
- SRS Summary
- Access zones
- Data Security overview
- Base directory guidelines
- Access zones best practices
- Access zones on a SyncIQ secondary cluster
- Access zone limits
- Quality of service
- Zone-based Role-based Access Control (zRBAC)
- Zone-specific authentication providers
- Managing access zones
- Create an access zone
- Assign an overlapping base directory
- Manage authentication providers in an access zone
- Associate an IP address pool with an access zone
- Modify an access zone
- Delete an access zone
- View a list of access zones
- Create one or more access zones
- Create local users in an access zone
- Access files through the RESTful Access to Namespace (RAN) in non-System zones
- Authentication
- Authentication overview
- Authentication provider features
- Security Identifier (SID) history overview
- Supported authentication providers
- Active Directory
- LDAP
- NIS
- Kerberos authentication
- File provider
- Local provider
- Multi-factor Authentication (MFA)
- Multi-instance active directory
- LDAP public keys
- Managing Active Directory providers
- Managing LDAP providers
- Managing NIS providers
- Managing MIT Kerberos authentication
- Managing file providers
- Managing local users and groups
- SSH Authentication and Configuration
- Administrative roles and privileges
- Identity management
- Home directories
- Home directories overview
- Home directory permissions
- Authenticating SMB users
- Home directory creation through SMB
- Home directory creation through SSH and FTP
- Home directory creation in a mixed environment
- Interactions between ACLs and mode bits
- Default home directory settings in authentication providers
- Supported expansion variables
- Domain variables in home directory provisioning
- Data access control
- File sharing
- File sharing overview
- SMB security
- NFS security
- FTP
- HTTP and HTTPS security
- File filtering
- Auditing and logging
- Auditing overview
- Syslog
- Protocol audit events
- Supported audit tools
- Delivering protocol audit events to multiple CEE servers
- Supported event types
- Sample audit log
- Audit log purging
- Managing audit settings
- Integrating with the Common Event Enabler
- Tracking the delivery of protocol audit events
- View the time stamps of delivery of events to the CEE server and syslog
- Display a global view of delivery of protocol audit events to the CEE server and syslog
- Move the log position of the CEE forwarder
- View the rate of delivery of protocol audit events to the CEE server
- Automatic deletion
- Manual deletion
- Snapshots
- Snapshots overview
- Data protection with SnapshotIQ
- Snapshot disk-space usage
- Snapshot schedules
- Snapshot aliases
- File and directory restoration
- Best practices for creating snapshots
- Best practices for creating snapshot schedules
- File clones
- Snapshot locks
- Snapshot reserve
- Writable snapshots
- SnapshotIQ license functionality
- Creating snapshots with SnapshotIQ
- Managing writable snapshots
- Managing snapshots
- Restoring snapshot data
- Managing snapshot schedules
- Managing snapshot aliases
- Managing with snapshot locks
- Configure SnapshotIQ settings
- Set the snapshot reserve
- Managing changelists
- Managing writable snapshots
- Deduplication with SmartDedupe
- Inline Data Deduplication
- Inline Data Deduplication overview
- Inline deduplication interoperability
- Considerations for using inline deduplication
- Enable inline deduplication
- Verify inline deduplication is enabled
- View inline deduplication reports
- Disable or pause inline deduplication
- Remove deduplication
- Troubleshoot index allocation issues
- Data replication with SyncIQ
- SyncIQ data replication overview
- Replication policies and jobs
- Replication snapshots
- Data failover and failback with SyncIQ
- Recovery times and objectives for SyncIQ
- Replication policy priority
- SyncIQ license functionality
- Replication for nodes with multiple interfaces
- Restrict SyncIQ source nodes
- Creating replication policies
- Managing replication to remote clusters
- Initiating data failover and failback with SyncIQ
- Performing disaster recovery for older SmartLock directories
- Managing replication policies
- Managing replication to the local cluster
- Managing replication performance rules
- Managing replication reports
- Managing failed replication jobs
- Restrict SyncIQ to use the interfaces in the IP address pool
- Modify the Restrict Target Network value
- Data Encryption with SyncIQ
- Data Compression
- Data layout with FlexProtect
- Large file size support
- Administering NDMP
- NDMP backup and recovery overview
- NDMP two-way backup
- NDMP three-way backup
- Support for NDMP sessions on Generation 6 hardware
- Setting preferred IPs for NDMP three-way operations
- NDMP multi-stream backup and recovery
- Snapshot-based incremental backups
- NDMP backup and restore of SmartLink files
- NDMP protocol support
- Supported DMAs
- NDMP hardware support
- NDMP backup limitations
- NDMP performance recommendations
- Excluding files and directories from NDMP backups
- Configuring basic NDMP backup settings
- Managing NDMP user accounts
- Managing NDMP backup devices
- Managing NDMP Fibre Channel ports
- Managing NDMP preferred IP settings
- Managing NDMP sessions
- Managing NDMP restartable backups
- NDMP restore operations
- Managing default NDMP variables
- Managing snapshot based incremental backups
- Managing cluster performance for NDMP sessions
- Managing CPU usage for NDMP sessions
- View NDMP backup logs
- File retention with SmartLock
- SmartLock overview
- Compliance mode
- Enterprise mode
- SmartLock directories
- Replication and backup with SmartLock
- SmartLock license functionality
- SmartLock considerations
- Delete WORM domain and directories
- Set the compliance clock
- View the compliance clock
- Creating a SmartLock directory
- Managing SmartLock directories
- Managing files in SmartLock directories
- Set a retention period through a UNIX command line
- Set a retention period through Windows Powershell
- Commit a file to a WORM state through a UNIX command line
- Commit a file to a WORM state through Windows Explorer
- Override the retention period for all files in a SmartLock directory
- Delete a file committed to a WORM state
- View WORM status of a file
- Data Removal with Instant Secure Erase (ISE)
- Protection domains
- Data-at-rest-encryption
- Data-at-rest encryption overview
- Self-encrypting drives
- Data security on self-encrypting drives
- Data migrations and upgrades to a cluster with self-encrypting drives
- Enabling external key management
- Migrate nodes and SEDs to external key management
- Chassis and drive states
- Smartfailed drive REPLACE state
- Smartfailed drive ERASE state
- SmartQuotas
- SmartQuotas overview
- Quota types
- Default quota type
- Usage accounting and limits
- Disk-usage calculations
- Quota notifications
- Quota notification rules
- Quota reports
- Creating quotas
- Managing quotas
- Search for quotas
- Manage quotas
- Export a quota configuration file
- Import a quota configuration file
- Managing quota notifications
- Email quota notification messages
- Managing quota reports
- Basic quota settings
- Advisory limit quota notification rules settings
- Soft limit quota notification rules settings
- Hard limit quota notification rules settings
- Limit notification settings
- Quota report settings
- Storage Pools
- Storage pools overview
- Storage pool functions
- Autoprovisioning
- Node pools
- Virtual hot spare
- Spillover
- Suggested protection
- Protection policies
- SSD strategies
- Other SSD mirror settings
- Global namespace acceleration
- L3 cache overview
- Tiers
- File pool policies
- Managing node pools through the command-line interface
- Delete an SSD compatibility
- Create a node pool manually
- Add a node to a manually managed node pool
- Add a new node type to an existing node pool
- Remove a node type from a node pool
- Change the name or protection policy of a node pool
- Remove a node from a manually managed node pool
- Remove a node pool from a tier
- View node pool settings
- Modify default storage pool settings
- SmartPools settings
- Managing L3 cache from the command-line interface
- Managing tiers
- Creating file pool policies
- Managing file pool policies
- Monitoring storage pools
- Pool-based tree reporting in FSAnalyze (FSA)
- System jobs
- S3 support
- Small Files Storage Efficiency for archive workloads
- Networking
- Networking overview
- About the internal network
- About the external network
- Managing internal network settings
- Managing groupnets
- Managing external network subnets
- Managing Multi-SSIP
- Managing IP address pools
- Managing SmartConnect Settings
- Managing connection rebalancing
- Managing network interface members
- Managing node provisioning rules
- Managing routing options
- Managing DNS cache settings
- NFS3oRDMA
- Partitioned Performance Monitoring
- IPMI
- Antivirus
- Antivirus overview
- On-access scanning
- ICAP Antivirus policy scanning
- Individual file scanning using ICAP
- WORM files and antivirus
- Antivirus scan reports
- ICAP servers
- CAVA servers
- ICAP threat responses
- CAVA threat responses
- Configuring global antivirus settings
- Managing ICAP servers
- Managing CAVA servers
- Add and connect to a CAVA server
- Modify CAVA connection settings
- List or view CAVA servers
- Disable connection to a CAVA server
- Delete a CAVA server configuration
- Create an IP pool in a CAVA server
- Create a dedicated Access Zone on a CAVA server
- Create an Active Directory authentication provider for the AvVendor access zone
- Update the role in the access zone
- Scan CloudPool files in a CAVA server
- View CloudPool scan timeout
- Manage CAVA filters
- Manage CAVA jobs
- Create an ICAP antivirus policy
- Managing ICAP antivirus policies
- Managing antivirus scans
- Managing antivirus threats
- Managing antivirus reports
PowerScale OneFS 9.3.0.0 CLI Administration Guide
Add a user to integrated roles
You can assign an integrated role to a user.
-
To view the list of roles, run the
isi auth roles list command.
The following authentication roles list displays:
isi auth roles list Name --------------- AuditAdmin BackupAdmin BasicUserRole SecurityAdmin StatisticsAdmin SystemAdmin VMwareAdmin --------------- Total: 7
-
Run the
isi auth roles list --zone zone1 command to view the roles available in zone1
The roles available in zone1 display:
isi auth roles list --zone zone1 Name ----------------- BasicUserRole ZoneAdmin ZoneSecurityAdmin ----------------- Total: 3
-
Run the
isi auth roles view BasicUserRole --zone zone1 command to view the privileges associated with the BasicUserRole role in zone1.
isi auth roles view BasicUserRole --zone zone1 Name: BasicUserRole Description: Allow restricted access to cluster for storage users. Members: - Privileges ID: ISI_PRIV_LOGIN_PAPI Permission: r ID: ISI_PRIV_AUTH Permission: r ID: ISI_PRIV_AUTH_PROVIDERS Permission: - ID: ISI_PRIV_AUTH_SETTINGS_ACLS Permission: - ID: ISI_PRIV_AUTH_SETTINGS_GLOBAL Permission: - ID: ISI_PRIV_AUTH_ZONES Permission: - ID: ISI_PRIV_FILE_FILTER Permission: w ID: ISI_PRIV_HDFS Permission: w ID: ISI_PRIV_HDFS_RACKS Permission: - ID: ISI_PRIV_HDFS_SETTINGS Permission: w ID: ISI_PRIV_NFS Permission: w ID: ISI_PRIV_NFS_SETTINGS Permission: r ID: ISI_PRIV_NFS_SETTINGS_GLOBAL Permission: - ID: ISI_PRIV_NFS_SETTINGS_ZONE Permission: - ID: ISI_PRIV_S3 Permission: w ID: ISI_PRIV_S3_MYKEYS Permission: - ID: ISI_PRIV_S3_SETTINGS Permission: w ID: ISI_PRIV_S3_SETTINGS_GLOBAL Permission: - ID: ISI_PRIV_SMB Permission: w ID: ISI_PRIV_SMB_SESSIONS Permission: r ID: ISI_PRIV_SMB_SETTINGS Permission: - ID: ISI_PRIV_SMB_SETTINGS_GLOBAL Permission: - ID: ISI_PRIV_SMB_SETTINGS_SHARE Permission: - ID: ISI_PRIV_NS_IFS_ACCESS Permission: r -
Run the
isi auth roles view ZoneAdmin --zone zone1 command to view the privileges associated with the ZoneAdmin role in zone1.
isi auth roles view ZoneAdmin --zone zone1 Name: ZoneAdmin Description: Administer aspects of configuration related to current access zone. Members: - Privileges ID: ISI_PRIV_LOGIN_PAPI Permission: r ID: ISI_PRIV_AUDIT Permission: w ID: ISI_PRIV_FILE_FILTER Permission: w ID: ISI_PRIV_HDFS Permission: w ID: ISI_PRIV_NFS Permission: w ID: ISI_PRIV_PAPI_CONFIG Permission: w ID: ISI_PRIV_S3 Permission: w ID: ISI_PRIV_SMB Permission: w ID: ISI_PRIV_SWIFT Permission: w ID: ISI_PRIV_VCENTER Permission: w ID: ISI_PRIV_NS_TRAVERSE Permission: r ID: ISI_PRIV_NS_IFS_ACCESS Permission: r -
Run the
isi auth roles view ZoneSecurityAdmin --zone zone1 command to view the privileges associated with the ZoneSecurityAdmin role in zone1.
isi auth roles view ZoneSecurityAdmin --zone zone1 Name: ZoneSecurityAdmin Description: Administer aspects of security configuration related to current access zone. Members: - Privileges ID: ISI_PRIV_LOGIN_PAPI Permission: r ID: ISI_PRIV_AUTH Permission: w ID: ISI_PRIV_ROLE Permission: w -
Run the
isi auth user create command to create a user to add to the ZoneAdmin role.
You can only add existing users to a role. The isi auth roles modify command does not create the user for you.
isi auth user create z1-user1 --zone zone1 --enabled True --set-password password: <enter password> confirm: <re-enter password>
-
Run the
isi auth roles modify command to add a user to the ZoneAdmin role.
isi auth roles modify --zone zone1 ZoneAdmin --add-user z1-user1
-
Run the isi auth roles view command to view whether the new user has been added to the ZoneAdmin role.
isi auth roles view ZoneAdmin --zone zone1 Name: ZoneAdmin Description: Administer aspects of configuration related to current access zone. Members: z1-user1 Privileges ID: ISI_PRIV_LOGIN_PAPI Permission: r ID: ISI_PRIV_AUDIT Permission: w ID: ISI_PRIV_FILE_FILTER Permission: w ID: ISI_PRIV_HDFS Permission: w ID: ISI_PRIV_NFS Permission: w ID: ISI_PRIV_PAPI_CONFIG Permission: w ID: ISI_PRIV_S3 Permission: w ID: ISI_PRIV_SMB Permission: w ID: ISI_PRIV_SWIFT Permission: w ID: ISI_PRIV_VCENTER Permission: w ID: ISI_PRIV_NS_TRAVERSE Permission: r ID: ISI_PRIV_NS_IFS_ACCESS Permission: r -
Run the
isi auth user create command to create a user to add to the ZoneSecurityAdmin role.
You can only add existing users to a role. The isi auth roles modify command does not create the user for you.
isi auth user create z1-user2 --zone zone1 --enabled True --set-password password: <enter password> confirm: <re-enter password>
-
Run the
isi auth roles modify command to add a user to the ZoneSecurityAdmin role.
isi auth roles modify --zone zone1 ZoneSecurityAdmin --add-user z1-user2
-
Run the isi auth roles view command to view whether the new user has been added to the ZoneSecurityAdmin role.
isi auth roles view ZoneSecurityAdmin --zone zone1 Name: ZoneSecurityAdmin Description: Administer aspects of security configuration related to current access zone. Members: z1-user2 Privileges ID: ISI_PRIV_LOGIN_PAPI Read Only: True ID: ISI_PRIV_LOGIN_PAPI Permission: r ID: ISI_PRIV_AUTH Permission: w ID: ISI_PRIV_ROLE Permission: w
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\