Dell PowerFlex v3.6.x User Roles and LDAP Usage Technical Notes

LDAP domain roles

Roles in the LDAP domain are similar by name to local user roles, but are defined in a mutually exclusive manner.

Each role is authorized to perform a separate set of commands that are related to its functionality, with basically no overlap. The only exception is Configure, which is constructed from FrontendConfigure and BackendConfigure and does not exist as a separate role in LDAP. This model allows better granularity when defining users.

1. Superuser: Not supported for LDAP users. Must be a local user.
2. Security: Can define administrators and control LDAP. The Security user is not part of the hierarchical model and has a set of commands that only a Security (or Superuser) user can perform.
3. Administrator: Can define Configure and Monitor users.
4. FrontendConfigure: Can perform any frontend-related configurations that include volume manipulations (adding, deleting, and mapping volumes and snapshots) and SDC operations (adding and deleting SDCs).
5. BackendConfigure: Can perform upgrades and any backend-related configurations. Operations include:
   • Protection Domain and Storage Pool operations
   • Manipulating Fault Sets and SDS
   • Configuring SDS devices
   • Configuring replication
6. Monitor: Can only perform monitoring operations that do not affect the system.

In order to run NDU, the LDAP user must be assigned at a minimum both the Monitor and BackendConfigure user roles.