- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
CLI role-based access setup
A user account is always associated with a primary group and each group is assigned a role. A role defines the privileges (that is, the operations) the user can perform on a particular File object.
Defining role-based access for commands
This appendix provides information about how to setup role-based access for CLI commands. The first four tables list the CLI commands for which you can specify the privileges needed to perform different command actions. The object on which privileges are defined and the specific command actions available when Modify or Full Control privileges are selected are listed for each command. Using this information you can create a custom role (also known as a user role) that gives a user associated with this role exactly the privileges necessary to perform his job. Or you can associate a user with the predefined role that already includes Full Control privileges for the command. The first table lists the commands with the prefix cel. The second table lists the commands with the prefix fs. The third table lists the commands with the prefix nas. And the fourth table lists the commands with the prefix server.
You create and manage role-based administrative access with or . You must be root or a user associated with the Administrator or Security Administrator role to create a user account and to associate it with a group and role.
Read-only privileges
Regardless of the role with which he is associated, a user always has read-only privileges for all commands and command options that display information. Some of the command actions available with read-only privileges include info, list, status, and verify. The fifth table lists commands that users associated with any role can execute.
Commands not covered by the role-based access feature
The final table lists the commands that are not covered by the role-based access feature. Some of these commands invoke scripts, others are based on legacy executables, and others are associated with File objects that are not exposed. If the File object associated with a command is not exposed in Create Role, you cannot create a custom (user) role that allows you to specify the privileges needed to perform different command actions. Consequently these commands can only be performed by the default user accounts root and nasadmin or, in some cases, by a user account associated with the root and nasadmin roles.
cel commands
NOTE:Object category lists the field in the
Roles dialogs where privileges can be set.
NOTE:All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
| Command | Object category | Actions available with modify privileges | Actions available with full control privileges | Included in predefined role |
|---|---|---|---|---|
| cel_fs | Storage>File Systems | extract
import |
FileMover Application |
fs commands
NOTE:Object category lists the field in the
Roles dialogs where privileges can be set.
NOTE:All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
| Command | Object category | Actions available with modify privileges | Actions available with full control privileges | Included in predefined role |
|---|---|---|---|---|
| fs_ckpt | Data Protection>Checkpoints | modify
refresh |
create
restore |
Data Protection
Data Recovery Local Data Protection |
| fs_dhsm | Storage>FileMover | connection modify
modify |
connection create
connection delete |
FileMover Application |
| fs_group | Storage>File Systems | create
delete shrink xtend |
FileMover Application | |
| fs_rdf | Storage>Storage Systems | info
mirror restore |
||
| fs_timefinder | Storage>File Systems | mirror
restore snapshot |
nas commands
NOTE:Object category lists the field in the
Roles dialogs where privileges can be set.
NOTE:All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
| Command | Object category | Actions available with modify privileges | Actions available with full control privileges | Included in predefined role |
|---|---|---|---|---|
| nas_ckpt_schedule | Data Protection >Checkpoints
Data Protection >VTLU |
modify
pause resume |
create
delete |
Data Protection
Data Recovery Local Data Protection |
| nas_copy | Data Protection> Replication | create
destination source interconnect |
Data Recovery | |
| nas_devicegroup | Storage>Storage Systems | acl
resume suspend |
||
| nas_disk | Storage>Volumes | rename | delete | |
| nas_diskmark | Storage>Storage Systems | mark | ||
| nas_fs | Storage>File Systems | modify
rename translate access policy start xtend |
acl
create delete type |
FileMover Application |
| nas_fsck | Storage>File Systems | start | FileMover Application | |
| nas_license | System>Licenses | create
delete init |
Security Administrator (not included in the NAS Administrator and Storage Administrator roles) | |
| nas_pool | Storage>Pools | modify
shrink xtend |
create
delete |
|
| nas_quotas | Storage>Quotas
Storage>File System |
edit
on | off |
clear | |
| nas_replicate | Data Protection>Replication | modify
refresh |
create
delete failover reverse start stop switchover |
Data Recovery |
| nas_server | System>Data Movers
Protocols>CIFS |
acl
rename |
create
delete (System>Data Movers object category) vdm (Protocols>CIFS object category) |
|
| nas_slice | Storage>Volumes | rename | create
delete |
|
| nas_storage | Storage>Storage Systems | modify
rename |
acl
delete fallback sync |
|
| nas_task | System>Task | abort
delete |
All users can abort and delete any task they own but only root user can abort and delete tasks owned by any user | |
| nas_volume | Storage>Volumes | rename
xtend |
acl
clone create delete |
server commands
NOTE:Object category lists the field in the
Roles dialogs where privileges can be set.
NOTE:All commands are also included in the NAS Administrator and Storage Administrator roles unless otherwise noted.
| Command | Object category | Actions available with modify privileges | Actions available with full control privileges | Included in predefined role |
|---|---|---|---|---|
| server_arp | Networking>NIS | delete
set |
Network Administrator | |
| server_cdms | Storage>Migration | convert
halt start |
connect
disconnect |
|
| server_certificate | Security>Public Key Certificates | cacertificate delete
cacertificate import persona clear persona generate persona import |
Security Administrator (not included in the NAS Administrator and Storage Administrator roles) | |
| server_cifs | Protocol>CIFS | disable
enable join rename replace unjoin update |
add
delete migrate |
|
| server_cifssupport | Protocols>CIFS | acl
secmap update |
secmap create
secmap delete secmap import secmap migration |
|
| server_cpu | System>Data Movers | halt
reboot |
||
| server_date | System>Data Movers | timesvc hosts
timesvc start timesvc update |
timesvc delete
timesvc set timesvc stop |
|
| server_devconfig | Storage>Storage System | rename | create | |
| server_dns | Networking>DNS | option | delete
protocol |
Network Administrator |
| server_export | Protocols>NFS
or Protocols>CIFS |
unexport | protocol (NFS) | |
| server_ftp | Protocols>NFS | modify
service stat reset |
service start | stop | Network Administrator |
| server_http | Storage>FileMover | modify
appand remove service start | stop |
FileMover Application | |
| server_ifconfig | Networking>Interfaces | up
down ipsec and noipsec (Applicable only to systems running VNX OE for file earlier than version 8.x.) mtu vlan |
create
delete |
Network Administrator |
| server_ip | Networking>Routing | neighbor create | delete
route create | delete |
Network Administrator | |
| server_kerberos | Protocols>CIFS | keytab
ccache kadmin |
add
delete |
Security Administrator (not included in the NAS Administrator and Storage Administrator roles) |
| server_ldap | Networking>NIS | set | clear
service start | stop |
Network Administrator |
| server_mount | Storage>File Systems | all
force options |
FileMover Application | |
| server_mountpoint | Storage>File Systems | create
delete |
||
| server_name | System>Data Movers | <new_name> | ||
| server_nfs | Protocols>NFS | user
v4 client v4 stats zero |
service
principal v4 service |
command options mapper set and mapping can only be executed by root |
| server_nfsstat | Protocols>NFS | zero | ||
| server_nis | Networking>NIS | delete | Network Administrator | |
| server_param | System>Data Movers | facility | ||
| server_rip | Networking>Routing | ripin
noripin |
Network Administrator | |
| server_route | Networking>Routing | add
delete flush deleteAll |
Network Administrator | |
| server_security | Protocols>CIFS | modify
update |
add
delete |
Security Administrator (not included in the NAS Administrator and Storage Administrator roles) |
| server_setup | System>Data Movers | load
protocol load |
||
| server_snmp | Networking>NIS | community
location syscontact |
Network Administrator | |
| server_standby | System>Data Movers | activate
restore |
create
delete |
|
| server_stats | Storage>File Systems | monitor | noresolve
service |
|
| server_sysconfig | Networking>Devices | pci | virtual new
virtual delete |
Network Administrator |
| server_umount | Storage>File Systems | temp | all
perm |
FileMover Application |
| server_usermapper | Protocols>CIFS | disable
enable import remove |
Security Administrator (not included in the NAS Administrator and Storage Administrator roles) | |
| server_vtlu | Data Protection>VTLU | service set
storage extend storage export storage import tlu modify |
drive umount
storage delete storage new tape eject tape inject tlu delete |
FileMover Application |
| Command |
|---|
| nas_inventory |
| server_checkup |
| server_df |
| server_ping |
| server_ping6 |
| server_sysstat |
| server_uptime |
| server_version |
| Command | Notes |
|---|---|
| cs_standby | Requires root privileges |
| nas_acl | Can be executed with nasadmin privileges |
| nas_automountmap | Can be executed with nasadmin privileges |
| nas_ca_certificate | Requires root privileges to generate a certificate |
| nas_cel | Can be executed with nasadmin privileges |
| nas_checkup | Can be executed with nasadmin privileges |
| nas_connecthome | Requires root privileges to modify and test |
| nas_config | Requires root privileges |
| nas_cs | Requires root privileges |
| nas_emailuser | Can be executed with nasadmin privileges |
| nas_event | Can be executed with nasadmin privileges |
| nas_halt | Requires root privileges |
| nas_logviewer | Can be executed with nasadmin privileges |
| nas_message | Can be executed with nasadmin privileges |
| nas_mview | Requires root privileges |
| nas_rdf | Requires root privileges |
| nas_version | Can be executed with nasadmin privileges |
| server_archive | Can be executed with nasadmin privileges |
| server_cepp | Can be executed with nasadmin privileges |
| server_dbms | Requires root privileges to delete, compact, repair, and restore the database |
| server_file | Can be executed with nasadmin privileges |
| server_ipsec | Can be executed with nasadmin privileges |
| server_iscsi | Can be executed with nasadmin privileges |
| server_log | Can be executed with nasadmin privileges |
| server_mpfs | Can be executed with nasadmin privileges (Applicable only to systems running VNX OE for file earlier than version 8.x.) |
| server_mt | Can be executed with nasadmin privileges |
| server_netstat | Can be executed with nasadmin privileges |
| server_nfs | Requires root privileges to configure secure NFS mapping |
| server_pax | Requires root privileges to reset stats |
| server_snmpd | Can be executed with nasadmin privileges |
| server_stats | Can be executed with nasadmin privileges |
| server_tftp | Can be executed with nasadmin privileges |
| server_user | Can be executed with nasadmin privileges |
| server_viruschk | Can be executed with nasadmin privileges |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\