- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
Data Protection roles
Data Protection (Replication) tasks are often performed by third-party personnel. In the earlier releases, a user needed storage administrator-level privileges to perform data protection tasks; however, allowing third-party personnel this level of access could pose a security threat. To solve this problem, VNX systems have three Data Protection roles:
NOTE: None of these roles allows the user to create new data protection objects such as snapshots, clones, SAN Copy sessions, or mirrors. The user can control only existing data protection objects. Users can view the domain for objects that they cannot control; this allows them to have a fuller understanding of their environment.
- Local Data Protection - Has privileges only to do SnapView (snapshots and clones) and Snapsure (Checkpoints) tasks; however, data recovery operations like rollback a snapshot or reverse synchronize a clone are not allowed. Also, this role does not have privilege to create new storage objects.
- Data Protection - Includes all local data protection privileges, MirrorView, and SAN Copy tasks; however, data recovery tasks such as promoting a secondary and fracturing a mirror are not allowed. Also, this role does not have privilege to create new storage objects.
- Data Recovery - Includes all local data protection and data-protection role privileges and the ability to do data recovery tasks; however, this role does not have privilege to create new storage objects.
Capabilities of data protection roles lists the data protection tasks and which roles have privilege to perform those tasks. VNX for File CLI role-based access provides detailed information about how role-based access is used to determine which of the VNX for file CLI commands (task) a particular user can execute.
| Task | Local data protection | Data protection | Data recovery |
|---|---|---|---|
| Snapview | |||
| Start a (consistent) snap session | Yes | Yes | Yes |
| Stop a (consistent) snap session | Yes | Yes | Yes |
| Activate a session to a snapshot LUN | Yes | Yes | Yes |
| Deactivate a session from a snapshot LUN | Yes | Yes | Yes |
| Synchronize a clone | Yes | Yes | Yes |
| Fracture a clone | Yes | Yes | Yes |
| Roll back a snap session | No | No | Yes |
| Reverse synchronize a clone | No | No | Yes |
| Mirrorview | |||
| Synchronize a mirror / consistency group | No | Yes | Yes |
| Fracture a mirror / consistency group | No | No | Yes |
| Control the update parameters of an asynchronous mirror | No | Yes | Yes |
| Modify the update frequency of an asynchronous mirror | No | Yes | Yes |
| Throttle a mirror / consistency group | No | Yes | Yes |
| Promote a synchronous or asynchronous secondary mirror / consistency group | No | No | Yes |
| SAN Copy | |||
| Start a session | No | Yes | Yes |
| Stop a session | No | Yes | Yes |
| Pause a session | No | Yes | Yes |
| Resume a session | No | Yes | Yes |
| Mark a session | No | Yes | Yes |
| Unmark a session | No | Yes | Yes |
| Verify a session | No | Yes | Yes |
| Throttle a session | No | Yes | Yes |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\