EMC® VNX® Series Security Configuration Guide for VNX

Main Unisphere roles

The main roles include:

  • Operator - Read-only privilege for storage and domain operations; no privilege for security operations.
  • Network Administrator - All operator privileges and privileges to configure DNS, IP settings, and SNMP.
  • NAS Administrator - Full privileges for file operations. Operator privileges for block and security operations.
  • SAN Administrator - Full privileges for block operations. Operator privileges for file and security operations.
  • Storage Administrator - Full privileges for file and block operations. Operator privileges for security operations.
  • Security Administrator - Full privileges for security operations including domains. Operator privileges for file and block operations.
  • Administrator - Full privileges for file, block, and security operations. This role is the most privileged role.
  • VM Administrator - Enables you to view and monitor basic storage components of your VNX system through vCenter by using VMware's vSphere Storage APIs for Storage Awareness (VASA).
NOTE: The combined privileges of the Security Administrator and Storage Administrator roles are equivalent to those of an Administrator.

As a security and system integrity best practice, superusers (administrators in Unisphere) should not run with full administrative privileges for day-to-day operations. The security administrator role should be used to segment authorized actions between separate accounts. By dividing administrative privileges into security administrator and storage administrator roles, storage administrator accounts will be authorized only to perform storage-related actions, and security administrator accounts will be authorized only to perform domain- and security-related functions. With the security administrator role, accounts with full administrative privileges can be reduced to one and duties can be separated for day-to-day operations.

Unisphere requires the creation of user accounts, where a user account is identified as the unique combination of username, role, and scope. This ability provides flexibility in setting up user accounts. It is expected that most IT personnel will be assigned a global operator account so they can monitor every storage system in the domain. Also, they can be assigned local storage administrator accounts for each specific storage system they are authorized to configure.
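
An added example (not from the EMC guide) of auditing an account list against the separation of duties described above: because an account is a username, role, and scope combination, it merges each username's accounts per system and reports anyone whose combined roles equal Administrator. The account tuples, system names, and numeric privilege levels are constructed assumptions.

```python
# Added example: audit a Unisphere-style account list for separation of duties.
# Privilege levels per area (file, block, security), taken from the role list.
NONE, READ, FULL = 0, 1, 2
AREAS = ("file", "block", "security")

# Operator has no privilege for security operations, so "Operator privileges
# for security" maps to NONE. VM Administrator is not described in these
# terms on the page and is left unmodeled (treated as contributing nothing).
ROLES = {
    "Operator":               (READ, READ, NONE),
    "Network Administrator":  (READ, READ, NONE),  # plus DNS/IP/SNMP config
    "NAS Administrator":      (FULL, READ, NONE),
    "SAN Administrator":      (READ, FULL, NONE),
    "Storage Administrator":  (FULL, FULL, NONE),
    "Security Administrator": (READ, READ, FULL),
    "Administrator":          (FULL, FULL, FULL),
}

def effective(accounts, username, system):
    """Highest level per area that `username` holds on `system`."""
    levels = [NONE] * len(AREAS)
    for user, role, scope in accounts:
        if user == username and scope in ("global", system):
            granted = ROLES.get(role, (NONE,) * len(AREAS))
            levels = [max(a, b) for a, b in zip(levels, granted)]
    return dict(zip(AREAS, levels))

def full_admin_equivalents(accounts, systems):
    """Map username -> systems where the combined accounts equal Administrator."""
    found = {}
    for user in sorted({a[0] for a in accounts}):
        hits = [s for s in systems
                if all(v == FULL for v in effective(accounts, user, s).values())]
        if hits:
            found[user] = hits
    return found

# Constructed sample: (username, role, scope); scope is "global" or a system name.
ACCOUNTS = [
    ("root_admin", "Administrator", "global"),
    ("alice", "Operator", "global"),
    ("alice", "Storage Administrator", "vnx-01"),
    ("bob", "Security Administrator", "global"),
    ("carol", "Security Administrator", "global"),
    ("carol", "Storage Administrator", "vnx-02"),
]
SYSTEMS = ["vnx-01", "vnx-02"]

if __name__ == "__main__":
    for user, hits in full_admin_equivalents(ACCOUNTS, SYSTEMS).items():
        print(f"{user}: Administrator-equivalent on {', '.join(hits)}")
```

In the sample, carol holds no Administrator account yet is reported for vnx-02, which is the combination the NOTE above warns about.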

You can create global user accounts, each with privileges appropriate to their responsibilities. To create new global user accounts in your local domain, log in to Unisphere and use All Systems > Domains > Users (task list) > Manage Global Users. Alternatively, select your system, and then use Settings > Security > User Management (task list) > Global Users. You can only access the global users feature from Settings if your selected system is a system in your local domain.

You can create local user accounts for file and block systems, each with privileges appropriate to their responsibilities. A local user for block can only manage block features on the local system. Similarly, a local user for file can only manage file server features on the local system. To create new local user accounts for block, log in to Unisphere and select your VNX for block system, and then use Settings > User Management (task list) > Local Users for Block. To create new local user accounts for file, log in to Unisphere and select your VNX for file system, and then use Settings > User Management (task list) > Local Users for File.

For more information on creating user accounts, refer to the Unisphere online help.
