To provide users with authorization and access to System Manager, you must map the IdP user attributes and group memberships to the storage array's predefined roles.
Before you begin
An IdP administrator has configured user attributes and group membership in the IdP system.
The IdP metadata file is imported into System Manager.
A Service Provider metadata file for each controller is imported into the IdP system for the trust relationship.
About this task
In this task, you use System Manager to map IdP groups to local user roles.
Procedure
Click the link for mapping System Manager roles.
The Role Mapping dialog box opens.
Assign IdP user attributes and groups to the predefined roles. A group can have multiple assigned roles.
Field details (Setting – Description)
Mappings
  User Attribute – Specify the attribute (for example, "member of") for the SAML group to be mapped.
  Attribute Value – Specify the attribute value for the group to be mapped.
  Roles – Click in the field and select one of the storage array's roles to be mapped to the attribute. You must individually select each role you want to include. The Monitor role is required in combination with the other roles to log in to System Manager. The Security Admin role is also required for at least one group.
The mapped roles include the following permissions:
Storage admin – Full read/write access to the storage objects (for example, volumes and disk pools), but no access to the security configuration.
Security admin – Access to the security configuration in Access Management, certificate management, audit log management, and the ability to turn the legacy management interface (SYMbol) on or off.
Support admin – Access to all hardware resources on the storage array, failure data, MEL events, and controller firmware upgrades. No access to storage objects or the security configuration.
Monitor – Read-only access to all storage objects, but no access to the security configuration.
Note: The Monitor role is required for all users, including the administrator. System Manager will not operate correctly for any user without the Monitor role present.
If desired, click Add another mapping to enter more group-to-role mappings.
Note: Role mappings can be modified after SAML is enabled.
When you are finished with the mappings, click Save.
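As an added example that is not part of System Manager or its documentation, the following Python script checks a planned set of mappings against the two rules stated above (the Monitor role in every mapping, the Security Admin role in at least one) and resolves which roles a user's IdP attributes produce; the attribute name memberOf, the group values and the Mapping structure are assumptions made for illustration.

```python
# Added example (not SANtricity code): checks a planned set of SAML role
# mappings against the rules stated on this page. Attribute names, group
# values and the Mapping structure are constructed for illustration.
from dataclasses import dataclass

# Predefined storage array roles named on this page.
ROLES = {"Storage admin", "Security admin", "Support admin", "Monitor"}

@dataclass(frozen=True)
class Mapping:
    attribute: str    # IdP user attribute, e.g. "memberOf" (constructed name)
    value: str        # attribute value identifying the IdP group
    roles: frozenset  # storage array roles assigned to that group

def validate_mappings(mappings):
    """Return a list of problems; an empty list means the set is acceptable."""
    problems = []
    for m in mappings:
        unknown = m.roles - ROLES
        if unknown:
            problems.append(f"{m.value}: unknown role(s) {sorted(unknown)}")
        # Monitor is required in combination with the other roles to log in.
        if "Monitor" not in m.roles:
            problems.append(f"{m.value}: missing the required Monitor role")
    # Security Admin must be mapped to at least one group, or nobody can
    # reach Access Management once SAML is enabled.
    if not any("Security admin" in m.roles for m in mappings):
        problems.append("no group is mapped to Security admin")
    return problems

def effective_roles(user_attributes, mappings):
    """Union of roles from every mapping the user's IdP attributes satisfy."""
    roles = set()
    for m in mappings:
        if m.value in user_attributes.get(m.attribute, ()):
            roles |= m.roles
    return roles

def can_log_in(roles):
    """System Manager does not operate for a user without the Monitor role."""
    return "Monitor" in roles

# Constructed samples: WEAK breaks both rules, CORRECTED satisfies them.
WEAK = [Mapping("memberOf", "storage-ops", frozenset({"Storage admin"}))]
CORRECTED = [
    Mapping("memberOf", "storage-ops", frozenset({"Storage admin", "Monitor"})),
    Mapping("memberOf", "sec-admins", frozenset({"Security admin", "Monitor"})),
]
```

Running validate_mappings on a planned set before clicking Save catches a mapping that would lock users out or leave no group able to administer security.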