Access management includes role-based logins, password encryption, basic authentication, and LDAP integration.
Role-based access control (RBAC) associates predefined users with roles. Each role grants permissions to a specific level of functionality.
The following table describes each role.
| Role | Description |
|---|---|
| security.admin | SSL and certificate management. |
| storage.admin | Full read/write access to storage system configuration. |
| storage.monitor | Read-only access to view storage system data. |
| support.admin | Access to all hardware resources on storage systems and support operations such as AutoSupport (ASUP) retrieval. |
Default user accounts are defined in the users.properties file. You can change user accounts by directly modifying the users.properties file or by using the Access Management functions in Unified Manager.
The following table lists the user logins available for the Web Services Proxy.
| Predefined user login | Description |
|---|---|
| admin | A super administrator who has access to all functions and includes all roles. For Unified Manager, you must set the password on first-time login. |
| storage | The administrator responsible for all storage provisioning. This user includes the following roles: storage.admin, support.admin, and storage.monitor. This account is disabled until a password is set. |
| security | The user responsible for security configuration. This user includes the following roles: security.admin and storage.monitor. This account is disabled until a password is set. |
| support | The user responsible for hardware resources, failure data, and firmware upgrades. This user includes the following roles: support.admin and storage.monitor. This account is disabled until a password is set. |
| monitor | A user with read-only access to the system. This user includes only the storage.monitor role. This account is disabled until a password is set. |
| rw | The rw (read/write) user includes the following roles: storage.admin, support.admin, and storage.monitor. This account is disabled until a password is set. |
| ro | The ro (read only) user includes only the storage.monitor role. This account is disabled until a password is set. |
For each password, you can apply an additional encryption process using the existing SHA256 password encoding. This additional encryption process applies a random set of bytes to each password (salt) for each SHA256 hash encryption. Salted SHA256 encryption is applied to all newly created passwords.
By default, basic authentication is enabled, which means the server returns a basic authentication challenge. This setting can be changed in the wsconfig.xml file.
Lightweight Directory Access Protocol (LDAP), an application protocol for accessing and maintaining distributed directory information services, is enabled for the Web Services Proxy. LDAP integration allows for user authentication and mapping of roles to groups.
For information on configuring LDAP functionality, refer to configuration options in the Unified Manager interface or in the LDAP section of the interactive API documentation.