Manage admin groups

Contributors netapp-madkat netapp-lhalbert

You can create admin groups to manage the security permissions for one or more admin users. Users must belong to a group to be granted access to the StorageGRID system.

What you’ll need
  • You are signed in to the Grid Manager using a supported web browser.

  • You have specific access permissions.

  • If you plan to import a federated group, you have configured identity federation and the federated group already exists in the configured identity source.

Create an admin group

Admin groups allow you to determine which users can access which features and operations in the Grid Manager and the Grid Management API.

Access the wizard

  1. Select CONFIGURATION > Access control > Admin groups.

  2. Select Create group.

Choose a group type

You can create a local group or import a federated group.

  • Create a local group if you want to assign permissions to local users.

  • Create a federated group to import users from the identity source.

Local group
  1. Select Local group.

  2. Enter a display name for the group, which you can update later as required. For example, “Maintenance Users” or “ILM Administrators.”

  3. Enter a unique name for the group, which you cannot update later.

  4. Select Continue.

Federated group
  1. Select Federated group.

  2. Enter the name of the group you want to import, exactly as it appears in the configured identity source.

    • For Active Directory and Azure, use the sAMAccountName.

    • For OpenLDAP, use the CN (Common Name).

    • For another LDAP, use the appropriate unique name for the LDAP server.

  3. Select Continue.

Manage group permissions

  1. For Access mode, select whether users in the group can change settings and perform operations in the Grid Manager and the Grid Management API or whether they can only view settings and features.

    • Read-write (default): Users can change settings and perform the operations allowed by their management permissions.

    • Read-only: Users can only view settings and features. They cannot make any changes or perform any operations in the Grid Manager or Grid Management API. Local read-only users can change their own passwords.

      Note If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features.
  2. Select one or more Group permissions.

    You must assign at least one permission to each group; otherwise, users belonging to the group will not be able to sign in to StorageGRID.

  3. If you are creating a local group, select Continue. If you are creating a federated group, select Create group and Finish.

Add users (local groups only)

  1. Optionally, select one or more local users for this group.

    If you have not yet created local users, you can save the group without adding users. You can add this group to the user on the Users page. See Manage users for details.

  2. Select Create group and Finish.

View and edit admin groups

You can view details for existing groups, modify a group, or duplicate a group.

  • To view basic information for all groups, review the table on the Groups page.

  • To view all details for a specific group or to edit a group, use the Actions menu or the details page.

    Task Actions menu Details page

    View group details

    1. Select the check box for the group.

    2. Select Actions > View group details.

    Select the group name in the table.

    Edit display name (local groups only)

    1. Select the check box for the group.

    2. Select Actions > Edit group name.

    3. Enter the new name.

    4. Select Save changes.

    1. Select the group name to display the details.

    2. Select the edit icon Edit icon.

    3. Enter the new name.

    4. Select Save changes.

    Edit access mode or permissions

    1. Select the check box for the group.

    2. Select Actions > View group details.

    3. Optionally, change the group’s Access mode.

    4. Optionally, select or unselect Group permissions.

    5. Select Save changes.

    1. Select the group name to display the details.

    2. Optionally, change the group’s Access mode.

    3. Optionally, select or unselect Group permissions.

    4. Select Save changes.

Duplicate a group

  1. Select the check box for the group.

  2. Select Actions > Duplicate group.

  3. Complete the Duplicate group wizard.

Delete a group

You can delete an admin group when you want to remove the group from the system, and remove all permissions associated with the group. Deleting an admin group removes any users from the group, but does not delete the users.

  1. From the Groups page, select the check box for each group you want to remove.

  2. Select Actions > Delete group.

  3. Select Delete groups.

Group permissions

When creating admin user groups, you select one or more permissions to control access to specific features of the Grid Manager. You can then assign each user to one or more of these admin groups to determine which tasks that user can perform.

You must assign at least one permission to each group; otherwise, users belonging to that group will not be able to sign in to the Grid Manager or the Grid Management API.

By default, any user who belongs to a group that has at least one permission can perform the following tasks:

  • Sign in to the Grid Manager

  • View the Dashboard

  • View the Nodes pages

  • Monitor grid topology

  • View current and resolved alerts

  • View current and historical alarms (legacy system)

  • Change their own password (local users only)

  • View certain information on the Configuration and Maintenance pages

Interaction between permissions and Access mode

For all permissions, the group’s Access mode setting determines whether users can change settings and perform operations or whether they can only view the related settings and features. If a user belongs to multiple groups and any group is set to Read-only, the user will have read-only access to all selected settings and features.

The following sections describe the permissions you can assign when creating or editing an admin group. Any functionality not explicitly mentioned requires the Root access permission.

Root access

This permission provides access to all grid administration features.

Acknowledge alarms (legacy)

This permission provides access to acknowledge and respond to alarms (legacy system). All signed-in users can view current and historical alarms.

If you want a user to monitor grid topology and acknowledge alarms only, you should assign this permission.

Change tenant root password

This permission provides access to the Change root password option on the Tenants page, allowing you to control who can change the password for the tenant’s local root user. This permission is also used for migrating S3 keys when the S3 key import feature is enabled. Users who do not have this permission cannot see the Change root password option.

Note To grant access to the Tenants page, which contains the Change root password option, also assign the Tenant accounts permission.

Grid topology page configuration

This permission provides access to the Configuration tabs on the SUPPORT > Tools > Grid topology page.

ILM

This permission provides access to the following ILM menu options:

  • Rules

  • Policies

  • Erasure coding

  • Regions

  • Storage pools

Note Users must have the Other grid configuration and Grid topology page configuration permissions to manage storage grades.

Maintenance

Users must have the Maintenance permission to use these options:

  • CONFIGURATION > Access control:

    • Grid passwords

  • MAINTENANCE > Tasks:

    • Decommission

    • Expansion

    • Object existence check

    • Recovery

  • MAINTENANCE > System:

    • Recovery package

    • Software update

  • SUPPORT > Tools:

    • Logs

Users who do not have the Maintenance permission can view, but not edit, these pages:

  • MAINTENANCE > Network:

    • DNS servers

    • Grid Network

    • NTP servers

  • MAINTENANCE > System:

    • License

  • CONFIGURATION > Security:

    • Certificates

    • Domain names

  • CONFIGURATION > Monitoring:

    • Audit and syslog server

Manage alerts

This permission provides access to options for managing alerts. Users must have this permission to manage silences, alert notifications, and alert rules.

Metrics query

This permission provides access to the SUPPORT > Tools > Metrics page. This permission also provides access to custom Prometheus metrics queries using the Metrics section of the Grid Management API.

Object metadata lookup

This permission provides access to the ILM > Object metadata lookup page.

Other grid configuration

This permission provides access to additional grid configuration options.

Important To see these additional options, users must also have the Grid topology page configuration permission.
  • ILM:

    • Storage grades

  • CONFIGURATION > Network:

    • Link cost

  • CONFIGURATION > System:

    • Display options

    • Grid options

    • Storage options

  • SUPPORT > Alarms (legacy):

    • Custom events

    • Global alarms

    • Legacy email setup

Storage appliance administrator

This permission provides access to the E-Series SANtricity System Manager on storage appliances through the Grid Manager.

Tenant accounts

This permission provides access to the Tenants page, where you can create, edit, and remove tenant accounts. This permission also allows users to view existing traffic classification policies.