Configuring and reviewing permissions settings – HP Matrix Operating Environment Software User Manual

Page 18

entered is not valid, the dialog box refreshes to display Could Not Find User in red text
beneath the Enter User or Group Names field. Ensure the user or administrator is added
in the Active Directory or the local server, then retry the entry.

c. Click OK to accept the designated user or group as the service group Owner.

6. Click OK to create the service group and save the settings.

Configuring and reviewing permissions settings

SPM checks access rights at two levels for every request: the catalog level and the entity level.
Entities are every service group, service request, array, and volume service in the catalog. The
requester (the logged-in user or the HP Insight Dynamics user requesting SPM service) must have the
appropriate access rights at both levels for the request to be enabled. Access checks are performed
when a request arrives. Therefore, the requester must have the corresponding access rights before
SPM performs the requested action.

At the catalog level, every request made to the SPM service is classified as being a specific type
of operation. See Table 1 (page 18).

Table 1 Catalog access rights

| Access right | Description |
|---|---|
| Catalog View | Grants a user or group general permission to make inquiries about the entities in the catalog. This access right is required to log into the SPM interface. |
| Catalog Modify | Grants a user or group general permission to make requests that add, remove, or change entities in the catalog. |
| Catalog Modify Security | Grants a user or group permission to modify the catalog access control list, including the owner. Grant this right only to users or groups that are considered administrators, since anyone that can change the catalog owner can give themselves unlimited access to SPM service. |
| Catalog Run Diagnostics | Grants a user or group permission to make requests that perform diagnostics on the service. Grant this right only to administrators, and to HP support staff when necessary. |

The access control list (ACL) is the list of access rights granted to users or groups for either the
catalog or an entity. The owner of the catalog ACL has all access rights at both the catalog and
entity level; therefore, it has unlimited access in the system. Initially, the catalog owner is set to the
local Administrators group of the server running the SPM service. That is, only members of the local
Administrators group are able to log into SPM until more users and groups are granted catalog
access.

At the entity level, every request involves reading or modifying entities. If the request access check
at the catalog level is successful, access checks against any involved entities are then performed.
To submit storage requests, the HP Insight Dynamics user requires Catalog Modify capabilities.
The access check against the user entity must find the appropriate capabilities to fulfill the request.
Not all of the entity access rights pertain to all entity types. See Table 2 (page 18).

Table 2 Entity access rights

| Access right | Description |
|---|---|
| Entity View | Grants a user or group permission to view (read) properties of the associated entity. |
| Entity Modify | Grants a user or group permission to change the properties of the associated entity. |
| Entity Modify Security | Grants a user or group permission to modify the access control list of the associated entity, including the owner. |
| Resource Refresh | Grants a user or group permission to refresh information presented to SPM from the resource. |
| Array Import Volumes | Grants a user or group permission to import volumes from an array. |
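
The two-level check described above can be modeled in a few lines to review a planned set of grants before applying them. This is an added example, not HP or SPM code: the group names, the entity name sg-finance, and the function names are constructed, and entity owners get no special treatment because this page does not describe any.

```python
from dataclasses import dataclass, field

@dataclass
class CatalogAcl:
    owner: str                                  # holds every right at both levels
    grants: dict = field(default_factory=dict)  # principal -> set of access rights

def held(grants, principals):
    """Union of the rights granted to a user and to the groups they belong to."""
    rights = set()
    for p in principals:
        rights |= grants.get(p, set())
    return rights

def check_request(principals, catalog, catalog_right, entity_checks):
    """Return (allowed, reason); entity_checks is [(name, grants, right), ...]."""
    if catalog.owner in principals:
        return True, "catalog owner: all rights at both levels"
    # Level 1: the operation type must be permitted by the catalog ACL.
    if catalog_right not in held(catalog.grants, principals):
        return False, f"catalog level: missing {catalog_right}"
    # Level 2: every entity the request touches is checked in turn.
    for name, grants, right in entity_checks:
        if right not in held(grants, principals):
            return False, f"entity level: missing {right} on {name}"
    return True, "granted at both levels"

def owner_equivalent(catalog):
    """Principals that own the catalog or can rewrite its ACL and owner."""
    out = {catalog.owner}
    out |= {p for p, r in catalog.grants.items()
            if "Catalog Modify Security" in r}
    return sorted(out)

# Constructed sample ACLs (not taken from a real SPM installation).
CATALOG = CatalogAcl(owner="Administrators", grants={
    "StorageOps": {"Catalog View", "Catalog Modify"},
    "Auditors": {"Catalog View"},
    "HelpDesk": {"Catalog View", "Catalog Modify Security"},
})
SG_FINANCE = {"StorageOps": {"Entity View"}, "Auditors": {"Entity View"}}

if __name__ == "__main__":
    edit = [("sg-finance", SG_FINANCE, "Entity Modify")]
    for who in ({"alice", "StorageOps"}, {"bob", "Administrators"},
                {"carol", "Auditors"}):
        print(sorted(who), check_request(who, CATALOG, "Catalog Modify", edit))
    print("review as administrators:", owner_equivalent(CATALOG))
```

In the sample, HelpDesk appears in the owner-equivalent list even though it holds no Catalog Modify right, which is the situation the Catalog Modify Security description in Table 1 warns about.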

Configuring the storage catalog