Administrator Guide

If your environment requires additional security, you might consider a dedicated management network. (See Configure a
Management Network for more information.)
Administration accounts allow you to specify how much control individual administrators will have over the PS Series group,
according to their account type:
Group administrators (all permissions)
Read-only accounts (read access only to a group and can selectively enable configuration/diagnostic collection)
Pool administrators (manage only selected pools, and if group read-only, can enable configuration/diagnostic collection)
Volume administrators (create and manage owned volumes in selected pools)
Administration accounts can be managed locally or remotely:
Local accounts — If you have relatively few administration accounts, this method is practical because account authentication
occurs within the group. The default administration account, grpadmin, is a local account created automatically when the group
is rst congured.
Remote using Active Directory (LDAP) — If you use Active Directory in your environment, you can congure a group to use
LDAP to authenticate administration accounts. You can grant group, pool, or volume administrator privileges to individual Active
Directory users or to entire Active Directory groups.
Remote using a RADIUS server — If you have a large number of administration accounts, you can use an external Remote
Authentication Dial-in User Service (RADIUS) server to authenticate administration accounts.
NOTE: You cannot simultaneously use RADIUS and Active Directory to authenticate administrator accounts. However,
you can always add local accounts.
The default administration account, grpadmin, provides full access to Group Manager’s features and allows you to perform all group
operations. Some operations, such as upgrading array firmware, can be performed only by the grpadmin user.
NOTE: Dell recommends that you set up an account for each administrator, with no users sharing a single account.
Further, Dell recommends that the group administrator monitor the activity of other accounts.
Types of Administration Accounts
Table 13. Types of Administration Accounts lists administration account types and their privileges. The attributes can be applied to
both local accounts and Active Directory accounts or groups.
Table 13. Types of Administration Accounts
Account Type         Description

grpadmin             Can perform all group management tasks, including managing the group, storage pools, members,
                     NAS clusters, volumes, and accounts. Group Administrator can also enable secure erase to
                     securely erase data so that it cannot be recovered.
                     Only the grpadmin account can update member firmware or fetch diagnostic files using FTP. You
                     cannot rename, delete, or change the account type for the grpadmin account.

Group administrator  Can perform the same tasks as the grpadmin account, except updating member firmware.

Read-only            Can view information about all group objects except NAS clusters, but cannot change the group
                     configuration. Read-only users can also save diagnostics and save the group configuration.

Pool administrator   Can view the volumes, members, snapshots, and other objects only in the pool or pools for which
                     the account has authorization. They cannot manage members. Optionally, pool administrators can
                     view information about all group objects except NAS clusters.
                     Pool administrators can assign volumes to volume administrators, provided that the pool
                     administrator has access to the pool containing the volumes, and the volume administrator has
                     sufficient free quota space.
                     Pool administrators cannot change the resources to which they have access.
About Group-Level Security