IBM DS6000 Series User's Manual

Chapter 10. DS CLI 
10.6  User security
The DS CLI software must authenticate with the DS MC or CS Server before commands can 
be issued. An initial setup task will be to define at least one userid and password whose 
authentication details are saved in an encrypted file. A profile file can then be used to identify 
the name of the encrypted password file. Scripts that execute DS CLI commands can then 
use the profile file to get the password needed to authenticate the commands.
User security employs the concept of groups to control which functions a particular userid is allowed to perform. A userid can be a member of more than one group. The groups are:
• admin - can perform all tasks - this is the only group that can create and change userids
• op_storage - can perform any configuration task
• op_volume - can configure logical volumes and volume groups
• op_copy_services - can perform Copy Services commands
• service - can perform service commands
• monitor - has read-only access to commands
• no_access - cannot perform any tasks
The functions of these groups are fairly self-describing and are fully detailed in the IBM TotalStorage DS8000 Command-Line Interface User’s Guide, SC26-7625, the IBM TotalStorage DS6000 Command-Line Interface User’s Guide, SC26-7681, and the help screens. If a userid is not a member of any group, then it is automatically placed into the no_access group to prevent it from performing any functions.
The default userid supplied with an S-HMC or DS Storage Manager is admin (whose default password is also admin). During setup it is advisable that a new userid be created in the admin group (for use if the password for the admin userid is lost). Note that userid management can be performed by using either the DS CLI or the DS Storage Manager GUI. Userids created by either interface will be usable via either interface.
For an example of how a userid and profile are created, refer to “Procedure to create an encrypted password file” on page 213.
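An added example, not from the IBM manual: a Python check that parses an lsuser listing (layout as in Example 10-1) and applies the group guidance above, flagging a missing second admin-group userid, unrecognized group names, and userids left in no_access. The sample rows, the spare and olduser userids, and the comma-separated multi-group format are assumptions.

```python
import re

# Group names as listed in section 10.6.
KNOWN_GROUPS = {"admin", "op_storage", "op_volume", "op_copy_services",
                "service", "monitor", "no_access"}

# Constructed sample in the layout of Example 10-1 (not real output).
SAMPLE = """\
C:\\Program Files\\IBM\\dscli>dscli lsuser
Name     Group
=========================
admin    admin
csadmin  op_copy_services
spare    admin,op_storage
olduser  no_access
"""

def parse_lsuser(text):
    """Return {userid: set of groups} from an lsuser listing."""
    users, in_table = {}, False
    for line in text.splitlines():
        row = line.strip()
        if row and set(row) == {"="}:
            in_table = True  # data rows start after the ===== rule
            continue
        fields = row.split(None, 1)
        if in_table and len(fields) == 2:
            # Assumption: several groups appear comma-separated in one column.
            users[fields[0]] = {g for g in re.split(r"[,\s]+", fields[1]) if g}
    return users

def audit(users):
    """Return a list of findings based on the guidance in section 10.6."""
    findings = []
    if not any("admin" in g and u != "admin" for u, g in users.items()):
        findings.append("no admin-group userid besides the default 'admin'")
    for user, groups in sorted(users.items()):
        unknown = sorted(groups - KNOWN_GROUPS)
        if unknown:
            findings.append(f"{user}: unrecognized group(s) {', '.join(unknown)}")
        if "no_access" in groups:
            findings.append(f"{user}: in no_access, cannot perform any tasks")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_lsuser(SAMPLE)):
        print(finding)
```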
10.7  Usage concepts
It is important to understand the various concepts that frame DS CLI usage.
10.7.1  Command modes
The DS CLI can be operated in three modes. In the examples that follow, the lsuser command is used. The lsuser command displays which users have been created and which groups they are members of.
Single command mode
At a shell prompt, the user specifies a single DS CLI command which is immediately 
executed, and a return code is presented. To avoid having to enter authentication details, a 
profile or a password file would have to be created first. This is shown in Example 10-1.
Example 10-1   Using DS CLI via a single command
C:\Program Files\IBM\dscli>dscli lsuser
Name     Group
=========================
admin    admin
csadmin  op_copy_services