Role-based access control in EMC Isilon OneFS 7.1: An overview

In EMC® Isilon® OneFS® 7.0 and 7.1, you can use role-based access control (RBAC) for administration tasks in place of a root or administrator account. A role is a collection of OneFS privileges that are limited to an area of administration. For example, you can create custom roles for security, auditing, storage, or backup tasks. Privileges are assigned to roles, not directly to users. When a user logs in to the cluster through the Platform API, the OneFS command-line interface, or the OneFS web administration interface, they are granted privileges based on their role membership.

For information on how to create and manage roles through the OneFS command-line interface, see the OneFS 7.1 CLI Administration Guide – page 252 (requires login to the EMC Online Support site).

For an overview of RBAC in OneFS 7.1, watch the following video, “Enterprise Features in OneFS 7.1: Role Based Access Control.”

If you have questions or feedback, send an email to isi.knowledge@emc.com. To provide documentation feedback or request new content, send an email to isicontent@emc.com.

Video: Enterprise Features of OneFS 7.1: Role Based Access Control (http://www.youtube.com/watch?v=k9FtpaGuqQ8&index=20&list=PLbssOJyyvHuXZ_3JKT5ugbuHPQqZm3e5f)

Video Transcript

Hello, I’m Andrey Tychkin with EMC Isilon.

In this video, we’ll talk about Role Based Access Control or RBAC, a feature of OneFS 7.1.

Role Based Access Control allows us to delegate specific administration tasks to users of the OneFS cluster.

Let’s take an example.

Let’s say I’m a NAS administrator and I want my Windows team to manage SMB administration on the cluster separate from, say, my UNIX team.

I’ll start by creating a role and giving it a meaningful name, such as SMB-ADMIN.

Once the role is created, I can add some privileges to it.

Privileges are sets of allowable actions.

They can be read-only for monitoring, or they can be read-write for actual configuration changes.

For SMB administration, I’ll need an SMB setting privilege and a web UI login privilege.

We can also choose from one of the four predefined roles in OneFS which already have privileges assigned to them.

They are SecurityAdmin for RBAC administration, SystemAdmin for general system administration tasks, VMwareAdmin for managing backups of virtual machines, and AuditAdmin for Auditing.

Once we have our roles and privileges set up, all we need to do is add some members to it.

Members can be any users from authentication providers such as AD, LDAP, or NIS.

In our case, it’s our friend Mike from AD who, once he’s added to this role, is able to administer SMB on this cluster.

Role based access control is managed from the CLI by using the isi auth roles command.

Detailed information on RBAC is available in the OneFS Administration Guide.

If you have questions or want to implement OneFS 7.1 features in your environment, please contact your account team.

Thank you for watching.

About the Author: Kirsten Gantenbein