IBM Cloud Object Storage System, Version 3.14.3: Role-Based Access Control Administration


This edition applies to IBM Cloud Object Storage System™ and is valid until replaced by new editions.

© Copyright IBM Corporation 2016, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Key concept definitions . . . 1
Chapter 2. RBAC model . . . 3
Chapter 3. Authorize users on a system that uses RBAC . . . 5
Chapter 4. Assign roles to users and groups . . . 7
Chapter 5. Limitations to the RBAC model . . . 9
Notices . . . 11
Trademarks . . . 13
Homologation statement . . . 13


Chapter 1. Key concept definitions

Role-Based Access Control (RBAC) assigns access privileges to certain management functions to Roles, which are then assigned to Users and Groups.

Privilege: Authorization to access a certain resource or do a certain action.

Role: A defined set of Privileges.

User: A person or automated agent.

Group: A defined set of Users.


Chapter 2. RBAC model

An RBAC model provides the user with authorization to access components in the system. It is based on which roles that user has.

These Roles are the combination of atomic Privileges: one Privilege that applies to one component. The figure here represents the RBAC model.

Note: Authorization is what a User can accomplish on a system. Authentication is how a User is granted access to a system.

According to the figure, these relationships exist between parts of the RBAC model:
• Privileges can be assigned to multiple Roles.
• A User can have multiple Roles.
• A Group can have multiple Roles.
• A Role can be assigned to multiple Users or Groups.
• Users can be in multiple Groups.

[Figure: entity diagram with User, Group, Role and Privileges boxes joined by "has many" relations: User has many Groups, User has many Roles, Group has many Roles, Role has many Privileges]

Figure 1. RBAC model


Chapter 3. Authorize users on a system that uses RBAC

When a user logs in to the Manager Web Interface, they see an interface based on the union of all privileges of every role they are assigned. Users must be assigned to a particular role to see pages relating to that role.

Every time a User attempts to access a URL in the Manager Web Interface, it checks:
• What Privilege can view the page?
• What Roles have this Privilege?
• Does the current User have one (or more) of those roles?

Beyond page-level Privileges, certain page elements might be shown only to certain Privileges (thus Roles, Users, and Groups).

Example of User Authorization

User Bob has the Security Officer role. Bob signs in to the Manager Web Interface and sees a page that is called Accounts and Groups that lists the name, username, and creation date of accounts in the organization.

If user Sue is assigned an Operator role and signs in to the Manager Web Interface, she cannot see the page.


Chapter 4. Assign roles to users and groups

Users and Groups can be assigned Roles during the creation process or later.

These Roles can be assigned to a User or a Group.

Table 1. Roles available to Manager Web Interface

Role: Privileges

Super User: Perform any action within the Manager Web Interface except read from or write to a Vault.

System Administrator: Perform any action within the Manager Web Interface except setting system security, managing accounts and reading from or writing to a Vault.

Security Officer: Manage accounts and security within the Manager Web Interface.

Operator: Monitor systems by using the Manager Web Interface.

Vault Provisioner (Vault Mode only): Create or delete Vaults by using the Provisioning API. The role alone does not grant access to the Manager Web Interface. It is only visible on the Manager Web Interface if the Provisioning API is enabled (see 'Configure Provisioning API' in the Manager Administration Guide). There are no accounts with this role.

Vault User (Vault Mode only): Has read/write or read-only access to Vaults. This role alone does not grant access to the Manager Web Interface.

Service Account (Container Mode only): This role must be assigned to all accounts that interact with the Service API.

User accounts can be created either local to the system or linked to a directory server account on Active Directory (AD), Lightweight Directory Access Protocol (LDAP) or Keystone.

Group accounts are linked to their directory server Group. Any User who is a member of that directory server Group receives all Roles that are assigned to that Group in the system. A directory server account does not need to be created in the system for each User in each Group.

A User's Roles are the union of Roles that are directly assigned and ones that are assigned to the Group or Groups to which the User belongs.

How Effective Privileges Work on a system:
1. A Group in the system has the role System Administrator (Admins).
2. Joe is a part of the Admins Group in the directory server, but does not have an account in the system.
3. Joe attempts to log in to the system by using his directory server credentials.
4. The login succeeds and Joe has all of the Privileges of a System Administrator.
5. A directory server account in the system is automatically created for Joe with this first login.
6. Joe is then assigned the Vault User role.
7. Joe's effective Roles are System Administrator and Vault User.
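The model of Chapter 2, the page-level check of Chapter 3 (Bob and Sue) and the effective-Roles walk-through above can be put into a small working model. The following is an added example, not code from IBM or from the Manager Web Interface: the Role names follow Table 1, but the privilege strings, the page URLs and all user and group data are constructed for illustration.

```python
# Added example (not IBM's code): a minimal model of the relationships described
# in Chapters 2-4. Privileges are grouped into Roles; Roles are assigned to Users
# and to directory-server Groups; a User's effective Roles are the union of the
# directly assigned Roles and the Roles of the Groups the User belongs to.
# Privilege names, page URLs and all user/group data are constructed.
from dataclasses import dataclass, field

# Constructed Role -> Privilege sets. Role names follow Table 1; the privilege
# strings are assumptions for this example, not the product's identifiers.
ROLES = {
    "Super User": {"view_accounts", "manage_accounts", "manage_security",
                   "view_monitoring", "configure_system"},
    "System Administrator": {"view_monitoring", "configure_system"},
    "Security Officer": {"view_accounts", "manage_accounts", "manage_security"},
    "Operator": {"view_monitoring"},
    "Vault User": {"vault_io"},
}

# Constructed page -> Privilege map ("What Privilege can view the page?").
PAGE_PRIVILEGE = {
    "/accounts-and-groups": "view_accounts",
    "/monitor": "view_monitoring",
    "/security": "manage_security",
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)             # Roles assigned directly
    directory_groups: set = field(default_factory=set)  # membership from AD/LDAP/Keystone


class RbacSystem:
    def __init__(self):
        self.users = {}        # name -> User accounts known to the system
        self.group_roles = {}  # directory Group name -> Roles assigned in the system

    def assign_group_role(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)

    def create_user(self, name, *roles):
        """Account created by an administrator, with Roles assigned at creation."""
        user = User(name, set(roles))
        self.users[name] = user
        return user

    def login(self, name, directory_groups=()):
        """Directory-server login: the account is created on first login (step 5)."""
        user = self.users.get(name)
        if user is None:
            user = User(name)
            self.users[name] = user
        user.directory_groups = set(directory_groups)  # membership comes from the directory
        return user

    def effective_roles(self, user):
        roles = set(user.roles)
        for group in user.directory_groups:
            roles |= self.group_roles.get(group, set())
        return roles

    def effective_privileges(self, user):
        privileges = set()
        for role in self.effective_roles(user):
            privileges |= ROLES.get(role, set())
        return privileges

    @staticmethod
    def roles_with_privilege(privilege):
        """Which Roles have this Privilege?"""
        return {role for role, privileges in ROLES.items() if privilege in privileges}

    def can_view(self, user, url):
        """The three-step check of Chapter 3: page -> Privilege -> Roles -> User's Roles."""
        privilege = PAGE_PRIVILEGE.get(url)
        if privilege is None:
            return False  # unknown page: deny by default
        return bool(self.effective_roles(user) & self.roles_with_privilege(privilege))


def bob_and_sue():
    """Chapter 3 example: the Security Officer sees Accounts and Groups, the Operator does not."""
    system = RbacSystem()
    bob = system.create_user("bob", "Security Officer")
    sue = system.create_user("sue", "Operator")
    page = "/accounts-and-groups"
    return system.can_view(bob, page), system.can_view(sue, page)


def joe_scenario():
    """Chapter 4 walk-through; returns Joe's effective Roles after login and after step 6."""
    system = RbacSystem()
    system.assign_group_role("Admins", "System Administrator")  # step 1
    assert "joe" not in system.users                            # step 2: no account yet
    joe = system.login("joe", {"Admins"})                       # steps 3-5: account auto-created
    after_login = system.effective_roles(joe)
    joe.roles.add("Vault User")                                 # step 6
    return after_login, system.effective_roles(joe)             # step 7


if __name__ == "__main__":
    print(bob_and_sue(), joe_scenario())
```

The deny-by-default branch in `can_view` is the one design choice worth noting: a page that has no Privilege mapped to it is hidden from everyone rather than shown to everyone, so a forgotten mapping fails closed.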


Chapter 5. Limitations to the RBAC model

Groups exist only in directory server

Groups cannot be created without a directory server. Users are members of a Group based on directory server permissions.

Manager Web Interface cannot manage directory server

The Manager Web Interface cannot set or change Privileges or Group memberships that are defined on the configured directory server.

Currently, the operator cannot view the structure of the configured directory server from within the Manager Web Interface.
• Deleting a directory server account in the system does not delete it from the configured directory server.
• When creating a directory server User or Group, the operator can specify any name that matches the expected format. The Manager Web Interface does not check for the existence of the User or Group within the configured directory server before it is created.
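Because the Manager Web Interface neither verifies that a directory-linked User or Group exists nor shows the directory's Group membership, an administrator who wants to know who actually holds which Roles has to combine a system export with a directory export out of band. The following is an added example of such a reconciliation, not IBM code or a product feature; both inputs are constructed, and their shape is an assumption rather than any real export format.

```python
# Added example (not IBM's code): out-of-band reconciliation for the two
# limitations above. Both inputs are constructed; their shape is an assumption.

# Constructed system export: directory-linked accounts and Group -> Role assignments.
SYSTEM_USERS = {"joe", "sue", "bobb"}          # "bobb" is a typo for "bob"
SYSTEM_GROUP_ROLES = {
    "Admins": {"System Administrator"},
    "SecOps": {"Security Officer"},
    "Ops-Tier1": {"Operator"},                 # this Group does not exist in the directory
}

# Constructed directory export: user names and Group membership.
DIRECTORY_USERS = {"joe", "sue", "bob", "ann"}
DIRECTORY_GROUP_MEMBERS = {
    "Admins": {"joe", "ann"},
    "SecOps": {"bob"},
}


def reconcile(system_users, system_group_roles, directory_users, directory_group_members):
    """Flag system entries with no directory counterpart and build a per-user Role inventory.

    Name matching is exact here; AD, LDAP and Keystone may normalise case or use
    distinguished names, so adapt the comparison to the configured directory.
    """
    # Entries the Manager accepted without checking the directory: typos or stale names.
    missing_users = sorted(system_users - directory_users)
    missing_groups = sorted(set(system_group_roles) - set(directory_group_members))

    # Every directory member of a Role-bearing Group receives those Roles at login,
    # whether or not the system already holds an account for them (Chapter 4).
    inventory = {}
    for group, roles in system_group_roles.items():
        for member in directory_group_members.get(group, ()):
            inventory.setdefault(member, set()).update(roles)

    # Directory users who would obtain Roles on first login without an existing account.
    implicit_users = sorted(set(inventory) - system_users)

    return {
        "missing_users": missing_users,
        "missing_groups": missing_groups,
        "inventory": inventory,
        "implicit_users": implicit_users,
    }


def run_report():
    return reconcile(SYSTEM_USERS, SYSTEM_GROUP_ROLES, DIRECTORY_USERS, DIRECTORY_GROUP_MEMBERS)


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

The `inventory` and `implicit_users` outputs are the ones that matter for review: they list people the system has never seen who would nevertheless be granted a Role on their first login, which is exactly the visibility the Manager Web Interface cannot provide on its own.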


Notices

This information was developed for products and services offered in the US. This material might be available from IBM® in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Accesser®, Cleversafe®, ClevOS™, Dispersed Storage®, dsNet®, IBM Cloud Object Storage Accesser®, IBM Cloud Object Storage Dedicated™, IBM Cloud Object Storage Insight™, IBM Cloud Object Storage Manager™, IBM Cloud Object Storage Slicestor®, IBM Cloud Object Storage Standard™, IBM Cloud Object Storage System™, IBM Cloud Object Storage Vault™, SecureSlice™, and Slicestor® are trademarks or registered trademarks of Cleversafe, an IBM Company and/or International Business Machines Corp.

Other product and service names might be trademarks of IBM or other companies.

Homologation statement

This product may not be certified in your country for connection by any means whatsoever to interfaces of public telecommunications networks. Further certification may be required by law prior to making any such connection. Contact an IBM representative or reseller for any questions.


IBM®

Printed in USA