Understanding Users and Roles
A user is one of the types shown in the following two tables. Only administrator types can be assigned authorizations or roles.
Table 2-31 Administrator User Types
BUI User Type | CLI User Type | Description |
---|---|---|
Local | | |
Directory | | |
Auto | | This user type is automatically created when a user belonging to a directory role, but who was not explicitly added, logs in to the appliance for the first time. This then allows the user to set preferences, such as for the initial login screen and the session timeout duration. For more information about configuring user preferences, see Setting Preferences - BUI, CLI. |
Table 2-32 Non-Administrator User Types
BUI User Type | CLI User Type | Description |
---|---|---|
Data-only | | |
No-login | | |
A role is a collection of authorizations that can be assigned to an administrator user type. Administrator users are assigned the "basic" role by default. The basic role enables the user to log in to the administrative interface and read most system configuration parameters. The basic role does not allow a user to make changes to the system. A user can be assigned additional roles and can be assigned additional authorizations directly. A role can be edited to add or delete authorizations.
Using roles is more secure than giving users the root password:
- Use roles to easily grant users only the set of authorizations that they require. For example, different roles could have authorizations to modify different services.
- Because users are operating under their own user names, you can more easily identify which real person performed a particular action.
A directory role specifically associates a role with an existing LDAP group or Active Directory (AD) group with the same name. As an example for LDAP, role "ZFS_Admins" is associated with LDAP group "ZFS_Admins". By creating the same LDAP directory role on multiple appliances, administrative privileges are granted to members of that LDAP group. Add or remove LDAP group members on the LDAP server configured for the appliances to centrally control who can log in to the appliance as an administrator. Also, on each appliance, you can assign different authorizations for the same directory role.
An automatic directory user is created when a user belonging to a directory role, but who was not explicitly added, logs in to the appliance for the first time. When automatic directory users are no longer authorized to be administrators, remove multiple users at once by using the workflow "Destroy Unauthorized Directory Users", or manually remove them individually in the configuration-users area of the appliance software. For information about executing workflows, see Uploading and Executing Workflows Using the BUI and Executing Workflows using the CLI.
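As an added example (not Oracle's code and not the "Destroy Unauthorized Directory Users" workflow itself), the following Python audit identifies automatic directory users who no longer belong to the group behind any directory role, so they can be reviewed before removal. The user list, the `ZFS_Operators` role, and the group memberships are constructed sample data; how they are exported from the appliance and the LDAP server is assumed.

```python
# Added illustration: all names and data are constructed, not appliance output.
from dataclasses import dataclass


@dataclass(frozen=True)
class ApplianceUser:
    name: str
    user_type: str  # BUI user type from the tables: "Local", "Directory", "Auto"


def authorizing_roles(user, directory_roles, ldap_groups):
    """Directory roles whose same-named LDAP group still lists the user."""
    return sorted(
        role for role in directory_roles
        # A directory role with no matching group has no members.
        if user in ldap_groups.get(role, set())
    )


def stale_auto_users(users, directory_roles, ldap_groups):
    """Auto users that no directory role's group authorizes any more."""
    return sorted(
        u.name for u in users
        if u.user_type == "Auto"
        and not authorizing_roles(u.name, directory_roles, ldap_groups)
    )


# Constructed sample: users known to one appliance.
USERS = [
    ApplianceUser("root", "Local"),
    ApplianceUser("alice", "Auto"),      # still in ZFS_Admins
    ApplianceUser("carol", "Auto"),      # removed from ZFS_Admins on the LDAP server
    ApplianceUser("dave", "Directory"),  # explicitly added, so not an Auto user
    ApplianceUser("erin", "Auto"),       # her group no longer exists in LDAP
]
# Directory roles defined on the appliance; ZFS_Operators is hypothetical.
DIRECTORY_ROLES = {"ZFS_Admins", "ZFS_Operators"}
# Current LDAP group membership (constructed).
LDAP_GROUPS = {"ZFS_Admins": {"alice", "bob"}, "Staff": {"carol", "dave"}}

if __name__ == "__main__":
    for name in stale_auto_users(USERS, DIRECTORY_ROLES, LDAP_GROUPS):
        print(f"review for removal: {name}")
```

Only users of type Auto are reported; explicitly added directory users such as `dave` are left for a separate review.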