Understanding Users and Roles

A user is one of the types shown in the following two tables. Only administrator types can be assigned authorizations or roles.

Table 2-31 Administrator User Types

BUI User Type / CLI User Type / Description

Local / local

  • This appliance administrator is defined for this appliance only.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

  • A password must be specified.

  • This user can be granted authorizations directly or by assigning custom roles.

  • Although local users are supported for data services, local groups are not supported.

Directory / directory

  • This appliance administrator is managed by a directory service: NIS, LDAP, or Active Directory (AD). See NIS Configuration, LDAP Configuration, or Active Directory Configuration.

  • The user must be an existing UNIX NIS/LDAP user or an AD name@domain user.

  • The user ID and password come from the directory service and cannot be set on the appliance.

    If both NIS and LDAP are configured on the appliance and the two services return different information for a particular user, the appliance uses the data provided by NIS.

  • When the appliance RADIUS service is enabled, all directory users log in using RADIUS.

  • This user can be granted authorizations directly or by assigning custom roles.

Auto / auto

This user type is created automatically when a user who belongs to a directory role, but who was not explicitly added as a user, logs in to the appliance for the first time. The account lets the user save preferences, such as the initial login screen and the session timeout duration. For more information about configuring user preferences, see Setting Preferences - BUI, CLI.

Table 2-32 Non-Administrator User Types

BUI User Type / CLI User Type / Description

Data-only / data

  • A data-only user is defined locally for data (such as SMB, NFS, FTP) with no administrator access.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

  • A password must be specified.

No-login / nologin

  • A no-login user is not allowed to log in to the appliance. A username and UID are reserved for identity mapping purposes.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

A role is a collection of authorizations that can be assigned to an administrator user type. Administrator users are assigned the "basic" role by default. The basic role enables the user to log in to the administrative interface and read most system configuration parameters. The basic role does not allow a user to make changes to the system. A user can be assigned additional roles and can be assigned additional authorizations directly. A role can be edited to add or delete authorizations.

Using roles is more secure than giving users the root password.

  • Use roles to easily grant users only the set of authorizations that they require. For example, different roles could have authorizations to modify different services.

  • Because users operate under their own user names rather than a shared root account, you can more easily identify which person performed a particular action.

A directory role specifically associates a role with an existing LDAP group or Active Directory (AD) group with the same name. As an example for LDAP, role "ZFS_Admins" is associated with LDAP group "ZFS_Admins". By creating the same LDAP directory role on multiple appliances, administrative privileges are granted to members of that LDAP group. Add or remove LDAP group members on the LDAP server configured for the appliances to centrally control who can log in to the appliance as an administrator. Because group membership alone is what grants this access, anyone who can change the group's membership on the directory server can create appliance administrators, so the group must be protected as carefully as the appliance itself. Also, on each appliance, you can assign different authorizations for the same directory role.

An automatic directory user is created when a user belonging to a directory role, but who was not explicitly added, logs in to the appliance for the first time. When automatic directory users are no longer authorized to be administrators, remove multiple users at once by using workflow "Destroy Unauthorized Directory Users" or remove them individually by manually removing them in the configuration-users area of the appliance software. For information about executing workflows, see Uploading and Executing Workflows Using the BUI and Executing Workflows using the CLI.
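The following is an added illustration, not appliance code, of the rules stated in this section: administrators get the basic role by default, effective authorizations are the union of the basic role, any assigned roles and any direct authorizations, directory roles are granted through membership in the directory group of the same name, NIS data wins over LDAP data when both are configured, an "auto" user is created on first login, and "Destroy Unauthorized Directory Users" removes auto users whose group membership no longer maps to a directory role. The class names, the authorization strings (such as configure_services) and the directory records are all invented for the example; the reading of "NIS is used" as "consult NIS first" and of "no longer authorized" as "no remaining directory-role group" are assumptions.

```python
"""Toy model of the user and role semantics described above (added example)."""
from dataclasses import dataclass, field

BASIC_ROLE = "basic"
# Stand-in authorizations for the read-only basic role (names are assumptions).
BASIC_AUTHS = frozenset({"login", "read_config"})
ADMIN_KINDS = frozenset({"local", "directory", "auto"})


@dataclass
class Role:
    name: str
    authorizations: set
    directory: bool = False   # True: bound to the LDAP/AD group of the same name


@dataclass
class User:
    name: str
    kind: str                 # local | directory | auto | data | nologin
    roles: set = field(default_factory=set)
    direct_auths: set = field(default_factory=set)


class Appliance:
    def __init__(self, roles, nis=None, ldap=None):
        self.roles = {r.name: r for r in roles}
        self.users = {}
        self.nis = nis or {}    # name -> {"uid": int, "groups": set}
        self.ldap = ldap or {}
        self.audit = []         # (who, what): every action carries a real user name

    def directory_lookup(self, name):
        """NIS data takes precedence over LDAP data (assumed: consult NIS first)."""
        if name in self.nis:
            return self.nis[name]
        return self.ldap.get(name)

    def add_user(self, user):
        if user.kind not in ADMIN_KINDS and (user.roles or user.direct_auths):
            raise ValueError(f"{user.kind} users cannot hold roles or authorizations")
        if user.kind in ADMIN_KINDS:
            user.roles.add(BASIC_ROLE)          # administrators get basic by default
        self.users[user.name] = user
        return user

    def directory_roles_for(self, name):
        """Directory roles granted by membership in the group of the same name."""
        rec = self.directory_lookup(name)
        if rec is None:
            return set()
        return {g for g in rec["groups"] if g in self.roles and self.roles[g].directory}

    def effective_roles(self, name):
        user = self.users[name]
        roles = set(user.roles)
        if user.kind in ("directory", "auto"):   # local users have no directory groups
            roles |= self.directory_roles_for(name)
        return roles

    def effective_authorizations(self, name):
        user = self.users[name]
        if user.kind not in ADMIN_KINDS:
            return set()                         # data-only / no-login: never administrators
        auths = set(user.direct_auths)
        for r in self.effective_roles(name):
            auths |= BASIC_AUTHS if r == BASIC_ROLE else self.roles[r].authorizations
        return auths

    def admin_login(self, name):
        """Administrative login; creates an 'auto' user on a directory member's first login."""
        user = self.users.get(name)
        if user is None:
            if not self.directory_roles_for(name):
                raise PermissionError(f"{name}: no account and no directory role")
            user = self.add_user(User(name, "auto"))
        elif user.kind not in ADMIN_KINDS:
            raise PermissionError(f"{name}: {user.kind} users cannot log in as administrators")
        self.audit.append((name, "login"))
        return user

    def destroy_unauthorized_directory_users(self):
        """Remove auto users with no remaining directory-role group; returns their names."""
        gone = [n for n, u in self.users.items()
                if u.kind == "auto" and not self.directory_roles_for(n)]
        for n in gone:
            del self.users[n]
        return gone


def demo():
    """Constructed sample data (not real directory records)."""
    ldap = {"alice": {"uid": 5001, "groups": {"ZFS_Admins", "staff"}},
            "bob":   {"uid": 5002, "groups": {"staff"}},
            "dave":  {"uid": 5003, "groups": {"ZFS_Admins"}}}
    nis = {"alice": {"uid": 4001, "groups": {"ZFS_Admins"}}}   # disagrees with LDAP on uid
    app = Appliance(
        roles=[Role("ZFS_Admins", {"configure_services"}, directory=True),
               Role("share_admin", {"create_shares"})],
        nis=nis, ldap=ldap)
    app.add_user(User("carol", "local", roles={"share_admin"}, direct_auths={"reboot"}))
    app.add_user(User("svc-backup", "data"))
    app.add_user(User("mapping-only", "nologin"))
    return app
```

Running demo() and then admin_login("alice") shows the auto-created user taking the ZFS_Admins role through its group while its uid comes from NIS, not LDAP; removing "dave" from the ZFS_Admins group in the LDAP data and calling destroy_unauthorized_directory_users() then drops only that auto user, which is the cleanup the workflow above performs.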
