Understanding Users and Roles

A user is one of the types shown in the following two tables. Only administrator types can be assigned authorizations or roles.

Table 2-31 Administrator User Types

BUI User Type: Local
CLI User Type: local
Description:

  • This appliance administrator is defined for this appliance only.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

  • A password must be specified.

  • This user can be granted authorizations directly or by assigning custom roles.

  • Although local users are supported for data services, local groups are not supported.

BUI User Type: Directory
CLI User Type: directory
Description:

  • This appliance administrator is managed by a directory service: NIS, LDAP, or Active Directory (AD). See NIS Configuration, LDAP Configuration, or Active Directory Configuration.

  • The user must be an existing UNIX NIS/LDAP user or an AD name@domain user.

  • User ID and Password are automatically assigned and cannot be set.

    If both NIS and LDAP are configured on the appliance and the services return different information for a particular user, the appliance uses the data provided by NIS.

  • When the appliance RADIUS service is enabled, all directory users log in using RADIUS.

  • This user can be granted authorizations directly or by assigning custom roles.

BUI User Type: Auto
CLI User Type: auto
Description:

  This user type is automatically created when a user belonging to a directory role, but who was not explicitly added, logs in to the appliance for the first time. This then allows the user to set preferences, such as for the initial login screen and the session timeout duration. For more information about configuring user preferences, see Setting Preferences - BUI, CLI.

Table 2-32 Non-Administrator User Types

BUI User Type: Data-only
CLI User Type: data
Description:

  • A data-only user is defined locally for data (such as SMB, NFS, FTP) with no administrator access.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

  • A password must be specified.

BUI User Type: No-login
CLI User Type: nologin
Description:

  • A no-login user is not allowed to log in to the appliance. A username and UID are reserved for identity mapping purposes.

  • The username must be a new UNIX username.

  • A custom UID can be specified; otherwise, the system will assign the UID.

A role is a collection of authorizations that can be assigned to an administrator user type. Administrator users are assigned the "basic" role by default. The basic role enables the user to log in to the administrative interface and read most system configuration parameters. The basic role does not allow a user to make changes to the system. A user can be assigned additional roles and can be assigned additional authorizations directly. Local and directory roles can be edited to add or delete authorizations. System roles are delivered with the appliance, can be assigned directly to users, and can be cloned to local or directory roles, but they cannot be modified or deleted.

  • Using roles is more secure than giving users the root password.

  • Use roles to easily grant users only the set of authorizations that they require. For example, different roles could have authorizations to modify different services.

  • Because users are operating under their own user names, you can more easily identify which real person performed a particular action.

The appliance includes a set of system-delivered sample roles to encourage the use of roles instead of shared root access. These roles are available after upgrading to a software version that provides this feature. Existing roles are not changed during upgrade.

The following system roles are provided with the appliance:

  • $All—All Authorizations

  • $Backup—Backup and Replication Management

  • $Securitymgr—Security and Key Management

  • $Sharemgr—Basic Share Management

  • $Svcmgr—Service Management

  • $Update—Update Management

  • $Usermgr—User Management

The $All system role is special. Its authorization list is generated dynamically so that it always includes the complete set of authorizations known to the running software version.

A directory role specifically associates a role with an existing LDAP group or Active Directory (AD) group with the same name. A system role can be cloned to create a directory role with a similar initial authorization set. As an example for LDAP, role "ZFS_Admins" is associated with LDAP group "ZFS_Admins". By creating the same LDAP directory role on multiple appliances, administrative privileges are granted to members of that LDAP group. Add or remove LDAP group members on the LDAP server configured for the appliances to centrally control who can log in to the appliance as an administrator. Also, on each appliance, you can assign different authorizations for the same directory role.

An automatic directory user is created when a user belonging to a directory role, but who was not explicitly added, logs in to the appliance for the first time. When automatic directory users are no longer authorized to be administrators, remove multiple users at once by using workflow "Destroy Unauthorized Directory Users" or remove them individually by manually removing them in the configuration-users area of the appliance software. For information about executing workflows, see Uploading and Executing Workflows Using the BUI and Executing Workflows using the CLI.
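The role semantics described above (the default basic role, the dynamically generated $All role, immutable system roles that can be cloned, directory roles bound to a same-named directory group, auto users created at first login, and the cleanup of auto users whose group membership was revoked) can be modelled in a few lines. The following Python is an added illustration, not appliance code; the authorization names and the LDAP group table are constructed inputs.

```python
from dataclasses import dataclass, field
KNOWN_AUTHS = {"read:config", "svc:nfs:administer", "share:modify", "key:manage"}  # constructed

@dataclass
class Role:
    name: str
    kind: str                                  # "system", "local" or "directory"
    auths: set = field(default_factory=set)
    def effective(self):
        # $All is generated dynamically: always the full set of known authorizations.
        return set(KNOWN_AUTHS) if self.name == "$All" else set(self.auths)
    def add(self, auth):
        if self.kind == "system":              # system roles cannot be modified
            raise PermissionError(f"{self.name} is a system role")
        self.auths.add(auth)
    def clone(self, name, kind):
        # A system role may be cloned to an editable local or directory role.
        return Role(name, kind, self.effective())

@dataclass
class User:
    name: str
    kind: str                                  # "local", "directory" or "auto"
    roles: set = field(default_factory=lambda: {"basic"})   # basic is assigned by default
    direct_auths: set = field(default_factory=set)

class Appliance:
    def __init__(self, groups):
        self.groups = groups                   # constructed: LDAP/AD group -> member names
        self.roles = {"basic": Role("basic", "local", {"read:config"}),
                      "$All": Role("$All", "system")}
        self.users = {}
    def group_roles(self, username):
        # A directory role is bound to the directory group with the same name.
        return {r.name for r in self.roles.values()
                if r.kind == "directory" and username in self.groups.get(r.name, ())}
    def login(self, username):
        # First login of a group member with no explicit entry creates an auto user.
        if username not in self.users and self.group_roles(username):
            self.users[username] = User(username, "auto")
        return self.users.get(username)
    def effective_auths(self, username):
        u = self.users[username]
        names = u.roles | self.group_roles(username)
        return set(u.direct_auths).union(*(self.roles[n].effective() for n in names))
    def unauthorized_auto_users(self):
        # Auto users whose group membership was revoked (what "Destroy Unauthorized Directory Users" removes).
        return [n for n, u in self.users.items()
                if u.kind == "auto" and not self.group_roles(n)]
```

Note that a revoked group member keeps an auto user entry, and therefore basic read access, until that entry is destroyed; the workflow exists for exactly that cleanup.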

In addition to local and directory roles that you create, the product includes system-defined roles. System-defined roles cannot be modified or deleted. A system-defined role can be cloned to a local role or directory role and can be assigned to local and directory users. The following system-defined roles are supported:

zfssa:configuration roles> list
NAME                     DESCRIPTION                      TYPE
$All                     All Authorisations               System
$Backup                  Backup and Replication Manage... System
$Securitymgr             Security and Key Management      System
$Sharemgr                Basic Share Management           System
$Svcmgr                  Service Management               System
$Update                  Update Management                System
$Usermgr                 User Management                  System
basic                    Basic administration             Local

The $All role is special. It contains all the authorizations known to the currently running instance.

Note:

For the ZFS storage appliance product in Oracle Cloud Infrastructure, the initial opc user is assigned the $All role.

Note:

After upgrading to a software version that includes system roles, the new system roles become available for assignment and cloning. Existing local and directory roles are not modified by the upgrade.
