1. Oracle ZFS Storage Appliance Administration Guide, Release OS8.8.x
  2. Configuring the Appliance
  3. Configuring Users
  4. User Authorizations

User Authorizations

Authorizations allow users to perform specific tasks, such as creating shares, rebooting the appliance, and updating the system software.

Authorizations are grouped into scopes. A particular scope might have a set of filters to narrow the scope of the authorization. For example, rather than an authorization to restart all services, a filter can be used so that this authorization can restart only the HTTP service.

The following table shows the available authorizations.

Table 2-33 Scopes, Filters, and Authorizations Available for Users and Roles

Scope BUI Scope CLI Filters BUI/CLI Authorizations

Active Directory

ad

Domain or workgroup name

  • domain/allow_domain: Join an Active Directory domain

  • workgroup/allow_workgroup: Join a workgroup

Alerts

alert

-

  • configure/allow_configure: Create custom alert actions or threshold alerts

  • post/allow_post: Post custom alerts

Analytics

stat

List of drilldowns

  • configure/allow_configure: Configure analytics hostname lookup policy

  • create/allow_create: Create a statistic with this drilldown present

  • read/allow_read: Read a statistic with this drilldown present

Appliance

appliance

Appliance name

  • audit/allow_audit: Emit an audit log entry

  • configBackup/configBackup: Create a configuration backup. Because data included in a configuration backup might be sensitive and because the configBackup authorization has the same full privileges as for the root user, be sure to read Security Considerations for Configuration Backups in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

  • configExport/configExport: Export a saved configuration. Because data included in a configuration backup might be sensitive, be sure to read Security Considerations for Configuration Backups in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

  • configImport/configImport: Import a saved configuration. Because data included in a configuration backup might be sensitive, be sure to read Security Considerations for Configuration Backups in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

  • configRestore/configRestore: Restore a saved configuration. Because data included in a configuration backup might be sensitive and because the configRestore authorization has the same full privileges as for the root user, be sure to read Security Considerations for Configuration Backups in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

  • factoryReset/allow_factoryReset: Restore the appliance to factory defaults

  • notification-suspend/allow_notification-suspend: Suspend all notifications

  • peerSetup/allow_peerSetup: Set up replication relations

  • powerOff/allow_powerOff: Power down the appliance

  • reboot/allow_reboot: Reboot the appliance

  • setName/allow_setName: Modify the appliance name

  • setTime/allow_setTime: Set the appliance time

  • shell/allow_shell: Access the underlying Oracle Solaris shell

  • systemCert/allow_systemCert: Configure system certificates

  • trustedCert/allow_trustedCert: Configure trusted certificates

Cloud targets

cloud

Cloud target name

  • backup/allow_backup: Backup snapshot data to cloud

  • delete/allow_delete: Delete cloud snapshots

  • restore/allow_restore: Restore cloud snapshots to local shares

Clustering

cluster

-

  • failback/allow_failback: Failback resources to a cluster peer

  • linkReset/allow_linkReset: Reset a failed cluster I/O device

  • takeover/allow_takeover: Takeover resources from a cluster peer

  • transfer/allow_transfer: Transfer resources to a cluster peer

Datasets

dataset

-

  • configure/allow_configure: Configure dataset retention policies and dataset auto suspend policies

Hardware

hardware

-

  • disk/allow_disk: Online and offline disks

  • disk-fault/allow_disk-fault: Manually fault a disk

  • led/allow_led: Configure LEDs on disks, appliance, and external enclosures

  • serviceProcessor/allow_serviceProcessor: Configure network properties for the service processor

  • storage-cancelSpare/allow_storage-cancelSpare: Remove a drive as a hot spare

  • storage-configure/allow_storage-configure: Configure a storage pool

  • storage-unconfigure/allow_storage-unconfigure: Unconfigure a storage pool

Keystores

keystore

Keystore name

  • listKeystore/allow_listKeystore: List keys present in a per-user keystore

  • modifyKeystore/allow_modifyKeystore: Permit keystore modifications

  • readKeystore/allow_readKeystore: Permit read access to sensitive values in a keystore

Networking

net

-

  • configure/allow_configure: Configure networking devices, datalinks, and interfaces

Projects and shares

nas

  • Storage pool

  • Project

  • Share

  • backup/allow_backup: Backup share data

  • changeAccessProps/allow_changeAccessProps: Configure who can access a share

  • changeGeneralProps/allow_changeGeneralProps: Change general properties on a share

  • changeProtocolProps/allow_changeProtocolProps: Configure protocol-specific properties

  • changeSpaceProps/allow_changeSpaceProps: Change quota and reservation on a share

  • changeUserQuota/allow_changeUserQuota: Change user and group quotas on a share

  • clearLocks/allow_clearLocks: Clear locks held on behalf of an NFS client

  • clone/allow_clone: Clone a snapshot to a normal filesystem

  • createProject/allow_createProject: Create a project

  • createShare/allow_createShare: Create a filesystem or LUN

  • destroy/allow_destroy: Remove a project or share

  • destroySnap/allow_destroySnap: Remove a snapshot

  • disableLockedSnap/allow_disableLockedSnap: Disable retention on schedule of snapshots

  • enableLockedSnap/allow_enableLockedSnap: Enable and configure retention on schedule of snapshots

  • encryption/allow_encryption: Manage encryption keys for a pool, project, or share

  • promote/allow_promote: Promote a clone

  • releaseSnapRetention/allow_releaseSnapRetention: Release a snapshot retention policy

  • rename/allow_rename: Rename a project or share

  • renameSnap/allow_renameSnap: Rename a snapshot

  • restore/allow_restore: Restore data to share

  • retainSnap/allow_retainSnap: Retain a snapshot

  • retentionAuto/allow_retentionAuto: Enable automatic retention

  • retentionMandatory/allow_retentionMandatory: Enable mandatory retention

  • retentionPeriods/allow_retentionPeriods: Alter retention periods

  • rollback/allow_rollback: Rollback a filesystem to a previous snapshot

  • rrsource/allow_rrsource: Configure data replication to other appliances

  • rrtarget/allow_rrtarget: Manage data replicated from other appliances

  • scheduleLockedSnap/allow_scheduleLockedSnap: Configure retention on schedule of snapshots

  • scheduleSnap/allow_scheduleSnap: Configure a recurring schedule of snapshots

  • scrub/allow_scrub: Check a storage pool for errors

  • shadowMigration/allow_shadowMigration: Manage shadow migration on a share

  • takeSnap/allow_takeSnap: Take a manual snapshot

Roles

role

Role name

  • changeAuths/allow_changeAuths: Configure authorizations for a role

  • changeDescription/allow_changeDescription: Change a description of a role

  • create/allow_create: Create a role

  • destroy/allow_destroy: Destroy a role

SAN

stmf

-

  • configure/allow_configure: Configure SAN hosts and targets

Services

svc

Service name

  • administer/allow_administer: Enable or disable service

  • configure/allow_configure: Configure service properties and settings

  • restart/allow_restart: Restart service

Shares property schema

schema

-

  • modify/allow_modify: Modify property schema

Update

update

-

  • delete/allow_delete: Delete system updates

  • update/allow_update: Update system software

  • upload/allow_upload: Upload system updates

Users

user

Username

  • changeAuths/allow_changeAuths: Configure authorizations for a user

  • changePassword/allow_changePassword: Change a password

  • changePreferences/allow_changePreferences: Configure preferences for a user

  • changeProperties/allow_changeProperties: Configure properties for a user

  • changeRESTTokens/allow_changeRESTTokens: Configure REST tokens for a user

  • changeRoles/allow_changeRoles: Configure roles for a user

  • create/allow_create:Create a user

  • destroy/allow_destroy: Destroy a user

Workflow

workflow

  • Owner

  • Name

  • modify/allow_modify: Delete workflow

  • read/allow_read: Execute workflow

Worksheet

worksheet

  • Owner

  • Name

  • modify/allow_modify: Modify worksheet

  • read/allow_read: Read worksheet

Related Topics

  • Adding an Administrator or User - BUI, CLI

  • Editing Exceptions for a User - BUI, CLI

  • Adding a Role - BUI, CLI

  • Editing Authorizations for a Role - BUI, CLI