Appliance Users
There are two types of Oracle ZFS Storage Appliance users:
- Data Services Users – Clients who access file and block resources using the supported protocols such as Network File System (NFS), Server Message Block (SMB), Fibre Channel, Internet Small Computer System Interface (iSCSI), Hypertext Transfer Protocol (HTTP), and File Transfer Protocol (FTP).
- Administrative Users – Users who will manage the configuration and services on the appliance.
This section applies to administrative users only.
Administrative User Roles
You can grant administrators privileges by assigning custom roles to them. A role is a collection of privileges that you can assign to an administrator. You may want to create various administrator and operator roles, with different authorization levels. Assign each staff member a role that is suitable for their needs, without granting unnecessary privileges.
The use of roles is more secure than the use of shared full-access administrator passwords, such as giving everyone the root password. Roles restrict users to defined sets of authorizations. In addition, user roles are traceable to individual usernames in the audit logs. By default, a role called "Basic administration" exists, which contains a minimum of authorizations.
Administrative users can be:
- Local Users – Where all account information is saved on Oracle ZFS Storage Appliance.
- Directory Users – Where existing NIS or LDAP accounts are used and supplemental authorization settings are saved on the appliance. Access to the appliance must be explicitly granted to existing NIS/LDAP users, who can then log in to and administer the appliance. Access cannot be granted by default.
Administrative Scopes
Authorizations let users perform specific tasks, such as creating shares, rebooting the appliance, and updating the system software. Groups of authorizations are called scopes. Each scope can have a set of optional filters that narrow the number of authorizations. For example, rather than authorization to restart all services, a filter can be used to allow restarting of only the HTTP service.
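The following added example (not Oracle code and not the appliance's API) models how a filter narrows an authorization within a scope, and how to list unfiltered authorizations when reviewing roles for least privilege. The class names, the scope label "services", the action names and both roles are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Authorization:
    scope: str                                   # constructed scope label
    actions: set                                 # tasks granted in that scope
    filters: dict = field(default_factory=dict)  # empty: every object in scope

    def permits(self, scope, action, target):
        if scope != self.scope or action not in self.actions:
            return False
        # Each filter must match the target; with no filters nothing is narrowed.
        return all(target.get(k) == v for k, v in self.filters.items())

@dataclass
class Role:
    name: str
    authorizations: list

    def permits(self, scope, action, target):
        # Default deny: a task is allowed only if some authorization grants it.
        return any(a.permits(scope, action, target) for a in self.authorizations)

    def unfiltered(self):
        # Authorizations that cover a whole scope: candidates for a filter.
        return [a for a in self.authorizations if not a.filters]

# Constructed roles: one filtered to the HTTP service, one covering all services.
http_operator = Role("http-operator",
                     [Authorization("services", {"restart"}, {"service": "http"})])
svc_operator = Role("svc-operator",
                    [Authorization("services", {"restart"})])

# Constructed requests: (scope, action, target object).
REQUESTS = [
    ("services", "restart", {"service": "http"}),
    ("services", "restart", {"service": "nfs"}),
    ("services", "configure", {"service": "http"}),
]

def evaluate(roles=(http_operator, svc_operator)):
    # Map each role name to its allow/deny decision for every request.
    return {r.name: [r.permits(*q) for q in REQUESTS] for r in roles}

if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(name, decisions)
    print("review:", [a.scope for a in svc_operator.unfiltered()])
```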