
Administrative User & Minimum Permissions

Configure administrative users and set minimum required permissions for your storage platforms.

Run the following commands as root on the PowerScale cluster over SSH.

Create SupernaAdmin Role and User

  1. Create the SupernaAdmin role

    isi auth roles create --name SupernaAdmin --description "SupernaAdmin role"
  2. Create the superna user

    isi auth users create superna --enabled yes --password 3y3gl4ss
    isi auth users modify superna --password-expires no
  3. Add user to the role

    isi auth roles modify SupernaAdmin --add-user superna

Assign Required Privileges

  1. Add minimum required privileges to the SupernaAdmin role

    # Core system privileges
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_LOGIN_PAPI
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_AUTH
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_ROLE
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_NFS
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_SMB
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_NETWORK
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_QUOTA
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_LOGIN_SSH
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_AUDIT
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_SYNCIQ
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_NS_IFS_ACCESS
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_NS_TRAVERSE
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_EVENT
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_HDFS
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_REMOTE_SUPPORT
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_SNAPSHOT
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_SMARTPOOLS
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_WORM
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_STATISTICS
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_JOB_ENGINE
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_CLOUDPOOLS
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_DEVICES
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_FILE_FILTER
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_HARDENING
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_NDMP
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_MONITORING
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_ANTIVIRUS
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_HTTP
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_NTP
    isi auth roles modify SupernaAdmin --add-priv ISI_PRIV_CONFIGURATION
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_IFS_BACKUP
    isi auth roles modify SupernaAdmin --add-priv-ro ISI_PRIV_IFS_RESTORE
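To confirm that the SupernaAdmin role still matches this minimum set after it has been in service (and has not quietly picked up read/write where only read-only was granted, or privileges outside the list), the following added checker compares a role export against the baseline above. It is example code, not part of this runbook or any Superna tool; it assumes the JSON shape shown in the `parse_role_privs` docstring for `isi auth roles view SupernaAdmin --format json`, and the sample role it inspects is constructed, not captured from a cluster.

```python
import json

# Baseline from the runbook above: RO_PRIVS are granted with --add-priv-ro, RW_PRIVS with --add-priv.
RO_PRIVS = [
    "ISI_PRIV_LOGIN_PAPI", "ISI_PRIV_LOGIN_SSH", "ISI_PRIV_NS_IFS_ACCESS",
    "ISI_PRIV_NS_TRAVERSE", "ISI_PRIV_EVENT", "ISI_PRIV_HDFS",
    "ISI_PRIV_REMOTE_SUPPORT", "ISI_PRIV_SMARTPOOLS", "ISI_PRIV_WORM",
    "ISI_PRIV_STATISTICS", "ISI_PRIV_CLOUDPOOLS", "ISI_PRIV_DEVICES",
    "ISI_PRIV_FILE_FILTER", "ISI_PRIV_HARDENING", "ISI_PRIV_NDMP",
    "ISI_PRIV_MONITORING", "ISI_PRIV_ANTIVIRUS", "ISI_PRIV_HTTP",
    "ISI_PRIV_NTP", "ISI_PRIV_IFS_BACKUP", "ISI_PRIV_IFS_RESTORE",
]
RW_PRIVS = [
    "ISI_PRIV_AUTH", "ISI_PRIV_ROLE", "ISI_PRIV_NFS", "ISI_PRIV_SMB",
    "ISI_PRIV_NETWORK", "ISI_PRIV_QUOTA", "ISI_PRIV_AUDIT", "ISI_PRIV_SYNCIQ",
    "ISI_PRIV_SNAPSHOT", "ISI_PRIV_JOB_ENGINE", "ISI_PRIV_CONFIGURATION",
]
REQUIRED = {**{p: True for p in RO_PRIVS}, **{p: False for p in RW_PRIVS}}  # id -> read_only

def parse_role_privs(role_json):
    """Map privilege id -> read_only flag. Assumed input shape (JSON from
    `isi auth roles view SupernaAdmin --format json`):
    {"privileges": [{"id": "ISI_PRIV_...", "read_only": true}, ...]}"""
    role = json.loads(role_json)
    return {p["id"]: bool(p.get("read_only", False)) for p in role.get("privileges", [])}

def audit_role(actual, required=REQUIRED):
    """Classify every deviation between the granted privileges and the baseline."""
    return {
        # required but absent: Superna features that depend on it will fail
        "missing": sorted(p for p in required if p not in actual),
        # baseline is read-only but the role holds read/write: excess privilege, tighten it
        "over_privileged": sorted(p for p, ro in required.items() if ro and actual.get(p) is False),
        # baseline needs read/write but only read-only was granted: silent failures
        "under_privileged": sorted(p for p, ro in required.items() if not ro and actual.get(p) is True),
        # granted but not in the baseline at all: remove unless there is a documented reason
        "extra": sorted(p for p in actual if p not in required),
    }

# Constructed sample of a drifted role (not real cluster output).
SAMPLE_ROLE_JSON = json.dumps({"name": "SupernaAdmin", "privileges": [
    {"id": "ISI_PRIV_LOGIN_PAPI", "read_only": True},
    {"id": "ISI_PRIV_AUTH", "read_only": False},
    {"id": "ISI_PRIV_SMB", "read_only": True},            # runbook grants read/write
    {"id": "ISI_PRIV_WORM", "read_only": False},          # runbook grants read-only
    {"id": "ISI_PRIV_SYS_SHUTDOWN", "read_only": False},  # not in the baseline at all
]})

if __name__ == "__main__":
    for kind, privs in audit_role(parse_role_privs(SAMPLE_ROLE_JSON)).items():
        print(f"{kind}: {', '.join(privs) or '(none)'}")
```

Run it against the real export after each OneFS upgrade or role change; any non-empty `over_privileged` or `extra` list is a least-privilege regression, and any `missing` or `under_privileged` entry explains a Superna feature that has stopped working.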

Create and Configure SMB Share for Audit Access

  1. Create the audit share

    /usr/likewise/bin/lwnet share add "superna_audit_share"="C:\\ifs\\.ifsvar\\audit\\logs"
  2. Verify the share was created

    isi smb shares list
  3. Configure the share to use system zone

    isi smb shares modify superna_audit_share --new-zone=system
  4. Grant read permissions to the superna user

    isi smb shares permission create --share=superna_audit_share --user="superna" --permission-type=allow --permission=read --zone=system
    Additional Zones

    If you want to audit access zones beyond the System zone, you'll need to configure the share for each additional zone and grant permissions. For example, to also audit a zone named "production":

    # Configure share for additional zone
    isi smb shares modify superna_audit_share --new-zone=production

    # Grant permissions for additional zone
    isi smb shares permission create --share=superna_audit_share --user="superna" --permission-type=allow --permission=read --zone=production

    Repeat both commands for each additional zone you want to include in your audit monitoring.

Set Linux Permissions for Audit Path Access

  1. Set permissions on the audit directory

    chmod -R +a user "superna" allow dir_gen_all,object_inherit,container_inherit,inherited /ifs/.ifsvar/audit/
    chmod -a user "superna" allow dir_gen_all,object_inherit,container_inherit,inherited /ifs/.ifsvar/audit/
    chmod +a user "superna" allow dir_gen_all,object_inherit,container_inherit /ifs/.ifsvar/audit/
  2. Set permissions on the audit logs directory

    chmod -R +a user "superna" allow dir_gen_all,object_inherit,container_inherit,inherited /ifs/.ifsvar/audit/logs
    chmod -a user "superna" allow dir_gen_all,object_inherit,container_inherit,inherited /ifs/.ifsvar/audit/logs
    chmod +a user "superna" allow dir_gen_all,object_inherit,container_inherit /ifs/.ifsvar/audit/logs
  3. Create a symlink for REST API access to audit logs

    ln -s /ifs/.ifsvar/audit/logs /ifs/auditlogs
    info

    This symlink is required because audit logs need to be listed from the audit directory, but /ifs/.ifsvar is not available through the PowerScale REST API. The symlink makes the audit logs accessible at /ifs/auditlogs, which can be accessed via the REST API.

important

When adding a PowerScale to the Superna 5 inventory, enter eyeglass as the user name in the credentials, not the role name.