Table of ContentsView in Frames

Storage system access control roles

You can assign roles to a user in the AccessControl.xml file to allow or restrict only certain operations to SnapDrive and storage system resources.

You can use these default roles to restrict access or you can create new roles using the available operation types.

Role Operations Descriptions
SD.Admin All operations Allows all SnapDrive operations.
SD.Provision
  • SD.Storage.Write
  • SD.Storage.Read
  • SD.Config.Read
  • SD.Config.Write
Allows all LUN provisioning and Snapshot copy operations, including create, connect, and map, if the operations are set on the storage system.

If a LUN is disconnected by a user to whom you have assigned the default SD.Provision role, but the volume on which the LUN resides does not have Storage.Read permission, that user cannot reconnect the LUN from SnapDrive MMC using manual igroup management. This is because without the Storage.Read permission on the storage system, no igroups are listed. In this case, the user can reconnect the LUN using automatic igroup management or sdcli.exe.

SD.Discovery
  • SD.Config.Read
  • SD.Storage.Read
  • SD.Snapshot.Read
Allows all operations for discovering volumes, qtrees, igroups, and Snapshot copies.
SDBackup
  • SD.Snapshot.Read
  • SD.Snapshot.Write
Allows create, replicate, and archive backup operations.
SDRestore
  • SD.Snapshot.Restore
Allows restore operations from a Snapshot copy or archive.
SDNoAccess
  • SD.Access.None
Denies all access.

When you use this role, the storage access control tool does not allow other roles to exist.