Access Control
Unisphere
EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
Note
You can reset the storage system factory default account passwords by pressing the
password reset button on the storage system chassis. The Unisphere Online Help
provides more information.
Authentication for access to Unisphere is performed based on the credentials of the
user (local or LDAP) account. User accounts are created and subsequently managed
through the Unisphere Manage Administration page. The authorizations that apply to
Unisphere depend on the role associated with the user account.
Before a user can download the Unisphere UI content to a management workstation,
the user must provide credentials for authentication and establish a session on the
storage system. When the user specifies the network address of the storage system
as the URL in a web browser, the user will be presented with a login page from which
the user can select to authenticate either as a local user or through an LDAP directory
server. The credentials that the user provides will be authenticated and, upon
successful authentication, a UI management session will be created on the storage
system. Subsequently, the Unisphere UI will be downloaded and instantiated on the
user's management workstation. The user then will be able to monitor and manage the
storage system within the capabilities of the role assigned to the user.
LDAP
The Lightweight Directory Access Protocol (LDAP) is an application protocol for
querying directory services running on TCP/IP networks. LDAP provides central
management of authentication and identity and group information used for
authorization on the storage system. Integrating the system into an existing LDAP
environment provides a way to control user and user group access to the system
through Unisphere CLI or Unisphere.
After you configure LDAP settings for the system, you can manage users and user
groups within the context of an established LDAP directory structure. For instance,
you can assign access roles (Administrator, Storage Administrator, Operator, VM
administrator) to the LDAP user or groups. The role applied will determine the level of
authorization the user or group will have in administering the storage system. The
system uses the LDAP settings only for facilitating control of access to Unisphere CLI
and Unisphere, not for access to storage resources.
Session rules
Unisphere sessions have the following characteristics:
- Expiration term of one hour
- Session timeout is not configurable
- Session IDs are generated during authentication and used for the duration of each
  session
Password usage
Unisphere account usernames and passwords must meet these requirements, as
shown in Table 5 on page 13.