Professional Documents
Culture Documents
PRODUCT GUIDE
P/N 300-000-879
REV A07
EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.emc.com
Copyright 2002, 2003, 2004, 2005 EMC Corporation. All Rights Reserved.
Printed January, 2005
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE
INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
Trademark Information
ii
Contents
Preface............................................................................................................................. ix
Chapter 1
Access Control
Symmetrix Access Control Operations Overview ...................... 1-2
Access Control Command Summary .................................... 1-3
Access Control Database ......................................................... 1-4
How to Create or Modify Access Control Data........................... 1-6
Command File Execution ........................................................ 1-6
Minimum Access Control Configuration.............................. 1-7
Initial ACL Setup ...................................................................... 1-8
How to Create and Manage Access Groups ................................ 1-9
Setting Up an Access Group ................................................... 1-9
User Access IDs (PINs) for the AdminGrp ......................... 1-10
Editing and Managing an Access Group ............................ 1-11
How to Create and Manage Limited Access to Access Pools . 1-13
Setting Up Access Pools......................................................... 1-13
Editing and Managing Access Pools.................................... 1-14
How to Create and Manage Access Control Entries................. 1-16
How to Obtain Access Control Information .............................. 1-20
How to Release Pending Locked Sessions ................................. 1-22
Grant/Deny Access Strategies ..................................................... 1-23
Initially Grant All Rights to Everybody .............................. 1-23
Granting and Denying Default and Legacy Access........... 1-23
BCV Setup Strategy ................................................................ 1-25
TimeFinder/Snap Setup Strategy......................................... 1-26
SRDF Setup Strategy .............................................................. 1-26
How to Backup and Restore the Access Control Database...... 1-27
Create a Backup File ............................................................... 1-27
Restore the Backup File to the Access Control Database .. 1-27
iii
Contents
iv
Figures
Figures
1-1
1-2
1-3
1-4
ACLs and ACEs in the Symmetrix Access Control Database ................. 1-4
An Access Controlled Symmetrix Site ....................................................... 1-5
Creating Access Pools ................................................................................. 1-13
Removing Devices from a Pool ................................................................. 1-15
Figures
vi
Tables
Tables
1-1
1-2
1-3
1-4
vii
Tables
viii
Preface
Organization
ix
Preface
Related
Documentation
Conventions Used in
this Manual
CAUTION
A caution contains information essential to avoid damage or
degraded integrity to storage of your data. The caution might
also apply to protection of your software or hardware.
Preface
Typographical Conventions
This manual uses the following type style conventions in this guide:
bold text
italic text
fixed space
courier font
Canada:
Worldwide:
(508) 497-7901
xi
Preface
For the list of EMC sales locations, please access the EMC home page
at:
http://www.emc.com/contact/
Your Comments
xii
1
Access Control
Access Control
1-1
Access Control
1-2
Access Control
Access Control
Command
Summary
Table 1-1
Description
symacl
For more information about the syntax of the symacl command, refer
to the EMC Solutions Enabler Symmetrix CLI Command Reference.
For a detailed introduction to Solutions Enabler, SYMCLI, and the
Symmetrix array, refer to the EMC Solutions Enabler Symmetrix Base
Management CLI Product Guide.
1-3
Access Control
1
Access Control
Database
Groups
Pools
AdminGrp
access ID
UNIXHost
PRODdevs
006 - 011
01C - 01F
ProdB
access ID
WinHost
poolA
012 - 019
022 - 02A
HR
poolHR
081 - 0AA
access ID
WinHR1
ACLs
accgroup=UnknwGrp
rights=ALL
devices=ALL_DEVS
ACE
accgroup=AdminGrp
accgroup=HR
ACE
ACE
accgroup=AdminGrp
accgroup=Sales
rights=BASE
accpool=Salepool
rights=ADMIN
devices=ALL_DEVS
ACE
accgroup=Sales
rights=SDDR
accpool=Salepool
ACE
ACE
accgroup=ProdB
rights=RDF
accpool=PRODdevs
accgroup=GroupA
rights=ALL
accpool=poolA
ACE
UnknwGrp
rights=BCV
accpool=poolHR
rights=BASE
devices=ALL_DEVS
accgroup=ProdB
rights=BASE
accpool=PRODdevs
GroupA
access ID
NodeB
rights=BASE
accpool=poolHR
ACE
ACE
Sales
access ID
WinSale2
ACLs
accgroup=HR
ACE
Default
Figure 1-1
1-4
Access Control
WinHost
RDF
Symmetrix
Remote
(Salepool)
SunHost1
WinSale2
(HRpool)
WinHR1
UXNodeB
Figure 1-2
HRpool Registered
to WinHR1 in Group HR
poolA Registered to
UXNodeB in GroupA
1-5
Access Control
Command File
Execution
Preview
Prepare
Commit
After you first create the command file, the preview operation verifies
the syntax and correctness of the contents of the entries in the
command file.
The prepare operation (also before you commit) performs the preview
checks but also verifies the appropriateness of the requested access
control modifications against the current state of the access control
database in the Symmetrix array.
1-6
Access Control
The commit operation performs both the preview and prepare checks
and then commits the contents of the command file to the Symmetrix
access control database.
Note that it is not mandatory to execute a preview or prepare action prior to a
commit. However, these actions can ensure that the commit action will not be
rejected or can be used to debug the command file entries.
Minimum Access
Control
Configuration
Table 1-2
ID Names
AdminGrp
SunHost1
ACCPIN
UnknwGrp
unknown
1-7
Access Control
1
Initial ACL Setup
Table 1-3
The initial UnknwGrp setup also grants ALL rights to any devices not
already assigned to a pool (!INPOOLS).
Initial Delivered ACLs Setup
Access Groups
Access Pools
AdminGrp
ADMIN
ALL
ALL_DEVS
UnknwGrp
BASE
ALL_DEVS
UnknwGrp
ALL
!INPOOLS
VLOGIX Behavior
1-8
Access Control
Setting Up an
Access Group
Create a Group
You can now commit the file or wait until you have added access IDs
to the group. To commit the file (addnewgroups.cmd) that executes
the creation of the groups, enter:
symacl -sid 12345 commit -file addnewgroups.cmd
1-9
Access Control
1
Add Host Access IDs
to a Group
1-10
Access Control
If a host is ever prompted for a PIN, the host should enter 1234PIN.
The addnewgroups.cmd file must be commited to execute the
addition of these new IDs:
symacl -sid 12345 commit -file addnewgroups.cmd
Then you must commit the file (moveaces.cmd) to execute the move
of this ACE to GroupA.
Remove all ACEs from
a Group
1-11
Access Control
1
At some point, you must commit the file (removeaces.cmd) to
execute the removal of the ACEs from group HR.
Delete a Group
Note that when you need to delete a group you either must have
removed all ACEs from the group or you can optionally remove all
ACEs with the [remove_aces=true] option within this delete
command.
For example, in the command file (deletegroup.cmd), to delete group
HR and any registered ACEs in that group, enter:
delete accgroup HR remove_aces=true;
1-12
Access Control
Setting Up Access
Pools
Symmetrix
PoolA
16
PoolB
19
12
0E
0A
Figure 1-3
1-13
Access Control
1
In this example, 16 devices are assigned to PoolB.
Create a Pool
You can now commit the file or wait until you have added devices to
the pool. To now commit the file (addnewpool.cmd) to execute the
creation of the pool, enter:
symacl -sid 12345 commit -file addnewpool.cmd
Editing and
Managing Access
Pools
You can edit and manage the existing access pool information in the
access control database.
1-14
Access Control
Symmetrix
PoolA
Removed -
16
19
12
PoolB
0E
0A
Figure 1-4
You can delete an access pool and optionally at the same time remove
any associated access control entries (ACEs) with the specified pool.
Note that all ACEs must be removed before you can delete a pool.
To delete an access pool and remove all ACEs, use the following
command syntax in the command file:
delete accpool PoolName [remove_aces=true];
1-15
Access Control
Grant Rights to an
Access Group
Once you have created an access group, you need to determine and
grant, to the access group, the rights (AccessType) of access to a
specified pool or to all the devices in the Symmetrix (or all devices
not in a pool) using the following command syntax:
grant access=<AccessType,,,> to accgroup GroupName
for <accpool PoolName> | <ALL|NON-POOLED devs>;
1-16
Commands Affected
ADMINb
ADMINRDb
ALLb
All
BASE
BASECTRL
symld <controls>
Access Control
Table 1-4
Commands Affected
BCV
symmir <controls>
CACHCTRL
CFGDEV
symconfigure
CFGSYM b
symconfigure
CHECKSUM
symchksum <controls>
CREATEDVb
symconfigure
DIRCTRLb
symcfg <online/offline>
ECCa, b
Not applicable
ERASE
symerase
OPTMZR
symoptmz <controls>
POWRPATHa, b
Not applicable
QOS
RDF
symrdf <control
SDDF
symchg
1-17
Access Control
1
Table 1-4
Commands Affected
SDR
symconfigure
SNAP
symsnap
VLOGIXa, b
symmask, symmaskdb
a. See the appropriate product documentation for use of these access types.
b. These access types must be granted to either ALL devices or all NON-POOLED devices in a
Symmetrix.
Before you can grant a group the rights to any value-added non-base
feature, you must first grant the group BASE rights.
To grant BASE rights to access group ProdB for all devices, use the
following command in the command file (grantrights.cmd):
grant access=BASE to accgroup ProdB for ALL devs;
To grant RDF rights to access group ProdB for pool PRODdevs, use
the following command in the command file (grantrights.cmd):
grant access=RDF to accgroup ProdB
for accpool PRODdevs;
1-18
Access Control
To grant BCV and SDR rights to access group HR for pool poolHR,
use the following command in the command file:
grant access=BCV, SDR to accgroup HR for accpool
poolHR;
Note that these command examples created three ACEs for BASE,
BCV, and the SDR rights, which now could be committed.
To make any non-registered (unknown) host have BASE rights to
access group UnknwGrp for all devices in the Symmetrix
environment, use the following command in the command file:
grant access=BASE to accgroup UnknwGrp for ALL devs;
To remove SDR rights from access group HR for poolHR, use the
following command in the command file:
remove access=SDR from accgroup HR for accpool poolHR;
1-19
Access Control
Using the list argument in the following command, you can list
information about groups, pools, and ACLs with the following
syntax:
symacl [-sid SymmID|ALL] list -accgroup |
-accpool |
-acl |
-v
The following example lists all the ACEs (with their pools and access
types) for the entire Symmetrix environment:
symacl list -acl
1-20
Access Control
Showing Access
Control Information
Using the show actions when you dont have administrative rights,
you only see access objects that are associated with the access group
to which your host belongs.
To show detail information about a specified group or pool, use the
following syntax:
symacl -sid SymmID|ALL show accgroup GroupName |
show accpool PoolName
For example, the following command shows all the detail about
access group ProdB on Symmetrix 0133:
symacl -sid 0133 show accgroup ProdB
The following command example shows all the detail about the
PRODdevs access pool on Symmetrix 0133:
symacl -sid 0133 show accpool PRODdevs
You can get the access ID for the host you are using. The following
command will return a unique access ID in an encrypted format:
symacl -unique
For example:
12301558-94200021-00347892
1-21
Access Control
Verifying a Locked
Session
This command can tell you how long the session has been locked and
who locked it.
1-22
Access Control
ACE
accgroup=UnknwGrp
ALL
devices=ALL_DEVS
Granting and
Denying Default
and Legacy Access
1-23
Access Control
1
If this ID is removed from the group UnknwGrp or this group is
removed, and then you need to add it back to a certain group, use the
following syntax:
add default accid name IdName to accgroup GroupName;
Once the default ID has been added to the group, then all legacy
applications and hosts whose access IDs are not yet or never will be
registered in the access control database, will default to using the
ACEs established for this group.
If the default ID is not present, then the access ID of all hosts that
need to communicate to the Symmetrix must be registered in the
database and granted sufficient access rights to accomplish the
functions they need to perform.
Finally, an ACE was created for group UnknwGrp granting them
ALL rights to all the Symmetrix devices. In this scenario, all users and
hosts can perform any of the SYMCLI command set operations.
Establishing an
Administrator
As shown in Figure 1-1 on page 1-4 and Figure 1-2 on page 1-5, the
delivered setup allows at least one host assigned with administrative
(ADMIN) privileges to be designated the administrator of the
information in the access control database.
In the following example, when the Symmetrix was initially
configured, an access group named AdminGrp was created. Then a
UNIX workstation named SunHost1 with an encrypted access ID (of
the form xxxxxxxx-yyyyyyyy-zzzzzzzz) was added to the AdminGrp
group. (The access ID was obtained by running symacl -unique.)
Group
AdminGrp
xxxx-yyyy-zzzz
SunHost1
ACE
accgroup=AdminGrp
ADMIN
devices=ALL_DEVS
ACE
accgroup=AdminGrp
ALL
devices=ALL_DEVS
Next, two ACEs were created; one granting ADMIN rights and one
granting ALL rights to group AdminGrp for all devices in the
Symmetrix.
1-24
Access Control
ACE
accgroup=UnknwGrp
ALL
devices=non-pooled
General Absolute
Control Strategy
Whatever strategy you apply during the initial building of the access
control database, you need to survey all user needs, organize their
limitations into groups, determine what Symmetrix devices to
allocate to who, and what access rights are appropriate for each
group. It is highly recommended to use the preview and prepare
actions on your first major command file before you commit it;
particularly if it is an extensive list. The preview and prepare will
identify any coding errors or mistakes in the logic.
1-25
Access Control
1
TimeFinder/Snap
Setup Strategy
Source and Target
Strategy
1-26
Access Control
Create a Backup
File
1-27
Access Control
1-28
Index
A
Abort
locked session 1-22
Access control commands
introduction 1-3
Access control database 1-5
Access control entries
creating 1-16
see also ACEs 1-5
Access control lists
see also ACLs 1-5
Access groups 1-4
access IDs (PINs) 1-10
adding access IDs 1-10
creating 1-9
deleting 1-12
editing/managing 1-11
granting rights 1-16
listing 1-20
moving access IDs 1-11
removing access IDs 1-11
removing ACEs 1-11
removing rights 1-19
setting up 1-9
showing 1-21
unknown 1-24
Access IDs 1-4, 1-10
viewing 1-21
Access pools 1-2, 1-13
add devices 1-14
creating 1-13
deleting 1-15
editing/managing 1-14
listing 1-20
remove device 1-14
setting up 1-13
showing 1-21
Access types 1-16
ACEs
listing 1-20
showing 1-21
ACLs
listing 1-20
Admin rights 1-13, 1-16
Administrator
establishing 1-24
Authority
admin rights 1-13, 1-16
B
Backup database 1-27
BCV strategy 1-25
C
Command file 1-6
command types 1-6
commit 1-7
prepare 1-6
preview 1-6
Commit command file 1-7
Creating access pools 1-13
D
Database
backup 1-27
i-1
Index
restore 1-27
Databases
access control 1-5
Device pools. See Access pools
U
Unknown access groups 1-24
User access IDs, PINs 1-10
G
Granting rights 1-16
Groups 1-9
L
Listing ACLs 1-20
Locked session
release 1-22
M
Managing access groups 1-9
Managing access pools 1-13
P
Pools 1-13
Prepare command file 1-6
Preview command file 1-6
R
Release locked session 1-22
Restore database 1-27
Rights 1-16
removing 1-19
S
Showing ACEs 1-21
SRDF devices 1-3
SRDF strategy 1-26
Strategies
access control 1-23
SYMCLI commands
symacl 1-3
T
TimeFinder strategy 1-25
TimeFinder/Snap strategy 1-26
i-2