RBAC Requirements - Read Me First

Overview

Follow the guidelines in this section when adding groups or users to roles.

New in Release 2.5.6 20258 or Later

  1. Adding a user or group to a role now validates that the user or group can be resolved when the role is saved. If the user or group cannot be resolved to a SID or GUID from Active Directory, an error is displayed and the user or group is not saved to the role.


  1. General Requirements:

    1. Proxy authentication requires the system zone to have an AD authentication provider added, so that the password can be validated and the user's AD group membership retrieved from AD.
    2. SMB protocol port 445 must be open between the Eyeglass VM and the cluster.
    3. Trusted Domains - An AD domain that is not directly added to PowerScale as an authentication provider can be used when adding users or groups. The trusted domain must trust the AD domain added to the system zone.
    4. SMB2 protocol is used for AD authentication of users against an SMB share in the system zone.
    5. System zone authentication is the only supported proxy login and requires an AD provider in the system zone.
    6. SMB protocol must be enabled in the system zone.
      1. Login will attempt to validate the password on all clusters added to Eyeglass using SMB and system zone authentication requests over SMB.
  2. Use Case: Applying AD Groups to an Eyeglass Role - Requirements below

    1. Verify that the user account you are logging in with has AD groups displayed from the PowerScale CLI. If no groups are shown, open an EMC SR.
      1. isi auth users view dfs1@ad1.test --show-groups (the output MUST show Additional Groups: assigned to the user; the group used in the Eyeglass role must be listed in the output of this command).
    2. AD group and AD domain syntax rules for 2.5.6 20258 or later

      1. Upgrade to 2.5.6 20258 or later.
      2. Group names cannot contain special characters other than dash, underscore or space.
  3. Use Case: Applying a user directly to an Eyeglass Role - Requirements below

    1. The user you add must be in UPN format (user principal name): user@domain name.
      1. A user added to a role must use the UPN defined in AD (see screenshot example). You can verify the UPN with this Isilon CLI command: isi auth users view dfs1@ad1.test --show-groups
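The following shell script is an added example (not Superna or Dell code) that pre-checks the two rules above before an entry is saved to a role: the group-name character rule and the UPN format, plus whether the group actually appears under "Additional Groups:" in the output of isi auth users view. SAMPLE_OUTPUT is a constructed stand-in for that command's output; the exact layout (label followed by one group per indented line) is an assumption, so adjust the awk filter if your OneFS release prints it differently.

```shell
#!/bin/sh
# Constructed sample standing in for:
#   isi auth users view dfs1@ad1.test --show-groups
# Layout (label line, then one group per indented line) is assumed, not captured.
SAMPLE_OUTPUT='                 Name: dfs1
           DNS Domain: ad1.test
                  SID: S-1-5-21-PLACEHOLDER-1104
    Additional Groups: eyeglass-admins
                       dfs operators
      Home Directory: /ifs/home/dfs1'

# Group-name syntax rule: letters, digits, dash, underscore and space only.
valid_group_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_ -]+$'
}

# UPN syntax rule: user@domain with a dotted domain (e.g. dfs1@ad1.test).
valid_upn() {
    printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# Print the groups listed under "Additional Groups:" from isi output on stdin.
additional_groups() {
    awk '
        /^[[:space:]]*Additional Groups:/ {
            sub(/^[[:space:]]*Additional Groups:[[:space:]]*/, "")
            if ($0 != "") print
            in_block = 1; next
        }
        # Continuation lines are indented and carry no "Label:" of their own.
        in_block && /^[[:space:]]+[^[:space:]]/ && !/:/ { sub(/^[[:space:]]+/, ""); print; next }
        { in_block = 0 }
    '
}

# Pre-check before adding group $1 to a role; $2 is the captured isi output.
# Prints "ok", "bad-syntax" (the role save would be rejected) or "not-a-member".
check_group_for_role() {
    if ! valid_group_name "$1"; then echo bad-syntax; return 0; fi
    if printf '%s\n' "$2" | additional_groups | grep -Fxq -- "$1"; then
        echo ok
    else
        echo not-a-member
    fi
}

check_group_for_role 'dfs operators' "$SAMPLE_OUTPUT"   # ok
check_group_for_role 'domain users' "$SAMPLE_OUTPUT"    # not-a-member
```

On a live cluster, replace SAMPLE_OUTPUT with the real command output (for example, output=$(isi auth users view "$upn" --show-groups)) and run the check for the user's UPN and each group before saving the role.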

© Superna LLC