Set up a user account in order to use the ETERNUS SF Manager functions.
The privileges granted to user accounts and the corresponding ranges of control are shown in the table below.

The following section explains how to create and make settings for user accounts controlling the Web Console and for users executing commands via command input.

For user authentication when logging in on the Web Console, ETERNUS SF product uses the authentication system of the OS on the Management Server.

In order to give a user the privilege ("role") to use ETERNUS SF product, you need to create ETERNUS SF role groups to which each user account is allocated.

The table below shows the relationships between the ETERNUS SF roles that are given to ETERNUS SF role groups and the Web Console control actions that are permitted to users belonging to the respective role group.

1. Create the following two ETERNUS SF role groups.

   For Windows environment

   Create the following two groups.

   • ESFAdmin

   • ESFMon

   If using Windows domain authentication, create the ETERNUS SF role groups in the domain controller (Active Directory).
   If not using Windows domain authentication, create the ETERNUS SF role groups on the Management Server.

   Note

   • Set the Windows security policy, to permit local logon for the ETERNUS SF role groups.

   • For creating the ETERNUS SF role groups in the domain controller (Active Directory), the scope and type of each group need to be specified. Make sure to specify the following values:

     Group scope: Domain local

     Group type: Security

   For Solaris environment or Linux environment

   Create the following two groups using groupadd command and so on.

   • esfadmin

   • esfmon

2. Create user accounts for operating from the Web Console.

   For Windows environment

   If using Windows domain authentication, create user accounts in the domain controller (Active Directory).
   If not using Windows domain authentication, create user accounts on the Management Server.

   For Solaris or Linux environment

   Create a user account on Management Server using useradd command and so on.

3. Assign the created user accounts to ETERNUS SF role groups.

   For Windows environment

   Use [Computer Management] and so on.

   For Solaris environment

   Configure one of the following to the target user accounts by using a command such as the usermod command.

   • Set ETERNUS SF role groups as primary group.

   • Add ETERNUS SF role groups to secondary group.

   For Linux environment

   Configure one of the following to the target user accounts by using a command such as the usermod command.

   • Set ETERNUS SF role groups as main group.

   • Add ETERNUS SF role groups to supplementary group.

   An ETERNUS SF role is assigned to each user account.

@echo off

REM # -----------------------
REM # Creating the ESFAdmin group
REM # -----------------------
net localgroup ESFAdmin > NUL 2>&1
if errorlevel 1 (
   echo ESFAdmin group add.
   net localgroup ESFAdmin /add /comment:"ETERNUS SF V15 Administrator"
)

REM # -----------------------
REM # Creating the ESFMon group
REM # -----------------------
net localgroup ESFMon > NUL 2>&1
if errorlevel 1 (
   echo ESFMon group add.
   net localgroup ESFMon /add /comment:"ETERNUS SF V15 Moniter"
)

Commands for Express, Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM can only be executed by users with administrator privileges for the operating system.

This section explains how to create accounts for users who can execute commands.

For using Express, Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM commands, operate as a user with Administrator permissions or a user in the Administrators group.

In Windows Server 2008 or later, a User Account Control function (hereafter called "UAC") has been added to enhance security.
The cases where UAC is enabled and disabled are explained below.

• When UAC is enabled

  When any user other than the built-in Administrator account (including accounts in the Administrators group) executes a process or program that requires administrator permissions, the "Permissions granted/authorized dialog" is displayed. Permissions granted or authorized must be confirmed.

• When UAC is disabled

  Processes or programs that require administrator permissions must be executed by either the built-in Administrator account or a user account in the Administrators group.

The operating conditions are shown below.

A: Runs without displaying the permissions granted dialog box.
B: Displays the permissions granted dialog box, and runs if permissions are approved.
C: Does not run, because Administrator permissions cannot be obtained.

If you do not wish to perform the dialog process using the administrator permissions dialog box, and the conditions marked as "B" in the table above apply (for example, in batch processing), the program must be executed using administrator permissions with one of the following methods:

• In the Command Prompt, use "runas" command to execute the program as a user with administrator permissions. A password must be entered after this.

  [Batch file (test.bat) execution example]

  runas /noprofile /user:mymachine\acmuser "cmd.exe /k test.bat"

• In the Task Scheduler, specify "Execute with top level privileges" to operate the program.

• Execute the program with the Command Prompt.

  • For Windows Server 2008 or Windows Server 2008 R2

    From the Start menu, select All Programs > Accessories and right-click on Command Prompt. Specify "Run as Administrator" to run the Command Prompt. Execute the program from the Command Prompt.

  • For Windows Server 2012

    Specify "Command Prompt (Admin)" to run the Command Prompt. Execute the program from the Command Prompt.

    
    

Express (for Linux only), Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM commands can only be executed as a root, so operate root user.