4.1.1 Setting Up User Account

Set up a user account in order to use the ETERNUS SF Manager functions.
The privileges granted to the Web Console user and the command execution user accounts, and their controllable ranges are shown in the table below.

ETERNUS SF Role	Administrator Privilege of Operating System
ETERNUS SF Role	Yes	No
Yes	Operations are possible from the Web Console and the command line.	Operations are possible only from the Web Console.
No	Operations are possible only from the command line.	Operations are neither possible from the Web Console nor from the command line.

The following section explains how to create and set up the Web Console user and the command execution user accounts, and how to change the user (esfpostgres) password internally using the ETERNUS SF system.

Note

As the user (esfpostgres) used internally by the ETERNUS SF system is required to run the ETERNUS SF system, do not delete the user account. When the product is installed, a default value is set to a password, so change the password before using the ETERNUS SF system. Also, change the password periodically when running the ETERNUS SF system, as well.
Periodically change the account name and password for the Web Console user and the command execution user.

4.1.1.1 Creating User Accounts for Operating from Web Console

For user authentication when logging in on the Web Console, ETERNUS SF product uses the authentication system of the OS on the Management Server.

In order to give a user the privilege ("role") to use ETERNUS SF product, you need to create ETERNUS SF role groups to which each user account is allocated.

The table below shows the relationships between the ETERNUS SF roles that are given to ETERNUS SF role groups and the Web Console control actions that are permitted to users belonging to the respective role group.

Table 4.1 For Windows Environment
ETERNUS SF Role Group	ETERNUS SF Role	Permitted Web Console Controls
ESFAdmin	Administrator	All operations
ESFMon	Monitor	Only display-related operations

Table 4.2 For Solaris or Linux Environment
ETERNUS SF Role Group	ETERNUS SF Role	Permitted Web Console Controls
esfadmin	Administrator	All operations
esfmon	Monitor	Only display-related operations

Create the following two ETERNUS SF role groups.
For Windows Environment
Create the following two groups.
- ESFAdmin
- ESFMon
If using Windows domain authentication, create the ETERNUS SF role groups in the domain controller (Active Directory).
If not using Windows domain authentication, create the ETERNUS SF role groups on the Management Server.
Note
Set the Windows security policy, to permit local logon for the ETERNUS SF role groups.
For creating the ETERNUS SF role groups in the domain controller (Active Directory), the scope and type of each group need to be specified. Make sure to specify the following values:
Group scope: Domain local
Group type: Security
For Solaris or Linux Environment
Create the following two groups using groupadd command and so on.
- esfadmin
- esfmon
Create user accounts for operating from the Web Console.
For Windows Environment
If using Windows domain authentication, create user accounts in the domain controller (Active Directory).
If not using Windows domain authentication, create user accounts on the Management Server.
For Solaris or Linux Environment
Create a user account on Management Server using useradd command and so on.
Assign the created user accounts to ETERNUS SF role groups.
For Windows Environment
Use [Computer Management] and so on.
For Solaris Environment
Configure one of the following to the target user accounts by using a command such as the usermod command.
- Set ETERNUS SF role groups as primary group.
- Add ETERNUS SF role groups to secondary group.
For Linux Environment
Configure one of the following to the target user accounts by using a command such as the usermod command.
- Set ETERNUS SF role groups as main group.
- Add ETERNUS SF role groups to supplementary group.
An ETERNUS SF role is assigned to each user account.

Point

ETERNUS SF role groups can also be created via command line input. The example below shows a batch file for creating a role group.
Execute the batch file on the domain controller when using Windows domain authentication. Otherwise execute the batch file on the Management Server.

@echo off

REM # -----------------------
REM # Creating the ESFAdmin group
REM # -----------------------
net localgroup ESFAdmin > NUL 2>&1
if errorlevel 1 (
   echo ESFAdmin group add.
   net localgroup ESFAdmin /add /comment:"ETERNUS SF Administrator"
)

REM # -----------------------
REM # Creating the ESFMon group
REM # -----------------------
net localgroup ESFMon > NUL 2>&1
if errorlevel 1 (
   echo ESFMon group add.
   net localgroup ESFMon /add /comment:"ETERNUS SF Monitor"
)

4.1.1.2 User Account of Windows

Commands for Express, Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM can only be executed by users with administrator privileges for the operating system.

This section explains how to create accounts for users who can execute commands.

Point

By assigning a user account created here to an ETERNUS SF role group, you can enable the same user to both operate from the Web Console and execute commands.

For Windows

In Windows Server 2008 or later, a User Account Control function (hereafter called "UAC") has been added to enhance security.
The cases where UAC is enabled and disabled are explained below.

When UAC is enabled
When any user other than the built-in Administrator account (including accounts in the Administrators group) executes a process or program that requires administrator permissions, the "Permissions granted/authorized dialog" is displayed. Permissions granted or authorized must be confirmed.
When UAC is disabled
Processes or programs that require administrator permissions must be executed by either the built-in Administrator account or a user account in the Administrators group.

The operating conditions are shown below.

Table 4.3 Relationship Between Account and UAC
Account Type	UAC: Enabled	UAC: Disabled
Built-in Administrator account	A	A
User account in the Administrators group	B	A
Standard user account	B	C

A: Runs without displaying the permissions granted dialog box.
B: Displays the permissions granted dialog box, and runs if permissions are approved.
C: Does not run, because Administrator permissions cannot be obtained.

If you do not wish to perform the dialog process using the administrator permissions dialog box, and the conditions marked as "B" in the table above apply (for example, in batch processing), the program must be executed using administrator permissions with one of the following methods:

In the Command Prompt, use "runas" command to execute the program as a user with administrator permissions. A password must be entered after this.
[Batch file (test.bat) execution example]
```
runas /noprofile /user:mymachine\acmuser "cmd.exe /k test.bat"
```
In the Task Scheduler, specify "Execute with top level privileges" to operate the program.
Execute the program with the Command Prompt.
- For Windows Server 2008 or Windows Server 2008 R2
  From the Start menu, select All Programs > Accessories and right-click on Command Prompt. Specify "Run as Administrator" to run the Command Prompt. Execute the program from the Command Prompt.
- For Windows Server 2012 or later
  Specify "Command Prompt (Admin)" to run the Command Prompt. Execute the program from the Command Prompt.

4.1.1.3 User Account of Linux/Solaris

Express (for Linux only), Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM commands can only be executed as a root, so operate root user.

4.1.1.4 Esfpostgres User Password Change Procedure

Change the esfpostgres user password with the following procedure.

For Windows
1. Log on with a user that has Administrator privileges.
2. Activate the command prompt with "Run as Administrator".
3. Execute the following batch to stop the ETERNUS SF Manager service.
```
> $INS_DIR\Common\bin\Stop_ESFservice.bat
```
  $INS_DIR is "Program Directory" specified at the ETERNUS SF Manager installation.
4. Execute the following command to change the esfpostgres user password.
```
> net user esfpostgres *
```
5. Open ETERNUS SF Manager Postgres Service from Service Control Manager and change the password used when logging on.
  Set the same password as the esfpostgres user for the password.
6. Execute the following batch to start the ETERNUS SF Manager service.
```
> $INS_DIR\Common\bin\Start_ESFservice.bat
```
  $INS_DIR is the "Program Directory" that was specified when ETERNUS SF Manager was installed.
For Solaris/Linux
1. Log in to the server as "root" (superuser).
2. Execute the following command to stop the ETERNUS SF Manager daemon.
```
# /opt/FJSVesfcm/bin/stopesf.sh
```
3. Execute the following command to change esfpostgres user password.
```
# passwd esfpostgres
```
4. Execute the following command to start the ETERNUS SF Manager daemon.
```
# /opt/FJSVesfcm/bin/startesf.sh
```