ETERNUS SF Express V16.9 / Storage Cruiser V16.9 / AdvancedCopy Manager V16.9 Installation and Setup Guide
FUJITSU Storage

4.1.1 Setting Up User Account

Set up a user account in order to use the ETERNUS SF Manager functions.
The privileges granted to the Web Console user and command execution user accounts, and the range of operations each can control, are shown in the table below.

| ETERNUS SF Role | Administrator Privilege of Operating System: Yes | Administrator Privilege of Operating System: No |
|---|---|---|
| Yes | Operations are possible from Web Console and the command line. | Operations are possible only from Web Console. |
| No | Operations are possible only from the command line. | Operations are neither possible from Web Console nor from the command line. |

The following sections explain how to create and set up the Web Console user and the command execution user accounts, and how to change the password of the user (esfpostgres) that is used internally by the ETERNUS SF system.

Note

  • The user (esfpostgres) used internally by the ETERNUS SF system is required to run the ETERNUS SF system, so do not delete the user account. When the product is installed, the password is set to a default value, so change the password before using the ETERNUS SF system. Also change the password periodically while running the ETERNUS SF system.

  • If ETERNUS SF Manager is installed on multiple servers, the esfpostgres user cannot be shared between those servers. For example, if multiple servers with the domain controller role exist in a single domain in a Windows environment and the domain controllers share the user information through the replication function, ETERNUS SF Manager can only be installed on a single domain controller. Install the second and subsequent ETERNUS SF Managers on member servers.

  • Periodically change the account name and password for the Web Console user and the command execution user.

4.1.1.1 Creating User Accounts for Operating from Web Console

For user authentication when logging in to Web Console, the ETERNUS SF product uses the authentication system of the OS on the Management Server.

In order to give a user the privilege ("role") to use ETERNUS SF product, you must create ETERNUS SF role groups to which each user account is allocated.

The table below shows the relationships between the ETERNUS SF roles that are given to ETERNUS SF role groups and the Web Console control actions that are permitted to users belonging to the respective role group.

Table 4.1 For Windows Environments

| ETERNUS SF Role Group | ETERNUS SF Role | Permitted Web Console Controls |
|---|---|---|
| ESFAdmin | Administrator | All operations |
| ESFMon | Monitor | Only display-related operations |

Table 4.2 For Solaris or Linux Environments

| ETERNUS SF Role Group | ETERNUS SF Role | Permitted Web Console Controls |
|---|---|---|
| esfadmin | Administrator | All operations |
| esfmon | Monitor | Only display-related operations |

  1. Create the following two ETERNUS SF role groups.

    For Windows Environments

    Create the following two groups.

    • ESFAdmin

    • ESFMon

    If using Windows domain authentication, create the ETERNUS SF role groups in the domain controller (Active Directory).
    If not using Windows domain authentication, create the ETERNUS SF role groups on the Management Server.

    Note

    • Set the Windows security policy to permit local logon for the ETERNUS SF role groups.

    • When creating the ETERNUS SF role groups in the domain controller (Active Directory), the scope and type of each group must be specified. Make sure to specify the following values:

      Group scope: Domain local or Universal

      Group type: Security

    • If an arbitrary name is specified when creating an ETERNUS SF role group, or if a group with Universal scope is used as an ETERNUS SF role group, perform the operation described in "Appendix K Customizing Role Group Configuration File".

    For Solaris or Linux Environments

    Create the following two groups using a command such as the "groupadd" command.

    • esfadmin

    • esfmon

  2. Create user accounts for operating from Web Console.

    For Windows Environments

    If using Windows domain authentication, create user accounts in the domain controller (Active Directory).
    If not using Windows domain authentication, create user accounts on the Management Server.

    For Solaris or Linux Environments

    Create a user account on the Management Server using a command such as the "useradd" command.

  3. Assign the created user accounts to ETERNUS SF role groups.

    For Windows Environments

    Use a tool such as [Computer Management].

    For Solaris Environments

    Configure one of the following for the target user accounts by using a command such as the "usermod" command.

    • Set an ETERNUS SF role group as the primary group.

    • Add an ETERNUS SF role group as a secondary group.

    For Linux Environments

    Configure one of the following for the target user accounts by using a command such as the "usermod" command.

    • Set an ETERNUS SF role group as the main group.

    • Add an ETERNUS SF role group as a supplementary group.

    An ETERNUS SF role is assigned to each user account.
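As an added example (not part of the Fujitsu manual), the shell function below audits the result of steps 1 to 3 on a Solaris or Linux Management Server: it reads the group and passwd files and lists every local account that holds an ETERNUS SF role through primary or supplementary membership of esfadmin or esfmon. It assumes local account files rather than a directory service, treats UID 0 as the operating system administrator privilege from the first table, and the accounts in the hypothetical esf_role_demo helper are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the manual: list local accounts that hold an
# ETERNUS SF role through the esfadmin / esfmon groups.
# Output (sorted): user:role:membership:scope
#   scope is web+cli for UID 0, else web (assumption: UID 0 = OS admin privilege)
esf_role_audit() {
    awk -F: '
        function role_of(group) {
            if (group == "esfadmin") return "Administrator"
            if (group == "esfmon") return "Monitor"
            return ""
        }
        phase == "group" {            # group file: name:passwd:gid:members
            role = role_of($1)
            if (role == "") next
            by_gid[$3] = role
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] != "") supp[members[i], role] = 1
            next
        }
        phase == "passwd" {           # passwd file: name:passwd:uid:gid:...
            scope = ($3 == "0") ? "web+cli" : "web"
            primary = ($4 in by_gid) ? by_gid[$4] : ""
            if (primary != "") print $1 ":" primary ":primary:" scope
            for (r = 1; r <= 2; r++) {
                role = (r == 1) ? "Administrator" : "Monitor"
                if (role != primary && (($1, role) in supp))
                    print $1 ":" role ":supplementary:" scope
            }
        }
    ' phase=group "${1:-/etc/group}" phase=passwd "${2:-/etc/passwd}" | LC_ALL=C sort
}

# Constructed sample data (hypothetical accounts), so the audit runs offline.
esf_role_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'esfadmin:x:1500:root,alice' 'esfmon:x:1501:bob,alice' \
        'users:x:100:' > "$dir/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:1001:100::/home/alice:/bin/sh' \
        'bob:x:1002:100::/home/bob:/bin/sh' 'carol:x:1003:1501::/home/carol:/bin/sh' \
        'dave:x:1004:100::/home/dave:/bin/sh' > "$dir/passwd"
    esf_role_audit "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}
```

Run `esf_role_audit` with no arguments to check the live /etc/group and /etc/passwd; an account listed under both roles or an unexpected Administrator entry is worth reviewing.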

Point

ETERNUS SF role groups can also be created via command line input. The example below shows a batch file for creating the role groups.
Execute the batch file on the domain controller when using Windows domain authentication. Otherwise, execute the batch file on the Management Server.

@echo off

REM # -----------------------
REM # Creating the ESFAdmin group
REM # -----------------------
net localgroup ESFAdmin > NUL 2>&1
if errorlevel 1 (
   echo ESFAdmin group add.
   net localgroup ESFAdmin /add /comment:"ETERNUS SF Administrator"
)

REM # -----------------------
REM # Creating the ESFMon group
REM # -----------------------
net localgroup ESFMon > NUL 2>&1
if errorlevel 1 (
   echo ESFMon group add.
   net localgroup ESFMon /add /comment:"ETERNUS SF Monitor"
)

4.1.1.2 User Account of Windows

Commands for Express, Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM can only be executed by users with administrator privileges for the operating system.

This section explains how to create accounts for users who can execute commands.

Point

By assigning a user account created here to an ETERNUS SF role group, you can enable the same user to both operate from Web Console and execute commands.

The cases where User Account Control (hereafter referred to as "UAC") of the Windows operating system is enabled and disabled are explained below.

The operating conditions are shown below.

Table 4.3 Relationship Between Account and UAC

| Account Type | UAC: Enabled | UAC: Disabled |
|---|---|---|
| Administrator account | Y | Y |
| User account in the Administrators group | N (*1) | Y |
| Standard user account | N (*1) | N |

Y: A process or program runs without displaying the permissions granted/authorized dialog.
N: A process or program does not run because the user does not have administrator privileges.
*1: The permissions granted/authorized dialog is displayed and the process or program runs if the user is authorized. However, the message output by the process or program is not displayed.


When UAC is enabled and a process or program is executed by any user other than the Administrator account, use one of the methods below to execute that process or program with administrator privileges:

Table 4.4 How to Disable Interactive Processes in the Permissions Granted/Authorized Dialog

| Disabling Interactive Processes | User Account in the Administrators Group | Standard User Account |
|---|---|---|
| Specify "Command Prompt (Admin)" to run the Command Prompt. Execute the program from the Command Prompt. | Can Disable | Can Disable |
| In the task scheduler, start the process with "Execute with maximum permissions" specified. | Can Disable | Cannot Disable |

4.1.1.3 User Account of Linux/Solaris

Express (for Linux environments only), Storage Cruiser, AdvancedCopy Manager and AdvancedCopy Manager CCM commands can only be executed as root, so operate as the root user.

4.1.1.4 Esfpostgres User Password Change Procedure

Change the esfpostgres user password with the following procedure.