Assign Access Control Lists (ACLs) in ViPR

Introduction

An Access Control List (ACL) is a list of permissions attached to a ViPR resource that specifies which tenants are authorized to access VDC-level resources and which users or groups are authorized to access tenant-level resources. ACLs also indicate which operations are allowed on the resource. This article describes how to assign access to ViPR using access control lists (ACLs).

This article applies to EMC ViPR 2.0.

You should ensure you are familiar with the idea behind ACLs described in:

Set up the VDC for a tenant

You can add access control to virtual arrays and virtual pools to make them available to specific tenants.

A virtual array comprises array endpoints and host endpoints interconnected by a SAN fabric or an IP network. The virtual array can comprise both fibre channel and IP networks. In this way different array ports can be configured into different virtual arrays, allowing a physical array to contribute to more than one virtual array.

This partitioning of physical arrays into virtual arrays, coupled with the ability to assign access to specific tenants, provides control over the storage provisioning environment made available to a tenant.

Even finer-grained control can be obtained by assigning specific virtual pools to tenants. For storage provisioning purposes, the physical storage pools of a virtual array are offered as virtual pools based on their performance and protection characteristics. If a virtual pool is configured to use a particular array type, restricting access to that virtual pool to specific tenants can prevent particular tenants from accessing the array. Similarly, you could restrict access to a pool that provides a particular performance characteristic, such as SSD.

Set up virtual arrays and virtual pools for a ViPR tenant

When setting up a tenant, a System Administrator can configure access to virtual arrays and virtual pools.

Before you begin

  • You must have the System Administrator role in ViPR.

Prior to assigning a virtual array or virtual pool to one or more tenants, the virtual array or virtual pool is available to all tenants. When you assign a virtual array or virtual pool to one or more tenants, it goes from being unrestricted to being available only to the selected tenants. Tenants that could see the virtual array or virtual pool prior to the assignment will no longer be able to do so.

For this reason, restricting access for a specific tenant actually means assigning access to all of the tenants that you do want to allow.
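
An added sketch (not ViPR code and not part of the original article) that models the behaviour described above, so that the tenants who would lose access can be listed before an assignment is saved. The tenant names, the function names and the use of None for an unrestricted resource are assumptions made for the example.

```python
# Added illustration: a model of the allow-list behaviour described above.
# It is not ViPR code and does not call ViPR; tenant names are constructed.

UNRESTRICTED = None  # models "Grant Access to Tenants" left unchecked


def visible_to(acl, all_tenants):
    """Tenants that can see a virtual array or pool with the given ACL."""
    if acl is UNRESTRICTED:
        return set(all_tenants)
    return set(acl) & set(all_tenants)


def preview_assignment(current_acl, proposed_acl, all_tenants):
    """Report who gains and who loses access if proposed_acl is saved."""
    before = visible_to(current_acl, all_tenants)
    after = visible_to(proposed_acl, all_tenants)
    return {
        "lose": sorted(before - after),
        "gain": sorted(after - before),
        # Names in the proposal that match no tenant (for example a typo).
        "unknown": sorted(set(proposed_acl or ()) - set(all_tenants)),
    }


def acl_to_exclude(excluded, all_tenants):
    """Allow-list to assign so that only the `excluded` tenants are shut out."""
    unknown = set(excluded) - set(all_tenants)
    if unknown:
        raise ValueError(f"unknown tenants: {sorted(unknown)}")
    allowed = set(all_tenants) - set(excluded)
    if not allowed:
        raise ValueError("every tenant excluded; nobody could use the resource")
    return sorted(allowed)


# Constructed sample data.
TENANTS = ["engineering", "finance", "hr", "provider"]

if __name__ == "__main__":
    # Granting an unrestricted pool to one tenant removes it from the rest.
    print(preview_assignment(UNRESTRICTED, ["finance"], TENANTS))
    # Shutting out only "hr" means assigning every other tenant.
    print(acl_to_exclude(["hr"], TENANTS))
```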

Procedure

  1. Virtual array configuration. To select a virtual array and make it available to specific tenants:
    1. At the ViPR UI, select Admin > Virtual Assets > Virtual Arrays.
    2. Select the virtual array that you want to assign/restrict access to.
    3. Check the Grant Access to Tenants box and choose the tenants that you want the virtual array to be available to.
      The Tenant Access panel on the Edit Virtual Array page is shown below.
    4. Save the virtual array.

    Applying virtual array tenant restriction

    Users belonging to the specified tenants will have access to the virtual array.
  2. Virtual pool configuration. To select a virtual pool and make it available to specific tenants:
    1. At the ViPR UI, select Admin > Virtual Assets > Block Virtual Pools or Admin > Virtual Assets > File Virtual Pools.
    2. Select the virtual pool that you want to assign/restrict access to.
    3. Expand the Access Control Panel and check the Grant Access to Tenants box. Choose the tenants that you want the virtual pool to be available to.
      The Tenant Access panel on the Edit/Create File Virtual Pool page is shown below.
    4. Save the virtual pool.

    Applying virtual pool tenant restriction

    Users belonging to the specified tenants will have access to the virtual pool.

Assign project and service catalog permissions using ACLs

Access control lists are provided to enable you to configure access to the service catalog and to projects for provisioning users.

Before you begin

ACLs do not restrict a Tenant Administrator's access: a Tenant Administrator has ultimate authority in the tenant, and their access to the service catalog and projects cannot be restricted using ACLs.

This task is referenced by areas that use ACLs and provides general information on assigning users and groups to ACLs.

The role that you require depends on the area to which you are applying access control.

Procedure

  1. Select Add ACL.
    An ACL entry record is displayed.


    Access Control List area

  2. From the Type drop-down, select whether you are using this entry to set access permissions for a user or a group.
  3. In the Name field, enter the name of the user or group that you are assigning permissions to.
    Both users and groups are added in the format: username@yourco.com, or groupname@yourco.com. Users and groups must have been made available to the current tenant (mapped).
  4. In the Access field, use the drop-down list to select the access permissions that you want to assign to the user or group.
  5. If you want to add further ACL entries, choose Add ACL to add another entry.
  6. If you decide you do not need an entry you have made, click the Remove button.
  7. Save the form that you are editing.