4.0.0 HP Polyserve Matrix Server Administration Guide (T5392-96052, March 2010)
Tips for specifying accounts
When specifying accounts for a role, you should be aware of the following:
• Matrix Server uses the contents of the access token created when you logged into
the cluster to determine user and group identities.
• To simplify Role-Based Security administration, specify groups instead of users
wherever possible.
• Specify groups that are valid for all servers in the cluster. Domain universal groups
and domain global groups have access to all servers. You can also use domain
local groups from the domain to which the servers belong.
NOTE:
Matrix Server will not prevent you from adding users or groups that are not valid
on all nodes. For example, you can add local users or groups to a role, but these
users and groups have the permissions of the role only on the local server and
are not valid role members on the other servers.
• Matrix Server follows the same rules as those for adding users and groups to
machine local groups and domain local groups. If you can add a user or group
to a filesystem ACL for a given PSFS file or directory, you can add that same user
or group to a role. If you cannot add a user or group to a filesystem ACL, do not
add that user or group to a role, as the user or group is not valid on all servers.
• To add a user or group by SID, you will need to know the SID. You can find SIDs
for the currently logged-on user and group memberships by running the Windows
whoami command. To find the SID for a user or group that is not in your access
token, use the Microsoft Windows 2003 support tool getsid.exe, which is
available on the Windows 2003 installation media.
• If a user account name contains more than 20 characters, you will need to specify
the account name in UPN format, as a SID, or as a pre-Windows 2000 name.
Names in NTLM format (NetBIOS-domain\username, DNS-name\username, or
isolated names without domains) will fail if the user account name contains more
than 20 characters. This restriction does not apply to group account names.
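A pre-check for the rules above, as an added PowerShell example (not from the HP guide or from Matrix Server): it classifies each account string by format, flags domain\name and isolated names whose name part exceeds 20 characters, resolves the SID with the .NET NTAccount and SecurityIdentifier classes, and marks accounts that belong to the local server. The function name Test-RoleAccount and the sample account names are assumptions.

```powershell
# Added example. Test-RoleAccount is a hypothetical helper, not a Matrix Server command.
# Requires PowerShell 3.0 or later; run it on a cluster server.
function Test-RoleAccount {
    param([Parameter(Mandatory = $true)][string[]]$Account)

    foreach ($name in $Account) {
        $notes = @()
        $leaf = $null

        # Classify the input using the format names from the guide.
        if ($name -match '^S-1-\d+(-\d+)+$') {
            $format = 'SID'
        } elseif ($name -match '^[^\\@]+@[^\\@]+$') {
            $format = 'UPN'
        } elseif ($name -match '^[^\\]+\\(?<leaf>[^\\]+)$') {
            $format = 'Domain\Name'; $leaf = $Matches['leaf']
        } else {
            $format = 'Isolated'; $leaf = $name
        }

        # NTLM-style and isolated names fail for user accounts over 20 characters.
        if ($leaf -and $leaf.Length -gt 20) {
            $notes += 'Name part exceeds 20 characters: for a user, use UPN, SID, or pre-Windows 2000 name'
        }

        # Resolve to a SID, then back to a canonical DOMAIN\name.
        $sid = $null; $resolved = $null
        try {
            if ($format -eq 'SID') {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
            } else {
                $nt  = New-Object System.Security.Principal.NTAccount($name)
                $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
            }
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
            # An account owned by this computer carries the role's permissions only here.
            if ($resolved.Split('\')[0] -eq $env:COMPUTERNAME) {
                $notes += 'Local account: not a valid role member on the other servers'
            }
        } catch {
            $notes += 'Could not be resolved on this server'
        }

        [pscustomobject]@{ Input = $name; Format = $format; Sid = "$sid"; Resolved = $resolved; Notes = $notes -join '; ' }
    }
}

# Constructed sample names; replace with the accounts you plan to add.
Test-RoleAccount 'EXAMPLE\Matrix Operators', 'a.very.long.account.name.example', 'jsmith@example.com'
```

The length check cannot tell a user from a group, so a flagged group name can be ignored. Running the check on each server shows whether an account resolves everywhere.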
View effective rights
The My Rights tab on the Role-Based Security Control Panel lists the effective rights
that you have on the cluster. Effective rights are the sum of the rights provided by all