Product: Cluster Server Guides   
Manual: Cluster Server 4.1 User's Guide   

VCS User Privileges

Cluster operations are enabled or restricted depending on the permissions with which you log on to VCS. There are various privilege levels, or categories, for users administering VCS. Each category is assigned specific privileges, and some categories overlap; for example, Cluster Administrator includes privileges for Group Administrator, which includes privileges for Group Operator. The category Cluster Guest has the fewest privileges, Cluster Administrator the most. For instructions on how to add a user and assign privileges, see Adding a User.

The following illustration shows the categories of user privileges and how they overlap with one another.


The following table lists the VCS user categories, with a summary of their associated privileges.

User Category Privileges

Cluster Administrator

Users in this category are assigned full privileges, including making configuration read-write, creating and deleting groups, setting group dependencies, adding and deleting systems, and adding, modifying, and deleting users. All group and resource operations are allowed. Users with Cluster Administrator privileges can also change other users' privileges and passwords.



Note    Cluster Administrators can change their own and other users' passwords only after changing the configuration to read/write mode.

Users in this category can create and delete resource types.

Cluster Operator

In this category, all cluster-, group-, and resource-level operations are allowed, including modifying the user's own password and bringing service groups online.



Note    Users in this category can change their own passwords only if configuration is in read/write mode. Cluster Administrators can change the configuration to the read/write mode.

Additionally, users in this category can be assigned Group Administrator privileges for specific service groups.

Group Administrator

Users in this category can perform all service group operations on specific groups, such as bringing groups and resources online, taking them offline, and creating or deleting resources. Additionally, users can establish resource dependencies and freeze or unfreeze service groups. Note that users in this category cannot create or delete service groups.

Group Operator

Users in this category can bring service groups and resources online and take them offline. Users can also temporarily freeze or unfreeze service groups.

Cluster Guest

Users in this category have read-only access, meaning they can view the configuration, but cannot change it. They can modify their own passwords only if the configuration is in read/write mode. They cannot add or update users. Additionally, users in this category can be assigned Group Administrator or Group Operator privileges for specific service groups.



Note    By default, newly created users are assigned Cluster Guest permissions.

User categories are set implicitly, as shown in the figure in VCS User Privileges, but may also be set explicitly for specific service groups. For example, a user in category Cluster Operator can be assigned the category Group Administrator for one or more service groups. Likewise, a user in category Cluster Guest can be assigned Group Administrator and Group Operator.

Review the following sample main.cf:


Cluster vcs (
  UserNames = { sally = Y2hJtFnqctD76, tom = pJad09NWtXHlk,
   betty = kjheewoiueo, lou = T6jhjFYkie, don = gt3tgfdgttU,
    intern = EG67egdsak }
  Administrators = { tom }
  Operators = { sally }
  ...
  )
Group finance_server (
  Administrators = { betty }
  Operators = { lou, don }
  ...
  )
Group hr_application (
  Administrators = { sally }
  Operators = { lou, betty }
  ...
  )
Group test_server (
  Administrators = { betty }
  Operators = { intern, don }
  ...
  )

  • User tom is Cluster Administrator.
  • User sally is Cluster Operator and Group Administrator for service group hr_application.
  • User betty does not have Cluster Administrator or Cluster Operator privileges. However, she is Group Administrator for the service groups finance_server and test_server. She is also Group Operator for the service group hr_application.
  • User lou has no privileges at the cluster level. However, he is Group Operator for the service groups finance_server and hr_application.
  • User don does not have Cluster Administrator or Cluster Operator privileges. However, he is Group Operator for the service groups finance_server and test_server.
  • User intern does not have Cluster Administrator or Cluster Operator privileges. However, he or she is Group Operator for the service group test_server.

    Category                  tom   sally   betty   lou   don   intern
    Cluster Administrator      ✓      -       -      -     -      -
    Cluster Operator           ✓      ✓       -      -     -      -
    finance_server Admin.      ✓      -       ✓      -     -      -
    finance_server Operator    ✓      ✓       ✓      ✓     ✓      -
    hr_application Admin.      ✓      ✓       -      -     -      -
    hr_application Operator    ✓      ✓       ✓      ✓     -      -
    test_server Admin.         ✓      -       ✓      -     -      -
    test_server Operator       ✓      ✓       ✓      -     ✓      ✓
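
As an added example (not part of the VERITAS guide or of VCS), the following Python script parses the sample main.cf above and derives each user's effective role per service group from the overlap rules this page describes, which is useful when reviewing who actually holds administrative rights. The function names, the role labels ("admin", "operator", "guest", "none") and the regex-based parsing of this simplified syntax are assumptions made for illustration.

```python
import re

# Sample main.cf from the page above ("..." lines dropped, cluster "(" restored).
MAIN_CF = """
Cluster vcs (
  UserNames = { sally = Y2hJtFnqctD76, tom = pJad09NWtXHlk, betty = kjheewoiueo,
    lou = T6jhjFYkie, don = gt3tgfdgttU, intern = EG67egdsak }
  Administrators = { tom }
  Operators = { sally }
  )
Group finance_server (
  Administrators = { betty }
  Operators = { lou, don }
  )
Group hr_application (
  Administrators = { sally }
  Operators = { lou, betty }
  )
Group test_server (
  Administrators = { betty }
  Operators = { intern, don }
  )
"""
BLOCK = re.compile(r"^(cluster|group)\s+(\w+)\s*\((.*?)^\s*\)", re.S | re.M | re.I)
ATTR = re.compile(r"(\w+)\s*=\s*\{(.*?)\}", re.S)

def parse(text):
    """Return {(kind, name): {attribute: [names]}} for each cluster/group block."""
    return {(kind.lower(), name): {
                key: [e.split("=")[0].strip() for e in val.split(",") if e.strip()]
                for key, val in ATTR.findall(body)}
            for kind, name, body in BLOCK.findall(text)}

def effective(text):
    """Map user -> {"cluster": role, <group>: role} using the overlap rules."""
    cfg = parse(text)
    cluster = next(v for (kind, _), v in cfg.items() if kind == "cluster")
    result = {}
    for user in cluster.get("UserNames", []):
        top = ("admin" if user in cluster.get("Administrators", []) else
               "operator" if user in cluster.get("Operators", []) else
               "guest")  # page: newly created users default to Cluster Guest
        roles = {"cluster": top}
        for (kind, group), attrs in cfg.items():
            if kind == "group":  # Group Administrator includes Group Operator
                admin = top == "admin" or user in attrs.get("Administrators", [])
                oper = top == "operator" or user in attrs.get("Operators", [])
                roles[group] = "admin" if admin else "operator" if oper else "none"
        result[user] = roles
    return result
```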

VERITAS Software Corporation
www.veritas.com