Required Permissions
File Access Manager requires different permissions depending on the task being performed. The user configured in the Application configuration wizard must have the following permissions on the Access Zone:
- Share Read permissions to all shares
- Full Control permission for each normalized folder
- Member of the local Backup Operators group
- Member of the local Administrators group
- Permissions to access the OneFS Platform API
Add the required permissions by creating a new role and associating the user with that role in one of the following ways:

- Log in to the OneFS Cluster Management Web interface and perform the following actions:
  - Click on ‘Access -> Membership and Roles’
  - Select the ‘Roles’ tab
  - Click on the ‘Create Role’ button
  - Enter a name for the role (e.g. FileAccessManager)
  - Click on the ‘Add a member to this role’ button, and add the File Access Manager user that will be used in the Application configuration wizard
  - Scroll down, click on the ‘Add a privilege to this role’ button, and add the following privileges:
    - ‘Platform API: Log in to the Platform API and WebUI’ – read_only Access
    - ‘Auth: Configure Identities and authentication sources’ – read_only Access
    - ‘Audit: Configure audit capabilities’ – read_only Access
    - ‘SMB: configure SMB server’ – read_only Access

- Run the following commands from the cluster management shell:
    isi auth roles create FileAccessManager
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_LOGIN_PAPI
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_SMB
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUTH
    isi auth roles modify FileAccessManager --add-priv-ro=ISI_PRIV_AUDIT
    isi auth roles modify FileAccessManager --add-user='<domain>\<user>'

Associate the user with the SystemAdmin and SecurityAdmin built-in roles:
    isi auth roles modify SystemAdmin --add-user='<domain>\<user>'
    isi auth roles modify SecurityAdmin --add-user='<domain>\<user>'
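
A read-back check for the FileAccessManager role created above, as an added example that is not part of the original documentation: it compares a role object with the four read-only privileges listed on this page and reports missing, extra, or read-write privileges and unexpected members. The function name `audit_role`, the JSON shape of the role listing, and the account `EXAMPLE\svc_fam` are assumptions made for illustration.

```python
import json

# Read-only privileges the page assigns to the FileAccessManager role.
REQUIRED_RO = {"ISI_PRIV_LOGIN_PAPI", "ISI_PRIV_SMB", "ISI_PRIV_AUTH", "ISI_PRIV_AUDIT"}


def audit_role(role, expected_member):
    """Compare one role object with the documented role; return a list of findings."""
    findings = []
    # Map privilege id -> read_only flag (a missing flag is treated as read-write).
    privs = {p["id"]: bool(p.get("read_only", False)) for p in role.get("privileges", [])}
    for priv in sorted(REQUIRED_RO - set(privs)):
        findings.append(f"missing privilege: {priv}")
    for priv, read_only in sorted(privs.items()):
        if priv not in REQUIRED_RO:
            findings.append(f"privilege not in the documented list: {priv}")
        elif not read_only:
            findings.append(f"read-write where read_only is documented: {priv}")
    # Account names are compared case-insensitively.
    members = {m.get("name", "").lower() for m in role.get("members", [])}
    if expected_member.lower() not in members:
        findings.append(f"service account is not a member: {expected_member}")
    for extra in sorted(members - {expected_member.lower()}):
        findings.append(f"unexpected member: {extra}")
    return findings


# Constructed sample: the JSON shape (roles[].privileges[].id/read_only,
# roles[].members[].name) is an assumption about the role listing, and
# EXAMPLE\svc_fam is a placeholder account.
SAMPLE = json.loads(r"""
{"roles": [{"name": "FileAccessManager",
  "members": [{"name": "EXAMPLE\\svc_fam", "type": "user"}],
  "privileges": [
    {"id": "ISI_PRIV_LOGIN_PAPI", "read_only": true},
    {"id": "ISI_PRIV_SMB", "read_only": false},
    {"id": "ISI_PRIV_AUTH", "read_only": true},
    {"id": "ISI_PRIV_NFS", "read_only": true}]}]}
""")

if __name__ == "__main__":
    for finding in audit_role(SAMPLE["roles"][0], r"EXAMPLE\svc_fam"):
        print(finding)
```

An empty result means the role matches the list on this page; any finding points at drift from the documented read-only role.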
Permissions Required for Each File Access Manager Task
The user must have the permissions listed below in order to perform these tasks:

Crawling
- Share Read permissions to all the shares on the file server.
- Be a member of the local Backup Operators group on the Access Zone.

Permission Collection
- Share Read permissions to all the shares on the Access Zone.
- Be a member of the local Backup Operators group on the Access Zone.
- Be a member of the local Administrators group to read the Share Permissions.
- Permissions to the OneFS Platform API to read the local Users and Groups.

Access Fulfillment
- Full Control permission on the normalized folders to be able to set the permissions.

Data Classification
- Share Read permissions for all the shares on the Access Zone.
- Be a member of the local Backup Operators group on the Access Zone.