Register HMC with a non-hscroot user from PowerVC

By Sharat S posted Sun December 11, 2022 11:21 PM

  

Overview

Until the 2.0.3 release, PowerVC users registered the Hardware Management Console (HMC) with PowerVC using the hscroot user, which is a super admin. This user has privileges to run all tasks on the HMC. PowerVC, however, does not need super admin access, because it requires privileges for only a handful of tasks.

In some on-premises customer environments, the HMC administrator is different from the PowerVC administrator. The HMC administrator does not want to give PowerVC full HMC access because it creates a security gap. Therefore, to meet these security requirements, in the 2.1.0 release we introduced a new non-hscroot user that on-premises customers can use to register the HMC with PowerVC. This user has only the specific set of privileges that PowerVC requires to initiate a session with the HMC, execute the APIs, and get the response.

hscroot user vs the new non-hscroot user

  • hscroot user: The hscroot user is a super admin user. This user has 176 task privileges across four HMC tasks.
  • non-hscroot user: This user has the specific set of privileges that PowerVC requires to execute all the PowerVC REST APIs successfully. PowerVC only requires access to 59 task privileges across three HMC tasks.

The privileges required by PowerVC are listed below:
(Screenshot: task list for non-hscroot user)

Creating a new user in HMC

Creating the new user using the CLI

  1. SSH into the HMC as an administrator.
  2. Execute these commands.
    1. Create a new role with the required tasks. The resources attribute contains commas, so it is enclosed in escaped double quotes inside the quoted -i string.
      hscroot@ch-hmc-01:~> mkaccfg -t taskrole -i "name=pvcrole,parent=hmcsuperadmin,\"resources=cec:CECPowerOff+CECPowerOn+ChangeCECPassword+ChangeCECProperty+ChangeCoD+ChangePowerManagement+CoDPoolManagement+CreateLPAR+EditCECMTMS+ListCECProperty+ListCoDInformation+ListCoDNotifications+ListSSP+ListUtilizationData+ManageCoDNotifications+ManageDumps+ManageSPP+ManageSSP+ManageSriovAdapter+ManageUtilizationData+ManageVirtualNetwork+ManageVirtualStorage+MoveSriovAdapter+PartitionConfigurationImage+RebuildCEC+RecoverPartitionData+RemoveCEConnection+ViewDumps+ViewPowerManagement+ViewSPP,lpar:ActivateLPAR+CapturePartitionTemplate+ChangeLPARProperty+ChangeProfileProperty+CloseVTerm+Connect5250VTerm+CreateProfile+Delete5250VTerm+DeleteLPAR+DeleteProfile+DisableEnableVirtualEthernet+DlparOperation+HibernateLPAR+ListLPARProperty+ListProfileProperty+ManageLPARDebugData+ManageProfile+MigrateLPAR+Open5250VTerm+OpenVTerm+PartProfileCopy+RRStartLPAR+RebootLPAR+RemoteRestartLPAR+ShutdownLPAR+VirtualIOServerCommand,HMCConsole:ChangeHMCFileSystems+ListHMCConfiguration+ViewHMCFileSystems\""
    2. Assign the new role to the new user. The password abcd1234 is only a sample value; set a strong one.
      hscroot@ch-hmc-01:~> mkhmcusr -u pvcuser -a pvcrole -d pvcuser --passwd abcd1234
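
Once the role exists, it is worth checking periodically that it still grants exactly the 59 tasks listed above and nothing more. The script below is an added example, not part of the original post or of PowerVC or HMC: it compares a role definition against that baseline and reports missing and extra tasks. It assumes the role is available as a line in the same name=...,"resources=..." form as the mkaccfg input (for example copied from lsaccfg -t taskrole output, whose exact format is an assumption here); the function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an HMC task role against the 59-task PowerVC baseline.
# BASELINE is copied from the mkaccfg command on this page.
BASELINE='cec:CECPowerOff+CECPowerOn+ChangeCECPassword+ChangeCECProperty+ChangeCoD+ChangePowerManagement+CoDPoolManagement+CreateLPAR+EditCECMTMS+ListCECProperty+ListCoDInformation+ListCoDNotifications+ListSSP+ListUtilizationData+ManageCoDNotifications+ManageDumps+ManageSPP+ManageSSP+ManageSriovAdapter+ManageUtilizationData+ManageVirtualNetwork+ManageVirtualStorage+MoveSriovAdapter+PartitionConfigurationImage+RebuildCEC+RecoverPartitionData+RemoveCEConnection+ViewDumps+ViewPowerManagement+ViewSPP'
BASELINE="$BASELINE,lpar:ActivateLPAR+CapturePartitionTemplate+ChangeLPARProperty+ChangeProfileProperty+CloseVTerm+Connect5250VTerm+CreateProfile+Delete5250VTerm+DeleteLPAR+DeleteProfile+DisableEnableVirtualEthernet+DlparOperation+HibernateLPAR+ListLPARProperty+ListProfileProperty+ManageLPARDebugData+ManageProfile+MigrateLPAR+Open5250VTerm+OpenVTerm+PartProfileCopy+RRStartLPAR+RebootLPAR+RemoteRestartLPAR+ShutdownLPAR+VirtualIOServerCommand"
BASELINE="$BASELINE,HMCConsole:ChangeHMCFileSystems+ListHMCConfiguration+ViewHMCFileSystems"

# Expand "type:A+B,type2:C" into unique "type:task" lines, one per task.
expand_tasks() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r group; do
    [ -n "$group" ] || continue
    printf '%s\n' "${group#*:}" | tr '+' '\n' | sed "s/^/${group%%:*}:/"
  done | sort -u
}

# Pull the resources value out of a name=...,"resources=..." role line.
resources_of() {
  printf '%s\n' "$1" | sed -n 's/.*resources=\([^"]*\).*/\1/p'
}

# Print the lines of list $1 that do not appear in list $2.
only_in() {
  printf '%s\n' "$1" | while IFS= read -r t; do
    [ -n "$t" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$t" || printf '%s\n' "$t"
  done
}

# Report MISSING/EXTRA tasks; status 0 only when the role matches exactly.
# A line with no resources value reports every baseline task as MISSING.
audit_role() {
  want=$(expand_tasks "$BASELINE")
  have=$(expand_tasks "$(resources_of "$1")")
  missing=$(only_in "$want" "$have")
  extra=$(only_in "$have" "$want")
  [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/MISSING /'
  [ -z "$extra" ] || printf '%s\n' "$extra" | sed 's/^/EXTRA /'
  [ -z "$missing$extra" ]
}

# Constructed sample role line: one baseline task dropped, one placeholder
# task (ExampleExtraTask, not a real HMC task name) added.
SAMPLE="name=pvcrole,parent=hmcsuperadmin,\"resources=${BASELINE%+ViewHMCFileSystems}+ExampleExtraTask\""
audit_role "$SAMPLE" || echo "pvcrole has drifted from the PowerVC baseline"
```

An EXTRA line means the role grants more than PowerVC needs; a MISSING line means some PowerVC operations may fail.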

Creating the new user using the HMC GUI

  1. Log in to the HMC as an administrator.
  2. From the User management menu, select Tasks and resource roles.
     (Screenshot: User management menu > Task and resource roles)
  3. Select Task Roles.
  4. Select Add from the Edit drop-down.
     (Screenshot: Customise user controls dialog)
  5. Enter a name in the Role name field.
  6. Select hmcsuperadmin from the Based on drop-down.
  7. Select the required tasks from the Available Tasks pane, then click Add to move the selected tasks to the Current Tasks pane.
     (Screenshot: Add role dialog)
  8. Click OK.
  9. From the User management menu, click User profiles and access.
     (Screenshot: User profile and access)
  10. Select Add from the drop-down.
     (Screenshot: User profiles dialog)
  11. Enter User ID and Password.
  12. Select the newly created role.
  13. Click OK.
     (Screenshot: Add user dialog)

Registering HMC with the new user

  1. Log in to PowerVC.
  2. From the Hosts menu, click HMCs, then click Add.
     (Screenshot: Add HMC)
  3. Populate the new user details and click Add to register HMC with the new user.
     (Screenshot: Add HMC with new user)

Switching to the new user

Users who have already registered the HMC with the hscroot user can switch to the new user.

  1. From the Hosts menu, click HMCs.
  2. Click an HMC to update the credentials.
  3. Edit the credentials of the new user.
  4. Click Save.
     (Screenshot: Edit HMC connection)

Important information

The specific set of privileges required by PowerVC has been identified. The PowerVC team is working with the HMC team to have the new user created implicitly by the HMC, so that the overhead of creating the new user manually can be removed. For now, create a user with the roles specified and register the HMC with the newly created non-hscroot user.

Keep watching our social outlets for more interesting information about PowerVC! Find us on Facebook, LinkedIn, Twitter, and YouTube.
If you have any queries, post them in the comments section.

Blog authors:
Sharat Sharma S
Arun Mani


Comments

Tue September 17, 2024 06:07 AM

Very Informative.