There are three classes of GUI users with different permissions for each.
- Users with Administrator permission throughout a cluster can perform all possible actions through the GUI.
- Users with Operator permission on a server can view configuration and status information and can bring resources into service and take them out of service on that server.
- Users with Guest permission on a server can view configuration and status information on that server.
The best practice is to always grant permissions on a cluster-wide basis. It is possible to grant permissions on a single-server basis, but that is confusing to users and makes it impossible to perform administrative tasks.
User administration is performed by assigning users to local user groups on each server. Users assigned to the local Administrators group have Administrator permission, users in the local LK_OPERATOR group have Operator permission and users in the local LK_GUEST group have Guest permission. The local Administrators group is built in to all Windows machines, but the other two local groups are not, so you will need to create them.
The group names can be configured on English-language machines by editing the entries in the file Server_RB_en.properties, which can be found in the folder $LKROOT/htdoc/com/SIOS/LifeKeeper/locale. You can also localize the group names by creating a file Server_RB_xx.properties in the same folder, where “xx” is your locale code, and editing the entries in that file.
If you are working in a Domain Controller environment with no local groups or users on your servers, you can create the LK_OPERATOR and LK_GUEST groups as trusted global security groups. You will then need to set the group security policy to allow local logon to those groups.
To enable a user or a group to log in locally on a Windows server, follow the instructions below.
- Log in to the machine using an account with local Administrator privileges.
- Open the Local Security Policy MMC in the Administrative Tools program group.
- Scroll down to Local Policies -> User Rights Assignment.
- In the details pane, double-click the Allow Logon Locally policy.
- Use the Add User or Group… button to grant the local logon right to the previously created domain groups LK_OPERATOR and LK_GUEST.
Finally, you need to propagate these changes by executing the command gpupdate, which replaces the older SECEDIT /REFRESHPOLICY USER_POLICY (for more details, see https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpupdate). Once you have done this, LifeKeeper for Windows will be able to recognize members of those groups and assign them the appropriate permissions.
Note: If you create these groups and users locally on your server, the assignments affect GUI permissions only for that server. In that case, you should repeat the assignment on all servers in the cluster. This takes more work but does make the cluster more robust as it is then not dependent on access to the domain controller.
Note: The GUI group names Administrators, LK_OPERATOR, and LK_GUEST referenced above cannot be changed.
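The per-server group assignment described above, scripted so that it is applied identically on every server and the resulting membership can be compared across the cluster. This is an added example, not SIOS code: the server names, the EXAMPLE domain accounts and the use of PowerShell remoting (WinRM) are assumptions, and it does not set the Allow Logon Locally right.

```powershell
# Added example: server and account names below are hypothetical placeholders.
$Servers = 'LKNODE1', 'LKNODE2'
$Members = @{
    'LK_OPERATOR' = @('EXAMPLE\lk-ops')       # Operator permission
    'LK_GUEST'    = @('EXAMPLE\lk-viewers')   # Guest permission
}

# Assumes WinRM remoting is enabled and the caller is a local Administrator on each server.
$report = Invoke-Command -ComputerName $Servers -ArgumentList $Members -ScriptBlock {
    param($Members)
    foreach ($group in @($Members.Keys)) {
        # Only Administrators is built in; create the LifeKeeper groups if absent.
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            New-LocalGroup -Name $group -Description 'LifeKeeper GUI permission group' | Out-Null
        }
        $current = @(Get-LocalGroupMember -Group $group | ForEach-Object Name)
        foreach ($member in $Members[$group]) {
            if ($current -notcontains $member) {
                Add-LocalGroupMember -Group $group -Member $member
            }
        }
    }
    # Report the final membership of all three permission groups on this server.
    $localPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    foreach ($group in @('Administrators') + @($Members.Keys)) {
        $names = Get-LocalGroupMember -Group $group |
            ForEach-Object { $_.Name -replace $localPrefix, '.\' } |   # normalise local accounts
            Sort-Object
        [pscustomobject]@{
            Server    = $env:COMPUTERNAME
            GroupName = $group
            Members   = $names -join ';'
        }
    }
}

# Flag any group whose membership differs between servers, i.e. permissions
# that are not granted cluster-wide.
$report | Group-Object GroupName | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty Members -Unique)
    [pscustomobject]@{
        GroupName  = $_.Name
        Consistent = ($distinct.Count -eq 1)
        PerServer  = ($_.Group | ForEach-Object { "$($_.Server)=[$($_.Members)]" }) -join ' '
    }
} | Format-Table -AutoSize -Wrap
```

A row with Consistent set to False points at a server where a user holds a different GUI permission than on the rest of the cluster; the Administrators row is worth reviewing even when consistent, since every member has full control through the GUI.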