Viewing and setting up the security policy

The ESI Service authorizes every API call based on the Windows identity of the caller. Authorization is granted based on the caller’s role membership. The following Service roles are defined by the ESI Service. If these roles are changed, the ESI Service will not work.

The ESI Service Administrator can add principal names (security groups or users) to one of these ESI Service roles. Adding a security principal to a Service role enables the administrator to delegate access control to one or more users who can add or modify members of the group. For example, after you add a group to the Monitor role, any user who belongs to this group can make an ESI Service call.

Note: As an exception to the role assignments, the ESI Service automatically grants the Administrator role to the local administrator group on the host that is running the ESI Service. This allows any local administrator to manage the ESI Service without being explicitly added; however, the user must be running with elevated credentials if UAC is enabled.

View the security policy

View the security policy in one of the following ways:

  1. Open a web browser that supports Windows Authentication and browse to the ESI Service console. If you have changed the default port numbers, replace the following default numbers with your assigned ports:

  2. Open a PowerShell command prompt and import the toolkit with the Import-Module ESIServicePSToolkit cmdlet. Then type the following, and press Enter:

Get-EmcServicePolicy

 

Set the security policy for a user

    To set the security policy for a user:

  1. If necessary, import the ESI Service PowerShell module on the ESI host system. To import the module, open a PowerShell command prompt, type the following, and press Enter:

   Import-Module ESIServicePSToolkit

  2. Type the following, replacing <domain name>\<principal name> with the applicable domain name and principal name that you want to add to the Monitor role, and then press Enter:

Add-EmcUser "<domain name>\<principal name>" Monitor

Note: The cmdlet fails if the principal name is invalid. To add the principal name to the Administrator role instead, replace Monitor in the command above with Administrator.
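The procedure above as one guarded function, added here as an example and not part of the ESI documentation. The function name Add-EsiRoleMember and the sample principal CONTOSO\ESI-Monitors are assumptions; only Import-Module ESIServicePSToolkit, Add-EmcUser and Get-EmcServicePolicy come from this page.

```powershell
# Added example. Add-EsiRoleMember is a hypothetical wrapper name; the three
# ESI cmdlets it calls are the ones shown on this page.
function Add-EsiRoleMember {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\/]+\\[^\\/]+$')]      # require DOMAIN\name form
        [string] $Principal,

        [ValidateSet('Monitor', 'Administrator')]
        [string] $Role = 'Monitor'                   # default to the lesser role
    )
    $ErrorActionPreference = 'Stop'

    # Local administrators hold the Administrator role implicitly, but with UAC
    # enabled that only applies to an elevated session. Warn instead of failing,
    # because the caller may have been added to the role explicitly.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $current  = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $current.IsInRole($adminRole)) {
        Write-Warning "Session for $($identity.Name) is not elevated; the call may be denied."
    }

    # Add-EmcUser fails on an invalid principal. Resolving the name to a SID
    # first gives a clear error and catches typos before the service is touched.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Principal)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Principal '$Principal' does not resolve to a SID: $($_.Exception.Message)"
    }

    Import-Module ESIServicePSToolkit
    if ($PSCmdlet.ShouldProcess("$Principal ($sid)", "Add to ESI Service role '$Role'")) {
        Add-EmcUser $Principal $Role
    }
    # Return the resulting policy so the change can be reviewed or logged.
    Get-EmcServicePolicy
}

# Constructed sample principal; replace with a real group in your domain.
Add-EsiRoleMember -Principal 'CONTOSO\ESI-Monitors' -Role Monitor
```

Because ConfirmImpact is High, the function prompts before each role grant unless -Confirm:$false is passed.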

 
