A tenant must at all times have at least one user that can manage user and group accounts. This means that the tenant must have at least one user or group account with the security role. If the tenant does not have such a group account and the passwords for all user accounts with the security role have been lost, the tenant is in a state in which no users can manage user and group accounts.
To recover from this state, you can use the resetSecurityGroup query parameter to do either of these:
• Assign the security role to an existing HCP group account. In this case, the value of the resetSecurityGroup parameter must be the name or external group ID of an existing HCP group account.
• Create a new HCP group account with only the security role. In this case, the value of the resetSecurityGroup parameter must be the name or SID of an AD group defined in the AD forest supported by HCP. You can specify the name in either of these formats:
group-name
group-name@ad-domain-name
If you omit the domain name, HCP uses the AD domain specified in the system configuration.
Be sure to use the second format if a group with the specified name exists in more than one domain in the AD forest or if the group name looks like a SID.
To reset the security group for a tenant, you need a system-level user account with the administrator role.
You use the resetSecurityGroup query parameter with a POST request against the groupAccounts resource, as in this example:
curl -k -i -d "<groupAccounts/>" -H "Content-Type: application/xml" \
  -H "Authorization: HCP YWxscm9sZXM=:04EC9F614D89FF5C7126D32ACB448382" \
  "https://finance.hcp.example.com:9090/mapi/tenants/finance/groupAccounts?resetSecurityGroup=hcp-admin@ad.example.com"
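The request above, assembled step by step, as an added shell example that is not part of the HCP documentation. It builds the Authorization header the example shows (YWxscm9sZXM= is the base64 encoding of the user name allroles; the second field is taken to be the MD5 hex digest of the password, which is the HCP management API convention and is an assumption to confirm against your release), percent-encodes the group value so names containing spaces or reserved characters survive in the query string, and enforces the naming rule given above: a group name that looks like a SID must be written as group-name@ad-domain-name unless you state that you are passing a SID. The host, tenant and user name are the page's example values; the password is constructed. The curl command is printed rather than executed so that it can be reviewed before it is run.

```sh
#!/bin/sh
# Added example (not HCP's own code): assemble the resetSecurityGroup POST.
# Assumptions: the MAPI Authorization value is "HCP <base64(user)>:<md5hex(password)>"
# (confirm against your HCP release); host, tenant and user are the page's
# example values; the password is constructed for illustration.

# Base64 of the user name, without the line wrapping GNU base64 adds.
hcp_b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# MD5 hex digest of the password: md5sum on Linux, md5 on BSD/macOS.
hcp_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q
    fi
}

# Authorization header value for the system-level administrator account.
hcp_auth_header() { printf 'HCP %s:%s' "$(hcp_b64 "$1")" "$(hcp_md5 "$2")"; }

# Percent-encode a query value. '@' is left as-is so group@domain reads like
# the page's example; spaces, '&', '#' and non-ASCII bytes are escaped.
url_encode() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                ch = substr($0, i, 1)
                if (ch ~ /^[A-Za-z0-9._~@-]$/) out = out ch
                else out = out sprintf("%%%02X", ord[ch])
            }
            printf "%s", out
        }'
}

# Apply the naming rule: a group name that looks like a SID (S-1-...) must be
# written as group-name@ad-domain-name, or HCP may read it as a SID.
check_group_name() {
    case "$1" in
        *@*)   return 0 ;;   # domain-qualified, unambiguous
        S-1-*) return 1 ;;   # bare SID-shaped name: qualify it, or pass kind=sid
        *)     return 0 ;;
    esac
}

# MAPI URL for the reset against the tenant's groupAccounts resource.
reset_group_url() {
    printf 'https://%s:9090/mapi/tenants/%s/groupAccounts?resetSecurityGroup=%s' \
        "$1" "$2" "$(url_encode "$3")"
}

# Print (rather than run) the curl command so it can be reviewed first.
# Arguments: host tenant admin_user admin_password group_value [name|sid]
reset_security_group_cmd() {
    kind=${6:-name}
    if [ "$kind" = name ] && ! check_group_name "$5"; then
        echo "error: '$5' looks like a SID; use group-name@ad-domain-name, or pass 'sid' as the 6th argument" >&2
        return 1
    fi
    printf "curl -k -i -d '<groupAccounts/>' -H 'Content-Type: application/xml' -H '%s' '%s'\n" \
        "Authorization: $(hcp_auth_header "$3" "$4")" \
        "$(reset_group_url "$1" "$2" "$5")"
}

# Stand-alone run: the page's example, with a constructed password.
reset_security_group_cmd finance.hcp.example.com finance allroles 'constructed-password' hcp-admin@ad.example.com
```

Pipe the printed command to sh once you have checked the tenant, the group value and the header. Note that -k disables TLS certificate verification, as in the page's example; on a production system you would instead trust the HCP certificate and drop -k, since the request carries a credential hash for a system-level administrator account.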
As an alternative to resetting the security group, you can reset the passwords of all users with the security role. For information on doing this, see Query parameter for resetting security user passwords.
© 2016 Hitachi Data Systems Corporation. All rights reserved.