| KernSafe iSCSI SAN provides four access permissions: Full Access, Virtual Write, Read-Only, and Refuse.
Full Access: The client can read from and write to the target as if it were a local disk.
Virtual Write: The client can write to a private overlay while the shared base disk remains unchanged.
Read-Only: The client can read data, but cannot write any data to the disk.
Refuse: Logon to the target is denied.
There are four authorization modes: Anonymous, CHAP, IP Filter, and Mixed.
Anonymous: All initiators receive full access without additional authorization.
CHAP: Initiators must provide a CHAP user name and secret to connect. KernSafe iSCSI SAN includes a built-in Guest user for initiators that do not present a CHAP secret.
IP Filter: Initiators are authorized according to the incoming IP address defined in the IP filter rules.
Mixed: Security policy combines CHAP and IP Filter authorization.
If you select Inherit security roles from global settings, all client security roles are inherited from the global configuration. Otherwise, each client can use its own permission set.
Notes:
• Initiators using Anonymous mode receive full access by default.
• In CHAP mode, a client without explicit credentials inherits the permissions of the Guest user. If the Guest user is deleted, the client is denied access.
• The Guest user has Virtual Write permission by default when the target has Virtual Write enabled; otherwise the Guest user receives Read-Only permission.
• If the Guest user belongs to a group, it inherits the same permission as that group.
• If you add Any Address to the IP Filter list, every initiator receives the permission assigned to that rule.
• Access permissions are upgraded to the highest matching permission when an initiator matches more than one rule. The order is: Refuse < Read-Only < Virtual Write < Full Access.
|
