| Each target can grant one of four access permissions: Full Access, Virtual Write, Readonly, or Refuse.
Full Access: The initiator can read from and write to the target normally.
Virtual Write: The initiator can issue write operations, but the redirected changes are stored separately and do not modify the original data set directly.
Readonly: The initiator can read data but cannot commit writes to the target.
Refuse: Logon to the target is denied.
The available authorization modes are Anonymous, CHAP, IP Filter, and Mixed.

Anonymous: No additional authentication is required. Access is granted according to the anonymous policy.
CHAP: Initiators authenticate with a CHAP user name and secret. The built-in Guest account is used when an initiator connects without explicit CHAP credentials and the configuration allows it.
IP Filter: Access is determined by the client address rules defined under IP Filters.
Mixed: The effective policy is evaluated from both CHAP and IP filter rules.
If Global Authorization is enabled, the target inherits the global security configuration. If it is disabled, the target uses its own authorization settings.
Notes:
Anonymous access is typically used only in trusted environments.
If the Guest account is removed, initiators that rely on Guest-based CHAP access can no longer log on.
Virtual Write permission is meaningful only when the target has Virtual Write enabled.
IP filter rules can be used to assign a uniform policy to all initiators by creating a broad match such as Any.
When multiple rules apply, the most permissive effective access level wins according to the product policy.
|
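A small Python model of the evaluation described above, added here as an audit aid and not taken from the product. It shows how a broad `Any` rule overrides a stricter per-subnet rule when the most permissive level wins. The dictionary field names, the ordering of the four levels, applying the most-permissive rule across CHAP and IP filter results in Mixed mode, and treating "no match" as Refuse are all assumptions of this sketch.

```python
import ipaddress

# Access levels named on the page; the least-to-most permissive order is assumed.
LEVELS = ["Refuse", "Readonly", "Virtual Write", "Full Access"]

def most_permissive(levels):
    return max(levels, key=LEVELS.index)

def ip_access(rules, client_ip):
    """rules: [(cidr or "Any", level)]. Level for the client, or None if no rule matches."""
    addr = ipaddress.ip_address(client_ip)
    hits = [lvl for net, lvl in rules
            if net == "Any" or addr in ipaddress.ip_network(net)]
    return most_permissive(hits) if hits else None

def chap_access(users, chap_user):
    """users: {name: level}. No explicit credentials falls back to Guest, if it exists."""
    return users.get(chap_user or "Guest")

def effective_access(target, global_cfg, client_ip, chap_user=None):
    # Global Authorization enabled: the target inherits the global configuration.
    cfg = global_cfg if target["global_authorization"] else target
    mode = cfg["mode"]
    if mode == "Anonymous":
        return cfg["anonymous_level"]
    found = []
    if mode in ("CHAP", "Mixed"):
        found.append(chap_access(cfg["chap_users"], chap_user))
    if mode in ("IP Filter", "Mixed"):
        found.append(ip_access(cfg["ip_filters"], client_ip))
    found = [lvl for lvl in found if lvl is not None]
    # Assumption: no matching rule or account means the logon is refused.
    return most_permissive(found) if found else "Refuse"

def broad_write_rules(cfg):
    """Audit helper: IP filter rules that give every initiator write access."""
    return [(net, lvl) for net, lvl in cfg["ip_filters"]
            if net == "Any" and lvl in ("Virtual Write", "Full Access")]

# Constructed sample configuration (addresses are documentation ranges).
GLOBAL_CFG = {"mode": "IP Filter", "anonymous_level": "Refuse", "chap_users": {},
              "ip_filters": [("Any", "Readonly")]}
TARGET = {"global_authorization": False, "mode": "Mixed", "anonymous_level": "Refuse",
          "chap_users": {"backup": "Full Access"},  # Guest account removed
          "ip_filters": [("192.0.2.0/24", "Readonly"), ("Any", "Full Access")]}
```

With the sample target, an initiator at 192.0.2.10 ends up with Full Access despite the Readonly rule for its subnet, and `broad_write_rules(TARGET)` reports the `Any` rule responsible.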