Assigning security roles for users and user groups

Assign security roles for users and user groups either at the system level or the resource level.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

About this task

System level security roles provide access control to major functional areas for managing the overall system, whereas resource level security sub-roles and permissions provide access control to individual resources, for example cloud groups, IP groups, and compute nodes.

Note: The Users page allows you to grant access control and permissions to users, and the User Groups page allows you to grant access control and permissions to user groups.

For the permission changes to take effect, log out of the console and log back in.

When assigning permissions for individual resources in resource level administration, you can select the level of access (read, write, all, none) for those specific resources. For example, a user can be granted read access to some cloud group and hardware resources, and write access to other resources.

You can use the console or the command line interface to complete this task. For the command line information, see the Related information section.

Procedure

  1. Click System > Users or System > User Groups. If you are on 2.3.3.3 or later, click Security and access > Users or Security and access > User Groups.
  2. In the left navigation pane, select the users and user groups to which you want to provide access control.
  3. In the main window, scroll to the Permissions section.
  4. In the Workload Management section, select the sub-roles that you want to assign to users. Only workload administrators with full permissions can make this assignment.
  5. In the Administrators section, select Allow delegation when full permission is selected if you want users to be able to assign their assigned roles or sub-roles to other users. Users cannot grant permissions that they themselves do not have.
  6. To provide access control to workload resources, select Workload resources administration and one of the following options:
    • View all workload resources (Read-only): Users with this administrative option can view all workload management-related configuration and status on the console, such as deployed virtual applications, deployed virtual systems, and deployed shared services.
    • Manage workload resources (Full permission): Users who are assigned this option can manage all workload-related operations and resources such as deployment patterns, environment profiles, system plug-ins and shared services, plus all the functions previously mentioned in read-only view.
  7. To provide access control to cloud groups, select Cloud group administration.
    1. To provide access control at the system level, select System level administration and one of the following options:
      • View all cloud resources (Read-only): Users with this administrative option can view virtual cloud resources configuration such as cloud groups, IP groups, disk volumes, and virtual machines.
      • Manage cloud resources (Full permission): Users who are assigned this option can manage the above virtual resources.
    2. To provide access control at the resource level, select Resource level administration and do the following steps:
      1. In the list, select the resource type. Choices include Cloud Groups, IP Groups, Virtual Machines, Virtual Appliances, VM Groups, Volumes, and Volume Groups.
      2. In the table, select one or more individual resources in the Resource Name column. Use the Filter option above the table to locate resources more easily when the list is long. To select all resources in the table, select the check box beside the Resource Name column title.
      3. In the Permission column, select permissions for each resource. Options include Read, Write, All, and None. To assign permissions to all selected resources, use the All, None, and Remove All options above the table. For more information about each permission, click the Parent topic link at the end of this topic.
      4. Repeat these steps for each resource type to which you want to assign permissions.
  8. To provide access control to hardware, select Hardware administration.
    1. To provide access control at the system level, select System level administration and one of the following options:
      • View all hardware resources (Read-only): View configuration and status of hardware components such as compute nodes, networks, memory, and disk storage, and also reports, events, and job queues.
      • Manage hardware resources (Full permission): Hardware administrators with full permissions can manage hardware components, reports, events, and job queues.
    2. To provide access control at the resource level, select Resource level administration and do the following steps:
      1. In the list, select the resource type. Choices include Compute Nodes and Storage Devices.
      2. In the table, select one or more individual resources in the Resource Name column. Use the Filter option above the table to locate resources more easily when the list is long. To select all resources in the table, select the check box beside the Resource Name column title.
      3. In the Permission column, select permissions for each resource. Options include Read, Write, All, and None. To assign permissions to all selected resources, use the All, None, and Remove All options above the table. For more information about each permission, click the Parent topic link at the end of this topic.
      4. Repeat these steps for each resource type to which you want to assign permissions.
  9. To provide access control to auditing functions, select Auditing and one of the following options:
    • View all auditing reports (Read-only): Users who are assigned this option can only view auditing settings and download audit data.
    • Manage auditing (Full permission): Auditors with full permissions can modify auditing settings. They can also set up external storage server connection data and credential data so as to automatically archive auditing event logs to external servers for long term storage to meet security compliance requirements.
  10. To provide access control to disaster recovery functions, select Block Storage Replication and one of the following options:
    • View block storage replication profiles (Read-only) or View disaster recovery (Read-only): Users who are assigned this option can view disaster recovery profiles and disaster recovery monitoring information.
    • Manage block storage replication profiles (Full permission) or Manage disaster recovery (Full permission): Disaster recovery administrators with full permissions can create, validate, and enable disaster recovery profiles. This permission also enables a user to initiate a failover from the primary system in a disaster recovery relationship to the backup system, and to restart disk replication.
  11. To provide access control to security functions, select Security administration and one of the following options:
    • View users/groups (Read-only): Security administrators who are assigned this option can only view users and groups.
    • View all security resources (Read-only): Security administrators who are assigned this option can only view security resources.
      Note: Administrators with this security setting cannot deploy shared services.
    • Manage security (Full permission): Security administrators with full permissions can manage security resources. Moreover, users with the security administrator full permission role and the delegation security role can grant and revoke access rights of four console managed resource types: cloud groups, IP groups, virtual machines, and virtual appliances.
  12. Click Synch user roles to synchronize roles on all systems in the domain, and in the Sync User Roles dialog that is displayed, click Sync to complete the synchronization across the remote systems.
  13. Click Done to return to the main window.
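As an added illustration, not part of the original documentation or the product's own code, the following Python model encodes the delegation rule from step 5 (delegation must be enabled, and a user cannot grant a permission they do not hold) together with the system-level and resource-level halves of Cloud group administration from step 7. The ordering of the permission options (None < Read < Write < All), the way system-level options map onto individual resources, and the user and resource names are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class Level(IntEnum):
    """Resource-level permission options from the procedure; the ordering
    None < Read < Write < All is an assumption of this example."""
    NONE = 0
    READ = 1
    WRITE = 2
    ALL = 3


@dataclass
class User:
    name: str
    # Cloud group administration, system level: None, "read-only" or "full"
    system_level: Optional[str] = None
    # Cloud group administration, resource level: resource name -> Level
    resources: Dict[str, Level] = field(default_factory=dict)
    # "Allow delegation when full permission is selected" (step 5)
    allow_delegation: bool = False


def effective_level(user: User, resource: str) -> Level:
    """Access to one cloud resource, combining the system-level option with
    any per-resource grant. Modeling assumption: system-level full permission
    covers every resource, and system-level read-only grants at least Read."""
    if user.system_level == "full":
        return Level.ALL
    level = user.resources.get(resource, Level.NONE)
    if user.system_level == "read-only":
        level = max(level, Level.READ)
    return level


def delegate(grantor: User, grantee: User, resource: str, level: Level) -> Level:
    """Grantor gives grantee `level` on `resource`. Enforces the two rules in
    step 5: delegation must be enabled for the grantor, and a user cannot
    grant a permission that they do not themselves hold."""
    if not grantor.allow_delegation:
        raise PermissionError(f"{grantor.name} is not allowed to delegate")
    held = effective_level(grantor, resource)
    if level > held:
        raise PermissionError(
            f"{grantor.name} holds {held.name} on {resource}, cannot grant {level.name}")
    current = grantee.resources.get(resource, Level.NONE)
    grantee.resources[resource] = max(current, level)
    return grantee.resources[resource]
```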

What to do next

To delete users from all systems in the domain, perform the following steps:
  1. Click Delete in the toolbar.
  2. Click Delete in the dialog that is displayed.
  3. Select the Delete users from all systems in the domain check box, and then click Delete.