Setting up users and teams
You can restrict access to Unified Management Server 1.2 by selecting one of the following security models: SAF-based and data set-based security.
ZWEYAML member:

```yaml
components:
  izp:
    security:
      useSAFOnly: true
```
- Ensure that the assigned user has permission to refresh user metadata or team metadata in Unified Management Server.
- Ensure that the security administrator has given the super administrator READ access to IZP.FUNCTION.USERS.GET or IZP.FUNCTION.TEAMS.GET.
- It is recommended to use the User and Team management methods, although the USERLIST and TEAMLIST data sets remain the default options for backward compatibility.
- Configure and migrate the user profile or team profile.
- Define new profiles and assign users to them. For details, refer to Defining a security class for UMS.

Note: These assigned users will have access to refresh the users and teams. If the UMS server and UI start successfully after the UMS installation and configuration, the refresh button will be visible for the user.
Table 1. IZP profiles and their privileges

Class | Profile name | Access required | Function |
---|---|---|---|
IZP | IZP.FUNCTION.USERS.GET | READ | Refresh user information. |
IZP | IZP.FUNCTION.TEAMS.GET | READ | Refresh team membership information. |
IZP | IZP.FUNCTION.ROLES.GET | READ | Determine the role of a user. |

Important: If you are not a super administrator, you can only view your own storage usage and limits when useSafOnly is enabled.
Configuring user profile
Unified Management Server queries SAF through RACROUTE to acquire the list of users with access to a role profile. These users represent the full set of UMS users. For details, refer to UMS roles and responsibilities and Defining a security class for UMS.

Class | Profile | Role |
---|---|---|
IZP | IZP.SUPER* | Super User |
IZP | IZP.ADMIN* | Admin User |
- Regardless of whether useSafOnly is set to true or false, access to UMS depends on having READ access to a role profile in the IZP class. If you have already provided a set of users with access to the profiles, then migration is not required. You can always add or remove profiles by permitting or revoking their access.
- When useSafOnly is set to false, only the users with access to a role profile are included in the USERLIST, which is required for login. Therefore, the list of UMS users can differ depending on whether useSafOnly is true or false.
Configuring team profile
The security administrator creates and manages team profiles. Each Unified Management Server team will have a corresponding profile. This could be a generic profile or one that specifies the eight-character SAF qualifier (or saf_id). Using this profile and ID, you can assign membership to a team.
For details on the UMS teams, see the following topics: UMS roles and responsibilities, Key concepts, and Managing teams.
- If useSafOnly is set to false, the teams are stored as a member in the TEAMLIST.
- If useSafOnly is set to true, a team is instead stored as a profile in the IZP class: IZP.TEAM.{saf_id}. The {saf_id} is a unique qualifier assigned to a team, which is used in the SAF profile to determine team membership.
- Create a team profile in the IZP class in the format IZP.TEAM.{saf_id}, where {saf_id} is the name of the data set member of the team you want to migrate. For example:

```
RDEFINE IZP IZP.TEAM.{saf_id} UACC(NONE)
```

- Grant the required access to the created profiles, where READ is a team member and UPDATE is a team administrator. Compare against the JSON data stored in the TEAMLIST member that corresponds to the team you want to migrate, to verify the ID and team role. For example:

```
PERMIT IZP.TEAM.{saf_id} CLASS(IZP) ID(<ID>) ACCESS(READ)
PERMIT IZP.TEAM.{saf_id} CLASS(IZP) ID(<ID>) ACCESS(UPDATE)
PERMIT IZP.TEAM.{saf_id} CLASS(IZP) ID(<ID>) DELETE
```
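As an added example (not part of the IBM documentation), the following Python script builds the RDEFINE and PERMIT commands for one team from a TEAMLIST-style record, mapping team roles to READ and UPDATE and rejecting a qualifier that is not a valid eight-character SAF qualifier. The JSON field names (saf_id, members, id, role) and the qualifier pattern are assumptions, since the page does not document the member layout.

```python
"""Generate RACF commands to migrate one UMS team to an IZP.TEAM.{saf_id} profile.

The TEAMLIST record layout used below is a constructed, hypothetical shape
for this example only; check the real member before relying on field names.
"""
import json
import re

# SAF qualifier: at most eight characters. The character set is an assumption
# (uppercase letters, digits and the national characters @ # $, not starting
# with a digit); a qualifier that fails this check is refused rather than
# silently producing a profile name UMS will never match.
SAF_ID_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")

# UMS team role -> RACF access level (from the page: READ = member, UPDATE = admin)
ROLE_ACCESS = {"member": "READ", "administrator": "UPDATE"}


def team_profile(saf_id: str) -> str:
    """Return the IZP class profile name for a team, validating the qualifier."""
    if not SAF_ID_RE.match(saf_id):
        raise ValueError(f"invalid SAF qualifier: {saf_id!r}")
    return f"IZP.TEAM.{saf_id}"


def migration_commands(team: dict) -> list:
    """Build the RDEFINE and PERMIT commands for one team record (assumed layout)."""
    profile = team_profile(team["saf_id"])
    # Define the profile closed by default so only explicit PERMITs grant access.
    commands = [f"RDEFINE IZP {profile} UACC(NONE)"]
    for entry in team["members"]:
        role = entry["role"].lower()
        if role not in ROLE_ACCESS:
            raise ValueError(f"unknown team role {entry['role']!r} for {entry['id']}")
        commands.append(
            f"PERMIT {profile} CLASS(IZP) ID({entry['id'].upper()}) "
            f"ACCESS({ROLE_ACCESS[role]})"
        )
    return commands


# Constructed sample resembling one TEAMLIST member (hypothetical field names).
SAMPLE_TEAMLIST_MEMBER = json.dumps({
    "saf_id": "STORAGE1",
    "members": [
        {"id": "usr001", "role": "administrator"},
        {"id": "usr002", "role": "member"},
    ],
})

if __name__ == "__main__":
    for cmd in migration_commands(json.loads(SAMPLE_TEAMLIST_MEMBER)):
        print(cmd)
```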
Assigning membership
To assign membership, you must provide user access to a team profile. UPDATE access or higher indicates a team administrator, and READ access indicates a team member. For example:

```
PERMIT IZP.TEAM.A CLASS(IZP) ID(USERID) ACCESS(UPDATE)
```

A user with READ access to the refresh profile (IZP.FUNCTION.TEAMS.GET) should then refresh the team membership. To refresh, use the icon displayed in the upper-right corner of the Users page.