Setting up users and teams

You can restrict access to Unified Management Server 1.2 by selecting one of two security models: SAF-based security or data set-based security.

Note: Only one security model can be active at a time. It is recommended to configure SAF-based security because data set-based security, although supported, will be deprecated in a future release. For details, see Deprecated and removed functions in Unified Management Server.
Important: For more information on SAF-based management of users and teams, see Security enhancement for IBM Unified Management Server.
You can enable SAF-based security by specifying the following in your ZWEYAML member:
components:
  izp:
    security:
      useSAFOnly: true
Notes:
  • Ensure the assigned user has permission to refresh user metadata or team metadata in Unified Management Server.
  • Ensure that the security administrator has provided super administrator with READ access to IZP.FUNCTION.USERS.GET or IZP.FUNCTION.TEAMS.GET.
  • It is recommended to use the User and Team management methods, although the USERLIST and TEAMLIST data sets remain the default for backward compatibility.
To set up a user or team profile, the super administrator should perform the following:
  1. Configure and migrate the user profile or team profile.
  2. Define new profiles and assign users to them. For details, refer to Defining a security class for UMS.
    Note: These assigned users will have access to refresh the users and teams.
    Table 1. IZP profiles and their privileges
    Class  Profile name             Access required  Function
    IZP    IZP.FUNCTION.USERS.GET   READ             Refresh user information.
    IZP    IZP.FUNCTION.TEAMS.GET   READ             Refresh team membership information.
    IZP    IZP.FUNCTION.ROLES.GET   READ             Determine the role of a user.
    If the UMS server and UI start successfully after the UMS installation and configuration, the refresh button will be visible for the user.
    Important: If you are not a super administrator, you can only view your own storage usage and limits when useSafOnly is enabled.

Configuring user profile

Unified Management Server will query data from SAF through RACROUTE to acquire a list of users with access to a role profile. These users will represent all sets of UMS users. For details, refer to UMS roles and responsibilities and Defining a security class for UMS.
Table 2. Users with access to role profiles
Class  Profile     Role
IZP    IZP.SUPER*  Super User
IZP    IZP.ADMIN*  Admin User
  • Regardless of whether useSafOnly is set to true or false, access to UMS depends on having READ access to a role profile in the IZP class. If you have already granted users access to these profiles, migration is not required. You can always add or remove users by permitting or revoking their access to a profile.
  • When useSafOnly is set to false, only the users with access to a role profile are included in the USERLIST, which is required for login.

Therefore, the list of UMS users can differ depending on whether useSafOnly is true or false.

Configuring team profile

The security administrator creates and manages team profiles. Each Unified Management Server team will have a corresponding profile. This could be a generic profile or one that specifies the eight-character SAF qualifier (or saf_id). Using this profile and ID, you can assign membership to a team.

For details on the UMS teams, see the following topics: UMS roles and responsibilities, Key concepts, and Managing teams.

  • If useSafOnly is set to false, the teams are stored as a member in the TEAMLIST.
  • If useSafOnly is set to true, a team is instead stored as a profile in the IZP class IZP.TEAM.{saf_id}. The {saf_id} is a unique qualifier assigned to a team, which is used in the SAF profile to determine team membership.
After configuring the team profiles, migrate them using the following steps:
  1. Create a team profile in the IZP class in the format:
    IZP.TEAM.{saf_id}
    where {saf_id} is the name of the data set member of the team you want to migrate. For example,
    RDEFINE IZP IZP.TEAM.{saf_id} UACC(NONE)
  2. Grant the required access to the created profiles, where READ denotes a team member and UPDATE denotes a team administrator. Compare against the JSON data stored in the TEAMLIST member for the team you are migrating to verify each ID and team role. The third form below (DELETE) removes an ID from the profile's access list. For example,

    PERMIT IZP.TEAM.{saf_id}  CLASS(IZP) ID(<ID>) ACCESS(READ)
    PERMIT IZP.TEAM.{saf_id}  CLASS(IZP) ID(<ID>) ACCESS(UPDATE)
    PERMIT IZP.TEAM.{saf_id}  CLASS(IZP) ID(<ID>) DELETE

Assigning membership

To assign membership, you must provide user access to a team profile. The UPDATE access or higher indicates a team administrator and READ access indicates a team member.

For example, to add a user as a team administrator to team 'A' (with a generated {saf_id}) issue the following command:
'PERMIT IZP.TEAM.A CLASS(IZP) ID(USERID) ACCESS(UPDATE)'
Note: For the membership to be reflected in UMS, a user with access to the required function profile (IZP.FUNCTION.TEAMS.GET) should refresh the team membership. To refresh, use the icon displayed on the upper-right corner of the Users page.
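The following is an added example, not IBM's code or part of this documentation. It assembles the RACF command sequence that the migration steps above and the Assigning membership section describe: it defines the Table 1 function profiles for a super administrator, creates one IZP.TEAM.{saf_id} profile per team, and emits a PERMIT per member with READ for team members and UPDATE for team administrators. The JSON layout of the TEAMLIST member (a list of teams with name, saf_id and members) is a constructed, hypothetical shape used only to drive the example; the saf_id character rule is likewise an assumption drawn from the "eight-character SAF qualifier" wording, and the sample IDs (SUPADM, USERID, USER2) are constructed.

```python
"""Build the RACF command plan for moving UMS teams and function profiles
to SAF-only security.

Added example, not IBM's code. The TEAMLIST member layout below is a
constructed, hypothetical JSON shape used only to drive the example;
verify it against the real TEAMLIST member before relying on the output.
"""
import json
import re
from typing import List, Optional

# RACF access levels in ascending order. UMS maps READ to "team member"
# and UPDATE or higher to "team administrator".
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Function profiles from Table 1 (IZP class, READ access required).
FUNCTION_PROFILES = [
    "IZP.FUNCTION.USERS.GET",   # refresh user information
    "IZP.FUNCTION.TEAMS.GET",   # refresh team membership information
    "IZP.FUNCTION.ROLES.GET",   # determine the role of a user
]

# Assumed saf_id rule: 1-8 characters, uppercase alphanumeric or the RACF
# national characters @ # $ (an assumption based on the "eight-character
# SAF qualifier" wording, not a documented UMS rule).
_SAF_ID_RE = re.compile(r"^[A-Z0-9@#$]{1,8}$")


def validate_saf_id(saf_id: str) -> str:
    """Return the qualifier upper-cased, or raise ValueError if it cannot
    form a valid IZP.TEAM.{saf_id} profile name."""
    candidate = saf_id.strip().upper()
    if not _SAF_ID_RE.match(candidate):
        raise ValueError(f"invalid saf_id for IZP.TEAM profile: {saf_id!r}")
    return candidate


def ums_role_for_access(access: str) -> Optional[str]:
    """Derive the UMS team role from a RACF access level."""
    level = ACCESS_ORDER.index(access.upper())   # ValueError on an unknown level
    if level >= ACCESS_ORDER.index("UPDATE"):
        return "team administrator"
    if level == ACCESS_ORDER.index("READ"):
        return "team member"
    return None                                   # NONE: not a member at all


def access_for_role(role: str) -> str:
    """Inverse mapping used during migration: TEAMLIST role -> ACCESS() value."""
    mapping = {"admin": "UPDATE", "member": "READ"}   # hypothetical TEAMLIST role names
    try:
        return mapping[role.lower()]
    except KeyError:
        raise ValueError(f"unknown TEAMLIST role: {role!r}") from None


def function_profile_commands(super_admin_id: str) -> List[str]:
    """RDEFINE each function profile with UACC(NONE), then permit the super
    administrator READ on it, as Table 1 requires."""
    cmds = []
    for profile in FUNCTION_PROFILES:
        cmds.append(f"RDEFINE IZP {profile} UACC(NONE)")
        cmds.append(f"PERMIT {profile} CLASS(IZP) ID({super_admin_id}) ACCESS(READ)")
    return cmds


def team_migration_commands(team: dict) -> List[str]:
    """Commands for one team: define IZP.TEAM.{saf_id}, then one PERMIT per member."""
    saf_id = validate_saf_id(team["saf_id"])
    profile = f"IZP.TEAM.{saf_id}"
    cmds = [f"RDEFINE IZP {profile} UACC(NONE)"]
    for member in team["members"]:
        access = access_for_role(member["role"])
        cmds.append(f"PERMIT {profile} CLASS(IZP) ID({member['id']}) ACCESS({access})")
    return cmds


def revoke_membership_command(saf_id: str, user_id: str) -> str:
    """PERMIT ... DELETE removes the user from the team profile's access list."""
    return f"PERMIT IZP.TEAM.{validate_saf_id(saf_id)} CLASS(IZP) ID({user_id}) DELETE"


def build_plan(teamlist_json: str, super_admin_id: str) -> List[str]:
    """Ordered plan: function profiles first (so the super administrator can
    refresh afterwards), then every team from the TEAMLIST JSON."""
    teams = json.loads(teamlist_json)
    plan = function_profile_commands(super_admin_id)
    for team in teams:
        plan.extend(team_migration_commands(team))
    # If your installation RACLISTs the IZP class, a SETROPTS RACLIST(IZP) REFRESH
    # is also needed before the new profiles and permits take effect.
    return plan


# Constructed sample TEAMLIST content (hypothetical layout, see module docstring).
SAMPLE_TEAMLIST = json.dumps([
    {"name": "A", "saf_id": "A",
     "members": [{"id": "USERID", "role": "admin"},
                 {"id": "USER2", "role": "member"}]},
])

if __name__ == "__main__":
    for line in build_plan(SAMPLE_TEAMLIST, "SUPADM"):
        print(line)
```

Review the generated plan against the TEAMLIST member before issuing any of it: RDEFINE fails for a profile that already exists, so skip those lines for profiles the security administrator has already created, and remember that after the PERMITs a user with READ on IZP.FUNCTION.TEAMS.GET still has to refresh team membership in the UI for UMS to pick the changes up.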