Managing GUI users

GUI users of the IBM Spectrum Scale system can monitor, configure, and manage the IBM Spectrum Scale system. You can create users who can perform different administrative tasks on the system. Use the Services > GUI > Users page to create users.

Note: Only users with SecurityAdmin or UserAdmin role can create a GUI user.

User roles and permissions

Each GUI user must be part of one or more user groups that are defined on the system. When you create a new user, you need to assign the user to one of the default user groups or to a custom user group. User groups are assigned predefined roles that authorize the users within that group to perform a specific set of operations on the GUI.

Predefined roles are assigned to user groups to define the working scope within the GUI. If a user is assigned to more than one user group, the permissions are additive, not restrictive. The predefined role names cannot be changed. The following are the default user groups:
  • Administrator

    Manages all functions on the system except those that deal with managing users, user groups, and authentication.

  • SecurityAdmin

    Manages all functions on the system, including managing users, user groups, and user authentication.

  • SystemAdmin

    Manages clusters, nodes, alert logs, and authentication.

  • StorageAdmin

    Manages disks, file systems, pools, filesets, and ILM policies.

  • SnapAdmin

    Manages snapshots for file systems and filesets.

  • DataAccess

    Controls access to data. For example, managing access control lists.

  • Monitor

    Monitors objects and system configuration but cannot configure, modify, or manage the system or its resources.

  • ProtocolAdmin

    Manages Object Storage and data export definitions of SMB and NFS protocols.

  • UserAdmin

    Manages access for GUI users. Users who are part of this group have edit permissions only in the Users, Groups and Password Policy tabs of the Services > GUI page of the GUI.

    If a GUI node fails, the application fails over to the new node. The GUI master node fails over automatically.

  • CsiAdmin

    Manages the Container Storage Interface (CSI).

  • ContainerOperator

    Manages the container operations.
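
Because permissions are additive, an access review has to look at the union of a user's groups rather than at any single membership. The sketch below is an added example, not IBM code: the group names are the default groups listed above, while the capability tags, the review heuristics, and the sample user mapping are assumptions constructed for illustration.

```python
# Added example (not IBM code): group names are the page's default groups;
# capability tags and the sample mapping below are constructed for illustration.
ALL = frozenset({"users", "authentication", "clusters", "nodes", "alert_logs", "storage",
                 "snapshots", "data_access", "protocols", "csi", "containers"})

# Management scope per default group, as the page describes it.
GROUP_SCOPE = {
    "SecurityAdmin": ALL,
    "Administrator": ALL - {"users", "authentication"},
    "SystemAdmin": frozenset({"clusters", "nodes", "alert_logs", "authentication"}),
    "StorageAdmin": frozenset({"storage"}),
    "SnapAdmin": frozenset({"snapshots"}),
    "DataAccess": frozenset({"data_access"}),
    "Monitor": frozenset(),  # view only, so no management capability
    "ProtocolAdmin": frozenset({"protocols"}),
    "UserAdmin": frozenset({"users"}),
    "CsiAdmin": frozenset({"csi"}),
    "ContainerOperator": frozenset({"containers"}),
}

def effective_scope(groups):
    """Union of the scopes of all groups: membership only ever adds rights."""
    unknown = sorted(set(groups) - GROUP_SCOPE.keys())
    if unknown:
        raise ValueError(f"unknown group(s): {unknown}")
    return frozenset().union(*(GROUP_SCOPE[g] for g in groups))

def review(user_groups):
    """Map each user to access-review findings derived from effective scope."""
    report = {}
    for user, groups in user_groups.items():
        scope = effective_scope(groups)
        notes = []
        if "users" in scope:  # SecurityAdmin or UserAdmin
            notes.append("can create GUI users")
            if scope - {"users"}:
                notes.append("user management combined with other duties")
        for g in sorted(set(groups)):
            others = [x for x in groups if x != g]
            if others and GROUP_SCOPE[g] <= effective_scope(others):
                notes.append(f"{g} adds no management rights beyond the user's other groups")
        report[user] = notes
    return report

SAMPLE = {  # constructed sample data, not output of any Spectrum Scale command
    "alice": ["SecurityAdmin", "Monitor"],
    "bob": ["UserAdmin"],
    "dave": ["UserAdmin", "DataAccess"],
}
```

Calling `review(SAMPLE)` shows that placing `alice` in Monitor does not reduce what SecurityAdmin already grants her.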

After installing the system and GUI package, you need to create the first GUI user to log in to the GUI. This user can create other GUI administrative users to perform system management and monitoring tasks. When you launch the GUI for the first time after the installation, the GUI welcome page provides options to create the first GUI user from the command-line prompt by using the following command: /usr/lpp/mmfs/gui/cli/mkuser <user_name> -g SecurityAdmin

User groups

Users who are part of Security Administrator and User Administrator user groups can create role-based user groups where any users that are added to the group adopt the role that is assigned to that group.

Roles apply to users on the system and are based on the user group to which the user belongs. A user can be part of multiple user groups so that a single user can play multiple roles in the system. You can assign the following roles to your user groups:
  • Administrator

    Users can access all functions on the GUI except those that deal with managing users and user groups.

  • Security Administrator

    Users can access all functions on the GUI, including managing users and user groups.

  • System Administrator

    Users manage clusters, nodes, and alert logs.

  • Storage Administrator

    Users manage disks, file systems, pools, and filesets.

  • Snapshot Administrator

    Users manage snapshots for file systems and filesets.

  • Monitor

    Users can view objects and system configuration but cannot configure, modify, or manage the system or its resources.

  • Data Access
    Users can perform the following tasks:
    • Edit owner, group, and ACL of any file or path through the Files > File System ACL > Files and Directories page.
    • Edit owner, group, and ACL for a non-empty directory of a file system, fileset, NFS export, or SMB share.
    • Create or delete object containers through the Object > Accounts page.
  • Protocol Administrator

    Users manage Object Storage and data export definitions of SMB and NFS protocols.

  • User Administrator

    Users manage GUI users and user groups.

  • CSI Administrator

    Users manage Container Storage Interface (CSI).

  • Container Operator

    Manages the container operations.

Note: Default groups are not created for the user role User Administrator if the IBM Spectrum Scale cluster is upgraded from 4.2.0.x to a later release.

A default group is not created for the user role CSI Administrator if the IBM Spectrum Scale cluster is upgraded from 5.0.3 or earlier.

For more information about how to create a GUI user and assign user roles, see Create GUI users and assign user permissions.

User repository

You can manage GUI users locally within the system and in an external authentication server such as Microsoft Active Directory (AD) or Lightweight Directory Access Protocol Server (LDAP).

Managing users locally in the IBM Spectrum® Scale system

By default, the IBM Spectrum Scale system uses an internal authentication repository for GUI users. That is, the users who are created using the Services > GUI page are stored in the internal repository.

Managing GUI users in an external AD or LDAP server

By default, the IBM Spectrum Scale system uses an internal authentication repository for GUI users. You can configure an external authentication server either through GUI or CLI.
Note: You can configure external authentication only for GUI users who monitor and manage the cluster. The authentication method used for NFS and SMB users is different.

You can use the Configure External Authentication option that is available under the External Authentication tab to configure an external LDAP-based authentication method for authenticating the GUI users.

Use the Test Connection option that is available under the External Authentication tab to find out whether a user credential is available in the internal or external repository.

For more information about how to use the GUI to configure an external authentication method for the GUI users, see Configuring external authentication for GUI users.

Managing GUI user passwords

Use the various controls that are available under the Password Policy tab to enforce strong passwords for the GUI users whose credentials are stored in the internal repository.

Note: Only users with the UserAdmin or SecurityAdmin role can modify the password policy of a user. If a user's password has expired, the GUI logs that user off for security reasons.
For more information about how to create password policy and to modify password, see the following topics: