User management

User access to the Docker CLI can be managed using either local user management or central LDAP server-based user management. You can also change the user management method of a provisioned zCX instance using the Reconfiguration workflow.

Using local user management within a zCX instance

Using this method, a Docker administrator user ID is specified during provisioning of a zCX instance. The Docker administrator has access to the Docker CLI, as well as the ability to define and delete additional zCX users. This approach is simple, and therefore useful when conducting initial testing in zCX or when a limited number of zCX instances are deployed. However, it requires that all authorized users are defined and maintained on each individual zCX instance; there is no sharing of user access across zCX instances.

Using an LDAP server for authorization across zCX instances

Using this method, the z/OS system programmer who is executing the z/OSMF provisioning workflow specifies the target LDAP server that should be used for authorization and authentication of the zCX Docker CLI users. This approach allows for consolidated user management for the zCX Docker CLI in your enterprise. It also allows you to optionally integrate your zCX Docker CLI user management with your z/OS defined users by providing two options for LDAP-based authentication:
  • IBM® Tivoli® Directory Server for z/OS®. This LDAP server allows optional integration with RACF or other compliant security manager products using the SDBM so that you can authorize users to zCX using their existing z/OS users and credentials.
  • An LDAP server, such as OpenLDAP, in your enterprise.

The remainder of this chapter provides instructions to proceed with either user management method.