
Chapter 9. IBM Systems Director Management Console management



9.1 User management and security

Virtualization means that more than one system is running on the same hardware. Often, different systems are owned by different entities, for example, finance or human resources departments. Depending on the company’s structure, security measures may require that a user administering the Virtual Server for the finance department must not administer the Virtual Server for the human resources department, even if it is running on the same hardware or in the same pool. It might also be required that users work with different permissions, for example, operations personnel can start and stop the Virtual Server but not configure it. A user and security concept therefore has to be put in place.

This configuration was already possible on the HMC, but the naming and flow of operations have changed considerably in the SDMC. This section maps the known HMC concepts to those used in the SDMC and explains how to use them.



9.1.1 Hardware Management Console concepts

On the HMC, there were predefined users, tasks, and roles. Users were created and managed on the HMC itself and confined to the machine on which they were created. The SDMC instead uses the concept of a user registry, just like IBM Systems Director, because the IBM Systems Director component of the SDMC is used for user management. A user registry can be the user management base of the underlying operating system, LDAP, or a domain controller. For more information about how IBM Systems Director handles users and security, refer to Implementing IBM Systems Director 6.1, SG24-7694.



Hardware Management Console users, roles, and tasks

The HMC used user roles and HMC tasks to manage access and permissions to the HMC itself as well as to the attached systems.

For the SDMC, the IBM Systems Director concept was extended to create and manage users with either registry. For a quick mapping of default users, refer to Table 9-1.

Table 9-1 Default users on HMC and SDMC

HMC        SDMC
root       root
hscroot    sysadmin
hscpe      pe

IBM Systems Director Management Console: Introduction and Overview



Because the terminology and the structure of user and security management change from the HMC to the SDMC, the different concepts are shown here to ease the transition.



User roles

The user roles defined on the HMC are shown in Table 9-2.

Table 9-2 User roles on the HMC and SDMC

HMC user role    SDMC user role       Function
hmcservicerep                         Service Representative. A service representative is an employee who is at your location to install, configure, or repair the system.
hmcviewer        SMMonitor, SMUser    Viewer. A viewer can view HMC information, but cannot change any configuration information.
hmcoperator      SMManager            Operator. An operator is responsible for daily systems operation.
hmcpe                                 Product Engineer. A product engineer assists in support situations, but cannot access HMC user management functions. To provide support access for your system, you must create and administer user IDs with the product engineer role.
hmcsuperadmin    SMAdministrator      Super Administrator. The super administrator acts as the root user, or manager, of the HMC system. The super administrator has unrestricted authority to access and modify most of the HMC system.



HMC tasks

Based on user roles, specific commands grouped by tasks could be executed by the user who holds the role. For a complete listing of commands allowed by role, refer to Hardware Management Console V7 Handbook, SG24-7491.

Tasks on the HMC were grouped by topic:
HMC Management
Systems Management
Frame Management
Control Panel Functions






9.1.2 IBM Systems Director concepts

Users in IBM Systems Director are users that are defined in the configured user registry. By default in IBM Systems Director, user creation and assignment to user groups are handled on the user registry level. A user registry is an entity handling users. This entity can be the local operating system of the SDMC, an LDAP server, or a Kerberos server. Each user registry has its own set of users that is independent of those on any other user registry in the network. The process of identifying a user and making sure that the user is who he claims to be is called authentication. Usually authentication is done by entering a user name and a password.

Authorization then occurs when an authenticated user is assigned permissions to perform tasks. The IBM Systems Director in the SDMC uses a role-based access control (RBAC) model for authorization. A role is a collection of permissions on operations within IBM Systems Director that are then assigned to a user. There are predefined roles in SDMC, and roles can also be defined by a user that has SMAdministrator authority. Furthermore, roles can be combined to form even larger sets of permissions. To learn more about roles and their definitions, refer to section 3.7, “Managing Credentials”, in Implementing IBM Systems Director 6.1, SG24-7694.

It is possible to add users to the SDMC that have been defined in different user registries, for example, using the user registry of the SDMC base operating system. LDAP and Kerberos can be used for authentication and authorization as well. This offers more flexibility and allows for a wide range of configuration options.

As an extension to this concept, the SDMC allows for the creation of users and user groups in the underlying base operating system of the SDMC. Some system users and user groups are already preinstalled on that base operating system.

Note: If another user registry is employed besides the one of the underlying base operating system of the SDMC, all of those users not defined on the SDMC base operating system must be created in that remote user registry. The SDMC can only read entries in remote user registries but cannot create them.



Users

Initially, only the following interactive user registry users are defined to the SDMC:

root
This is the root user of the underlying operating system.

sysadmin
This is the user designed to be the primary administrator of the SDMC.

pe
This is the user designed to perform the tasks of the product engineer as defined above for the HMC.

Users on the SDMC can be listed by using the smcli lsuser command. In Example 9-1, this command is used to produce a full listing of user properties for the sysadmin user.

Example 9-1 Listing the sysadmin user using the smcli lsuser command

sysadmin@sdmca:~> smcli lsuser -l sysadmin
sysadmin:
ObjectType: User
DisplayName: sysadmin
Description:
FullName: sysadmin
Email: null
TelephoneNumber: null
Mobile: null
HomePhone:
Pager: null
LastLoginDate: 2010-12-13T17:35:08-05:00
LastLoginAddress: 172.16.254.34/172.16.254.34
IsLocked: False
UniqueID: 500
IsActive: True
ActiveSessions:
ID: dqG-dKGGG9hfQoolkkbGGGG
Description:
Login Date: Mon Dec 13 17:35:08 EST 2010
Login Address: 172.16.254.34/172.16.254.34
ID: DIRCLI-10038
Description: lsuser
Login Date: Mon Dec 13 18:30:02 EST 2010
Login Address: sdmcb/172.16.20.27
AssignedRoles: {'GroupRead' applied to }
ImpliedRoles: {'SMAdministrator' applied to }
GroupMembership: {'smadmin'}






User groups

The following user registry groups are employed for granting granular access permissions:

smadmin (Administrator group)
Members of the smadmin group are authorized for all operations. They have administrative access to IBM Systems Director and can perform all administrative tasks. These members can define the privileges available to the smmgr, smuser, and smmon groups. The privileges available to members of the smadmin group cannot be restricted.

smmgr (Manager group)
Members of the smmgr group can perform management operations, which are a subset of the functions that a member of the smadmin group can perform.

smuser (User group)
The smuser group includes all authenticated users. Members can perform only basic operations.

smmon (Monitor group)
Members of the smmon group can access those administrative functions that provide read-only access, such as monitoring.

smservicerep (Service Representative group)
Members of the service representative group can perform management operations related to the installation, configuration, or repair of the system.






Refer to Figure 9-1 for a display of users and their initially assigned groups after installing the SDMC. Also note that roles are assigned to groups and to users.

Figure 9-1 Systems Director Management Console: Initial users page

As shown in Example 9-2, user groups can be listed on the command line by using the smcli lsusergp command.

Example 9-2 Listing user groups using smcli lsusergp

sysadmin@sdmca:~> smcli lsusergp -l
root:
ObjectType: User Group
DisplayName: root
Description: null
ManagedAsGroup: false
AssignedRoles:
ImpliedRoles:
Members: root
GroupMembership:
smadmin:
ObjectType: User Group
DisplayName: smadmin
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMAdministrator' applied to }
ImpliedRoles:
Members: ccfw,sysadmin,root
GroupMembership:
smmgr:
ObjectType: User Group
DisplayName: smmgr
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMManager' applied to }
ImpliedRoles:
Members: pe
GroupMembership:
smmon:
ObjectType: User Group
DisplayName: smmon
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMMonitor' applied to }
ImpliedRoles:
Members:
GroupMembership:
smservicerep:
ObjectType: User Group
DisplayName: smservicerep
Description: null
ManagedAsGroup: false
AssignedRoles:
ImpliedRoles:
Members:
GroupMembership:
smuser:
ObjectType: User Group
DisplayName: smuser
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMUser' applied to }
ImpliedRoles:
Members: newUser
GroupMembership:
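Because roles reach users mostly through group membership (the sysadmin user in Example 9-1 holds SMAdministrator only as an implied role via smadmin), an administrator reviewing who can administer the console has to combine the group listing with its members. The following Python script is an added example, not IBM code or part of this Redbook: it parses output in the format of smcli lsusergp -l and derives each user's implied roles. The listing embedded in it is a constructed, trimmed copy of Example 9-2.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the `smcli lsusergp -l` listing in Example 9-2.
SAMPLE_LSUSERGP = """\
smadmin:
ObjectType: User Group
AssignedRoles: {'SMAdministrator' applied to }
ImpliedRoles:
Members: ccfw,sysadmin,root
smmgr:
AssignedRoles: {'SMManager' applied to }
Members: pe
smmon:
AssignedRoles: {'SMMonitor' applied to }
Members:
smuser:
AssignedRoles: {'SMUser' applied to }
Members: newUser
"""

# Field names as printed by lsusergp; any other "name:" line opens a new group.
FIELDS = {"ObjectType", "DisplayName", "Description", "ManagedAsGroup",
          "AssignedRoles", "ImpliedRoles", "Members", "GroupMembership"}
ROLE_RE = re.compile(r"'([^']+)' applied to")

def parse_lsusergp(text):
    """Return {group: {"roles": [...], "members": [...]}} from `lsusergp -l` output."""
    groups, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if key not in FIELDS and not value.strip():   # e.g. "smadmin:"
            current = key
            groups[current] = {"roles": [], "members": []}
        elif current and key == "AssignedRoles":
            groups[current]["roles"] = ROLE_RE.findall(value)
        elif current and key == "Members":            # "Members:" alone -> []
            groups[current]["members"] = [m for m in value.strip().split(",") if m]
    return groups

def effective_roles(groups):
    """Roles each user inherits via group membership (lsuser shows these as ImpliedRoles)."""
    roles = defaultdict(set)
    for info in groups.values():
        for user in info["members"]:
            roles[user].update(info["roles"])
    return {user: sorted(r) for user, r in roles.items()}

def users_with_role(groups, role):
    """Users holding `role` through any group; run with SMAdministrator to review admins."""
    return sorted(u for u, r in effective_roles(groups).items() if role in r)
```

On a real console, feed the saved output of smcli lsusergp -l to parse_lsusergp instead of the embedded sample; smadmin members deserve particular attention because, as noted above, their privileges cannot be restricted.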






Roles

There are four roles that are initially defined on the SDMC:

SMAdministrator
The Administrator role has full authority to all tasks and commands, including security administration, product installation, and configuration.

SMManager
The Manager role can perform a subset of the tasks that an Administrator can perform. Typically, system administration, system health management, and configuration tasks are available.

SMUser
The User role includes any authenticated user and allows only basic operations, such as viewing resources and properties.

SMMonitor
The Monitor role can access those administrative functions that provide read-only access. Primarily, monitoring, notifications, and status tasks are available.

Additionally, another role is predefined in the Systems Director Management Console:

GroupRead
This permission grants a user the ability to view or open a group defined in SDMC.

Roles can be listed on the command line by using the smcli lsrole command (Example 9-3).

Example 9-3 Listing the SMAdministrator role using smcli lsrole

sysadmin@sdmca:~> smcli lsrole -l SMAdministrator
SMAdministrator:
ObjectType: InstanceAccessRole
DisplayName: SMAdministrator
Description: The Administrator role has full authority to all tasks
and commands, including security administration, product installation,
and configuration.
IsDefaultRole: false
IsSystemDefinedRole: true
Permissions: All Permissions






Creating a role

To create a role, perform the following steps:

1. Expand Security and click Roles. The Roles page opens (Figure 9-2).



Figure 9-2 Initial Roles page






2. Click Create to open the Roles wizard Welcome page. Clicking Next opens the Name page, where a name for this role has to be entered. Optionally, you can also give a description of this role in the Description field (Figure 9-3).



Figure 9-3 Create Role wizard: Name page






3. Clicking Next opens the Permissions page (Figure 9-4). You see a page with two columns, showing Available Permissions in the left column and Selected Permissions in the right column. Above the Available Permissions column, you can select either All Permissions, which gives all permissions to this role, or Selected Permissions. Any entry can be selected and added to the set of Selected Permissions by clicking Add.



Figure 9-4 Create Role wizard: Permissions page





