9.1 User management and security
Virtualization means that more than one system runs on the same hardware.
Often these systems are owned by different entities, for example, the finance
and human resources departments. Depending on the company's structure, security
policy may require that a user who administers the Virtual Server of the
finance department must not administer the Virtual Server of the human
resources department, even if both run on the same hardware or in the same
pool. It may also be required that users work with different permissions, for
example, operations personnel can start and stop a Virtual Server but not
configure it. A user and security concept therefore has to be put in place.
This configuration was already possible on the HMC, but the naming and the flow
of operations have changed considerably in the SDMC. This section maps the known
HMC concepts to those used in the SDMC and shows how to use them.
9.1.1 Hardware Management Console concepts
On the HMC, there were predefined users, tasks, and roles. Users were created
and managed on the HMC itself and were confined to the machine on which they
were created. The SDMC instead uses the concept of a user registry, just like
IBM Systems Director, because the IBM Systems Director component of the SDMC
handles user management. A user registry can be the user management base of
the underlying operating system, an LDAP server, or a domain controller. For
more information about how IBM Systems Director handles users and security,
refer to Implementing IBM Systems Director 6.1, SG24-7694.
Hardware Management Console users, roles, and tasks
To manage different aspects of the HMC and the attached systems, the HMC used
user roles and HMC tasks to control access and permissions to the HMC itself
as well as to the attached systems.
For the SDMC, the IBM Systems Director concept was extended so that users can
be created and managed in either kind of registry. For a quick mapping of the
default users, refer to Table 9-1.
Table 9-1 Default users on HMC and SDMC
HMC        SDMC
root       root
hscroot    sysadmin
hscpe      pe
IBM Systems Director Management Console: Introduction and Overview
Because the terminology and the structure of user and security management
change from the HMC to the SDMC, the different concepts are shown here to ease
the transition.
User roles
The user roles defined on the HMC are shown in Table 9-2.
Table 9-2 User roles on the HMC and SDMC
HMC user role    SDMC user role        Function
hmcservicerep    (no SDMC role listed) Service Representative. A service representative is an employee who is at your location to install, configure, or repair the system.
hmcviewer        SMMonitor, SMUser     Viewer. A viewer can view HMC information, but cannot change any configuration information.
hmcoperator      SMManager             Operator. An operator is responsible for daily systems operation.
hmcpe            (no SDMC role listed) Product Engineer. A product engineer assists in support situations, but cannot access HMC user management functions. To provide support access for your system, you must create and administer user IDs with the product engineer role.
hmcsuperadmin    SMAdministrator       Super Administrator. The super administrator acts as the root user, or manager, of the HMC system. The super administrator has unrestricted authority to access and modify most of the HMC system.
HMC tasks
Based on user roles, specific commands grouped by task could be executed by the
user that holds the role. For a complete listing of the commands allowed per
role, refer to Hardware Management Console V7 Handbook, SG24-7491.
Tasks on the HMC were grouped by topic:
HMC Management
Systems Management
Frame Management
Control Panel Functions
Chapter 9. IBM Systems Director Management Console management
9.1.2 IBM Systems Director concepts
Users in IBM Systems Director are the users defined in the configured user
registry. By default in IBM Systems Director, user creation and assignment to
user groups are handled at the user registry level. A user registry is an
entity that holds users. This entity can be the local operating system of the
SDMC, an LDAP server, or a Kerberos server. Each user registry has its own set
of users that is independent of those in any other user registry on the
network. The process of identifying a user and making sure that the user is who
he claims to be is called authentication. Usually authentication is done by
entering a user name and a password.
Authorization then occurs when an authenticated user is assigned permissions to
perform tasks. IBM Systems Director within the SDMC uses a role-based access
control (RBAC) model for authorization. A role is a collection of permissions
on operations within IBM Systems Director that is then assigned to a user or to
a user group. There are predefined roles in the SDMC, and additional roles can
be defined by a user that has SMAdministrator authority. Furthermore, roles can
be combined to form even larger sets of permissions. To learn more about roles
and their definitions, refer to section 3.7, "Managing Credentials", in
Implementing IBM Systems Director 6.1, SG24-7694.
Users defined in different user registries can be added to the SDMC, for
example, users from the user registry of the SDMC base operating system. LDAP
and Kerberos can be used for authentication and authorization as well. This
offers more flexibility and allows for a wide range of configuration options.
As an extension to this concept, the SDMC allows for the creation of users and
user groups in the underlying base operating system of the SDMC. Some system
users and user groups are already preinstalled on that base operating system.
Note: If a user registry other than that of the SDMC base operating system is
employed, every user that is not defined on the SDMC base operating system must
be created in that remote user registry. The SDMC can only read entries in
remote user registries; it cannot create them.
Users
Initially, only the following interactive user registry users are defined to the
SDMC:
root
This is the root user of the underlying operating system.
sysadmin
This is the user designed to be the primary administrator of the SDMC.
pe
This is the user designed to perform the tasks of the product engineer as
defined above for the HMC.
Users on the SDMC can be listed by using the smcli lsuser command. In
Example 9-1, this command is used to produce a full listing of user properties for
the sysadmin user.
Example 9-1 Listing the sysadmin user using the smcli lsuser command
sysadmin@sdmca:~> smcli lsuser -l sysadmin
sysadmin:
ObjectType: User
DisplayName: sysadmin
Description:
FullName: sysadmin
Email: null
TelephoneNumber: null
Mobile: null
HomePhone:
Pager: null
LastLoginDate: 2010-12-13T17:35:08-05:00
LastLoginAddress: 172.16.254.34/172.16.254.34
IsLocked: False
UniqueID: 500
IsActive: True
ActiveSessions:
ID: dqG-dKGGG9hfQoolkkbGGGG
Description:
Login Date: Mon Dec 13 17:35:08 EST 2010
Login Address: 172.16.254.34/172.16.254.34
ID: DIRCLI-10038
Description: lsuser
Login Date: Mon Dec 13 18:30:02 EST 2010
Login Address: sdmcb/172.16.20.27
AssignedRoles: {'GroupRead' applied to
ImpliedRoles: {'SMAdministrator' applied to
GroupMembership: {'smadmin'}
User groups
The following user registry groups are employed for granting granular access
permissions:
smadmin (Administrator group)
Members of the smadmin group are authorized for all operations. They have
administrative access to IBM Systems Director and can perform all
administrative tasks. These members can define the privileges available to
the smmgr, smuser, and smmon groups. The privileges available to members
of the smadmin group cannot be restricted.
smmgr (Manager group)
Members of the smmgr group can perform management operations, which
are a subset of the functions that a member of the smadmin group can
perform.
smuser (User group)
The smuser group includes all authenticated users. Members can perform
only basic operations.
smmon (Monitor group)
Members of the smmon group can access those administrative functions that
provide read-only access, such as monitoring.
smservicerep (Service Representative Group)
Members of the service representative group can perform management
operations related to the installation, configuration, or repair of the system.
Refer to Figure 9-1 for a display of users and their initially assigned groups after
installing the SDMC. Also note that roles are assigned to groups and to users.
Figure 9-1 Systems Director Management Console: Initial users page
As shown in Example 9-2, user groups can be listed on the command line by
using the smcli lsusergp command.
Example 9-2 Listing user groups using smcli lsusergp
sysadmin@sdmca:~> smcli lsusergp -l
root:
ObjectType: User Group
DisplayName: root
Description: null
ManagedAsGroup: false
AssignedRoles:
ImpliedRoles:
Members: root
GroupMembership:
smadmin:
ObjectType: User Group
DisplayName: smadmin
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMAdministrator' applied to
ImpliedRoles:
Members: ccfw,sysadmin,root
GroupMembership:
smmgr:
ObjectType: User Group
DisplayName: smmgr
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMManager' applied to
ImpliedRoles:
Members: pe
GroupMembership:
smmon:
ObjectType: User Group
DisplayName: smmon
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMMonitor' applied to
ImpliedRoles:
Members:
GroupMembership:
smservicerep:
ObjectType: User Group
DisplayName: smservicerep
Description: null
ManagedAsGroup: false
AssignedRoles:
ImpliedRoles:
Members:
GroupMembership:
smuser:
ObjectType: User Group
DisplayName: smuser
Description: null
ManagedAsGroup: false
AssignedRoles: {'SMUser' applied to
ImpliedRoles:
Members: newUser
GroupMembership:
Roles
There are four roles that are initially defined on the SDMC:
SMAdministrator
The Administrator role has full authority to all tasks and commands, including
security administration, product installation, and configuration.
SMManager
The Manager role can perform a subset of the tasks that an Administrator can
perform. Typically, system administration, system health management, and
configuration tasks are available.
SMUser
The User role includes any authenticated user and allows only basic
operations, such as viewing resources and properties.
SMMonitor
The Monitor role can access those administrative functions that provide
read-only access. Primarily, monitoring, notifications, and status tasks are
available.
Additionally, one more role is predefined in the Systems Director Management
Console:
GroupRead
This role grants a user the ability to view or open a group defined in the
SDMC. In Example 9-1 it is the role assigned directly to the sysadmin user,
whereas SMAdministrator is implied through membership in the smadmin group.
Roles can be listed on the command line by using the smcli lsrole command
(Example 9-3).
Example 9-3 Listing the SMAdministrator role using smcli lsrole
sysadmin@sdmca:~> smcli lsrole -l SMAdministrator
SMAdministrator:
ObjectType: InstanceAccessRole
DisplayName: SMAdministrator
Description: The Administrator role has full authority to all tasks
and commands, including security administration, product installation,
and configuration.
IsDefaultRole: false
IsSystemDefinedRole: true
Permissions: All Permissions
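The listings in Examples 9-1 and 9-2 show the two places a role can come from: the AssignedRoles line of the user itself and the AssignedRoles line of each group the user belongs to (which is what the ImpliedRoles line of sysadmin reflects). The following script is an added example, not code from this book or from the SDMC: it parses that attribute layout, computes the effective roles of every account from both sources, and reports any account that holds SMAdministrator without being on an approved list, which is the check an auditor runs once the registry has been populated and the separation-of-duties requirement from the start of this section has to be verified. The sample listings, the approved-administrator list, and all function names are constructed for this example; the "applied to" values are kept truncated exactly as the page shows them, so the resource scope of a role is not evaluated.

```python
"""Compute effective SDMC roles from `smcli lsuser -l` and `smcli lsusergp -l`
listings and flag unexpected SMAdministrator holders. Added example; not SDMC code."""
import re
from collections import defaultdict

# Constructed sample listings, modeled on the page's Example 9-1 and Example 9-2.
# Values after "applied to" are left truncated, as the page shows them.
LSUSER_OUTPUT = """\
sysadmin:
  ObjectType: User
  DisplayName: sysadmin
  Description:
  LastLoginAddress: 172.16.254.34/172.16.254.34
  IsLocked: False
  IsActive: True
  AssignedRoles: {'GroupRead' applied to
  ImpliedRoles: {'SMAdministrator' applied to
  GroupMembership: {'smadmin'}
newUser:
  ObjectType: User
  DisplayName: newUser
  IsLocked: False
  IsActive: True
  AssignedRoles:
  ImpliedRoles: {'SMUser' applied to
  GroupMembership: {'smuser'}
"""

LSUSERGP_OUTPUT = """\
root:
  ObjectType: User Group
  AssignedRoles:
  Members: root
smadmin:
  ObjectType: User Group
  AssignedRoles: {'SMAdministrator' applied to
  Members: ccfw,sysadmin,root
smmgr:
  ObjectType: User Group
  AssignedRoles: {'SMManager' applied to
  Members: pe
smmon:
  ObjectType: User Group
  AssignedRoles: {'SMMonitor' applied to
  Members:
smservicerep:
  ObjectType: User Group
  AssignedRoles:
  Members:
smuser:
  ObjectType: User Group
  AssignedRoles: {'SMUser' applied to
  Members: newUser
"""

HEADER = re.compile(r"[^\s:]+:")              # a bare "name:" line
QUOTED = re.compile(r"(?:\{|,)\s*'([^']+)'")  # role or group names inside {...}


def parse_smcli(text):
    """Return {object_name: {attribute: value}} for smcli "-l" style output.
    A bare "name:" line opens a new object only when the next line is its
    ObjectType, so the parser works whether or not attributes are indented."""
    lines = [ln.strip() for ln in text.splitlines()]
    objects, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if HEADER.fullmatch(line) and nxt.startswith("ObjectType:"):
            current = objects.setdefault(line[:-1], {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            # keep the first value: nested ActiveSessions entries repeat keys
            current.setdefault(key.strip(), value.strip())
    return objects


def quoted_names(value):
    """Extract the quoted role or group names, ignoring the 'applied to' scope."""
    return QUOTED.findall(value or "")


def effective_roles(users, groups):
    """Map user -> {role: {source, ...}}, a source being 'assigned' or
    'group:<name>'. Membership is the union of what the user record lists and
    what each group record lists, so a stale side cannot hide a grant."""
    membership = defaultdict(set)
    for uname, attrs in users.items():
        membership[uname].update(quoted_names(attrs.get("GroupMembership")))
    for gname, attrs in groups.items():
        for member in attrs.get("Members", "").split(","):
            if member.strip():
                membership[member.strip()].add(gname)
    result = {}
    for uname in set(users) | set(membership):
        roles = defaultdict(set)
        for role in quoted_names(users.get(uname, {}).get("AssignedRoles")):
            roles[role].add("assigned")
        for gname in membership[uname]:
            for role in quoted_names(groups.get(gname, {}).get("AssignedRoles")):
                roles[role].add("group:" + gname)
        result[uname] = dict(roles)
    return result


def audit(effective, approved_admins, admin_role="SMAdministrator"):
    """List accounts holding admin_role without being approved, with every
    path that grants it."""
    findings = []
    for uname in sorted(effective):
        sources = effective[uname].get(admin_role)
        if sources and uname not in approved_admins:
            findings.append(f"{uname}: {admin_role} via {', '.join(sorted(sources))}")
    return findings


def run(approved_admins=frozenset({"root", "sysadmin"})):
    """Parse both listings and return (effective roles, audit findings).
    The approved list is a constructed policy, not an SDMC default."""
    effective = effective_roles(parse_smcli(LSUSER_OUTPUT), parse_smcli(LSUSERGP_OUTPUT))
    return effective, audit(effective, approved_admins)


if __name__ == "__main__":
    effective, findings = run()
    for user in sorted(effective):
        print(user, {r: sorted(s) for r, s in sorted(effective[user].items())})
    print("Findings:", findings or "none")
```

With the constructed policy of root and sysadmin as the only approved administrators, the report names ccfw, which holds SMAdministrator through the smadmin group in the page's own listing; whether such an account belongs on the approved list is a decision for the administrator, the script only makes the grant path visible. To run it against a live console, replace the embedded strings with the output of `smcli lsuser -l` for each user of interest and of `smcli lsusergp -l`, as shown in Examples 9-1 and 9-2.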
Creating a role
To create a role, perform the following steps:
1. Expand Security and click Roles. The Roles page opens (Figure 9-2).
Figure 9-2 Initial Roles page
2. Click Create to open the Create Role wizard Welcome page. Clicking Next
opens the Name page, where you must enter a name for the role. Optionally, you
can also describe the role in the Description field (Figure 9-3).
Figure 9-3 Create Role wizard: Name page
3. Clicking Next opens the Permissions page (Figure 9-4). The page has two
columns, showing Available Permissions on the left and Selected Permissions on
the right. Above the Available Permissions column, you can select either All
Permissions, which gives every permission to this role, or Selected
Permissions. Any entry can be selected and added to the set of Selected
Permissions by clicking Add. Choose All Permissions only for a role that is
meant to be equivalent to SMAdministrator; a role for operations personnel, such
as one that may start and stop but not configure a Virtual Server, should
carry only the selected permissions it needs.
Figure 9-4 Create Role wizard: Permissions page