Okonita
7 Posts

Pinned topic IBM Data Studio Web Console - How do you add additional Users for Multi-User Access?

‏2013-08-16T06:27:02Z |

Hi all,

The IBM Data Studio Web Console multi-User documentation is very good in most areas but I am having difficulty understanding and adding additional users into the list of users that can access the web console.

 

Can someone please describe how to add users for multi-user DSWC usage?

For most users, I just want to allow read-only and to receive alerts. How can I do this?

 

Thanks all

okonita

  • Sriram_Europa
    68 Posts

    Re: IBM Data Studio Web Console - How do you add additional Users for Multi-User Access?

    ‏2013-08-21T14:55:19Z  

    Hi

    In the "Task Launcher" Panel - the Getting started section ("Learn about Configuring for multiple users") should help you. Here is a quick summary

    You need to setup a repository database to store your information first (Product setup -> Configuration Repository). This repository database can also be used to authenticate users. 

    Note - if you are picking a new repository database - it would be empty. Tip: - in the Databases page, export your set of existing Connection information and once you have the new repository database setup, import that connection information again.   If a user has at least a connect access to the repository database, and if they have roles associated with them in the Console security page - they will be able to login & have a certain set of privileges.

    more info here:

    http://pic.dhe.ibm.com/infocenter/dstudio/v4r1/topic/com.ibm.datatools.db.web.health.install.doc/topics/configure_production.html

    You would go to the Product setup -> Console security page  - and select the "repository database based authentication" as the mechanism. After this - you will need appropriate credentials to the repository DB to login. For example, you can use the repository DB instance owner credentials as the 'Administrator' login 

    In the Console Security Page, you can then also identify the roles that you want to associate with your users.  For example - you may choose to assign everybody as Viewers if you do not wish them to make changes (such as add/edit db connections).  Look at the (?) help for the Databases page  - that should give you an idea of what the different user roles mean.

    The easiest way to do this is to have 3 groups created in your OS (or LDAP or..) where your repository database is - and then GRANT privileges to individual groups (OS groups for example)  - for example,  an admgrp (Administrator), an oprgrp  (Operator) and a vwrgrp (Viewer). After that manage your users by simply assigning them to one of these groups - you would not have to work with the Console Security page after that.  

    Note that the repository database instance owner or any other user with sufficient privileges (in a db2admns group or with DATAACCESS authority for example) may be able to execute any of the functions we have in the repository database (including the DSWEBSECURITY.* that is used to identify access). So - these users would end up getting 'implicit' Admin privileges in the web console. So - make sure you identify your groups and users carefully. 

    Also note that there is a way to provide more granular privileges at a database level (Product setup -> Manage Privileges). You can use this to identify "Database Owners" - i.e. users who are not Administrators & did not add that db connection - but can now get full privileges with that database (for example to run jobs with the default credentials or change alert configurations or add new notifications). You can also grant reduced privileges, such as to Manage Alerts - which allows them to change Alert Configurations, Notifications etc.  

    An Administrator can add Alert notification records for multiple user email addresses too - in case you do not wish for individual users to be able to change such settings (you can then not make these users database owners - not even grant them Can Manage alerts privilege)

    Note that when users try views such as Health -> Current Application connections, they would need to provide appropriate credentials to that selected database - this is equivalent to running db2 list applications from the command line. If those credentials do not have the privilege to get the list of applications - that web console user will not be able to see the details (i.e. DB2 itself will not permit access).

  • Okonita
    7 Posts

    Re: IBM Data Studio Web Console - How do you add additional Users for Multi-User Access?

    ‏2013-08-22T18:52:01Z  

    Hello Sriram_Europa,

    Thank you for your response. I truly appreciate your post and your explanation. However, after going through the steps that you outlined here, I am still not able to find the steps needed to add new users. I followed the steps outlined, created the groups as stated above but have no way to add users to any group. Note that I am the instance owner and I can see my user id and one other user id in the repository database. The other user in the repository is the userid created when DB2 was initially created and I did not do anything to get that userid into the repository except that I have been able to login to web console with that userid. Does this mean I need to enter my users from the DB2ADMNS group (Administrators group) managed by DB2 installation and not from Data Studio or Web Console?

    There is just no option for me to enter user IDs in Data Studio or Data Studio web console?  Can you help by describing in more detail the steps to add more user ids into the Web Console repository?

    Any help will be highly appreciated

     

    Okonita

  • Sriram_Europa
    68 Posts

    Re: IBM Data Studio Web Console - How do you add additional Users for Multi-User Access?

    ‏2013-08-23T21:27:10Z  

    Hi
     
    With the repository database based authentication mechanism, you would need to add users to the user registry that authenticates access to your repository database. You would not 'add users' in DSWC
     
    Perhaps an example would help here
     
    Let's say you have six users --   user1, user2, user3  are all viewers,  opr4, opr5 need to be Operators and then you have adm6 as an administrator.
     
    Assume that DSWC server is installed on a Linux Machine 'dswc_host'  and your repository database is on a Windows machine 'repodb_host' running with 'db2admin' as the instance owner.  For simplicity, let us assume that the Windows machine with the db2 instance is setup to be authenticated by the Windows operating system itself (and not a Domain server or LDAP etc.). 
     
    You would then add all these users to the Windows system repodb_host OS as users, if they are not already present. Then, for simplicity of administering user authorizations, create three groups in that Windows OS: dsadms (for DSWC Administrators), dsops (for DSWC Operators) and dsvwrs (for DSWC Viewers).  
     
    Assign  user1, user2 and user3 to the dsvwrs group,  opr4 and opr5 to the dsops group and adm6 to the dsadms group.   (Note - if you already have convenient groups defined, use those instead)
     
    Login to DSWC as the repository database instance owner - you would provide the userid 'db2admin' and its password.  DSWC connects to the repository database (via JDBC) with these credentials to verify if your credentials are indeed correct. If the JDBC connection is possible, then there is an attempt to execute one or more of these user defined functions: DSWEBSECURITY.CANADMINISTER(), DSWEBSECURITY.CANOPERATE(), DSWEBSECURITY.CANVIEW() , using SQL via that JDBC connection. Depending on which functions the user is able to execute he is identified as an Administrator, Operator or Viewer in DSWC.  Since db2admin is the instance owner, implicitly he would have execute privileges on the DSWEBSECURITY.CANADMINISTER() function - and thus be an Administrator in DSWC.  

    Ultimately the ability to execute these user defined functions is key in deciding the authorization of the user.

     
    In the Console Security screen in DSWC, you would then GRANT Administrator access to the 'dsadms' group  (which simply runs a GRANT execute on the CANADMINISTER function), then GRANT Operator to 'dsops' group, and then GRANT Viewer to 'dsvwrs' group. FYI: you can do the GRANTs directly on the repository database via your own tools such as db2 command line scripts - the UI is just one mechanism.
     
    When each user logs in, they would provide the credentials that are validated using JDBC against the repository database running on repodb_host, and the execute of one of the CAN* functions to identify their roles. If a user does not have connect privilege to your repository database or is unknown to the repodb_host's OS user registry - then that user will not be able to login into DSWC.
     
    If the repodb_host and/or the repository database is authenticated by a Domain server or LDAP - the groups & users need to be created in that user registry. But other steps are exactly the same.
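
The GRANTs described in the reply above, followed by two catalog queries for reviewing who ends up with each console role. This is an added example, not part of the original posts or IBM's own scripts. It assumes the group names from the example (dsadms, dsops, dsvwrs), that each DSWEBSECURITY function name is unique in its schema so no signature is needed, and that the statements run in the db2 command line processor while connected to the repository database.

```sql
-- Added example: run while connected to the repository database as a user
-- allowed to grant these privileges (for example the instance owner).
-- Group names are the ones used in the example above.

-- CONNECT is required to log in to DSWC. These grants are only needed if the
-- groups do not already hold CONNECT (for example through PUBLIC).
GRANT CONNECT ON DATABASE TO GROUP dsadms;
GRANT CONNECT ON DATABASE TO GROUP dsops;
GRANT CONNECT ON DATABASE TO GROUP dsvwrs;

-- One role function per group. Assumption: each function name is unique in
-- the DSWEBSECURITY schema; if not, add the parameter signature.
GRANT EXECUTE ON FUNCTION DSWEBSECURITY.CANADMINISTER TO GROUP dsadms;
GRANT EXECUTE ON FUNCTION DSWEBSECURITY.CANOPERATE    TO GROUP dsops;
GRANT EXECUTE ON FUNCTION DSWEBSECURITY.CANVIEW       TO GROUP dsvwrs;

-- Review 1: every explicit EXECUTE holder on the role functions.
-- GRANTEETYPE is U (user), G (group) or R (role); EXECUTEAUTH 'G' means the
-- grantee can pass the privilege on. A NULL SPECIFICNAME in ROUTINEAUTH means
-- the privilege covers all routines in the schema, hence the LEFT JOIN.
SELECT COALESCE(r.ROUTINENAME, '(all routines in schema)') AS role_function,
       a.GRANTEETYPE,
       a.GRANTEE,
       a.EXECUTEAUTH
FROM   SYSCAT.ROUTINEAUTH a
LEFT JOIN SYSCAT.ROUTINES r
       ON  r.ROUTINESCHEMA = a.SCHEMA
       AND r.SPECIFICNAME  = a.SPECIFICNAME
WHERE  a.SCHEMA = 'DSWEBSECURITY'
AND    a.EXECUTEAUTH IN ('Y', 'G')
ORDER BY role_function, a.GRANTEETYPE, a.GRANTEE;

-- Review 2: holders of DATAACCESS on the repository database. As noted in the
-- first reply, they can execute the DSWEBSECURITY functions without any of the
-- grants above and so become implicit Administrators in the web console.
SELECT GRANTEETYPE, GRANTEE, CONNECTAUTH, DATAACCESSAUTH
FROM   SYSCAT.DBAUTH
WHERE  DATAACCESSAUTH = 'Y'
ORDER BY GRANTEETYPE, GRANTEE;
```

Membership of OS groups such as db2admns lives in the operating system's user registry, not in the catalog, so it has to be reviewed on repodb_host itself.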