Roles
You can assign roles to IBM® Flex System Manager management software users to control their access to resources and limit the tasks that they can perform on those resources. The authorities that you configure for a role determine the level of access that is granted to each user who is assigned to that role. Each user or group of users that accesses the management software must have a user-role assignment.
The management software uses a role-based access control (RBAC) service with which an administrator can create custom sets of permissions, known as roles, and assign them to individual users or groups. A set of task, command-line interface (CLI), and application permissions that is applied to one or more resources defines an authorization role. Each role can be applied to many users, and each user can have many roles. Regulating user roles is an effective way to control security for your system, because it enables you to control access to every task and CLI command.
To allow users access to the management software web interface, each user must be assigned to a role. These user roles define the types of tasks that users or groups can perform. To be assigned to a role, each user or group of users must have a valid user ID or group ID in the user registry on the management server. Both individual users and a group of users can be assigned to a role. All users in a group are assigned the role of the group. If a user is assigned to one role as an individual and a different role as a member of a group, the user has access to the functions of the role that has greater access.
The management software provides reusable roles that you can assign more than once and use to build other roles. The management software also provides instance-based authorization. This enables you to define which tasks apply to which groups in a system.
The following types of management software user roles are available.
| Role name | Description |
|---|---|
| GroupRead | Grants a user the ability to view or open a group. |
| SMAdministrator | Has full authority to all tasks and commands, including security administration, product installation, and configuration. |
| SMManager | Can perform a subset of the tasks that an Administrator can perform. Typically, system administration, system health management, and configuration tasks are available. |
| SMMonitor | Can access those administrative functions that provide read-only access. Primarily, monitoring, notifications, and status tasks are available. |
| SMDefault | Does not have access to any managed resources, but can log in to management software. |
| SMUser | Includes any authenticated user, and can perform only basic operations such as viewing resources and properties. |
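
The rule stated earlier, that a user who holds one role as an individual and a different role through a group gets the role with greater access, can be checked offline against a list of assignments. The following Python is an added example, not IBM code and not output from the management software: the role ranking is an assumption inferred from the table's descriptions, and the user and group names are constructed.

```python
# Added example with constructed data; not code or output from the product.
# ASSUMPTION: ranking from least to most access, inferred from the role
# descriptions in the table above. GroupRead is left out because the table
# does not place it relative to the SM* roles.
ROLE_RANK = {"SMDefault": 0, "SMUser": 1, "SMMonitor": 2,
             "SMManager": 3, "SMAdministrator": 4}


def best(roles):
    """Highest-ranked role in roles, or None if empty (KeyError if unknown)."""
    return max(roles, key=lambda r: ROLE_RANK[r], default=None)


def effective_role(user, user_roles, group_roles, memberships):
    """Return (role, source) under the 'greater access wins' rule, or None."""
    candidates = []
    direct = best(user_roles.get(user, []))
    if direct is not None:
        candidates.append((direct, "direct"))
    for group in memberships.get(user, []):
        role = best(group_roles.get(group, []))
        if role is not None:
            candidates.append((role, "group:" + group))
    # max() keeps the first of equal ranks, so a direct assignment wins ties.
    return max(candidates, key=lambda c: ROLE_RANK[c[0]], default=None)


def audit(user_roles, group_roles, memberships):
    """Find users a group raises above their direct role, and users with no role."""
    elevated, unassigned = [], []
    for user in sorted(set(user_roles) | set(memberships)):
        eff = effective_role(user, user_roles, group_roles, memberships)
        direct = best(user_roles.get(user, []))
        if eff is None:
            unassigned.append(user)
        elif direct is not None and ROLE_RANK[eff[0]] > ROLE_RANK[direct]:
            elevated.append((user, direct, eff[0], eff[1]))
    return {"elevated": elevated, "unassigned": unassigned}


# Constructed sample assignments (hypothetical user and group names).
USER_ROLES = {"alice": ["SMMonitor"], "bob": ["SMManager"], "carol": ["SMDefault"]}
GROUP_ROLES = {"ops": ["SMAdministrator"], "noc": ["SMMonitor"]}
MEMBERSHIPS = {"alice": ["ops"], "bob": ["noc"], "carol": ["noc"], "dave": []}

if __name__ == "__main__":
    report = audit(USER_ROLES, GROUP_ROLES, MEMBERSHIPS)
    for user, direct, role, source in report["elevated"]:
        print(f"{user}: assigned {direct}, effective {role} via {source}")
    print("no role assignment:", ", ".join(report["unassigned"]))
```

Users listed as elevated are the ones whose individually assigned role understates what they can do, which is where a review of group membership should start.
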
The Chassis Management Module (CMM) and Integrated Management Module (IMM) roles are associated with a particular managed resource and can be assigned to a user or a user group.
The following two types of CMM and IMM roles are available.
| Role name | Description |
|---|---|
| Supervisor | Has administrator privileges. A Supervisor can view any page and change any field and has permission for all actions that are provided by the interface. |
| Operator | The Operator role has read-only access. An Operator cannot perform any maintenance procedures (for example, restart, remote actions, firmware updates) and is unable to modify any settings. |