Users and authentication

Learn about users, their privileges, and user groups in Cloud Pak for Data System, and how to manage them using different tools.

Users of Cloud Pak for Data System are classified into three broad categories: application users (Cloud Pak for Data), platform users, and internal system users. You can create and maintain both, application users and platform users within the system. These users can also come from an external LDAP directory such as Windows AD or other OpenLDAP domain. Internal system users are not exposed and you cannot use them to access Cloud Pak for Data System.

Application users
The users of the Cloud Pak for Data application who might be assigned different roles, for example:
  • Administrator admin
  • Business Analyst
  • Data Engineer
  • Data Scientist
  • Data Steward
These users connect to data, govern it, find it, and use it for analysis. They will typically use the Cloud Pak for Data standalone web client to perform their tasks. You can edit the default roles or create new roles if the default set of permissions don't align with your business needs. The default Cloud Pak for Data user (admin) is automatically assigned all of the roles, including the platform administrator role. However, you can edit this user to remove the following roles:
  • Business Analyst
  • Data Engineer
  • Data Scientist
  • Data Steward
For more information on these users, see Predefined user roles.
Platform users
These users have access to the hardware platform and they can manage or monitor the hardware and software in the system. Two roles are available:
  • Platform administrator with default user apadmin
  • Platform users with default permissions. They cannot run any commands with root privileges.
They monitor the platform and perform various administrative tasks when required. Platform administrators will typically use the Cloud Pak for Data System web client for monitoring and system management, but they can also log in to the standalone web client. They can also ssh to the nodes of the platform and run various administrative commands, as described in System command line.
Note:

The default platform administrator apadmin user has an alias name admin for the web console operations. The web console can use both, admin or apadmin, which internally point to the same user : apadmin and they both have the same password. It is advised that the web console operations are operated using username admin and the platform CLI operations are operated with username apadmin.

Internal users
Users who are strictly used only internally by the platform, and whose accounts are managed internally in a secure way by the platform itself, without any external involvement. These users are not exposed and should not be used to access the system. Modifying the attributes of internal users can leave the system in a non-working state. Examples:
root user of the platform nodes
With a strong focus on security and ease of operation, it is by design that customer local Linux users are not given unrestricted access to the host operating system.

At installation, the customer is provided with root user password to use on control nodes and NPS container if required. It is absolutely critical to security that the customer changes the default password for the root user on all control nodes and NPS container using the passwd command as soon as possible.

All tasks which require escalated privileges should be completed as apadmin Linux user, or as users added to the ibmapadmin Linux group. This group has sufficient access to administer the platform, and automate maintenance tasks. If the user requires root privileges they must be added to the ibmapadmin group by the system administrator and access root commands through sudo.

Users in hardware components
For example, admin user in the network switch
platadmin and platuser in platform nodes
By default, platform users such as apadmin and other external LDAP/AD users can only login to the Cloud Pak for Data System control nodes. If you want to login to the worker nodes, perform the following steps:
  1. Log in to the control nodes.
  2. su as either platadmin or platuser.
  3. ssh to the worker nodes.

    Internal ssh access for platadmin and platuser is configured as passwordless access.

Both, application and platform users can be managed by apusermgmt command. By assigning a role -g {Admin,User} you define whether the user has access to the platform, or to the application. For more information, see apusermgmt command.

To integrate Cloud Pak for Data System with an external LDAP or Active Directory server, use the ap_external_ldap command. For more information, see Configuring an external LDAP server for global user authentication.

Best practices

Cloud Pak for Data System user records are stored in an internal repository database and have limited management capabilities. However, it is strongly recommended that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider for password management. You can use SAML SSO and LDAP together or individually.