Managing roles of users and groups

Assign certain roles to users and groups to control which sections of the local management interface and web services they can access.

About this task

By default, role-based authorization is disabled on the appliance. You must first enable this function from the management interface to make use of it.

With Management Authorization, you can perform the following tasks:

  • Add or remove a role.
  • Assign a role to groups or users in local or remote LDAP user registry.
    Note: You can search for remote LDAP users or groups by entering a search pattern and clicking Search. Then, select the user or group from the search results and click Add.
  • Edit permissions for a role.

The roles for a user session are determined when a user first logs in. If the authorization configuration is modified and deployed when a user is logged in, the changes take effect immediately.

You can customize the default roles to better suit your environment. You can also remove all default roles and create new ones from scratch.
Note: If you plan to use the default roles, you must carefully review these roles to ensure that they are appropriate for your environment.

The default roles are not updated after an appliance firmware upgrade. If the appliance firmware upgrade introduces new features, existing roles are not updated to include permission for any new features. The default roles can be manually updated in the Management Authorization page. See Step 3 "Editing permissions for a role.

The authorization settings do not affect the main system account admin, which always has read and write permission to all features. The admin account can be used for recovery.

Permissions can be set for all features in the appliance except for the Home: Appliance Dashboard. Any user who can authenticate can view Home: Appliance Dashboard, even if they are not assigned to any roles.

To ensure complete flexibility with the role configuration, the permissions for each feature are controlled separately. Some pages in the local management interface, such as the Management Authorization page, use multiple features. As a result, users might need permissions for more than one feature to use all of the features on a particular page of the local management interface. For example, to access all of the functions on the Management Authorization page, the user needs permissions for the following features:
  • Account Management
  • Management Authorization
If a user clicks a link or attempts to complete an action for which they do not have the appropriate permission, an error message is returned. The error message includes the details about which permission is required for the selected action.

When you search for remote LDAP users or groups, consider the following points:

  • Users are assumed to be contained in the Base DN and are identified based on the User Attribute that is set on the Management Authentication page.
  • Groups are also assumed to be contained in the Base DN that is defined on the Management Authentication page.
  • Groups are identified based on cn.
  • Groups must be among the following types: group, groupofUniqueName, or groupOfNames.

Authorization enforcement applies to the local management interface, web services, and client certificate authentication.

Authorization enforcement in the local management interface
When a user logs in the local management interface, the menu displays only the pages that the user has access to. When users attempt to go to a page to which they do not have access, a page is displayed that explains that the user does not have authorization to view the page. When a user views a page with read-only permission, users cannot modify the configuration or change the state of any services on the page. If a user attempts to do so, a message is displayed stating that the user does not have permission to perform the requested action.
Authorization enforcement in web services
If a user has read-permission for a feature, they can perform GET requests against the associated Web services. If a user has write-permissions on a feature, they can issue any of the associated GET, POST, PUT, and DELETE web services. When a user attempts to issue a web service request that they are not authorized to perform, they receive a response with the HTTP status code 403 Forbidden and a message that states that they are not authorized to complete the transaction.
Authorization enforcement in client certificate authentication
If you want to use client certificates to authenticate to the local management interface, ensure that the authorization framework can map the DN of the presented client certificate to a user that exists in the registry that is used for authentication.

For example, a certificate is presented with DN: cn=testUser,ou=qa,o=ibm,c=au.

When you use a remote LDAP user registry for authentication, the authorization decision is made for a user that matches the entire DN in the user registry.

For example, a user that matches cn=testUser,ou=qa,o=ibm,c=au is searched for in the remote LDAP user registry, and the policy that is associated with that user is enforced.

When you use the local user database, the authorization decision is made for a user that matches the CN of the presented DN. For example, the user that is called testUser is searched for in the local user database, and the policy that is associated with that user is enforced.

Authorization enforcement in the Command Line Interface
Access to the command line interface from the console or SSH can be restricted by using the ‘CLI and CLI Web Service’ feature. Only those users who have 'write’ access to this feature will be permitted to access the command line interface.

A user can be assigned multiple roles. In this case, the user receives the highest cumulative permission from these roles for each feature. For example, if they are assigned two roles and one role has read-permission for a feature but the second role has write-permission for the feature, the user is granted write-permission.

Note: The appliance caches authentication details to reduce load on the user registry. The authentication details might be used for up to 10 minutes after they are changed. This behavior can be changed by using an advanced tuning parameter. Add the advanced tuning parameter lmi.authCache.baenabled with a value of false to disable this caching. See Managing advanced tuning parameters.
A performance penalty is incurred when you use this parameter. The user registry is queried when:
  • A user logs in the local management interface through the browser.
  • A request to the web services API by using Basic Authentication is received.

There is some degradation of performance in environments that make heavy use of the web services API by using Basic Authentication.

Procedure

  1. Select System > System Settings > Management Authorization.
  2. Under Roles, select the Enable Authorization Roles check box.
  3. Follow the prompts to complete the action you want to take.
    Tip: Use the quick filter to retrieve group names, user names, and features.
    Adding a role
    1. In the Roles panel on the left, click New.
    2. In the Create New Role window, enter a name for the new role.
    3. Click OK.
    Removing a role
    1. In the Roles panel on the left, select the role to delete.
    2. Click Delete.
    3. In the Removing Role window, verify that the role name to delete is correct and then click Yes.
    Assigning a role to local groups or users
    1. In the Roles panel on the left, select the role to edit membership for.
    2. In the Role Membership panel on the right, select the Local User Database tab if it is not already selected.
    3. Click Edit above the group name table or the user name table.
    4. In the Edit Local Members window, select or clear the check box on the Groups and Users tabs as needed.
    5. Click OK.
    Assigning a role to LDAP groups or users
    1. In the Roles panel on the left, select the role to edit membership for.
    2. In the Role Membership panel on the right, select the Remote LDAP User Registry tab if it is not already selected.
    3. In the Edit Remote LDAP Members window, modify LDAP groups and users on the Groups and Users tabs as needed.
      • To add an LDAP group or user, enter the details in the text field and then click Add.
      • To remove an LDAP group or user, select the entry and then click Delete.
    4. Click OK.
    Editing permissions for a role
    1. In the Roles panel on the left, select the role to edit permissions for.
    2. In the Features panel on the right, select the permission that you want from the drop-down list in each row.

      If you upgrade from a previous version of the appliance, new role membership features are set to None by default. Configure the permissions, if necessary.

      Note: The displayed features reflect the features that are available in the activated offerings. If you deactivate a product, the features that are specific to that product are removed from any existing roles. If you reactivate the product in the future, these features and the associated permissions are added to the roles again. Any permissions from a prior activation are re-instantiated. If it is the first time that the product is activated, the product-specific features are added to each role with no assigned permissions.
    3. Click Save to save the permission settings.