Security restrictions in the multisystem environment

There are security restrictions to be aware of when working in the multisystem environment.

Take note of the following security restrictions:
  • Users who are configured on Lightweight Directory Access Protocol (LDAP) servers that are integrated with the system can work in the multisystem environment. These users are known as LDAP users.
  • Configure all systems in the multisystem management domain to use the same LDAP infrastructure.
  • LDAP users are on-boarded automatically. In the multisystem environment, when one system in the domain initiates a request that spans multiple systems in the domain, the user is created automatically if the user does not exist on the other systems. During user creation, LDAP groups associated with the user are also created if they do not exist. However, the membership for the newly created LDAP group will not be synced with the other systems. A manual sync of group membership is required.
  • If a system administrator deletes an LDAP user from a system, the originating system can propagate the deletion to the other systems. The deletion process is similar to the process for propagating access control lists (ACLs) and user roles. A manual sync is required.
  • Security roles of LDAP users and user groups are not synchronized automatically among the systems. Because of this, a manual administrative action is required to synchronize security roles.
  • ACLs are not synchronized automatically among the systems except in the case of copying a catalog artifact from one system to another. Because of this, manual administrative action is required to synchronize or reconcile ACLs between systems.
  • If you customize the console certificate used by your systems, you should import this certificate into the trust store of each system in your multisystem domain by using the command-line interface. You should repeat this import after each of the following events:
    • After adding a new system to your domain
    • After the console certificate is changed for any system in the domain
    • After every Cloud Pak System release upgrade
    • After a Platform System Manager (PSM) failover (system initiated or manually using the command-line interface)
  • After an upgrade to a new Cloud Pak System version, a user with no System level permissions might not be able to view a Multi Cloud environment profile. To resolve this issue, do one of the following:
    • Assign the user the System level, Cloud group administration role with permission to View all cloud resources (Read-only)
    • Clone the environment profile and assign the user access to this new profile
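Two of the restrictions above leave the administrator with a manual reconciliation step: LDAP group membership and roles are not synced between systems, and a customized console certificate must be present in every system's trust store after each listed event. The following is an added example, not code from the product or from this page, of the checks an administrator could run before doing that manual sync. It uses constructed inline data only: the membership exports, system names and PEM blocks are assumptions, and the PEM payloads are placeholder bytes rather than real certificates (the fingerprint comparison is the same for real ones, read from each system's exported trust store).

```python
"""Post-event reconciliation checks for a multisystem domain (added example).

Models two manual steps called for by the restrictions: finding LDAP group
membership drift between systems, and confirming the console certificate is
present in each system's trust store. No product API is used; all inputs are
constructed inline.
"""
import base64
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: LDAP group membership as exported from each system.
# system name -> group name -> set of user names
SAMPLE_MEMBERSHIP: Dict[str, Dict[str, Set[str]]] = {
    "system-a": {"cloud-admins": {"alice", "bob"}, "auditors": {"carol"}},
    # group auto-created during on-boarding, membership never synced
    "system-b": {"cloud-admins": {"alice"}, "auditors": set()},
    # group does not exist on this system at all
    "system-c": {"cloud-admins": {"alice", "bob"}},
}


def find_membership_drift(membership: Dict[str, Dict[str, Set[str]]]
                          ) -> List[Tuple[str, str, List[str]]]:
    """Return (system, group, missing_users) for every system whose view of a
    group lacks members that some other system has. The union of membership
    across systems is used as the reference; a group absent from a system is
    reported with all of its reference members missing."""
    reference: Dict[str, Set[str]] = {}
    for groups in membership.values():
        for group, users in groups.items():
            reference.setdefault(group, set()).update(users)
    drift = []
    for system in sorted(membership):
        for group in sorted(reference):
            have = membership[system].get(group, set())
            missing = reference[group] - have
            if missing:
                drift.append((system, group, sorted(missing)))
    return drift


# --- console certificate presence in each trust store -----------------------

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(bundle: str) -> Set[str]:
    """SHA-256 fingerprints (hex) of every PEM certificate block in a bundle.
    Only the base64 payload is decoded; no X.509 parsing is needed."""
    fps = set()
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def truststore_contains(truststore_pem: str, console_cert_pem: str) -> bool:
    """True if the single certificate in console_cert_pem is in the bundle."""
    wanted = pem_fingerprints(console_cert_pem)
    if len(wanted) != 1:
        raise ValueError("expected exactly one console certificate")
    return wanted.pop() in pem_fingerprints(truststore_pem)


def systems_missing_cert(stores: Dict[str, str], console_cert_pem: str
                         ) -> List[str]:
    """Names of the systems whose trust store lacks the console certificate."""
    return sorted(s for s, pem in stores.items()
                  if not truststore_contains(pem, console_cert_pem))


def _pem(payload: bytes) -> str:
    """Wrap placeholder bytes as a PEM block (constructed, not a real cert)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: the current (customized) console certificate and the
# trust store exported from each system after a PSM failover.
CONSOLE_CERT = _pem(b"placeholder-console-cert-v2")
SAMPLE_TRUST_STORES: Dict[str, str] = {
    "system-a": _pem(b"placeholder-console-cert-v1") + CONSOLE_CERT,
    "system-b": _pem(b"placeholder-console-cert-v1"),  # still has only the old cert
}


if __name__ == "__main__":
    for system, group, missing in find_membership_drift(SAMPLE_MEMBERSHIP):
        print(f"{system}: group {group} is missing {', '.join(missing)}")
    for system in systems_missing_cert(SAMPLE_TRUST_STORES, CONSOLE_CERT):
        print(f"{system}: console certificate not in trust store, re-import")
```

Run against real exports, the drift list is the worklist for the manual membership sync, and the missing-certificate list tells you which systems need the certificate re-imported through the command-line interface.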