Managing user access control
As an administrator for Role Based Access Control (RBAC) in IBM Cloud Pak for AIOps, you are responsible for determining and implementing the best approach for authenticating and managing users.
You use the access control features within IBM Cloud Pak for AIOps to add users and user groups, create and assign roles, and create user group profiles to fine-tune access control. For instance, you can use profiles to control the visibility of management artifact properties and content that is visible to users. Profiles and associated filters and policies can be used to control the visibility of alerts, incidents, applications, resource groups and resources.
To add users to the platform, enable their access to features, and fine-tune their access, you need to complete the following tasks:
- Configure identity provider connections so that your users can be added to IBM Cloud Pak for AIOps.
- Add your users to the platform.
- (Optional) Create user groups and add your users to them.
- Create and assign roles and permissions to your users and user groups.
- (Optional) Define any redaction policies or restriction filters for accessing features or data for specific user groups.
- (Optional) Create profiles to apply redaction policies, restriction filters, and other conditions to your user groups.
Prerequisites
To work with profiles, and their associated restriction filters and redaction policies, you must have an administrative user account with the Manage profiles role. For more information, see Roles and permissions.
Note: In the installation resource that you are using, you must set the Enable Group Profiles radio button to True.
Identity provider connections
User records are stored in an internal repository database. It is recommended that you use an enterprise-grade password management solution through an identity provider connection, such as an LDAP server, for password management. To connect to an identity provider, use the Identity Management (IM) service. You can open the IM service from the Access control page by clicking Configure identity provider. For more information about connecting to an LDAP provider with the IM service, see Identity providers.
If you configure an identity provider connection to an LDAP server, ensure that you grant administrator privileges to a user in your LDAP server.
Important:
- You cannot create a user from the Access control page of your cluster's Cloud Pak for AIOps console. You can use the Access control page only to add an existing LDAP user to your cluster.
- You must use the configured identity provider (LDAP) to manage users that are added from that provider system. For instance, to change or reset the password for a user, you must complete that change in your configured provider system. You cannot change or reset a user password with the Cloud Pak for AIOps console.
To see your configured identity providers, navigate to Administration > Identity providers in the Cloud Pak for AIOps console.
Adding users and user groups
An administrator can manage the permissions that users and groups have on the platform. However, users might need additional permissions.
A user can have multiple roles. The roles can be assigned directly to a user or can be assigned to the user through a user group. If a user has multiple roles, the user has all of the permissions from all of the roles that are assigned to them.
Tip: You can see all of the roles (and permissions) that a user has from the user's profile page, which you can access from the Access control page, on the Users tab.
If you update a user's role or their group membership and the user is logged in, the user must log out and log back in for the changes to take effect. If the user does not log out, their session will be refreshed after the session times out.
Before you add users to the platform, consider the following questions:
- Do you want to use an LDAP server to manage users' passwords?
- Do you want to use an LDAP server to manage access to the platform?
- Do you want to use user groups to manage users with similar access requirements?
- Do you want to be able to add all of the users in an LDAP group to a user group?
- Do the default roles meet your business requirements?
Role-based access control
An administrator can manage the permissions that users and groups have on the platform. However, users might need additional permissions. Cloud Pak for AIOps provides enhancements to meet customers’ RBAC/ABAC needs around data-access control for many data types such as incidents, alerts, resources, resource groups and applications.
A user can have multiple roles. The roles can be assigned directly to a user or can be assigned to the user through a user group. If a user has multiple roles, the user has all of the permissions from all of the roles that are assigned to them.
Tip: You can view all of the roles (and permissions) that a user has from the user's profile page, which you can access from the Access control page, on the Users tab.
Note: If a user role or user group is updated while an associated user is logged in, the user must log out and log back in for any changes to take effect. If they do not log out, their session is refreshed when a session timeout occurs.
Fine-tuning role-based access control with profiles
As an administrator, you can define redaction policies and restriction filters for hiding specific data for alerts, incidents, applications, resource groups, and resources in a unified way based on available properties, including custom ones. The policies and filters can be assigned to a profile that can then be applied to one or more user groups. This level of access control is an addition to the use of roles and permissions for accessing features.
By using these profiles, policies, and filters, you can determine the specific data that your users can and cannot view. With this finer level of access control you can better manage data privacy to meet your business needs.
For instance, if IBM Cloud Pak for AIOps is monitoring a network infrastructure that includes multiple devices, each device, and any related alerts, can contain properties for identifying the managing team (user group). This property can be a simple enrichment such as a field that denotes the managing group. The property can also be based on the naming characteristics of the device or alert payload. You can use profiles with redaction policies and restriction filters to ensure that users from one location (A) are not able to view resources in another location (B), such as VM resources. You can also configure the policies and filters so the same users (A) cannot view any alerts from those VM resources. This can ensure that users in one location do not have full visibility of alert and topology data coming from another location (B).
This fine-tuning configuration of access control is managed from the Profiles UI page. This page includes three key features across individual tabs:
- Profiles
- Restriction filters
- Redaction policies
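The two-location scenario above, modelled as an added illustrative example (this is not IBM Cloud Pak for AIOps code and does not use its APIs): a profile bundles a restriction filter (which property values a user group may see) and a redaction policy (which properties are hidden on the items it may see), and alerts inherit the visibility of the resource they belong to. The `Profile` class, the functions and the sample data are all constructed here for illustration.

```python
# Illustrative model of profile-based data visibility (added example; not
# IBM Cloud Pak for AIOps code). Filtering fails closed: an item that lacks
# a filtered property is hidden rather than shown.
from dataclasses import dataclass, field


@dataclass
class Profile:
    allowed: dict = field(default_factory=dict)   # restriction filter, e.g. {"location": {"A"}}
    redacted: set = field(default_factory=set)    # redaction policy, e.g. {"ip"}


def apply_profile(profile, items):
    """Keep only items whose filtered properties are all allowed, then
    strip redacted properties from the items that remain."""
    kept = []
    for item in items:
        if all(item.get(prop) in values for prop, values in profile.allowed.items()):
            kept.append({k: v for k, v in item.items() if k not in profile.redacted})
    return kept


def visible_alerts(profile, alerts, resources):
    """Alerts inherit visibility from their resource: if the restriction
    filter hides the resource, its alerts are hidden too, even before the
    alert's own properties are checked."""
    visible_ids = {r["id"] for r in apply_profile(profile, resources)}
    return apply_profile(profile, [a for a in alerts if a["resource"] in visible_ids])


# Constructed sample data: one VM per location, one alert per VM.
RESOURCES = [
    {"id": "vm-1", "type": "VM", "location": "A", "ip": "10.0.0.1"},
    {"id": "vm-2", "type": "VM", "location": "B", "ip": "10.0.1.1"},
]
ALERTS = [
    {"id": "alt-1", "resource": "vm-1", "location": "A", "summary": "CPU high"},
    {"id": "alt-2", "resource": "vm-2", "location": "B", "summary": "Disk full"},
]

# Profile for the user group at location A: see location A only, never see IPs.
LOCATION_A = Profile(allowed={"location": {"A"}}, redacted={"ip"})
# A profile with no filter and no redaction leaves everything visible.
UNRESTRICTED = Profile()

if __name__ == "__main__":
    print(apply_profile(LOCATION_A, RESOURCES))            # vm-1 only, without "ip"
    print(visible_alerts(LOCATION_A, ALERTS, RESOURCES))   # alt-1 only
```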
User preferences and authentication
When your users are added to the platform and able to access the UI and features they can complete the following user account management tasks to manage their user settings and obtain authentication keys for accessing the IBM Cloud Pak for AIOps API: