Adding users for console access
When you add a user to the platform for accessing the IBM Cloud Pak for AIOps console and tools, a user profile (or record) is created for the user. This profile lists the user's roles and permissions. The user can also now access the Cloud Pak for AIOps console.
All users that are added to the platform are also automatically included within a default All users group. This group is used to give all users access to the Cloud Pak for AIOps console and common features, such as their profile and settings. You cannot edit or delete this group.
You can add a user to the platform in the following ways:
- You can give a user from a connected LDAP service access by directly assigning that user a role.
- You can include a user from a connected LDAP service into a user group. When you add a user to a user group, the platform automatically assigns the user each role that is assigned to the group.
- You can give all members of an LDAP group access to the platform by adding that LDAP group to a user group.
Important:
- You cannot create a user from the Access control page of your cluster Cloud Pak for AIOps console. You can use the Access control page to add only an existing LDAP user to your cluster.
- You must use the configured identity provider (LDAP) to manage users that are added from that provider system. For instance, to change or reset the password for a user, you must complete that change in your configured provider system. You cannot change or reset a user password with the Cloud Pak for AIOps console.
To see your configured identity providers, navigate to Administration > Identity providers in the Cloud Pak for AIOps console.
Before you begin
- Required permissions: To manage access to the Cloud Pak for AIOps console, you must have one of the following permissions:
  - Administer platform
  - Manage users
- Connect to an LDAP service. You need to connect to an LDAP service as an identity provider to create the users that you want to add to IBM Cloud Pak for AIOps.
  - To configure an LDAP connection, you must be an Administrator with permissions to manage users. For more information, see Configuring an LDAP connection.
  - Any user that needs access to IBM Cloud Pak® for AIOps must exist in your LDAP service with their user name and email attributes set. If these attributes are not set for a user, you might not be able to find and add the user to IBM Cloud Pak® for AIOps.
- Required information for creating a user: You need at least one of the following types of information about a user from your connected LDAP service to add the user to IBM Cloud Pak for AIOps:
  - Full name: If you use this information when adding a user, you must enter the name exactly as it is specified in the LDAP service.
  - Username: This value maps to the field that you specified for the User search field in the LDAP configuration.
  - Email address: If you use this information when adding a user, enter the email address exactly as it is specified in the LDAP service.
- User groups: You can create user groups to simplify the process of managing large groups of users. User groups make it easier to manage a large number of users with similar access requirements.
  By default, an All users group is included. As the name suggests, all users are automatically included in this group. The group is used to give all platform users access to the console and common features, such as their profile and settings. You cannot edit or delete this group.
  For more information, see Managing user groups.
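The attribute prerequisite above can be checked before you search for users in the console. The following added example (not IBM code) parses an LDIF export of your user subtree, such as one produced with ldapsearch, and reports entries whose user name or email attribute is absent or empty; the attribute names uid and mail and the sample entries are assumptions, so substitute the attributes from your LDAP configuration.

```python
import base64

# Constructed sample export, not from a real directory. "uid" and "mail" are
# assumed attribute names; substitute the ones in your LDAP configuration.
SAMPLE_LDIF = """\
dn: uid=bjones,ou=people,dc=example,dc=com
uid: bjones

dn: uid=cnguyen,ou=people,dc=example,dc=com
uid: cnguyen
mail:: Y25ndXllbkBleGFtcGxlLmNvbQ==

dn: cn=Dana Long Name,ou=people,
 dc=example,dc=com
mail: dana@example.com
uid:
"""

def parse_ldif(text):
    """Return one dict per entry, mapping lowercase attribute to its values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries

def missing_required(entries, required=("uid", "mail")):
    """Map each DN to the required attributes that are absent or empty."""
    report = {}
    for entry in entries:
        gaps = [a for a in required if not any(entry.get(a, []))]
        if gaps:
            report[entry.get("dn", ["<no dn>"])[0]] = gaps
    return report
```

Calling `missing_required(parse_ldif(SAMPLE_LDIF))` flags the first entry for a missing email attribute and the third for an empty user name; fix such entries in the LDAP service itself, because the console cannot edit them.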
Procedure
To give users access to the console:
- Log in to the IBM Cloud Pak for AIOps console as an administrator with permissions to manage users.
- From the navigation menu, select Administration > Access control.
- From the Users tab, click Add user.
- Search for the user's profile information by entering one of the following details about the user:
  - Full name
  - Username
  Limitations:
  - You cannot select a specific LDAP service to use for adding users. All connected LDAP services are searched for the specified user ID, username, or email.
  - You cannot use an external lookup service for finding and adding users from the LDAP service to IBM Cloud Pak for AIOps.
  - You need to know the user ID, user name, or email of a user within the connected LDAP service to find and add that user.
- Click Next.
- Set the platform access permissions for the user. Privileges on the platform are controlled by permissions. Users are granted permissions through role assignment. Users can be assigned roles directly or inherit roles from user groups that they are included within. Users within a user group inherit all roles and permissions that are associated with the user group.
  Select either of the options to set permissions for the user:
  - Assign roles directly
    Select this option to directly assign one or more existing roles or create a role for the user.
    - Optional. Create a new role to assign to the user. For more information about existing roles and permissions, or about creating a role, see Roles and permissions.
    - Select the checkbox for each role that you want to assign to the user. If you created a new role for the user, you must still select the checkbox for that role.
    - Click Next.
  - Add to user group
    Select this option to add a user to an existing user group or groups. For more information about user groups, including how to create a group, see Managing user groups.
    - Select the checkbox for each user group that you want to include the user in.
    - Click Next.
- Review the Summary of the user profile, user groups, roles, and access. When finished, click Add.
What to do next
- Edit the user details and roles, such as to add more roles or to add the user to a user group. When you are editing a user, you can complete the following changes:
  - View, add, and remove roles
  - View, add, and remove permissions
  - Add the user to a user group
  - Remove the user from a group
  - Change the user full name
  - Change the user email
  - Delete the user from IBM Cloud Pak for AIOps
  You can also add a user group, such as to add and manage roles for all users that you include in the group.
- Log in as the newly added user
  As a user directly added from the LDAP service or from an added user group, log in to the console and verify that the expected roles and permissions exist.
  Upon login, either your Home page or the Administrator panel is displayed. Users with an administrator role view the Administrator panel upon login, while all other users view their Home page. From the main navigation menu, browse through your available tools and pages to ensure that you can view the correct data and complete the tasks for your assigned permissions.