Limiting the user information that is returned by usermgmt API calls

By default, a user without the Administer platform or Manage users permission can see detailed information about other IBM Cloud Pak® for Data users by running usermgmt API calls. You can set the usermgmt_limit_user_info parameter to limit the information that is returned by the API calls.

Who needs to complete this task?
To complete this task, you must be either:
  • A cluster administrator
  • An administrator of the project where Cloud Pak for Data is installed
When do you need to complete this task?
Complete this task before you give users access to Cloud Pak for Data.

4.6.5 or later: Starting with Cloud Pak for Data Version 4.6.5, the usermgmt_limit_user_info parameter is set to true by default.

About this task

By default, when a user without the Administer platform or Manage users permission runs usermgmt API calls, they can see detailed user records. For example:

[
   {
       "uid": "1000331009",
       "username": "user@email.com",
       "displayName": "First Last",
       "email": "user@email.com",
       "approval_status": "approved",
       "permissions": [
           "sign_in_only",
           "administrator",
           "can_provision"
       ],
       "user_roles": [
           "zen_user_role",
           "zen_administrator_role"
       ],
       "current_account_status": "enabled",
       "internal_user": false,
       "deletable": true,
       "authenticator": "external",
       "created_timestamp": 1663963657537,
       "last_modified_timestamp": 1665614744277,
       "misc": {
           "dark_mode": false
       },
       "role": "Admin",
       "groups": [
           {
               "group_id": 10000,
               "name": "All users",
               "description": "All users are implicitly part of this group",
               "created_by": "",
               "created_at": "",
               "updated_at": "",
               "misc": {},
               "members_count": "5"
           }
       ],
       "group_roles": []
   },
   .
   .
   .
]

However, if you set the usermgmt_limit_user_info parameter to true, the API calls return a subset of the properties in the user record. For example:

[
   {
       "uid": "1000331009",
       "username": "user@email.com",
       "displayName": "First Last",
       "email": "user@email.com",
       "permissions": [
           "User"
       ],
       "role": "User",
       "user_roles": [
           "sign_in_only"
       ],
       "groups": [],
       "group_roles": []
   },
   .
   .
   .
]

The limited record includes only the properties that are necessary for other features, such as adding a user to a project and deployment space.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task:
    oc login ${OCP_URL}
  2. Run the following command to limit the information that is returned by usermgmt API calls:
    oc patch configmap product-configmap \
    --namespace ${PROJECT_CPD_INSTANCE} \
    --type=merge \
    --patch '{"data": {"usermgmt_limit_user_info":"true"}}'
  3. Restart the usermgmt pods:
    oc delete pod -n=${PROJECT_CPD_INSTANCE} -l component=usermgmt

Results

The information that is returned by usermgmt API calls is limited.
Tip: If you need to return more detailed user records, you can re-run the preceding commands with "usermgmt_limit_user_info":"false".
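
To confirm the result from a non-administrator's point of view, the following added example (not IBM code) checks a saved usermgmt API response body for properties beyond those in the limited record shown earlier. The function name find_extra_fields and the sample bodies are constructed for illustration, and the allowed key list assumes that the limited example on this page shows the complete limited record for your release.

```python
import json

# Keys of the limited record, copied from the limited example on this page.
# Assumption: that example shows the complete limited record for your release.
LIMITED_KEYS = frozenset({
    "uid", "username", "displayName", "email", "permissions",
    "role", "user_roles", "groups", "group_roles",
})


def find_extra_fields(response_body):
    """Return {uid: sorted extra keys} for records that exceed the limited set."""
    records = json.loads(response_body)
    if isinstance(records, dict):  # a single user record instead of a list
        records = [records]
    if not isinstance(records, list):
        raise ValueError("expected a JSON list of user records")
    findings = {}
    for index, record in enumerate(records):
        if not isinstance(record, dict):
            raise ValueError(f"record {index} is not a JSON object")
        extra = sorted(set(record) - LIMITED_KEYS)
        if extra:
            # Fall back to the list position when a record has no uid.
            findings[str(record.get("uid", f"#{index}"))] = extra
    return findings


# Constructed sample bodies, abbreviated from the two examples on this page.
DETAILED_SAMPLE = json.dumps([{
    "uid": "1000331009", "username": "user@email.com",
    "displayName": "First Last", "email": "user@email.com",
    "approval_status": "approved", "permissions": ["administrator"],
    "user_roles": ["zen_administrator_role"],
    "current_account_status": "enabled", "authenticator": "external",
    "created_timestamp": 1663963657537, "role": "Admin",
    "groups": [], "group_roles": [],
}])
LIMITED_SAMPLE = json.dumps([{
    "uid": "1000331009", "username": "user@email.com",
    "displayName": "First Last", "email": "user@email.com",
    "permissions": ["User"], "role": "User",
    "user_roles": ["sign_in_only"], "groups": [], "group_roles": [],
}])

if __name__ == "__main__":
    for name, body in (("detailed", DETAILED_SAMPLE), ("limited", LIMITED_SAMPLE)):
        extra = find_extra_fields(body)
        print(name, "OK" if not extra else f"exposes extra fields: {extra}")
```

Run the check against a response obtained with the credentials of a user who has neither the Administer platform nor the Manage users permission; an empty result means that only the limited properties were returned.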