Changing user groups
You can use the command-line interface (CLI) to change user groups. User groups organize users of a system by role.
About this task
Roles apply to both local and remote users on the system and are based on the user group to which the user belongs. A local user can belong only to a single group; therefore, the role of a local user is defined by the single group that the user belongs to. Remote users can belong to one or more groups; therefore, the roles of remote users are assigned according to the groups that the remote user belongs to.
In addition to assigning roles to user groups, you can use user groups to control how users access the different management interfaces and functions that are supported on the system. You can create a user group with specific roles and further control how users within that group interact with objects on the system by allowing or restricting the user group to particular functions or interfaces. With this capability, you can also control access from scripts or automated services, such as IBM Storage Insights, that access the system automatically. The following interfaces and functions can be enabled or disabled with user groups:
Management interface or function | Supported interface for configuration
---|---
Management GUI access | Command-line interface
Command-line interface access | Command-line interface
REST API access | Command-line interface
Multifactor authentication | Management GUI and command-line interface
Ability to require a password and key for access | Command-line interface
You can use this feature to enable or disable access to interfaces from automated scripts or services, such as data collection for IBM Storage Insights or other automated processes. You can further secure the system by creating an ID for the automation service with only the role that it requires to access the information that the application or service needs. Generally, to configure a user group and access controls for an automation service, you need to complete the following steps:
- Create a separate user group for automation IDs.
- Create the automation users with the appropriate role. For example, for data collection for IBM Storage Insights, the Monitor role allows the service to view objects and the system configuration settings. Other automated services or scripts can require different role-based access, depending on the operations that the service completes on the system.
- Disable interfaces for these automation IDs. Depending on the automated service, you can control which interfaces the automation service can use to complete tasks on the system. For example, with IBM Storage Insights data collection, you can limit these automation IDs to command-line access only, since other interfaces and functions are not necessary.
- In cases where SSH keys are used to establish a connection between the system and the automated service, ensure that the key itself is secured and use these SSH keys with the automated service only.
To change a user group in the management GUI, select . Select a user group and select Properties from the Actions menu.
To change a user group using the CLI, use the chusergrp CLI command.
Procedure
Example
- -disablegui
- Specifies if the user group has management GUI access disabled or not. Value can be yes or no.
- -disablecli
- Specifies if the user group has command-line interface access disabled or not. Value can be yes or no.
- -disablerest
- Specifies if the user group has REST-API access disabled or not. Value can be yes or no.
- -passwordkeyrequired
- Specifies if the user group requires a password and SSH key. Value can be yes or no.
- -multifactor
- Specifies if the user group has multifactor authentication enabled or not. Value can be yes or no.
The following examples show the command operations for some common use cases for these parameters:
- Limiting access to automated service
- Create or change a user group with the appropriate role and restrictions.
To create a new user group, run the following command:
mkusergrp -name automatedservice -role Monitor -passwordkeyrequired yes -disablecli no -disablerest yes
Modifying the authentication setting for this user group will affect logins for all users in the group. Are you sure you want to continue? (y/yes to confirm) yes
To change an existing user group, run the following command:
chusergrp -name automatedservice -role Monitor -disablegui yes -disablecli no -disablerest yes
Modifying the authentication setting for this user group will affect logins for all users in the group. Are you sure you want to continue? (y/yes to confirm) yes
In both of these examples, a user group is dedicated to an automated service, such as the data collector for IBM Storage Insights. Access to the management GUI and REST API is disabled, but access through the command-line interface is allowed. Users in this group can perform only the functions that are allowed by the Monitor role, such as viewing and collecting data that is related to operations on the system.
- Enabling a password and SSH key for a user group
- chusergrp -name serviceusergroup -role Service -passwordkeyrequired yes
Modifying the authentication setting for this user group will affect logins for all users in the group. Are you sure you want to continue? (y/yes to confirm) yes
- Enabling multifactor authentication for a user group
- chusergrp -name mfagroup -role Administrator -multifactor yes
Modifying the authentication setting for this user group will affect logins for all users in the group. Are you sure you want to continue? (y/yes to confirm) yes
Note:
- Before you can enable multifactor authentication on the user group, ensure that all prerequisites are complete and that a multifactor authentication service is configured on the system.
- Multifactor authentication is not supported on the Common Information Model (CIM) interface. Therefore, user groups that are configured with multifactor authentication, or with password and SSH key authentication, are disabled for the CIM interface.
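The following added example (not IBM's code and not part of this documentation) audits the automation-ID procedure above against the chusergrp interface settings: it parses delimited lsusergrp output, flags automation groups that still have GUI or REST access, or that would be locked out because CLI access is disabled, and builds the chusergrp command that fixes each one. The sample output, the column names, and the set of automation group names are constructed assumptions; check the real column names on your system before relying on them.

```python
"""Audit user groups used by automated services (added example, not IBM code).

Assumes 'lsusergrp -delim ,' output with the column names shown in SAMPLE;
those names and the rows are constructed for this example.
"""
import csv
import io

# Constructed sample output; column names are assumed, not taken from a system.
SAMPLE = """id,name,role,remote,multi_factor,password_ssh_required,gui_disabled,cli_disabled,rest_disabled
0,SecurityAdmin,SecurityAdmin,no,no,no,no,no,no
1,Administrator,Administrator,no,yes,no,no,no,no
5,automatedservice,Monitor,no,no,yes,no,no,yes
6,insights_collector,Monitor,no,no,no,yes,no,no
7,backup_script,Monitor,no,no,yes,yes,yes,yes
"""

# Groups that exist only for automated services (assumed names). They should
# reach the system through the CLI only: GUI and REST disabled, CLI enabled.
AUTOMATION_GROUPS = {"automatedservice", "insights_collector", "backup_script"}

# Setting that is out of policy -> chusergrp parameter that corrects it.
FIXES = {
    "gui_disabled": "-disablegui yes",
    "cli_disabled": "-disablecli no",   # 'yes' here locks the service out
    "rest_disabled": "-disablerest yes",
}
EXPECTED = {"gui_disabled": "yes", "cli_disabled": "no", "rest_disabled": "yes"}


def parse_usergrps(text):
    """Return one dict per user group from delimited lsusergrp output."""
    return list(csv.DictReader(io.StringIO(text)))


def automation_findings(groups):
    """Return (group name, setting) pairs where an automation group is out of policy."""
    findings = []
    for grp in groups:
        if grp.get("name") not in AUTOMATION_GROUPS:
            continue
        for setting, wanted in EXPECTED.items():
            if grp.get(setting) != wanted:
                findings.append((grp["name"], setting))
    return findings


def remediation(findings):
    """Build one chusergrp command per group that merges all of its fixes."""
    per_group = {}
    for name, setting in findings:
        per_group.setdefault(name, []).append(FIXES[setting])
    return {n: f"chusergrp -name {n} " + " ".join(f) for n, f in per_group.items()}
```

Each generated chusergrp command still prompts for confirmation and, as the page notes, affects logins for every user in that group.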