User management

Use the role-based user restrictions and user management capabilities to administer IBM Fusion HCI.

IBM Fusion HCI user interface is configured with OpenShift® Container Platform for single sign-on. For the first login to both the IBM Fusion HCI user interface and the OpenShift Container Platform web console, use kubeadmin, which is the default user for both, together with the password that was generated during the installation of IBM Fusion HCI.
Note: For security reasons, create a user with the cluster-admin role and delete the default kubeadmin user. Do this only after an identity provider is configured and you have confirmed that the new cluster-admin user can log in: removing kubeadmin (oc delete secrets kubeadmin -n kube-system) cannot be undone, and a cluster with no other cluster-admin must be reinstalled.

For more information about roles, see OpenShift Container Platform documentation at Default cluster roles.

User roles

Role-based access control (RBAC) objects determine whether a user is allowed to perform an action within a project. By using role-based access control, you set the resources and permissions that are available to a user. A role is assigned to a user or group through a role binding, which maps the role to that user or group. You can bind your users to the following two default OpenShift cluster-level roles:

Role           Permissions
cluster-admin  A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project.
view           A user who cannot make any modifications, but can see most of the objects in a project. They cannot view or modify roles or bindings.

You can create more users and user groups, and a user with the cluster-admin role can update or delete existing users.

Add user to a role

Step 1: Get user and their role details:
To list all users and their cluster-wide roles, run the following command:
oc get clusterrolebindings -o json | jq -r '.items[] | {role: .roleRef.name, user: .subjects[]?.name} | select(.user != null)'
The subjects of a cluster role binding can be users, groups, or service accounts, and the output does not distinguish between them: entries such as openshift-apiserver-operator are operator service accounts, not human users.
Alternatively, you can run the following commands:
  • Find all users with a specific role:
    oc get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name == "<role>") | {role: .roleRef.name, user: .subjects[]?.name}'
    For example, to list all users in the cluster-admin role:
    oc get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name == "cluster-admin") | {role: .roleRef.name, user: .subjects[]?.name}'
    Example output:
    {
      "role": "cluster-admin",
      "user": "ft-admin"
    }
    {
      "role": "cluster-admin",
      "user": "openshift-apiserver-operator"
    }
    {
      "role": "cluster-admin",
      "user": "openshift-config-operator"
    }
    {
      "role": "cluster-admin",
      "user": "service-ca-operator"
    }
  • Find the roles of a specific user in a cluster:
    oc get clusterrolebindings -o json | jq -r '.items[] | select(.subjects[]?.name == "<username>") | {role: .roleRef.name, user: "<username>"}'
    For example, to find the roles of ft-admin in a cluster:
    oc get clusterrolebindings -o json | jq -r '.items[] | select(.subjects[]?.name == "ft-admin") | {role: .roleRef.name, user: "ft-admin"}'
    Example output:
    {
      "role": "cluster-admin",
      "user": "ft-admin"
    }
    
    
Step 2: Add user to a role:
Add user to cluster-admin role:
oc adm policy add-cluster-role-to-user cluster-admin <username>
For example, add sf-admin user to cluster-admin role:
oc adm policy add-cluster-role-to-user cluster-admin sf-admin
Add user to view role:
oc adm policy add-cluster-role-to-user view <username>
For example, add sf-usr user to view role:
oc adm policy add-cluster-role-to-user view sf-usr
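
The queries in Step 1 and the check you would run after Step 2 (did the new binding land, and on whom), as an added example that is not part of the IBM Fusion or OpenShift documentation. It runs offline over a saved `oc get clusterrolebindings -o json` dump instead of the live API (a constructed sample in that shape is embedded; its binding and subject names are illustrative), reports each subject's kind so that service accounts and groups are not mistaken for people, and flags any binding that hands cluster-admin to a broad built-in group such as system:authenticated, which the jq pipelines above would list without comment.

```python
"""Offline audit of OpenShift ClusterRoleBindings (added example, not IBM Fusion code).

Usage against a real cluster (oc is not invoked here):
    oc get clusterrolebindings -o json > crb.json
    python3 crb_audit.py crb.json
"""
import json
import sys

# Constructed sample in the shape of `oc get clusterrolebindings -o json`.
# Binding and subject names are illustrative, not captured from a cluster.
SAMPLE_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "cluster-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:cluster-admins"},
                      {"kind": "User", "name": "ft-admin"}]},
        {"metadata": {"name": "openshift-apiserver-operator"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "openshift-apiserver-operator",
                       "namespace": "openshift-apiserver-operator"}]},
        {"metadata": {"name": "sf-usr-view"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "sf-usr"}]},
        {"metadata": {"name": "everyone-is-admin"},   # the misconfiguration to catch
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "no-subjects"},          # legal: a binding with no subjects
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
    ],
})

# Built-in groups that every (or any) caller belongs to; cluster-admin on these is a hole.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth", "system:unauthenticated"}


def load(text=SAMPLE_JSON):
    """Parse a clusterrolebindings JSON document (defaults to the constructed sample)."""
    return json.loads(text)


def subjects(doc):
    """Yield (role, subject_kind, subject_name, binding_name) for every subject of every binding."""
    for item in doc.get("items", []):
        role = item["roleRef"]["name"]
        # `subjects` is optional on a binding; jq's `.subjects[]?` skips it the same way.
        for subj in item.get("subjects") or []:
            yield role, subj.get("kind", ""), subj["name"], item["metadata"]["name"]


def subjects_of_role(doc, role, kinds=("User", "Group", "ServiceAccount")):
    """Who holds `role`, as sorted (kind, name) pairs. Pass kinds=("User",) for people only."""
    return sorted({(k, n) for r, k, n, _ in subjects(doc) if r == role and k in kinds})


def roles_of_subject(doc, name, kind="User"):
    """Cluster roles bound directly to one subject (group membership is not expanded)."""
    return sorted({r for r, k, n, _ in subjects(doc) if k == kind and n == name})


def broad_cluster_admin_bindings(doc):
    """Names of bindings that grant cluster-admin to one of the broad built-in groups."""
    return sorted({b for r, k, n, b in subjects(doc)
                   if r == "cluster-admin" and k == "Group" and n in BROAD_GROUPS})


if __name__ == "__main__":
    doc = load(open(sys.argv[1]).read()) if len(sys.argv) > 1 else load()
    for kind, name in subjects_of_role(doc, "cluster-admin"):
        print(f"cluster-admin  {kind:<15} {name}")
    print("roles of ft-admin:", roles_of_subject(doc, "ft-admin"))
    for b in broad_cluster_admin_bindings(doc):
        print(f"WARNING: binding {b} gives cluster-admin to a broad group")
```

Run it once before and once after `oc adm policy add-cluster-role-to-user`; the new user should appear under the expected role and nothing else should have changed. Note that roles_of_subject reports only direct bindings: a user who is cluster-admin through group membership shows up under the group, not under their own name.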

To know more about OpenShift Container Platform RBAC, see Using RBAC to define and apply permissions.

For more information about authentication and authorization, see OpenShift Container Platform documentation at Understanding authentication.

RBAC permissions for IBM Fusion HCI user interface

The following table shows, for each page or menu option of the IBM Fusion HCI user interface, what a cluster-admin user and a view user can do.
Table 1. RBAC for IBM Fusion HCI users

Events
  Cluster-admin:
    • Can mark events as fixed
  View user:
    • Cannot mark events as fixed

Applications
  Cluster-admin:
    • Can assign policies to applications
    • Can restore application backups
    • Can edit application details
    • Can enable or disable applications for disaster recovery
  View user:
    • Cannot assign policies to applications
    • Cannot restore application backups
    • Cannot edit application details
    • Cannot enable applications for disaster recovery

Backup policies
  Cluster-admin:
    • Can add, edit, or delete policies
    • Can add, edit, or delete backup locations
  View user:
    • Cannot add, edit, or delete policies
    • Cannot add, edit, or delete backup locations
  For the procedure to manage the backup and restore of your application namespace as a view user through CRs, see Self-service Backup & Restore.

Infrastructure > Compute page
  Cluster-admin:
    • Can upsize nodes or add storage disks
    • Can manage node resources, for example move a node to maintenance or power on a node
  View user:
    • Cannot upsize nodes or add storage disks
    • Cannot manage node resources

Infrastructure > Network page
  Cluster-admin:
    • Can run commands on switches
    • Can add VLANs and links
  View user:
    • Cannot run commands on switches
    • Cannot add VLANs and links

Settings > Call Home page
  Cluster-admin:
    • Can enable IBM Call Home or edit Call Home details
  View user:
    • Cannot enable Call Home or edit Call Home details

Settings > Encryption page
  Cluster-admin:
    • Can edit encryption settings
    • Can delete encryption settings
  View user:
    • Cannot edit encryption settings
    • Cannot delete encryption settings

Title bar > help icon > Collect support logs
  Cluster-admin:
    • Can generate logs and log sets
    • Can enable Call Home
  View user:
    • Cannot generate logs or log sets
    • Can download generated logs

App Switcher icon in title bar > Storage outbound arrow
  Cluster-admin:
    • Can replace a disk (pdisk replacement)
    • Can download a snap
    • Can manage events (mark as resolved, fix, hide tip, notification, and others)
  View user:
    • Cannot configure, modify, or manage the system or its resources

Disaster recovery
  Cluster-admin:
    • Can set up site 1, site 2, and the tiebreaker in Metro Sync DR
    • Can upgrade the local, remote, and tiebreaker clusters
    • Can fail over applications from one site to another
  View user:
    • Cannot set up site 1, site 2, and the tiebreaker in Metro Sync DR
    • Cannot upgrade the local, remote, and tiebreaker clusters
    • Cannot fail over applications from one site to another

Services
  Cluster-admin:
    • Can enable and disable IBM Fusion services
    • Can upgrade IBM Fusion services
  View user:
    • Cannot enable and disable IBM Fusion services
    • Cannot upgrade IBM Fusion services

Applications icon in title bar > OpenShift outbound arrow
  For both roles, the permissions are those of the OpenShift role itself; see Using RBAC to define and apply permissions.
  Note: This menu option opens the OpenShift console with the same login credentials.

Configure identity providers

Step 1: Configure identity providers
Configure an identity provider in OpenShift Container Platform (for example htpasswd, LDAP, or an OpenID Connect provider) so that your users can authenticate with the OpenShift OAuth server. For details, see the OpenShift Container Platform documentation at Understanding authentication.
Step 2: Bind your user to a role or to a group.
The user or group can have the cluster-admin or view role.
Step 3: Log in to the IBM Fusion HCI user interface
Log in to the IBM Fusion HCI user interface by using the newly created or added user.
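
The three steps above as one worked configuration. This is an added example, not taken from the IBM Fusion or OpenShift documentation; it assumes an htpasswd identity provider, a secret named htpass-secret in the openshift-config namespace, a provider named fusion-htpasswd, and groups named fusion-admins and fusion-viewers, all of which are illustrative names. Roles are bound to groups rather than to individual users so that an administrator can be added or removed by changing group membership alone, without touching any ClusterRoleBinding.

```yaml
# Added example; all names are assumptions. Before applying, create the secret that
# the provider references. The key inside the secret must be named "htpasswd":
#   htpasswd -c -B users.htpasswd sf-admin        # bcrypt-hashed entry; repeat without -c for sf-usr
#   oc create secret generic htpass-secret \
#     --from-file=htpasswd=./users.htpasswd -n openshift-config
#
# Step 1: the cluster-wide OAuth resource (its name is always "cluster").
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: fusion-htpasswd
    mappingMethod: claim    # refuse to log in if the identity already maps to a different user
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
---
# Step 2: bind the two roles the page describes to groups. Populate the groups with
#   oc adm groups new fusion-admins sf-admin
#   oc adm groups new fusion-viewers sf-usr
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fusion-admins
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: fusion-admins
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: cluster-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fusion-viewers
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: fusion-viewers
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: view
```

Apply the file with `oc apply -f`, then perform Step 3 from the command line before relying on the user interface: `oc login -u sf-admin`, followed by `oc whoami` and `oc auth can-i create clusterrolebindings`, which must answer yes for a cluster-admin. Only once that succeeds is it safe to remove the kubeadmin secret as recommended at the top of this page.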