Learn about users, their privileges, and user groups in IAS, and how to manage them using
different tools.
Users of IAS are classified into three broad categories: database users, platform users, and
internal system users. You can create and maintain both database users and platform users within
the appliance, and you use them to access the appliance. These users can also come from an external
LDAP directory such as Windows AD or another OpenLDAP domain. Internal system users are not exposed
and you cannot use them to access IAS.
- Database users
  - Database administration is managed either by users who are part of the bluadmin user group, or by the default user bluadmin. Regular database operations can be accomplished by users who are part of the bluusers group.
  - Database user privileges:
    - Can connect to a database remotely either via web console or via external IP address and port of the database
    - Can perform database operations like create tables, run workload against it, load, etc.
    - Can perform database admin operations like create other users, run database backups, re-org tables, grant privileges
    - Cannot ssh to nodes of the appliance
    - Cannot view the OS directories or files of the node OS
    - Cannot execute OS commands
  - For more information on database users, see Database users.
- Platform users
  - Appliance administration is managed either by users who are part of the ibmapadmin user group, or by the default user apuser. All appliance management tasks can be accomplished through one of these. Regular appliance access can be accomplished by users who are part of the ibmapusers group.
  - Platform user privileges:
    - Can log in to the nodes of the appliance
    - Can execute OS commands
    - Cannot log in to the web console
    - Can run commands with elevated privileges (such as root) if they are admin users
    - Can monitor, collect logs, and audit the system as required
    - Cannot directly query the database tables or perform any database operations
  - For more information on platform users, see Platform users.
- Internal users
  - Users who are strictly used only internally by the appliance, and whose accounts are managed internally in a secure way by the appliance itself, without any external involvement. These users are not exposed and should not be used to access IAS. Modifying the attributes of internal users can leave the appliance in a non-working state.
  - Examples:
    - root user of the appliance node
      - By default, users have access to root. You must change the default root password and ensure that root is used responsibly (for example, for advanced troubleshooting). The root user is the only user who can install OS packages or alter OS settings and configuration. Discuss with IBM Support any changes made using root authority.
      - Attention: The root user has all the privileges to update the operations on the appliance. Improper handling of the appliance by the root user might lead to system instability, downtime, or other incidents. IBM Corporation is not liable for any such incidents.
    - Users in Db2wh containers
      - root, db2inst1, dasusr1, dbfenc1
    - Users in hardware components
      - admin user in the network switch
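
A role-separation check built on the group names and internal accounts listed above, as an added example that is not IBM's or this page's own code. It assumes group membership has been exported in getent group format (the sample lines are constructed). Flagging an account that holds both database and platform roles is this example's own review policy, not a rule stated on the page.

```python
"""Audit exported group membership against the IAS user categories."""

# Group names and internal account names are taken from the page.
GROUP_ROLE = {
    "bluadmin": "database admin",
    "bluusers": "database user",
    "ibmapadmin": "platform admin",
    "ibmapusers": "platform user",
}
# The switch's admin user is left out: it lives on a hardware component,
# not in node or container group membership.
INTERNAL_USERS = {"root", "db2inst1", "dasusr1", "dbfenc1"}

# Constructed sample in `getent group` format: name:passwd:gid:members
SAMPLE = """\
bluadmin:x:3000:bluadmin,alice
bluusers:x:3001:bob,carol
ibmapadmin:x:2000:apuser,alice
ibmapusers:x:2001:dave,db2inst1
wheel:x:10:root
"""


def parse_groups(text):
    """Return {group: set(members)} for the four IAS groups only."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or parts[0] not in GROUP_ROLE:
            continue  # malformed line or a group outside the IAS model
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def audit(text):
    """Return sorted (user, finding) pairs that deserve a review."""
    roles = {}
    for group, members in parse_groups(text).items():
        for user in members:
            roles.setdefault(user, set()).add(GROUP_ROLE[group])
    findings = []
    for user in sorted(roles):
        categories = {role.split()[0] for role in roles[user]}
        if user in INTERNAL_USERS:
            findings.append((user, "internal account in an exposed group"))
        if {"database", "platform"} <= categories:
            findings.append((user, "holds both database and platform roles"))
    return findings
```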