Users and authentication in IAS

Learn about users, their privileges, and user groups in IAS, and how to manage them using different tools.

Users of IAS are classified into three broad categories: database users, platform users, and internal system users. You can create and maintain both database users and platform users within the appliance, and you use them to access the appliance. These users can also come from an external LDAP directory such as Windows AD or another OpenLDAP domain. Internal system users are not exposed and you cannot use them to access IAS.

Database users
Database administration is managed either by users who are part of the bluadmin user group, or by the default user bluadmin. Regular database operations can be accomplished by users who are part of the bluusers group.
Database user privileges:
  • Can connect to a database remotely, either through the web console or through the external IP address and port of the database
  • Can perform database operations such as creating tables, running workloads against them, loading, and so on
  • Can perform database admin operations such as creating other users, running database backups, reorganizing tables, and granting privileges
  • Cannot ssh to nodes of the appliance
  • Cannot view the OS directories or files of the node OS
  • Cannot execute OS commands
For more information on database users, see Database users.
Platform users
Appliance administration is managed either by users who are part of the ibmapadmin user group, or by the default user apuser. All appliance management tasks can be accomplished through one of these. Regular appliance access can be accomplished by users who are part of the ibmapusers group.
Platform user privileges:
  • Can log in to the nodes of the appliance
  • Can execute OS commands
  • Cannot log in to the web console
  • Can run commands with elevated privileges (such as root) if they are admin users
  • Can monitor, collect logs, and audit the system as required
  • Cannot directly query the database tables or perform any database operations
For more information on platform users, see Platform users.
Internal users
Internal users are used strictly internally by the appliance, and their accounts are managed internally in a secure way by the appliance itself, without any external involvement. These users are not exposed and should not be used to access IAS. Modifying the attributes of internal users can leave the appliance in a non-working state.
Examples:
root user of the appliance node
By default, users have access to root. You must change the default root password and ensure that root is used responsibly (for example, for advanced troubleshooting). The root user is the only user who can install OS packages or alter OS settings and configuration. Discuss with IBM Support any changes made using root authority.
Attention: The root user has all the privileges to update the operations on the appliance. Improper handling of the appliance by the root user might lead to system instability, downtime, or other incidents. IBM Corporation is not liable for any such incidents.
Users in Db2wh containers
root, db2inst1, dasusr1, dbfenc1
Users in hardware components
admin user in the network switch