Understanding security roles for PureApplication® System

Protect your cloud environment by configuring security roles to control how different users interact with the system.

When you assign security roles to individual users and user groups, you designate the types of resources such as cloud groups that they can access, and the tasks that they can perform. This topic describes security roles in detail; use it as reference material when you administer users and user groups.

The system provides security role-based access control at both the system level and resource level. This combination of access control provides a balance between security roles at the overall system level and more granular access control at the resource level, for example individual cloud groups, IP groups, virtual appliances, compute nodes, and more. System level permissions take precedence over instance level permissions. The role-based authorization design is based on both the separation of duty security principle and the least privileged security principle.

System level administration

System level administration refers to the security roles and access control permissions that are required to administer the overall system. User administration responsibility is divided into the following major functional areas, and each has a set of administrator roles:
  • Workload resources administration
  • Cloud group administration
  • Hardware administration
  • Auditing
  • Block storage replication administration
  • Security administration

In general, administering each area of responsibility requires users to have either a full-permission security role or a read-only view security role. Occasionally, the full-permission security role is referred to as the administrative writer role and the read-only view role as the administrative reader role. An administrative writer role naturally includes the reader role and also has privileges to perform all administrative operations. An administrative reader role can only view configuration and monitor status but cannot modify configuration.

Table 1 lists each security role and the administrative console menus that are visible to users who are granted the security role. A detailed description of each security role is provided later in this topic.

Table 1. Visibility of console menus for each security role

Security role | View Instances menu | View Patterns menu | View Catalog menu | View Reports menu | View Cloud menu | View System menu | View Auditing settings (System > Auditing)
Workload resources administration with View all workload resources (Read-only) | Yes | Yes | Yes | Yes | Yes | Yes | No
Workload resources administration with Manage workload resources (Full permission) | Yes | Yes | Yes | Yes | Yes | Yes | No
Cloud group administration with View all cloud resources (Read-only) | Yes | Yes | Yes | Yes | Yes | Yes [5] | No
Cloud group administration with Manage all cloud groups (Full permission) | Yes | Yes | Yes | Yes | Yes | Yes | No
Hardware administration with View all hardware resources (Read-only) | Yes [1] | Yes | Yes | Yes | Yes [2] | Yes | No
Hardware administration with Manage hardware resources (Full permission) | Yes | Yes | Yes | Yes | Yes | Yes | No
Auditing with View all auditing reports (Read-only) | Yes [1] | Yes | Yes | Yes | Yes [2] | Yes [3] | Yes
Auditing with Manage auditing (Full permission) | Yes [1] | Yes | Yes | Yes | Yes [2] | Yes [3] | Yes
Security administration with View users/groups (Read-only) | Yes [1] | Yes | Yes | No | Yes [2] | Yes [3] | No
Security administration with View all security resources (Read-only) | Yes [1] | Yes | Yes | No | Yes [2] | Yes [3] | No
Security administration with Manage security (Full permission) | Yes [1] | Yes | Yes | No | Yes [2] | Yes [3] | No
Block storage replication administration with View block storage replication profiles (Read-only) | Yes [1] | Yes | Yes | No | No | Yes [4] | No
Block storage replication administration with Manage block storage replication profiles (Full permission) | Yes [1] | Yes | Yes | No | No | Yes [4] | No

[1] But not the Shared Services menu option.
[2] Only the Environmental Profiles menu option.
[3] But not the Block Storage Replication menu option.
[4] Only the Block Storage Replication menu option.
[5] Only the Product Licenses menu option.

Note the default security role assignments:
  • A user is automatically granted the deployer security role to deploy workload resources. This security role assignment cannot be revoked. This security role assignment is not displayed on the console. The user will still require additional Cloud level permissions to deploy to an environment profile.
  • The "admin" user ID of the individual who initializes the system is automatically granted the following administration roles as well as permissions for delegation:
    • Workload resources administration with Manage workload resources (Full permission) permission
    • Cloud group administration (Full permission) and cloud group resource level administration permission
    • Hardware administration (Full permission) and hardware resource level administration permission
    • Block Storage Replication administration with Manage block storage replication profiles (Full permission) permission
    • Security administration with Manage security (Full permission) permission
    • Auditing with Manage auditing (Full permission) permission
An SSH account is automatically created for the admin account when the admin user logs in to the console for the first time. An SSH account is also created for any local or LDAP user account that has full hardware administrative permissions.
Important: If a user name contains an @ symbol, the shell account is created with a truncated user ID that is the string that precedes the @ symbol. For example, if the user name is username@ibm.com, the system creates a shell account with the login ID username.

For users with full hardware administrative permissions, the user name before the domain (or @ symbol) must be unique across all domains. Only one shell account is created for each user name. If the user names are not unique, the password matches only one of the users with duplicate user names. For example, user abc@d1.com and abc@d2.com will share a shell account user ID (abc), but the shell account password is modified to match the user who logged in most recently.

The following list describes each security role. As indicated in the list, the authority to access a type of resource does not equate with the authority to access all instances of that resource. In some cases, users can access a resource only if they are granted authority by the creator of that resource. This implementation of resource level access control is explained in the next section.

Workload resources administration
  • View all workload resources (Read-only)

    Users with this administrative option can view all workload management-related configuration and status on the console, such as deployed virtual applications, deployed virtual systems, and deployed shared services.

  • Manage workload resources (Full permission)

    Users who are assigned this option can manage all workload-related operations and resources such as deployment patterns, environment profiles, system plug-ins and shared services, plus all the functions previously mentioned in read-only view. Users are also granted administration privileges on database configuration management and performance monitoring operations.

Cloud group administration
  • View all cloud resources (Read-only)

    Users with this administrative option can view virtual cloud resources configuration such as cloud groups.

  • Manage cloud resources (Full permission)

    Users who are assigned this option can manage the above virtual resources.

Hardware administration
  • View all hardware resources (Read-only)

    Users who are assigned this option can view the configuration and status of hardware components such as compute nodes, networks, memory, and disk storage, and also reports, events, and job queues.

  • Manage hardware resources (Full permission)

    Hardware administrators with full permissions can manage hardware components, reports, events, and job queues.

Auditing
  • View all auditing reports (Read-only)

    Users who are assigned this option can only view auditing settings and download audit data.

  • Manage auditing (Full permission)

    Auditors with full permissions can modify auditing settings. They can also set up external storage server connection data and credential data to automatically archive auditing event logs to external servers for long-term storage, to meet security compliance requirements.

Block Storage Replication administration
  • View block storage replication profiles (Read-only)

    Users who are assigned this option can view block storage replication profile related information.

  • Manage block storage replication profiles (Full permission)

    Block storage replication administrators with full permissions can create, validate, enable or disable, and delete block storage replication profiles.

Security administration
  • View users/groups (Read-only)

    Security administrators who are assigned this option can only view users and groups.

  • View all security resources (Read-only)

    Security administrators who are assigned this option can only view security resources.

    Note: Administrators with this security setting cannot deploy shared services.

  • Manage security (Full permission)

    Security administrators with full permissions can manage security resources. Moreover, users with the security administrator full permission role and the delegation security role can grant and revoke access rights of four console managed resource types: cloud groups, IP groups, virtual machines, and virtual appliances.

Resource level administration

Resource level administration refers to the security roles and access control permissions that are required to administer individual resources in the system, for example cloud groups, IP groups, compute nodes, storage devices, and more. At the resource level, administration responsibility for the Workload resources administration, Cloud group administration, Hardware administration, and Security administration functional areas is further divided into sub-roles to support the least privileged security principle. For example, users and groups who are responsible for creating and administering deployment patterns can be granted the Create new patterns security role, and not the full-permission Workload resources administration writer role.

Users and groups who are granted the Workload resources administration writer role are automatically granted all workload administrative sub-roles. The Security administration role has an additional user administrative reader role that allows a user or group to view a list of users and groups. This additional role is useful when an administrator is authorized to grant or revoke security roles from other users and groups, so that they have visibility into the list of users and groups.

The Cloud group administration role provides resource level access control for individual cloud resources, including cloud groups, IP groups, virtual machines, virtual appliances, virtual machine groups, volumes, and volume groups. Also, the Hardware administrator role provides resource level access control for individual hardware resources, including compute nodes, storage devices, and network devices. This model of providing more granular access control at the resource level is designed to limit access to only those resources that need to be managed at a particular time. The level of access (read, write, all, none) assigned to specific resources can be selected individually. For example, a user may be granted read access to some resources, and write access to other resources.

The following list describes each major functional area that is covered under the Workload Management category. Users can access a resource instance only if they are granted authority by the creator of that instance.

Deploy patterns in the cloud
This security role is automatically granted to all users by the system, and cannot be revoked. With this basic security role, users can view the classic virtual system instances, patterns, and catalog content to which they are granted access. They can deploy virtual system patterns and virtual application patterns, but cannot add, delete, or modify any of those items unless they are granted access permission to a particular resource instance. This security role assignment is not displayed on the console because every user has this fixed role assignment.
Create new patterns
Only a workload administrator with full permissions can assign this permission to users. Pattern creators can create both virtual system patterns and virtual application patterns. These users can also modify or delete any patterns that they create, or to which they have access. While users can view the list of catalog images, this permission does not authorize users to accept the licenses for the catalog images.
Create new environment profiles
Only a workload administrator with full permissions can make this assignment. With this permission, users create environment profiles to group related cloud topology settings for easy deployment of virtual system patterns. Environment profile creators can also modify or delete any profile that they create, or to which they have access.
Create new catalog content
Only a workload administrator with full permissions can make this assignment. With this permission, users can add objects to the system catalog. They can also modify or delete any catalog content that they create, or to which they have access. While users can view the list of catalog images, this permission does not authorize users to accept the licenses for the catalog images.
Use IBM License Metric Tool (ILMT)
Only a workload administrator with full permissions can make this assignment. IBM® License Metric Tool users do not gain any additional access in the system to create patterns, profiles, and so on. Instead, they can start tool-related REST API calls to manage product licensing. (Use the license tracking permission to designate users to run licensing scripts or agents while limiting those users' ability to perform administrative tasks on the system.)
Note: This user type applies only to IBM License Metric Tool 7.x, which is no longer supported.
Manage cloud group resources
Only a cloud group administrator who has been assigned full permissions and role delegation can make this assignment. With full permission, users can manage multiple cloud group resources, including cloud group instances, IP groups, virtual machines, virtual appliances, virtual machine groups, volumes, and volume groups. With access control at the resource level, users can manage only those resources to which they have access. Cloud group resource managers can modify or delete any cloud group resource that they create, or to which they have full access.

The level of access (read, write, all, or none) assigned to specific cloud group resources can be selected individually on the System > Users or System > User Groups pages in the console.

Manage hardware resources
Only a hardware administrator who has been assigned full permissions and role delegation can make this assignment. With full permission, users can manage multiple hardware resources, including compute nodes, storage devices, network devices, and virtual LANs. With access control at the resource level, users can manage only those resources to which they have access. Hardware resource managers can modify or delete any hardware resource that they create, or to which they have full access.

The level of access (read, write, all, or none) assigned to specific hardware resources can be selected individually on the System > Users or System > User Groups pages in the console.

The following table describes the visibility of console menus for each security sub-role. Note that the options that are visible in each menu depend on the access permissions that users are assigned at the resource level.

Table 2. Visibility of console menus for each security sub-role

Security sub-role | View Instances menu | View Patterns menu | View Catalog menu | View Reports menu | View Cloud menu | View System menu | View Auditing settings (System menu > Auditing)
Create new patterns | Yes [1] | Yes | Yes | No | Yes [2] | No | No
Create new environment profiles | Yes [1] | Yes | Yes | No | Yes [2] | No | No
Create new catalog content | Yes [1] | Yes | Yes | No | Yes [2] | No | No
IBM License Metric Tool (ILMT) user [3] | Yes [1] | Yes | Yes | No | Yes [2] | No | No
Manage cloud group resources | Yes [1] | Yes | Yes | Yes | Yes [2] | No | No
Manage hardware resources | Yes [1] | Yes | Yes | Yes | Yes [2] | No | No

[1] But not the Shared Services menu option.
[2] Only the Environmental Profiles menu option.
[3] This user type applies only to IBM License Metric Tool 7.x, which is no longer supported.

Access control with security roles

Not all users are authorized to grant or revoke security roles. To grant or revoke security roles, a user must have at least one full-permission administrative writer role from one of the six responsibility areas. Moreover, a user or group who has a full-permission administrative role also needs the delegation security role (Allow delegation when Full permission is selected). Again, this follows from the separation of duty and least privileged security principles: not every administrative user needs delegation authority. When full-permission administrative users are granted the delegation security role, they can grant and revoke security roles for themselves and for other users and groups. They can, however, grant or revoke only the security roles that they hold, not security roles that they do not hold. In other words, administrators can delegate or revoke their own authorization to and from others but cannot acquire any authorization that they did not begin with. A user can gain more privileges only if administrators grant their own privileges to the user.

Resource instance-based access control in PureApplication System

The product implements a resource instance-based access control framework for some resource types. Users must have the required security role to create instances of those resources. A user who creates a new resource instance is automatically granted full resource instance access permission to the newly-created resource instance. A user needs specific resource access permissions to view, or perform tasks with, instances of those resources. For example, users with Deploy patterns in the cloud permission can only deploy a particular pattern if they have been granted access to that pattern. Even pattern creators cannot modify a particular pattern unless they created that pattern, or have been granted access to that pattern by the creator. Resource instance access applies to the following types of resources:
  • Virtual system instances
  • Classic virtual system instances
  • Shared services instances
  • Patterns
  • Virtual Images
  • Script Packages
  • Emergency Fixes
  • Cloud groups
  • Environment profiles
Table 3 depicts the resource instance access permissions definitions in the system. The all or owner definition applies to both the creator of the resource instance and the administrator role of the corresponding responsibility area. This administrator role has full permissions and complete access to every instance of every resource belonging to that area of responsibility that is created in the product.

Workload resources access rights delegation

In general, users can grant other users and groups resource access permissions that they themselves have, such as read, write, and all (or full). However, users cannot grant permissions that they themselves do not have. Delegation of resource instance access control permissions is similar in principle to delegation of security roles. For example, users can delegate only privileges they have, but not privileges they do not have.

Console resource access rights delegation

Users who have at least one full permission role and also the delegation role can grant other users and user groups access to the security roles that they themselves have. In addition, users who have access rights to a particular resource, for example a hardware resource or a cloud group resource, can grant other users and user groups access to that resource. Users cannot grant permissions that they themselves do not have.

The System > Users and System > User Groups pages in the console are visible only to users who have one or more of the following roles and permissions:
  • Any system level administration role, including both read and write permissions
  • Any full permission role combined with the delegation role
  • Any resource level administration role
The System > Users and System > User Groups pages allow users to grant access control and permissions to other users and user groups. The following types of resources support access rights permissions:
  • Cloud groups
  • IP groups
  • Virtual machines
  • Virtual appliances
  • Virtual machine groups
  • Volumes
  • Volume groups
  • Compute nodes
  • Storage devices
  • Network devices
  • Virtual LANs
Granting or revoking resource access rights on the console requires one of the following roles or permissions:
  • A Security administration role, with either full or read-only permission.
  • Any full permission role combined with Allow delegation when Full permission is selected. Users can grant other users and user groups only the security roles that they themselves have.
  • Access permission to the resource that is being granted or revoked. Users can grant other users and user groups only the access rights that they themselves have.
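The precedence and delegation rules described in this section and in "Access control with security roles", as an added model that is not product code: the Principal and Resource classes, the role strings, and the decision functions are constructed for illustration, and the model assumes the read-only administration role confers view access on every instance in its area, as the page states for cloud group resources and virtual system patterns.

```python
"""Toy model of this page's access-control rules (added example, not product code).

Principal, Resource, the role strings and the decision functions are constructed for
illustration. Rules encoded: a full-permission system-level role covers every instance
in its area (system level takes precedence over instance level); a creator owns the
instance automatically; others hold Read, Write, All or None per instance; and nobody
can grant a role or access level they do not hold, with role delegation also requiring
a full-permission role plus the delegation role.
"""
from dataclasses import dataclass, field
from enum import IntEnum

class Access(IntEnum):
    """Resource instance access permissions (Table 3); higher implies lower."""
    NONE = 0   # not listed in the console at all
    READ = 1   # listed, details viewable
    WRITE = 2  # details viewable and modifiable
    ALL = 3    # view, modify and delete ("All (Full) or owner")

# System-level roles per responsibility area: (read-only role, full-permission role).
AREA_ROLES = {
    "cloud": ("View all cloud resources (Read-only)",
              "Manage cloud resources (Full permission)"),
    "workload": ("View all workload resources (Read-only)",
                 "Manage workload resources (Full permission)"),
}
DELEGATION = "Allow delegation when Full permission is selected"

@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)   # system-level roles held

@dataclass
class Resource:
    name: str
    area: str       # key of AREA_ROLES
    creator: str    # the creator is automatically granted full access
    acl: dict = field(default_factory=dict)   # principal name -> Access

def effective_access(p: Principal, r: Resource) -> Access:
    """Combine system-level roles with the instance ACL; system-level roles win."""
    read_role, full_role = AREA_ROLES[r.area]
    if full_role in p.roles:      # full administrator: complete access to every instance
        return Access.ALL
    instance = Access.ALL if r.creator == p.name else r.acl.get(p.name, Access.NONE)
    if read_role in p.roles:      # read-only administrator can at least view every instance
        return max(instance, Access.READ)
    return instance

def grant_access(grantor: Principal, grantee: Principal, r: Resource, level: Access) -> bool:
    """Resource rights delegation: only a level the grantor already holds on this instance."""
    if level == Access.NONE or effective_access(grantor, r) < level:
        return False
    r.acl[grantee.name] = level
    return True

def grant_role(grantor: Principal, grantee: Principal, role: str) -> bool:
    """Role delegation: a full-permission role plus DELEGATION, and only roles the grantor holds."""
    has_full = any(full in grantor.roles for _, full in AREA_ROLES.values())
    if not (has_full and DELEGATION in grantor.roles) or role not in grantor.roles:
        return False
    grantee.roles.add(role)
    return True

def demo() -> dict:
    """Walk through the scenarios the page describes; every decision should be True."""
    cloud_read, cloud_full = AREA_ROLES["cloud"]
    _, workload_full = AREA_ROLES["workload"]
    admin = Principal("admin", {cloud_full, DELEGATION})      # full cloud admin with delegation
    viewer = Principal("viewer", {cloud_read})                # read-only cloud admin
    owner = Principal("owner")                                # ordinary user (deployer role only)
    newcomer = Principal("newcomer")
    group = Resource("CloudGroupA", "cloud", creator="owner") # constructed sample resource
    return {
        "creator_is_owner": effective_access(owner, group) == Access.ALL,
        "read_only_admin_sees_every_instance": effective_access(viewer, group) == Access.READ,
        "full_admin_overrides_acl": effective_access(admin, group) == Access.ALL,
        "no_grant_means_not_even_listed": effective_access(newcomer, group) == Access.NONE,
        "read_only_admin_cannot_grant_write": not grant_access(viewer, newcomer, group, Access.WRITE),
        "owner_can_grant_write": grant_access(owner, newcomer, group, Access.WRITE),
        "grantee_has_write_not_all": effective_access(newcomer, group) == Access.WRITE,
        "no_delegation_role_no_role_grant": not grant_role(viewer, newcomer, cloud_read),
        "cannot_grant_role_not_held": not grant_role(admin, newcomer, workload_full),
        "can_grant_own_role": grant_role(admin, newcomer, cloud_full),
        "new_role_overrides_acl": effective_access(newcomer, group) == Access.ALL,
    }
```

Calling `demo()` returns a dictionary in which every check is True; a False entry would indicate that one of the stated rules is not being honoured by the model.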

Access rights definition

You can assign permissions for individual cloud group and hardware resources such as cloud groups, IP groups, storage devices, and compute nodes on the System > Users page in the console. For example, a user can be granted read access to some cloud group and hardware resources, and write access to other resources.
The following table provides details about each permission.
Table 3. Resource instance access permissions definitions

Access permission | Description
Read | You can see the resource listed in the console panels and are able to view the details for this resource.
Write | You can see the resource listed in the console panels and are able to view and modify the details for this resource.
All (Full) or owner | You can see the resource listed in the console panels and are able to view, modify, and delete the details for this resource.
None | If you are not assigned access to the resource, you cannot see the resource listed in the console panels. You cannot perform any action associated with the resource.

The following list summarizes the security roles or access rights required by different types of resources and resource instances.
DB2 fix packs, workload standards, shared services, and shared service instances
You must be assigned the full-permission Workload resources administration role to view and modify these resources.
Database instances
You must be the owner or be assigned the full-permission Workload resources administration role to view and modify these resources.
Virtual Application Instances
  • These resources can be created by any user.
  • You must have Read access or be assigned the full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Virtual Application Patterns and Database Patterns
  • You must have Create new patterns permission or be assigned the full-permission Workload resources administration role to create these resources.
  • You must have Read access or be assigned the full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Reusable Components and Virtual Application Templates
  • You must have Create new catalog content permission or be assigned the full-permission Workload resources administration role to create these resources.
  • You must have Read access or be assigned the full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Virtual System Instances
  • These resources can be created by any user.
  • You must have Read access or be assigned either the read-only or full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Virtual System Patterns
  • You must have Create new patterns permission or be assigned the full-permission Workload resources administration role to create these resources.
  • You must have Read access or be assigned either the read-only or full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Add-ons, Virtual Images, Emergency Fixes, and Script Packages
  • You must have Create new catalog content permission or be assigned the full-permission Workload resources administration role to create these resources.
  • You must have Read access or be assigned either the read-only or full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Environment Profiles
  • You must have Create new environment profiles permission or be assigned the full-permission Workload resources administration role to create these resources.
  • You must have Read access or be assigned either the read-only or full-permission Workload resources administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Workload resources administration role to have write permissions for these resources.
  • You must have All access or be assigned the full-permission Workload resources administration role to have all permissions for these resources.
Virtual machines, virtual appliances, cloud groups, and IP groups
  • You must have Read access or be assigned the read-only Cloud group administration role to have read or view permissions for these resources.
  • You must have Write access or be assigned the full-permission Cloud group administration role to have write permissions for these resources.
  • You must have Create access or be assigned the full-permission Cloud group administration role to have create permissions for these resources.
  • You must have Delete access or be assigned the full-permission Cloud group administration role to have delete permissions for these resources.