Users

Before the user interface or tasks can be accessed, either remotely or locally, the HMC must first authenticate a user. Authentication is accomplished by logging on the HMC with a user ID and password. Multiple users can access the HMC at the same time. Also, a single user can have multiple logon sessions active at the same time. Each user has unique saved sessions on disconnect.

A user object defines the user name (user ID), the user's authentication, and the roles that determine access permission. Beginning with IBM z16™, the HMC includes only 2 default users (ENSADMIN and ENSOPERATOR were added in HMC version 2.11.0). These system-defined users align with a set of traditional user classifications for the HMC. The default user IDs and their classifications are as follows:

Table 1. System default users

User ID       Classification
ACSADMIN      Access administrator
ADVANCED      Advanced operator (2.15.0 and earlier)
OPERATOR      Basic operator (2.15.0 and earlier)
SERVICE       Service representative
STORAGEADMIN  Storage administrator (2.15.0 and earlier)
SYSPROG       System programmer (2.15.0 and earlier)
ENSOPERATOR   Ensemble operator (2.14.1 and earlier)
ENSADMIN      Ensemble administrator (2.14.1 and earlier)

These default users are provided to illustrate how different users allow for the operational control of the system resources by operations, administrative, and service representatives with various levels of expertise and needs. You cannot modify which roles are assigned to the system defined default users, nor can you modify the system default roles. You can make your own copies based on the system defaults.

For the HMC to be secure, you must remove these default user IDs from the HMC, disable the user IDs, or at a minimum, change their passwords. Before you remove the default users, copy the user definition and modify it according to your company requirements.

In addition, for auditing purposes, it is important that all HMC users have their own user IDs. In other words, to provide a more secure HMC, user IDs for the HMC must not be shared among multiple people.

Creating custom users and roles lets you restrict each user to exactly the objects and tasks that user requires. Custom users also provide more granularity in the audit logs: you know exactly who performed a specific action. The system administrator can use the User Management task (or the User Profiles task in HMC version 2.12.1 or earlier) to manage the users for the HMC. In addition to the expected functions of adding, removing, and altering users, this task also controls various aspects of the user. The user definition is specified through the following settings:
  • The authentication method for the user: Local or Lightweight Directory Access Protocol (LDAP)
  • The password rule for a local authentication user
  • The password for a local authentication user
  • The LDAP server for an LDAP authentication user
  • The roles that are associated with the user, which define permission to tasks, types of objects or specific objects, groups, and task lists
  • The ability to temporarily disable a user
  • The ability to force a password to be changed at the next login
  • A user's ability to remotely access the HMC
  • A user's ability to access the Web Services management interfaces
  • A user's multi-factor authentication requirements
  • The number of incorrect login attempts allowed before temporarily disabling the user ID and the amount of time the user ID is disabled
  • Whether a user is disabled due to lack of activity (for example, not used for login) and the amount of time that triggers this consequence
  • Various timeouts for the user, such as:
    • The minimal time between password changes
    • The time period before the user is automatically disconnected due to inactivity
    • The time period before the user is forced to verify the login session by specifying the correct password
    • The time period before the user is automatically disconnected due to the correct password not being used for verification.

Many settings can be adjusted for users; this granularity is important because user authentication is one of the most important aspects of HMC security. Beginning with version 2.15.0, HMC users can also be used to log on to the Support Element (SE) managed by that HMC.
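As an added example (not IBM code, and not the HMC's own export format), the following script audits a constructed inventory of user definitions against the guidance in this section: default user IDs from Table 1 that are still enabled, lockout and inactivity settings left off, and remote-capable users without multi-factor authentication. The record field names and the policy threshold are assumptions for illustration.

```python
# Audit a constructed HMC user inventory against the hardening guidance above.
# Field names and the lockout threshold are assumptions, not HMC export format.

# Table 1 default user IDs: remove, disable, or at minimum change the password.
DEFAULT_USER_IDS = {"ACSADMIN", "ADVANCED", "OPERATOR", "SERVICE",
                    "STORAGEADMIN", "SYSPROG", "ENSOPERATOR", "ENSADMIN"}

# Assumed local policy threshold (not an HMC default).
MAX_FAILED_LOGINS = 5   # lockout must be on and no looser than this

def audit_user(u):
    """Return a list of (user_id, issue) findings for one user record."""
    uid = u["user_id"]
    findings = []
    if uid in DEFAULT_USER_IDS and not u.get("disabled", False):
        findings.append((uid, "system default user still enabled"))
    attempts = u.get("failed_login_limit", 0)   # 0 means lockout is off
    if attempts == 0 or attempts > MAX_FAILED_LOGINS:
        findings.append((uid, "failed-login lockout off or too permissive"))
    if not u.get("disable_after_inactive_days"):
        findings.append((uid, "no inactivity-based disable configured"))
    if u.get("remote_access") and not u.get("mfa_required"):
        findings.append((uid, "remote access allowed without MFA"))
    if u.get("auth") == "local" and not u.get("password_rule"):
        findings.append((uid, "local user has no password rule"))
    return findings

def audit_users(users):
    """Flatten findings for every record in the inventory."""
    return [f for u in users for f in audit_user(u)]

# Constructed sample inventory (not real HMC data).
SAMPLE_USERS = [
    {"user_id": "ACSADMIN", "auth": "local", "disabled": False,
     "failed_login_limit": 3, "disable_after_inactive_days": 90,
     "remote_access": False, "mfa_required": False, "password_rule": "Strict"},
    {"user_id": "SERVICE", "auth": "local", "disabled": True,
     "failed_login_limit": 3, "disable_after_inactive_days": 90,
     "remote_access": False, "mfa_required": False, "password_rule": "Strict"},
    {"user_id": "JSMITH", "auth": "ldap", "disabled": False,
     "failed_login_limit": 0, "disable_after_inactive_days": 0,
     "remote_access": True, "mfa_required": False},
]

if __name__ == "__main__":
    for uid, issue in audit_users(SAMPLE_USERS):
        print(f"{uid}: {issue}")
```

Running it on the sample flags the still-enabled ACSADMIN default user and three issues for JSMITH (no lockout, no inactivity disable, remote access without MFA), while the disabled SERVICE user produces no findings.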