Managing locally defined user IDs

The user IDs and roles for accessing restricted functions of the software container-based services in the IBM Z® Resource Discovery Data Service (ZRDDS) are maintained in the Keycloak authentication server instance that is configured as part of these services. The user IDs and roles are defined in the Keycloak realm that is named IzoaKeycloak.

Before you begin

Communication between the Discovery Agent and the ZRDDS software container and between the ZRDDS software containers and the ServiceNow app requires authentication with a user ID and password. This user ID must be associated with a non-administrative user role defined in the IzoaKeycloak security realm.

A single non-administrative user ID named piuser is generated in the IzoaKeycloak during the installation process. If you wish to create a different non-administrative user ID instead, perform the following steps.

About this task

The IzoaKeycloak realm contains the following predefined user roles and user IDs for use with the IBM Z Resource Discovery functions:
Roles:
  • admin for the administrative user (not required for ZRDDS-specific flows)
  • user for the non-administrative user
User IDs:
  • piadmin (associated with the admin role)
  • piuser (associated with the user role)

The default password for each predefined user ID is changeme. Use the Keycloak administrative UI to change the default passwords and to establish password change policies that are compliant with the security requirements for your organization.

By default, every newly created user ID in the IzoaKeycloak realm is assigned to the user role.

For more information about how to manage users in the Keycloak Admin Console, see User management in the Keycloak documentation.

Procedure

To manage the user IDs, complete the following steps.

  1. Log in to the administrative console for the IzoaKeycloak security realm at https://hostname:gateway_port/secadmin.
    Provide the administrative username and password that were created during the initial setup. The default username is zoakcadmin, with the password changeme.
  2. In the Manage section, click Users to view the users in the realm.
  3. To add a user, edit a user, or unlock a user that is locked out due to failed login attempts, complete the following instructions, based on the action that you want to take.
    Add a user ID
      1. Click Add user. Enter the user name, and provide other information as appropriate.
      2. In the Required user actions field, specify the actions that the user must complete when the user ID logs in for the first time, for example: verify the email address, update the user profile, or update the password.
      3. To assign the user to a group (such as admin or basic_user), click Join Groups, select the checkbox for the relevant groups, and click Join.
      4. Click Create to create the user.
      5. Click Save to save the information about the user.
    Edit a user ID
      In the user list, click the user name that you want to edit, and update the resulting fields as appropriate.
    Unlock a user ID
      1. In the user list, click the user name that is locked out, and toggle the value of the Temporarily locked field to Off.
      2. To unlock users that are temporarily suspended, click Unlock users.
    Tip: Based on the initial lockout settings, a user is locked out in either of the following situations:
    • After three failed login attempts
    • After any two failed login attempts that occur less than 1 second apart

    To change these lockout settings, the Keycloak administrator can go to Realm Settings > Brute Force Detection, and update the settings in the resulting window.
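The same add, edit and unlock operations can be scripted against the Keycloak Admin REST API, which is useful when many service user IDs must be created consistently (non-administrative, temporary initial password, required first-login actions) or when a locked-out Discovery Agent account must be unlocked from an automation job. The following is an added example written for this page; it is not IBM's or Keycloak's own code. It assumes that the standard Keycloak REST paths are reachable at the gateway base URL (the page only documents the /secadmin console path), that the zoakcadmin account lives in the master realm, and the user names, group name and e-mail address are constructed samples. Only `send()` touches the network; the request builders are pure so the payloads can be inspected before anything is sent.

```python
"""Helpers for managing IzoaKeycloak user IDs through the Keycloak Admin REST API.

Added example, not code from the ZRDDS or Keycloak projects. Assumptions:
KEYCLOAK_BASE is where the Keycloak REST endpoints are exposed behind the
gateway (placeholder below), the admin account is in the master realm, and all
user, group and e-mail values are constructed samples.
"""
import json
import urllib.request
from urllib.parse import urlencode, quote

KEYCLOAK_BASE = "https://hostname:gateway_port"   # placeholder from the page
REALM = "IzoaKeycloak"                            # realm named on the page
ADMIN_REALM = "master"                            # assumption
# Keycloak required-action identifiers matching the page's three examples.
REQUIRED_ACTIONS = {"VERIFY_EMAIL", "UPDATE_PROFILE", "UPDATE_PASSWORD"}


def token_request(admin_user, admin_password):
    """Password-grant request for an admin token via the built-in admin-cli client."""
    form = {"grant_type": "password", "client_id": "admin-cli",
            "username": admin_user, "password": admin_password}
    return ("POST", f"/realms/{ADMIN_REALM}/protocol/openid-connect/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)


def create_user_request(username, email, initial_password, required_actions, groups=()):
    """POST /users with a UserRepresentation: enabled user, one-time password that
    must be changed at first login, required actions, and group membership by path."""
    unknown = set(required_actions) - REQUIRED_ACTIONS
    if unknown:
        raise ValueError(f"unsupported required actions: {sorted(unknown)}")
    representation = {
        "username": username,
        "email": email,
        "enabled": True,
        "emailVerified": False,
        "requiredActions": sorted(set(required_actions)),
        # temporary=True makes Keycloak force a password change at first login
        "credentials": [{"type": "password", "value": initial_password, "temporary": True}],
        "groups": [f"/{g}" for g in groups],      # group paths such as "/basic_user"
    }
    return ("POST", f"/admin/realms/{REALM}/users",
            {"Content-Type": "application/json"}, representation)


def user_id_from_location(location_header):
    """Keycloak answers a successful create with 201 and a Location ending in /users/{id}."""
    return location_header.rstrip("/").rsplit("/", 1)[-1]


def lockout_status_request(user_id):
    """GET brute-force status: the response carries 'disabled' and 'numFailures'."""
    return ("GET", f"/admin/realms/{REALM}/attack-detection/brute-force/users/{quote(user_id)}",
            {}, None)


def is_locked_out(status):
    """True when brute-force detection currently blocks the user (the UI's 'Temporarily locked')."""
    return bool(status.get("disabled", False))


def unlock_user_request(user_id):
    """DELETE the brute-force record for one user, which clears a temporary lockout."""
    return ("DELETE", f"/admin/realms/{REALM}/attack-detection/brute-force/users/{quote(user_id)}",
            {}, None)


def send(request, token=None, opener=urllib.request.build_opener()):
    """Execute a built request; returns (status, headers, parsed JSON or None)."""
    method, path, headers, body = request
    data = None
    if body is not None:
        ctype = headers.get("Content-Type", "")
        data = (urlencode(body) if "form-urlencoded" in ctype else json.dumps(body)).encode()
    req = urllib.request.Request(KEYCLOAK_BASE + path, data=data, method=method, headers=headers)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with opener.open(req) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Full flow (requires a reachable Keycloak): obtain token, create a
    # non-administrative service user, then check and clear any lockout.
    _, _, tok = send(token_request("zoakcadmin", "REPLACE_ME"))
    _, hdrs, _ = send(create_user_request("svc_discovery", "svc@example.invalid", "OneTime!",
                                          ["UPDATE_PASSWORD", "VERIFY_EMAIL"], ["basic_user"]),
                      token=tok["access_token"])
    uid = user_id_from_location(hdrs["Location"])
    _, _, status = send(lockout_status_request(uid), token=tok["access_token"])
    if is_locked_out(status):
        send(unlock_user_request(uid), token=tok["access_token"])
```

Because new users in this realm inherit the user role by default, the script never touches role mappings; it only sets the group membership the procedure describes. Pass the initial password with `temporary` set, as above, so the changeme-style default never survives the first login, and keep the admin credential used for the token outside the script.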