PowerHA SystemMirror federated security

To successfully implement PowerHA® SystemMirror® federated security, you must use role-based access control (RBAC) and Encrypted File System (EFS) with PowerHA SystemMirror, using Lightweight Directory Access Protocol (LDAP) as a centralized information base for clusters.

Note: The PowerHA SystemMirror federated security features are available in PowerHA SystemMirror Version 7.2.4, and later.
With federated security, you can complete the following tasks:
  • Configure and manage an IBM® or non-IBM LDAP server as a centralized information base.
  • Configure and manage a peer-to-peer IBM LDAP server.
  • Configure and manage the LDAP client for all the nodes of the cluster.
  • Create and manage a highly available EFS file system.
  • Create and manage Role Based Access Control (RBAC) roles for users and groups. You can use the following roles to control which commands can be run by different sets of users of PowerHA SystemMirror.
    • ha_admin (for administrator): A user with this role is a PowerHA SystemMirror administrator, who can perform all PowerHA SystemMirror operations, such as configuring clusters, verifying and synchronizing clusters, and starting and stopping cluster services.
    • ha_op (for operations): A user with the ha_op role can perform all PowerHA SystemMirror operations except configuration changes. The permitted operations include starting and stopping cluster services, resource group movements, and verification.
    • ha_mon (for viewer): A user with the ha_mon role can perform only querying and listing related operations.
    • ha_view (for monitor): A user with the ha_view role cannot perform any PowerHA SystemMirror related operations. The user can only view the PowerHA SystemMirror log files.
    Notes:
    • In PowerHA SystemMirror Version 7.2.4 or later, a user must belong to the ldapha group to use PowerHA SystemMirror commands.
    • If RBAC is enabled for the PowerHA SystemMirror cluster, you must remove the LDAP server and client configuration from PowerHA SystemMirror before you migrate PowerHA SystemMirror to a later version. You must configure the LDAP server and client after completing the migration operation.
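
The following audit sketch is an added example, not IBM or PowerHA SystemMirror code. It reports the broadest ha_* role each user holds and flags users who hold a role but are not in the ldapha group, which the note above requires for using PowerHA SystemMirror commands. The input line shape (as produced by `lsuser -a roles groups ALL`), the function names, and the sample users are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Input: lines shaped like AIX `lsuser -a roles groups ALL`
# output, "name roles=r1,r2 groups=g1,g2" (line shape assumed here).

# Rank the page's four roles from broadest to narrowest, per its descriptions.
broadest_ha_role() {
    for want in ha_admin ha_op ha_mon ha_view; do
        case ",$1," in *",$want,"*) echo "$want"; return 0 ;; esac
    done
    return 1   # user holds no ha_* role
}

# Print one line per user that holds an ha_* role:
#   <user> role=<broadest> ldapha=<yes|no> <OK|MISSING_LDAPHA>
audit_ha_roles() {
    while read -r user rest; do
        [ -n "$user" ] || continue
        roles='' groups=''
        for kv in $rest; do
            case $kv in
                roles=*)  roles=${kv#roles=} ;;
                groups=*) groups=${kv#groups=} ;;
            esac
        done
        role=$(broadest_ha_role "$roles") || continue
        case ",$groups," in
            *,ldapha,*) echo "$user role=$role ldapha=yes OK" ;;
            *)          echo "$user role=$role ldapha=no MISSING_LDAPHA" ;;
        esac
    done
}

# Constructed sample data, not output from a real cluster.
sample_lsuser() {
    cat <<'EOF'
alice roles=ha_admin groups=staff,ldapha
bob roles=ha_op,ha_view groups=staff
carol roles= groups=staff,ldapha
dave roles=ha_mon groups=ldapha
EOF
}

sample_lsuser | audit_ha_roles
```

On a cluster node, pipe the real `lsuser` output into `audit_ha_roles` in place of the sample function; the list of ha_admin holders it prints is the set to review for least privilege.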