IBM Performance Management

Managing user access

Use the Role Based Access Control feature in IBM® Performance Management to grant users the access privileges they require for their role.

Security in Performance Management is based on roles. A role is a group of permissions that control the actions you can perform in Performance Management. You can create customized roles in Performance Management. You can assign permissions to customized roles, or you can assign more permissions to existing default roles. You can assign users and user groups to existing default roles or to customized roles. You can assign users and user groups to multiple roles. Permissions are cumulative: a user or user group receives all the permissions of every role it is assigned to.

Performance Management uses the WebSphere® Application Server Liberty profile basic registry as the default method for user authentication. Alternatively, you can use an LDAP registry for user authentication.

If you are not a member of a role and you attempt to log in to Performance Management, you receive a Not Authorized message.

In Performance Management, the default user is apmadmin. The apmadmin user is by default a member of the Role Administrator role.

User authentication with WebSphere Application Server Liberty profile basic registry

Complete the following steps if you are using WebSphere Application Server Liberty profile basic registry for user authentication:
  1. Create users and user groups in the basic user registry. The basicRegistry.xml file is available in the /opt/ibm/wlp/usr/shared/config directory. The basicRegistry.xml file has an id attribute and a name attribute for each user entry. Performance Management only uses the value of the name attribute. It is recommended that you set both attributes to the same value to avoid confusion. For more information on configuring basic user registry with Liberty profile, see http://www-01.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_basic_registry.html
  2. In Performance Management, use the Role Based Access Control page to assign users and user groups to default and customized roles. For more information on working with roles, see Roles and Permissions.
    Note: If you experience issues with adding users to groups not taking effect, restart the OIDC server using the apm restart oidc command. For more information on starting services, see Starting, stopping, and checking the status of server components.
Note: With the Liberty profile basic registry, the default user is apmadmin. By default, this user is a member of the Role Administrator role.
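
Because Performance Management reads only the name attribute, an entry whose id differs from its name, or a group member that names no defined user, can leave a role assignment pointing at the wrong identity. The following check is an added example, not part of the IBM documentation or product; the function name audit_registry, the finding labels, and the sample registry are constructed for illustration, and the element layout assumed is the Liberty basicRegistry one (user, group, member).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the Liberty basicRegistry layout (not from a real system).
SAMPLE = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user id="apmadmin" name="apmadmin" password="PLACEHOLDER"/>
    <user id="u1001" name="jsmith" password="PLACEHOLDER"/>
    <group id="operators" name="operators">
      <member id="jsmith" name="jsmith"/>
      <member id="u1002" name="mjones"/>
    </group>
  </basicRegistry>
</server>"""


def audit_registry(xml_text):
    """Return (finding, name) tuples for one basicRegistry document."""
    findings = []
    for registry in ET.fromstring(xml_text).iter("basicRegistry"):
        users = registry.findall("user")
        members = [m for g in registry.findall("group") for m in g.findall("member")]
        # Only the name attribute identifies a user to Performance Management.
        known = {u.get("name") for u in users if u.get("name")}
        for entry in users + members:
            name, entry_id = entry.get("name"), entry.get("id")
            if not name:
                findings.append(("missing-name", entry_id))
            elif entry_id is not None and entry_id != name:
                # id and name disagree: the page recommends keeping them equal.
                findings.append(("id-name-mismatch", name))
        for member in members:
            # A member that matches no user name grants group access to nobody defined here.
            if member.get("name") and member.get("name") not in known:
                findings.append(("unknown-member", member.get("name")))
    return findings


if __name__ == "__main__":
    # Pass the path to basicRegistry.xml as the first argument; with no argument the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for finding, name in audit_registry(text):
        print(f"{finding}: {name}")
```

Run it against a copy of basicRegistry.xml before assigning roles on the Role Based Access Control page; an empty result means every entry's id matches its name and every group member resolves to a defined user.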

User authentication with LDAP registry

  1. Configure Performance Management to integrate with your LDAP repository. For more information, see Updating the LDAP registry file.
  2. Create users and user groups in your LDAP repository. For more information on configuring an LDAP registry with Liberty profile, see Configuring LDAP user registries with the Liberty profile in the Liberty Profile IBM Knowledge Center.
  3. Change the default user to an LDAP user. For more information, see Changing the default apmadmin user.
  4. In Performance Management, use the Role Based Access Control page to assign users and user groups to default and customized roles. For more information on working with roles, see Roles and Permissions.
