Adding users and assigning roles

You can create users in the PowerHA® SystemMirror® graphical user interface (GUI) and use the Role-Based Access Control (RBAC) system to assign elevated privileges to the users.

Defining users

In PowerHA SystemMirror GUI, you can create and manage users by clicking Actions > Users.
Note: Users that are defined in the PowerHA SystemMirror GUI map to user accounts on the host that runs the PowerHA SystemMirror GUI server. The login ID of a PowerHA SystemMirror GUI user must match a login ID on the PowerHA SystemMirror GUI server host; a user that is defined in the PowerHA SystemMirror GUI but has no matching login ID on the PowerHA SystemMirror GUI server host cannot log in to the PowerHA SystemMirror GUI.

After you define users, you can restrict their access to the clusters that are managed within the PowerHA SystemMirror GUI by using cluster zones. Cluster zones provide a method to limit the scope of a user and can be used to implement multi-tenancy. For more information about cluster zones, see Cluster zones.

By default, every user that is defined on the PowerHA SystemMirror GUI server host can log in to the PowerHA SystemMirror GUI and is automatically assigned the monitor role, ha_mon. The ha_mon role is view-only, but it can see any cluster that is not assigned to a zone, so a host account that was never added to the GUI still gets read access to unassigned clusters. To prevent specific users from logging in to the PowerHA SystemMirror GUI, change the configuration file of the PowerHA SystemMirror GUI server. Elevated privileges and capabilities can be assigned only to users that are explicitly defined in the PowerHA SystemMirror GUI, by using the predefined roles.

Role-based access control

In PowerHA SystemMirror 7.2.2 or later, the PowerHA SystemMirror GUI has a built-in Role-Based Access Control (RBAC) system that is independent of the AIX operating system RBAC system and is managed from within the GUI.

Roles

The permission system of the GUI is based on roles. Permissions are allocated to a role and then the role is allocated to one or more users. A user with no role is assigned a default role with view-only monitoring capabilities.

The PowerHA GUI provides the following predefined roles:
ha_root
Users with this role can access every zone that is defined in the GUI without any restrictions. This role is equivalent to root access. When you log in as the root user, you are granted ha_root permissions.
Note: This role can be used while setting up the GUI, which includes setting up user access and creating zones (if zones will be used).
ha_admin
In this role, you are an administrator and can perform all actions except defining users and zones.
ha_op
The ha_op, or operator, role can access only a subset of cluster management capabilities such as starting and stopping cluster services, starting and stopping resource groups, moving resource groups to another node, creating snapshots, and performing cluster verification.
ha_mon
The ha_mon, or monitor, role is the default role that is assigned automatically to a user that logs in to the GUI as a non-root user without being added to the GUI’s user list.
Note: In this role, you cannot perform any actions on a cluster and you have view-only access. Users that log in without a user account created for them in the GUI are not granted access to any zone; they can see only unassigned clusters (clusters that are not assigned to any zone).

All non-ha_root users can access only the zones that an ha_root user has assigned to them. They can also access clusters that are not assigned to any zone.

Note: Custom roles can be defined when none of the pre-defined roles are suitable for your needs.
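The login, role and zone rules above interact: the host login must exist, blocked logins are refused, root maps to ha_root, unlisted host users fall back to ha_mon, and every non-ha_root user sees their assigned zones plus any cluster that was never put in a zone. The following Python model is an added illustration of those rules for planning a deployment; it is not PowerHA code, and the names GuiUser, Cluster, Session, resolve_session, visible_clusters, can_perform, the action strings, the "configure_cluster" action and the custom role "snapshot_only" are assumptions made for the model. The sample users and clusters are constructed.

```python
"""Model of the PowerHA SystemMirror GUI role and zone rules described above.

Added illustration only; nothing here is PowerHA code. Class, function and
action names, and the custom role "snapshot_only", are assumed for the model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Actions the page lists for the operator (ha_op) role.
OPERATOR_ACTIONS: Set[str] = {
    "start_cluster_services", "stop_cluster_services",
    "start_resource_group", "stop_resource_group", "move_resource_group",
    "create_snapshot", "verify_cluster",
}
# Only ha_root may define users and zones; ha_admin gets everything else.
ROOT_ONLY_ACTIONS: Set[str] = {"define_users", "define_zones"}
ALL_ACTIONS: Set[str] = OPERATOR_ACTIONS | ROOT_ONLY_ACTIONS | {"configure_cluster"}

# Predefined roles; custom roles are added to this table by the caller.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "ha_root": set(ALL_ACTIONS),
    "ha_admin": ALL_ACTIONS - ROOT_ONLY_ACTIONS,
    "ha_op": set(OPERATOR_ACTIONS),
    "ha_mon": set(),                  # monitor: view only, no actions
}


@dataclass(frozen=True)
class Cluster:
    name: str
    zone: Optional[str]               # None: not assigned to any zone


@dataclass(frozen=True)
class GuiUser:
    login: str                        # must equal a login ID on the GUI server host
    role: str
    zones: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Session:
    login: str
    role: str
    zones: FrozenSet[str]
    unrestricted: bool                # ha_root: every zone, no restriction


def resolve_session(login: str, host_logins: Set[str],
                    gui_users: Dict[str, GuiUser],
                    blocked_logins: Set[str] = frozenset()) -> Optional[Session]:
    """Login rules: the ID must exist on the GUI server host and not be blocked
    in the server configuration; root gets ha_root; a host login that is not
    in the GUI user list gets ha_mon with no zones; a listed user gets its
    configured role and zones. Returns None when the login is refused."""
    if login not in host_logins or login in blocked_logins:
        return None
    if login == "root":
        return Session(login, "ha_root", frozenset(), True)
    user = gui_users.get(login)
    if user is None:
        return Session(login, "ha_mon", frozenset(), False)
    return Session(login, user.role, user.zones, user.role == "ha_root")


def visible_clusters(session: Session, clusters: List[Cluster]) -> List[Cluster]:
    """ha_root sees everything; everyone else sees the clusters in their
    assigned zones plus every cluster that is not assigned to a zone."""
    if session.unrestricted:
        return list(clusters)
    return [c for c in clusters if c.zone is None or c.zone in session.zones]


def can_perform(session: Session, action: str,
                cluster: Optional[Cluster], clusters: List[Cluster]) -> bool:
    """Allowed only if the role grants the action and, for a cluster-scoped
    action, the cluster is visible to the session. cluster=None is used for
    user and zone administration, which is not scoped to a cluster."""
    if action not in ROLE_ACTIONS.get(session.role, set()):
        return False
    if cluster is None:
        return True
    return cluster in visible_clusters(session, clusters)


# Constructed sample data: "frank" exists on the host but was never added to
# the GUI, "dave" is denied in the server configuration, "erin" has no host login.
HOST_LOGINS = {"root", "alice", "bob", "carol", "dave", "frank"}
BLOCKED_LOGINS = {"dave"}
ROLE_ACTIONS["snapshot_only"] = {"create_snapshot"}   # custom role (assumed)
GUI_USERS = {
    "alice": GuiUser("alice", "ha_admin", frozenset({"tenant-a"})),
    "bob":   GuiUser("bob", "ha_op", frozenset({"tenant-b"})),
    "carol": GuiUser("carol", "snapshot_only", frozenset({"tenant-a"})),
}
CLUSTERS = [
    Cluster("clA1", "tenant-a"),
    Cluster("clB1", "tenant-b"),
    Cluster("clX", None),             # never zoned: visible to every login
]


def demo() -> Dict[str, Optional[List[str]]]:
    """Cluster names each sample login can see; None if the login is refused."""
    out: Dict[str, Optional[List[str]]] = {}
    for login in ("root", "alice", "bob", "carol", "frank", "dave", "erin"):
        s = resolve_session(login, HOST_LOGINS, GUI_USERS, BLOCKED_LOGINS)
        out[login] = None if s is None else [c.name for c in visible_clusters(s, CLUSTERS)]
    return out


if __name__ == "__main__":
    for login, names in demo().items():
        print(f"{login:6} -> {names}")
```

Running it shows the point of the caveat earlier in this topic: frank, who was never defined in the GUI, still sees clX because it was never assigned to a zone, so in a multi-tenant setup every cluster should be placed in a zone and unwanted host logins denied in the server configuration.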