Managing users
As an administrator, you are responsible for determining and implementing the best approach for authenticating and managing IBM® Cloud Pak for Data users.
Best practices
By default, Cloud Pak for Data user records are stored in an internal repository database. However, IBM advises that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider for password management.
You can use SAML SSO and LDAP together or individually.
- SAML SSO
- If you plan to use SAML for single sign-on (SSO), it is strongly recommended that you complete Configuring single sign-on before you add users.
If you add users before you configure SSO, you will need to re-add the users with their SAML ID to enable them to use SSO.
- LDAP
- You can use an enterprise-grade LDAP provider for password management.
For details, see Connecting to your LDAP server.
Ensure that you grant Cloud Pak for Data administrator privileges to a user in your LDAP server.
After you grant an LDAP user administrator privileges, you can further secure your Cloud Pak for Data system by disabling the default admin user. For details, see Disabling the default admin user.
- SAML SSO and LDAP
- If you want to use both SAML SSO and LDAP, you must ensure that both configurations use the same attribute to identify users:
- SAML SSO configuration: fieldToAuthenticate
- LDAP: User search field
User management
A Cloud Pak for Data administrator can manage the permissions that users and groups have on the platform. However, users might have additional permissions in services, catalogs, and projects. For example, a user could be a project administrator and be an editor on the Connections catalog.
A user can have multiple roles. The roles can be assigned directly to a user or can be assigned to the user through a user group. If a user has multiple roles, the user has all of the permissions from all of the roles that are assigned to them.
If you update a user's role or their group membership and the user is logged in, the user must log out and log back in for the changes to take effect. If the user does not log out, their session will be refreshed after the TOKEN_EXPIRY_TIME is reached. For details, see Setting the idle session timeout.
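As an added example (not part of the IBM documentation), the following Python model shows how the role rules above combine: a user's permissions are the union across directly assigned and group-assigned roles, and a login session keeps the permissions it was issued with until the token expiry is reached. The role names, permissions, groups and the expiry value are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed sample role and group definitions (not the platform's real role catalog).
ROLE_PERMISSIONS = {
    "Administrator": {"administer_platform", "manage_users", "create_project"},
    "Data Engineer": {"create_project", "manage_connections"},
    "Viewer": {"view_catalog"},
}
GROUP_ROLES = {
    "data-team": {"Data Engineer"},
    "auditors": {"Viewer"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # roles assigned directly to the user
    groups: set = field(default_factory=set)  # user groups the user belongs to

def effective_roles(user):
    """Direct roles plus every role granted through group membership."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def effective_permissions(user):
    """Union of the permissions of all effective roles (no role can subtract a permission)."""
    perms = set()
    for role in effective_roles(user):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

@dataclass
class Session:
    """A login session that snapshots permissions at issue time."""
    permissions: frozenset
    issued_at: int  # seconds since an arbitrary epoch (constructed clock)
    expiry: int     # seconds; stands in for TOKEN_EXPIRY_TIME

def login(user, now, expiry):
    return Session(frozenset(effective_permissions(user)), now, expiry)

def session_permissions(session, user, now):
    """Permissions the session carries: the login-time snapshot until expiry, then a refresh."""
    if now - session.issued_at < session.expiry:
        return set(session.permissions)
    return effective_permissions(user)
```

A role or group change made while the user is logged in shows up only after the snapshot is refreshed, which is why the text tells the user to log out and back in.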
- Do you want to use an LDAP server to manage users' passwords or to manage users' passwords and access to the platform?
- Do you want to use user groups to manage users with similar access requirements?
- Do you want to be able to add all of the users in an LDAP group to a user group?
- Do the default roles meet your business requirements?
Jump to the appropriate topic for more information: