Managing users

As an administrator, you are responsible for determining and implementing the best approach for authenticating and managing IBM® Cloud Pak for Data users.

Best practices

By default, Cloud Pak for Data user records are stored in an internal repository database. However, IBM advises that you use an enterprise-grade solution, such as SAML SSO or an LDAP provider, for authentication and password management rather than relying on the internal repository.

You can use SAML SSO and LDAP together or individually.

SAML SSO
If you plan to use SAML for single sign-on (SSO), it is strongly recommended that you complete Configuring single sign-on before you add users.

If you add users before you configure SSO, you will need to re-add the users with their SAML ID to enable them to use SSO.

LDAP
You can use an enterprise-grade LDAP provider for password management.

For details, see Connecting to your LDAP server.

Ensure that you grant Cloud Pak for Data administrator privileges to a user in your LDAP server.

After you grant an LDAP user administrator privileges, you can further secure your Cloud Pak for Data system by disabling the default admin user. For details, see Disabling the default admin user.

SAML SSO and LDAP
If you want to use both SAML SSO and LDAP, you must ensure that both configurations use the same attribute to identify users:
  • SAML SSO configuration: fieldToAuthenticate
  • LDAP: User search field
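The requirement above is easy to get wrong when the identity provider releases several attributes (for example both an email address and a short user ID) and the LDAP search field picks a different one. The following added example, which is not part of the Cloud Pak for Data product or its documentation, shows a pre-flight check you can run before enabling both: it extracts the attribute named by fieldToAuthenticate from a SAML assertion and confirms that the same value resolves to exactly one LDAP entry through the configured User search field. The assertion XML, the LDAP entries and the attribute names (email, uid, mail) are constructed test data and are assumptions, not values taken from the page.

```python
"""Pre-flight check: does the SAML fieldToAuthenticate value resolve to exactly
one LDAP entry via the LDAP 'User search field'?

Added example, not Cloud Pak for Data code. The assertion fragment and the
LDAP entries are constructed test data; attribute names are assumptions.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion fragment: the IdP releases both 'email' and 'uid'.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed LDAP entries, in the shape a directory search would return them.
LDAP_ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "uid": "jdoe", "mail": "jdoe@example.com"},
    {"dn": "uid=asmith,ou=people,dc=example,dc=com", "uid": "asmith", "mail": "asmith@example.com"},
]


def saml_attribute(assertion_xml, field_to_authenticate):
    """Return the value of the SAML attribute named by fieldToAuthenticate, or None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == field_to_authenticate:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def ldap_lookup(entries, search_field, value):
    """Entries whose search_field equals value (LDAP matching is case-insensitive)."""
    return [e for e in entries if e.get(search_field, "").lower() == value.lower()]


def check_identity_mapping(assertion_xml, field_to_authenticate, ldap_search_field,
                           entries=LDAP_ENTRIES):
    """Return (ok, detail). ok is True only when the SAML identifying value
    resolves to exactly one LDAP entry through the configured search field."""
    value = saml_attribute(assertion_xml, field_to_authenticate)
    if value is None:
        return False, f"assertion carries no attribute {field_to_authenticate!r}"
    matches = ldap_lookup(entries, ldap_search_field, value)
    if len(matches) == 1:
        return True, matches[0]["dn"]
    if not matches:
        return False, (f"{field_to_authenticate}={value!r} matches no LDAP entry on "
                       f"{ldap_search_field!r}; the two configurations identify users differently")
    return False, f"{value!r} is ambiguous: {len(matches)} LDAP entries match on {ldap_search_field!r}"


if __name__ == "__main__":
    # Consistent: SAML 'email' and LDAP 'mail' carry the same identifying value.
    print(check_identity_mapping(SAML_ASSERTION, "email", "mail"))
    # Inconsistent: SAML sends the email address but LDAP searches on uid.
    print(check_identity_mapping(SAML_ASSERTION, "email", "uid"))
```

Note that the check compares values, not attribute names: a SAML attribute called email and an LDAP attribute called mail are consistent as long as they carry the same identifier for each user, while email against uid is not, even though both are valid attributes on their own side.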

User management

A Cloud Pak for Data administrator can manage the permissions that users and groups have on the platform. However, users might have additional permissions in services, catalogs, and projects. For example, a user could be a project administrator and be an editor on the Connections catalog.

A user can have multiple roles. The roles can be assigned directly to a user or can be assigned to the user through a user group. If a user has multiple roles, the user has all of the permissions from all of the roles that are assigned to them.

Tip: You can see all of the roles (and permissions) that a user has from the user's profile page, which you can access from the User management > Users page.
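Because permissions are the union of every role a user holds, directly or through a group, an access review has to look at both paths: a user with an unprivileged direct role can still hold administrator permissions through group membership. The following added example, which is not Cloud Pak for Data code, computes effective permissions the way the paragraph above describes and flags users whose privileged permission arrives only through a group, so that the reviewer knows the group membership, not the direct role assignment, is what has to change. The role, permission, user and group names are constructed for illustration and are not the platform's actual role definitions.

```python
"""Effective permissions = union of permissions from direct roles and from
roles inherited via group membership; flag privileges that arrive only via a group.

Added example, not Cloud Pak for Data code. All names below are constructed.
"""

# Constructed role definitions (role name -> set of permissions).
ROLES = {
    "Administrator": {"administrator", "manage_users", "create_project"},
    "Data Engineer": {"create_project", "manage_connections"},
    "User": {"access_catalog"},
}

# Constructed user groups and the roles assigned to each group.
GROUP_ROLES = {
    "platform-admins": {"Administrator"},
    "analysts": {"User"},
}

# Constructed users: roles assigned directly, and the groups they belong to.
USERS = {
    "jdoe": {"roles": {"Data Engineer"}, "groups": {"analysts"}},
    "asmith": {"roles": {"User"}, "groups": {"platform-admins"}},
}


def effective_roles(user):
    """Return (direct_roles, roles_via_groups) for a user."""
    record = USERS[user]
    direct = set(record["roles"])
    via_groups = {role for group in record["groups"] for role in GROUP_ROLES.get(group, ())}
    return direct, via_groups


def permissions_of(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def effective_permissions(user):
    """All permissions the user has, from direct roles and from group roles."""
    direct, via_groups = effective_roles(user)
    return permissions_of(direct) | permissions_of(via_groups)


def indirect_grants(permission="administrator"):
    """Users who hold `permission` only through a group, not through any direct role.
    For these users, changing their direct roles does not revoke the permission."""
    flagged = []
    for user in sorted(USERS):
        direct, via_groups = effective_roles(user)
        if permission in permissions_of(via_groups) and permission not in permissions_of(direct):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for user in USERS:
        print(user, sorted(effective_permissions(user)))
    print("administrator only via group:", indirect_grants("administrator"))
```

In the constructed data, asmith is directly assigned only the User role but receives administrator through the platform-admins group, so a review that looks only at direct role assignments would miss the grant.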

If you update a user's role or their group membership and the user is logged in, the user must log out and log back in for the changes to take effect. If the user does not log out, their session will be refreshed after the TOKEN_EXPIRY_TIME is reached. For details, see Setting the idle session timeout.

Before you add users to the platform, consider the following questions:
  • Do you want to use an LDAP server to manage users' passwords or to manage users' passwords and access to the platform?
  • Do you want to use user groups to manage users with similar access requirements?
  • Do you want to be able to add all of the users in an LDAP group to a user group?
  • Do the default roles meet your business requirements?

Jump to the appropriate topic for more information: