Users and user groups in IBM Flex System Manager

In IBM® Flex System Manager, users and user groups are based on users and groups that are defined in the configured registry. IBM Flex System Manager uses the user and group information for authentication and authorization.

IBM Flex System Manager provides the capability to create, update, or delete users or groups in only the local user registry. You can create new users, user groups, and chassis roles from the management software web interface or command-line interface.

To open the Users and Groups page from the Home page of the web interface, click the Additional Setup tab; then, click Manage Users and Groups. For more information about how to use the Users and Groups page to create, edit, or delete users and user groups, see Users and groups page in the web interface.

When you create a new user on the Users page, the Create User wizard requires that you select a role that defines the permissions for that user. The available roles and permissions are:
Supervisor
A user with the Supervisor role has full access to all resources.
Operator
A user with the Operator role has read-only access to all resources.
Set Custom permissions
This selection enables you to set permissions based on specific resources.
Note: Every new user account has sufficient authority to log in to the management software web interface and change the account password.

Access to particular resources or tasks is governed by restrictions based on the user ID or user group membership and the roles that are defined for each user. If you select the Supervisor or Operator role when you create a new user, you must select a group for the new user. All users have the group smdefault assigned automatically.

In a default IBM Flex System Manager installation scenario that uses the local registry, the following IBM Flex System Manager user groups are automatically created at the system level on the management node.
Note:
  • Members of the Administrators group are authorized for all operations on all resources.
  • Every new user is assigned to a role, which determines the permissions for the user. An administrator can assign additional roles to give additional authority to the user.
  • IBM Flex System Manager does not support Network Information Services (NIS).
smadmin (Administrator group)
Members of the smadmin group are authorized for all operations. They have administrative access to IBM Flex System Manager and can perform all administrative tasks. These members can define the privileges available to the smmgr, smmon, smuser, and groupread groups. The privileges available to members of the smadmin group cannot be restricted.
Note: At the operating system level, the smadmin group maps to the SMAdministrator role. A best practice is to add users to or remove users from the user groups, but not to delete the system-defined user groups, because IBM Flex System Manager uses them in the IBM Flex System Manager web interface to authorize users.
Important: If you add a user to this group, the user can modify or delete all system-level resources and resources for all other users, including operating-system and user files and processes. Before assigning a user to this group, be sure that the user requires SMAdministrator authority.
smdefault (Default group)
All users of the management software are members of the smdefault group.
smmgr (Manager group)
Members of the smmgr group can perform management operations, which are a subset of the functions that a member of the smadmin group can perform.
smmon (Monitor group)
Members of the smmon group can access those administrative functions that provide read-only access, such as monitoring.
smuser (User group)
Members of the smuser group can perform only a basic set of operations.
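
The following membership review is an added example, not IBM code or part of the original documentation. It checks the points made above: who holds smadmin, whether any system-defined group has been deleted, and whether every user is in smdefault. It assumes that group membership can be exported in standard group(5) format (for example with getent group), which this page does not state; the function names, the sample data, and the user names are constructed.

```python
from collections import defaultdict

# System-defined groups named on this page.
SYSTEM_GROUPS = ("smadmin", "smdefault", "smmgr", "smmon", "smuser")

# Constructed sample in group(5) format (name:passwd:gid:members).
SAMPLE = """\
root:x:0:
smadmin:x:1001:alice
smdefault:x:1002:alice,bob,carol
smmgr:x:1003:bob
smmon:x:1004:alice,carol,dave
wheel:x:10:alice
"""

def parse_groups(text):
    """Return {group: set(members)} for the system-defined groups present."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, members = fields[0], fields[3]
        if name in SYSTEM_GROUPS:
            # Limitation: users whose primary group is this one are not listed here.
            groups[name] = {m for m in members.split(",") if m}
    return groups

def audit(text):
    """Summarise findings a reviewer should look at before granting more access."""
    groups = parse_groups(text)
    by_user = defaultdict(set)
    for name, members in groups.items():
        for user in members:
            by_user[user].add(name)
    roles = {u: sorted(g - {"smdefault"}) for u, g in sorted(by_user.items())}
    return {
        "missing_groups": sorted(set(SYSTEM_GROUPS) - set(groups)),  # deleted system groups
        "smadmin_members": sorted(groups.get("smadmin", ())),  # unrestricted authority
        "not_in_smdefault": sorted(u for u, g in by_user.items() if "smdefault" not in g),
        "multiple_role_groups": {u: r for u, r in roles.items() if len(r) > 1},
    }

if __name__ == "__main__":
    for finding, value in audit(SAMPLE).items():
        print(f"{finding}: {value}")
```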