External users and user groups

User groups facilitate the administration of users and roles. With external user groups, when you want to assign the same role to multiple external users, you can create a user group and assign the role to the user group rather than to individual users.

IBM Spectrum Conductor supports the following operations with external users and user groups:
  • Assign a role or multiple roles to external users and user groups, and unassign roles from external users and user groups.
  • View assigned permissions for specified external users and user groups.
  • View assigned roles for external users and user groups.
  • View users (both IBM Spectrum Conductor users and external users) who are assigned a specified role.

Note the following conditions for IBM Spectrum Conductor and external users and user groups:
  • IBM Spectrum Conductor does not support the administration of external user groups (such as adding and deleting group members) or adding, modifying, and deleting an external user or user group; these operations must be performed outside of IBM Spectrum Conductor.
  • When a user name is duplicated in the users.xml file and the PAM database, the user in the users.xml file is considered imported from PAM to IBM Spectrum Conductor. Therefore, the user control operations affect both of these users, since all users in the users.xml file are owned by IBM Spectrum Conductor.
  • The User Roles and Access Control page within the cluster management console (System & Services > Users > Roles) shows external user groups that are defined within the operating system. When you use this cluster management console page to assign a role to one of these user groups, be aware that IBM Spectrum Conductor does not support nested user groups or inheritance. You must explicitly assign the appropriate role to the user group.

Excluding user groups

You can hide specified external user groups, such as built-in system user groups, so that they are not displayed in the cluster management console. To exclude one or more external user groups, you must configure EXCLUDED_USERGROUP in the plug-in configuration file (pamauth.conf for PAM).

To specify multiple user groups, separate them with a comma. After you make this configuration change, restart the cluster for the change to take effect.