Managing users and groups with Management Central
System i® Navigator can help you, as a system administrator, keep track of the users and groups on one or more endpoint systems and the level of privileges they hold.
For more information about these and other Management Central tasks and topics, refer to the detailed task help that is available from the System i Navigator window. Click Help from the menu bar and select .
The following list gives you an idea of the many ways in which System i Navigator can make your job easier.
- Creating a user definition
- You can create a user definition and then create multiple users across multiple systems based on the definition. First, create user definitions for the types of users on your systems. Then, when a request comes in for a new user, all special authorities, attributes, and other information common to that type of user are already stored in the user definition. You can even specify a command to be run after a user is created from a user definition! If you need assistance in entering or selecting an i5/OS command, you can click Prompt to select appropriate parameters and values.
When you create a new user from the user definition, you specify the name for the user, a brief description to help you identify this user in a list of users, and a new password for the user. All other properties of the new user are based on the properties stored in the user definition, unless you choose to change them. You may also select the groups the user should belong to and provide personal information about the user at the time the user is created.
- Creating, editing, and deleting users and groups
- You can create, edit, and delete users and groups across multiple endpoint systems or system groups--and even schedule these actions. For example, use the Edit Users function to change the properties for one or more users on the selected endpoint systems or system groups. If you need to change the authority level for several users on multiple systems, or if a user who has access to multiple systems changes his or her name, you can easily edit that information and apply the change to all systems.
When you use System i Navigator to delete users, you can select an action to be taken if any of the selected users owns objects on any system from which that user is being deleted. You can click Scan for Owned Objects to see what objects the selected users own on the selected endpoint systems or across the selected system groups.
- Collecting an inventory
- You can collect an inventory of the users and groups on one or more endpoint systems, and then view, search, or export that inventory to a PC file. Extensive advanced search capabilities are provided for easy searching. For example, you can search the inventory to see who has Security Officer privileges, as well as query other profile properties. Also, you can sort these inventory lists by clicking on any column heading. For example, you can group together all users in the inventory who have Security Officer privileges by clicking the Privilege Class heading.
You can perform various actions from the User Inventory list by right-clicking one or more users and selecting an action from the menu. For example, you can delete a user, edit a user, view its properties, or scan for objects owned by a user. You can do similar actions with groups by selecting Group Inventory for an endpoint system.
It is recommended that you schedule collection of users and groups inventory on a recurring basis to keep your central system's inventory current. Changes that you make to the user or group inventory on an endpoint system or system group under Management Central are automatically updated in the current central system's inventory.
- Sending users and groups
- You can send users and groups from one system to multiple endpoint systems or system groups. All the user properties you need are sent to the target systems, including the user name and passwords (LAN server password as well as the i5/OS password), security settings, private authorities, Enterprise Identity Mapping (EIM) associations, and mail options. If the user has an entry in the system distribution directory on the source system, an entry is created (or updated) for that user on the target system.
You can also specify the action to be taken if any user in the list that you are sending already exists on the target system. When you are sending users, you can select not to change the user that already exists, or you can select to update the existing user with the settings from the user you are sending. When you are sending users, you can click Advanced to specify advanced send options. The advanced send options include specifying the mail system for the user and synchronizing the unique identifier of the user on the target system based on the user identifier of the user being sent.
To send users or groups from one system to another, you must also have save/restore (*SAVSYS) authority.
When you send a user from a system running IBM® i 6.1 or a subsequent release to a system running a previous release, the number of device sessions that user can have might not be copied. You must reset the number of device sessions to an appropriate value after copying the profile.
- Scanning for owned objects
- You can scan for owned objects to find out what objects a user or group owns across multiple endpoint systems or system groups, and you can even scan for objects owned by multiple users simultaneously.
- Synchronizing unique identifiers
- You can synchronize the unique identifiers of users and groups across multiple endpoint systems to ensure that each of these numbers points to the same user on every system. This is especially important when you are working with systems in a clustering environment or a system with logical partitions. The user identification and group identification numbers are another way of identifying a user or group to a program. For example, the user identification and group identification numbers are used by programming interfaces in the integrated file systems environment.
You can choose to synchronize unique identifiers when you create new users or groups, when you edit users or groups, or when you send users or groups from one system to another. Be sure to keep your user and group inventories current if you are synchronizing unique identifiers when you create or edit users or groups.
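The following added example (not IBM code and not part of Management Central) shows how exported user inventories can be checked offline for the two conditions that identifier synchronization is meant to prevent, a user whose identifier differs between systems and an identifier that points to different users on different systems, and also lists who is in the Security Officer privilege class on each system. The CSV layout, the column names `User`, `UID` and `Privilege Class`, the system names, and the sample users are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, one CSV per endpoint system. The column names
# (User, UID, Privilege Class) are assumptions; adjust them to your export.
SAMPLE_EXPORTS = {
    "SYSA": "User,UID,Privilege Class\nQSECOFR,0,Security officer\n"
            "JSMITH,1204,User\nBATCHOPR,1310,System operator\n",
    "SYSB": "User,UID,Privilege Class\nQSECOFR,0,Security officer\n"
            "JSMITH,1377,User\nMLEE,1204,Security officer\n",
}

def load_inventories(exports):
    """Parse CSV text into {system: {user: (uid, privilege_class)}}."""
    inv = {}
    for system, text in exports.items():
        inv[system] = {
            row["User"].strip().upper(): (int(row["UID"]), row["Privilege Class"].strip())
            for row in csv.DictReader(io.StringIO(text))
        }
    return inv

def _differing(inv, key):
    """Group entries by key(user, uid) and keep groups whose values differ."""
    groups = defaultdict(dict)
    for system, users in inv.items():
        for user, (uid, _cls) in users.items():
            k, v = key(user, uid)
            groups[k][system] = v
    return {k: g for k, g in groups.items() if len(set(g.values())) > 1}

def uid_drift(inv):
    """Users whose UID is not the same on every system that has them."""
    return _differing(inv, lambda user, uid: (user, uid))

def uid_collisions(inv):
    """UIDs that point to different users on different systems."""
    return _differing(inv, lambda user, uid: (uid, user))

def security_officers(inv):
    """Sorted (system, user) pairs in the Security officer privilege class."""
    return sorted((s, u) for s, users in inv.items()
                  for u, (_uid, cls) in users.items() if cls.lower() == "security officer")

if __name__ == "__main__":
    inv = load_inventories(SAMPLE_EXPORTS)
    print("UID drift:", uid_drift(inv))
    print("UID collisions:", uid_collisions(inv))
    print("Security officers:", security_officers(inv))
```

A collision is the case to resolve first: integrated file system interfaces identify the owner by number, so the same number would name a different user on the other system.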