Manage users and groups with Management Central
- Create a user definition
- You can create multiple users across multiple systems based on user definitions.
First, create user definitions for the types of users on your systems.
Then, when a request comes in for a new user, all special authorities, attributes, and other information common to that type of user are already stored in the user definition.
You can also specify a command to be run after a user is created from a user definition.
If you need assistance in entering or selecting an i5/OS® command, you can click Prompt to select appropriate parameters and values.
When you create a new user from the user definition, you specify the name for the user, a brief description to help you identify this user in a list of users, and a new password for the user. All other properties of the new user are based on the properties stored in the user definition, unless you choose to change them. You may also select the groups the user should belong to and provide personal information about the user at the time the user is created.
- Create, edit, and delete users and groups
- You can create, edit, and delete users and groups across multiple endpoint systems or system groups, and you can even schedule these actions. For example, use the Edit Users function to change the properties for one or more users on the selected endpoint systems or system groups. If you change the authority level for several users on multiple systems, or if a user who has access to multiple systems changes his or her name, you can easily edit that information and apply the change to all systems.
When you use iSeries Navigator to delete users, you can select an action to be taken if any of the selected users owns objects on any system from which that user is being deleted. You can click Scan for Owned Objects to see what objects the selected users own on the selected endpoint systems or across the selected system groups.
- Collect an inventory
- You can collect an inventory of the users and groups on one or more endpoint systems, and then view, search, or export that inventory to a PC file. Extensive advanced search capabilities are provided for easy searching. For example, you can search the inventory to see who has Security Officer privileges, as well as query other profile properties. Also, you can sort these inventory lists by clicking on any column heading. For example, you can group together all users in the inventory who have Security Officer privileges by clicking the Privilege Class heading.
You can perform various actions from the User Inventory list by right-clicking one or more users and selecting an action from the menu. For example, you can delete a user, edit a user, view its properties, or scan for objects owned by a user. You can do similar actions with groups by selecting Group Inventory for an endpoint system.
IBM recommends that you schedule collection of users and groups inventory on a recurring basis to keep your central system's inventory current. Changes that you make to the user or group inventory on an endpoint system or system group under Management Central are automatically updated in the current central system's inventory.
- Send users and groups
- You can send users and groups from one system to multiple endpoint systems or system groups. All the user properties you need are sent to the target systems, including the user name and passwords (LAN server password as well as the i5/OS password), security settings, private authorities, Enterprise Identity Mapping (EIM) associations, and mail options. If the user has an entry in the system distribution directory on the source system, an entry is created (or updated) for that user on the target system.
You can also specify the action to be taken if any user in the list that you are sending already exists on the target system. When you are sending users, you can select not to change the user that already exists, or you can select to update the existing user with the settings from the user you are sending. When you are sending users, you can click Advanced to specify advanced send options. The advanced send options include specifying the mail system for the user and synchronizing the unique identifier of the user on the target system based on the user identifier of the user being sent.
To send users or groups from one system to another, you must also have save/restore (*SAVSYS) authority.
- Scan for owned objects
- You can scan for owned objects to find out what objects a user or group owns across multiple endpoint systems or system groups, and you can even scan for objects owned by multiple users simultaneously.
- Synchronize unique identifiers
- You can synchronize the unique identifiers of users and groups across multiple endpoint systems to ensure that each of these numbers points to the same user on every system. This is especially important when you are working with systems in a clustering environment or a system with logical partitions.
The user identification and group identification numbers are another way of identifying a user or group to a program. For example, the user identification and group identification numbers are used by programming interfaces in the integrated file systems environment.
You can choose to synchronize unique identifiers when you create new users or groups, when you edit users or groups, or when you send users or groups from one system to another. Be sure to keep your user and group inventories current if you are synchronizing unique identifiers when you create or edit users or groups.
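The two checks described above, searching a collected inventory for users with Security Officer privileges and verifying that unique identifiers point to the same user on every system, can be run offline against an inventory you have exported to a PC file. The following is an added example, not IBM code, and the column names (system, user, privilege_class, special_authorities, uid, gid) and the sample rows are constructed assumptions, since the page does not specify the export layout. It reports privileged users per system, users whose UID differs between systems, UIDs shared by different users, and special-authority drift between systems, which is the kind of inconsistency the Edit Users and Synchronize Unique Identifiers functions are meant to correct.

```python
"""Audit an exported Management Central user inventory (added example).

Assumes the inventory was exported to CSV with these (assumed) columns:
    system, user, privilege_class, special_authorities, uid, gid
The SAMPLE_INVENTORY rows are constructed for illustration only.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export covering three endpoint systems.
SAMPLE_INVENTORY = """\
system,user,privilege_class,special_authorities,uid,gid
SYSTEMA,ALICE,Security officer,*ALLOBJ *SECADM *SAVSYS,1001,100
SYSTEMB,ALICE,Security officer,*ALLOBJ *SECADM *SAVSYS,1001,100
SYSTEMC,ALICE,User,*NONE,2001,100
SYSTEMA,BOB,User,*NONE,1002,100
SYSTEMB,BOB,User,*SAVSYS,1002,100
SYSTEMB,CAROL,User,*NONE,1003,100
SYSTEMC,DAVE,User,*NONE,1003,100
"""


def parse_inventory(text):
    """Parse the CSV export into rows with integer ids and a set of special authorities."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["uid"] = int(r["uid"])
        r["gid"] = int(r["gid"])
        # *NONE is a placeholder meaning "no special authorities", so drop it.
        r["special_authorities"] = set(r["special_authorities"].split()) - {"*NONE"}
        rows.append(r)
    return rows


def privileged_users(rows, authorities=("*ALLOBJ", "*SECADM")):
    """Equivalent of sorting the inventory by Privilege Class: users that hold the
    Security officer class or any of the listed special authorities, per system."""
    found = defaultdict(set)
    for r in rows:
        if (r["privilege_class"].lower() == "security officer"
                or r["special_authorities"] & set(authorities)):
            found[r["user"]].add(r["system"])
    return {u: sorted(s) for u, s in found.items()}


def uid_conflicts(rows):
    """Two failure modes that synchronizing unique identifiers exists to prevent:
    the same user carrying different UIDs on different systems (drift), and one
    UID assigned to different users (collision)."""
    uids_by_user = defaultdict(dict)   # user -> {system: uid}
    users_by_uid = defaultdict(set)    # uid  -> {user, ...}
    for r in rows:
        uids_by_user[r["user"]][r["system"]] = r["uid"]
        users_by_uid[r["uid"]].add(r["user"])
    drift = {u: m for u, m in uids_by_user.items() if len(set(m.values())) > 1}
    collisions = {uid: sorted(us) for uid, us in users_by_uid.items() if len(us) > 1}
    return drift, collisions


def authority_drift(rows):
    """Users whose special authorities are not identical on every system they exist on."""
    auth = defaultdict(dict)  # user -> {system: frozenset(authorities)}
    for r in rows:
        auth[r["user"]][r["system"]] = frozenset(r["special_authorities"])
    return {u: {s: sorted(a) for s, a in m.items()}
            for u, m in auth.items() if len(set(m.values())) > 1}


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print("privileged users:", privileged_users(inventory))
    uid_drift, uid_collisions = uid_conflicts(inventory)
    print("uid drift:", uid_drift)
    print("uid collisions:", uid_collisions)
    print("authority drift:", authority_drift(inventory))
```

Replace `SAMPLE_INVENTORY` with the contents of your own export and adjust the column names to match; the checks themselves do not depend on the sample data. A UID collision is the more serious finding, because integrated file system interfaces identify users by number, so two profiles sharing a UID across systems are indistinguishable to those interfaces.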
All i5/OS special authorities and other authorities that are needed when working with users and groups in the character-based interface are honored when managing users and groups with iSeries Navigator.
This includes security administration (*SECADM) privileges, all object (*ALLOBJ) privileges, and authority to the profiles with which you are working. However, even a user with the most restricted set of system privileges (*USER) can view, search, or export a user or group inventory that has been collected by another user with the correct authorities. The user with *USER authority cannot create or delete users, edit existing users, or send users to another system.