Managing roles of users and groups
Assign roles to users and groups to control which sections of the local management interface (LMI) and web services they can access. By default, role-based authorization is disabled on the appliance. To use it, enable this function from the LMI. With Management Authorization, we can perform the following tasks:
- Add or remove a role.
- Assign a role to groups or users in local or remote LDAP user registry. We can search for remote LDAP users or groups by entering a search pattern and clicking Search. Then, select the user or group from the search results and click Add.
- Edit permissions for a role.
The roles for a user session are determined when a user first logs in. If the authorization configuration is modified and deployed when a user is logged in, the changes take effect immediately. We can customize the default roles to better suit your environment. We can also remove all default roles and create new ones from scratch. If we plan to use the default roles, we must carefully review these roles to ensure they are appropriate for your environment.
The default roles are not updated after an appliance firmware upgrade. If the appliance firmware upgrade introduces new features, existing roles are not updated to include permission for any new features. The default roles can be manually updated in the Management Authorization page. See Step 3 "Editing permissions for a role".
The authorization settings do not affect the main system account admin, which always has read and write permission to all features. The admin account can be used for recovery.
Permissions can be set for all features in the appliance except for the Home: Appliance Dashboard. Any user who can authenticate can view Home: Appliance Dashboard, even if they are not assigned to any roles. To ensure complete flexibility with the role configuration, the permissions for each feature are controlled separately. Some pages in the LMI, such as the Management Authorization page, use multiple features. As a result, users might need permissions for more than one feature to use all of the features on a particular page of the LMI. For example, to access all of the functions on the Management Authorization page, the user needs permissions for the following features:
- Account Management
- Management Authorization
If a user clicks a link or attempts to complete an action for which they do not have the appropriate permission, an error message is returned. The error message includes the details about which permission is required for the selected action.
When we search for remote LDAP users or groups, consider the following points:
- Users are assumed to be contained in the Base DN and are identified based on the User Attribute that is set on the Management Authentication page.
- Groups are also assumed to be contained in the Base DN that is defined on the Management Authentication page.
- Groups are identified based on cn.
- Groups must be among the following types: group, groupofUniqueName, or groupOfNames.
Authorization enforcement
Authorization enforcement applies to the LMI, web services, and client certificate authentication.
LMI
When a user logs in to the LMI, the menu displays only the pages the user has access to. When users attempt to go to a page to which they do not have access, a page is displayed explaining that the user does not have authorization to view the page. When a user views a page with read-only permission, the user cannot modify the configuration or change the state of any services on the page. If a user attempts to do so, a message is displayed stating that the user does not have permission to perform the requested action.
Web services
Users with read permission for a feature can perform GET requests against the associated web services. Users with write permission for a feature can issue any of the associated GET, POST, PUT, and DELETE web services. When a user attempts to issue a web service request they are not authorized to perform, they receive a response with the HTTP status code 403 Forbidden and a message stating they are not authorized to complete the transaction.
Client certificate authentication
Ensure the authorization framework can map the DN of the presented client certificate to a user in the registry used for authentication. For example, a certificate is presented with DN cn=testUser,ou=qa,o=ibm,c=au.
When using a remote LDAP user registry for authentication, the authorization decision is made for a user matching the entire DN in the user registry. For example, a user matching cn=testUser,ou=qa,o=ibm,c=au is searched for in the remote LDAP user registry, and the policy associated with that user is enforced.
When using the local user database, the authorization decision is made for a user matching the CN of the presented DN. For example, the user called testUser is searched for in the local user database, and the policy associated with that user is enforced.
A user can be assigned multiple roles. In this case, the user receives the highest cumulative permission from these roles for each feature. For example, if a user is assigned two roles and one role has read permission for a feature but the second role has write permission for the feature, the user is granted write permission.
The appliance caches authentication details to reduce load on the user registry. The authentication details might be used for up to 10 minutes after they are changed. To disable this caching, set the advanced tuning parameter:
lmi.authCache.baenabled = false
A performance penalty is incurred when we use lmi.authCache.baenabled = false because the user registry is queried when:
- A user logs in the LMI through the browser.
- A request to the web services API by using Basic Authentication is received.
There is some degradation of performance in environments that make heavy use of the web services API by using Basic Authentication.
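The enforcement rules above (read permits GET, write permits GET/POST/PUT/DELETE, anything else gets 403, the dashboard is always viewable, multiple roles combine to the highest permission, and a certificate DN maps to the full DN for LDAP or the CN for the local database) modelled as a small decision function. This is an added example, not the appliance's own code; the roles, users and feature names are constructed sample data.

```python
# Added example: a model of the authorization rules described on this page.
# Not the product's code; roles, users and feature names are constructed.
from enum import IntEnum


class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


# Permission a web service request needs: read for GET, write for the rest.
NEEDED = {"GET": Perm.READ, "POST": Perm.WRITE, "PUT": Perm.WRITE, "DELETE": Perm.WRITE}

# Constructed sample roles: role -> {feature: permission granted}.
ROLES = {
    "auditor": {"Management Authorization": Perm.READ, "Account Management": Perm.READ},
    "user-admin": {"Account Management": Perm.WRITE},
}
# Constructed sample membership: user -> set of roles (a user may hold several).
MEMBERS = {"testUser": {"auditor", "user-admin"}, "guest": set()}


def effective_perm(user: str, feature: str) -> Perm:
    """Highest cumulative permission across all of the user's roles for a feature."""
    perms = (ROLES[r].get(feature, Perm.NONE) for r in MEMBERS.get(user, set()))
    return max(perms, default=Perm.NONE)


def authorize(user: str, method: str, feature: str) -> int:
    """HTTP status the model returns for an authenticated user: 200 allowed, 403 denied."""
    method = method.upper()
    # Any authenticated user can view the dashboard, even with no roles at all.
    if feature == "Home: Appliance Dashboard" and method == "GET":
        return 200
    return 200 if effective_perm(user, feature) >= NEEDED[method] else 403


def subject_from_cert_dn(dn: str, registry: str) -> str:
    """Subject looked up for a client certificate DN: the whole DN for a remote
    LDAP registry, only the CN value for the local user database."""
    if registry == "ldap":
        return dn
    rdns = {k.strip().lower(): v.strip()
            for k, v in (part.split("=", 1) for part in dn.split(","))}
    return rdns["cn"]
```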
- Select...
System > System Settings > Management Authorization > Roles > Enable Authorization Roles (check box)
- Follow the prompts to complete the action we want to take. Use the quick filter to retrieve group names, user names, and features.
- Add a role
- In the Roles panel on the left, click New.
- In the Create New Role window, enter a name for the new role.
- Click OK.
- Remove a role
- In the Roles panel on the left, select the role to delete.
- Click Delete.
- In the Removing Role window, verify the role name to delete is correct and then click Yes.
- Assign a role to local groups or users
- In the Roles panel on the left, select the role to edit membership for.
- In the Role Membership panel on the right, select the Local User Database tab if it is not already selected.
- Click Edit above the group name table or the user name table.
- In the Edit Local Members window, select or clear the check box on the Groups and Users tabs as needed.
- Click OK.
- Assign a role to LDAP groups or users
- In the Roles panel on the left, select the role to edit membership for.
- In the Role Membership panel on the right, select the Remote LDAP User Registry tab if it is not already selected.
- In the Edit Remote LDAP Members window, modify LDAP groups and users on the Groups and Users tabs as needed.
- To add an LDAP group or user, enter the details in the text field and then click Add.
- To remove an LDAP group or user, select the entry and then click Delete.
- Click OK.
- Editing permissions for a role
- In the Roles panel on the left, select the role to edit permissions for.
- In the Features panel on the right, select the permission that we want from the drop-down list in each row.
If we upgrade from a previous version of the appliance, new role membership features are set to None by default. Configure the permissions, if necessary. The displayed features reflect the features that are available in the activated offerings. If we deactivate a product, the features that are specific to that product are removed from any existing roles. If we reactivate the product in the future, these features and the associated permissions are added to the roles again. Any permissions from a prior activation are re-instantiated. If it is the first time the product is activated, the product-specific features are added to each role with no assigned permissions.
- Click Save to save the permission settings.