Manage users and groups
An initial domain administrator is created when a new domain is created. The domain administrator can create and configure users, groups, resources, and applications, and can delegate administration tasks within the domain as required.
- user: Authenticated ISAM identity. Typically, these authenticated identities represent network users or resource managers.
- group: Collection of one or more users. An administrator can use group ACL entries to assign the same permissions to multiple users. New users to the domain gain access to objects by becoming members of groups. Group membership eliminates the need to create new ACL entries for each new user. Groups can represent organizational divisions or departments within a domain. Groups are also useful in defining roles or functional associations.
- account: Users and groups collectively.

A registry unique identifier (UID) specifies the location in the user registry where the new user is created. Similarly, a registry group unique identifier (GID) specifies the location in the user registry where the new group is created. For registry UIDs and GIDs, type the full path name for the new user or group. The path format depends on the type of registry the product is using. The following list shows sample formats for different user registries:
- LDAP
  - cn=IBM-Support,o=ibm,c=us
- Active Directory
  - cn=IBM-Support,dc=Austin,dc=US
The registry UID or registry GID provides extra security in the case where a user or group is deleted from the domain and then recreated with the same name. For example, even though a new user has the same name as the deleted user, Security Verify Access allocates a new registry UID to this user. Because the registry UID is new, any existing ACL entries that refer to the old user name do not grant any rights to the new user. Stale UIDs from deleted users and groups are silently removed by the policy server.
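The following added example is a conceptual model of the behavior described above, not product code. It assumes that each account creation is given a fresh opaque identifier; the `Domain` class, the `jsmith` user, the `/WebSEAL/payroll` object and the `Tr` permission string are constructed for illustration.

```python
import uuid

class Domain:
    """Toy model: ACL entries bind to registry UIDs, never to user names."""
    def __init__(self):
        self.users = {}   # user name -> current registry UID
        self.acls = {}    # object path -> {registry UID: set of permissions}

    def create_user(self, name):
        # Assumption: every creation gets a new UID, even for a reused name.
        uid = uuid.uuid4().hex
        self.users[name] = uid
        return uid

    def delete_user(self, name):
        # ACL entries are left behind and become stale.
        return self.users.pop(name)

    def grant(self, obj, name, perms):
        self.acls.setdefault(obj, {})[self.users[name]] = set(perms)

    def permissions(self, obj, name):
        uid = self.users.get(name)
        return set(self.acls.get(obj, {}).get(uid, set()))

    def prune_stale(self):
        """Remove ACL entries whose UID no longer maps to a live account."""
        live = set(self.users.values())
        removed = 0
        for entries in self.acls.values():
            for uid in [u for u in entries if u not in live]:
                del entries[uid]
                removed += 1
        return removed

def demo():
    d = Domain()
    old_uid = d.create_user("jsmith")
    d.grant("/WebSEAL/payroll", "jsmith", "Tr")
    before = d.permissions("/WebSEAL/payroll", "jsmith")
    d.delete_user("jsmith")
    new_uid = d.create_user("jsmith")          # same name, new identity
    after = d.permissions("/WebSEAL/payroll", "jsmith")
    stale_removed = d.prune_stale()            # cleanup of the orphaned entry
    return before, after, old_uid != new_uid, stale_removed

if __name__ == "__main__":
    print(demo())
```

An ACL keyed on the user name instead of the UID would hand the old entry's permissions to the recreated account, which is the case the registry UID prevents.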