Set Up Federated Security Wizard: Create users

Use this page to create one or more users for the cluster.

A user can be a member of up to 64 groups. To assign a user to a group, both the user and the group must have the same registry type.

Fields

User name
Specify a unique name for the user that you are creating. To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a hyphen (-), plus sign (+), at sign (@), or tilde (~). Additionally, you cannot use any of the following characters in the name: colon (:), single quotation mark (’), double quotation mark ("), number sign (#), comma (,), equal sign (=), forward slash (/), backslash (\), or a space ( ).
User ID
Specify a unique decimal integer string to associate with this user account on the system. If you do not specify a user ID, one is specified for you.

For a local registry configuration, PowerHA® SystemMirror creates this user ID on all cluster nodes. For a Lightweight Directory Access Protocol (LDAP) registry configuration, PowerHA SystemMirror creates this user ID on the LDAP server.

Home directory
Specify the full path of the home directory for the user.
Primary group
Select a group as the primary group to which the user is to belong. The primary group is the group under which the user accesses PowerHA SystemMirror for the first time. If you do not specify a primary group, one is specified for you.
Administrative user
Select whether to designate this user as an administrator.
Registry
Indicates the type of registry that you selected on the Configure registry page of this wizard. The registry is the storage location for all information and credentials for the user.
Role
Select a predefined role for the user. Roles define the tasks and information in PowerHA SystemMirror that a user can access. You must select a role for the user only if the value is LDAP for the Registry property. Select one of the following roles for the user:
ha_admin
This PowerHA SystemMirror administrator role gives the user the operator, configuration, and other privileges that the administrator role provides. Examples of administrator privileges include changing the server user ID and password, configuring authentication and authorization mechanisms, and enabling or disabling administrative security.
Note: Only an LDAP administrative user can assign users to administrator roles.
ha_mon
This PowerHA SystemMirror monitor role gives the user monitor privileges and the capability to change the runtime state of PowerHA SystemMirror.

Examples of monitor privileges include tasks such as stopping the server, starting the server, and monitoring server status.

ha_op
This PowerHA SystemMirror operator role gives the user the capability to view reports. Examples of reports that this user can view include the WebSphere® application controller configuration and the current state of the application controller.
ha_view
This PowerHA SystemMirror viewer role gives the user the capability to view PowerHA SystemMirror log files in the /var/hacmp* and /var/log/clcomd directories.
Login authentication grammar
Indicates the method for the user to authenticate successfully before gaining access to the system. If LDAP is defined for the cluster, LDAP is the default value.
EFS keystore access
To configure this property, you must first configure EFS in this wizard. Select whether to create a keystore file for this user that provides access to Encrypted File Systems (EFS). If you select Yes, you can provide information for the following EFS properties:
Keystore password mode
Select one of the following modes to define how the keystore password for the root user or other privileged users can be reset:
Admin
Allows privileged system users (for example, the root user) to reset the user keystore password. This option does not allow these users to access the user EFS file system.
Guard
Prevents administrative users from resetting the user keystore password.
Keystore encryption algorithm
Select the algorithm to use for generating the private key for the user within the keystore. This key protects the encrypted key for files that the user creates within EFS. The default value is RSA_1024.
Administrative access
Indicates the location for storing the EFS administrator keystore file in the keystore of the user. This property is set to either the LDAP or the Local value, based on the value of the Registry property.
File encryption algorithm
Select the encryption algorithm for encrypting files that the user creates in an EFS. The default value is AES_128_CBC.

For more information about adding users to security groups for clusters, see the Adding users to security groups topic in the AIX® Information Center.
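The user-name rules and the group-assignment rules above are easy to get wrong by hand, so the following Python pre-check implements them as stated on this page. It is an added example, not part of the wizard or of PowerHA SystemMirror; the function names, messages, and the treatment of the ASCII apostrophe are assumptions.

```python
# Added example: a pre-check for the user-name and group-assignment rules
# described on this page. It is not part of the wizard or of PowerHA
# SystemMirror; function names and messages are hypothetical.

# Characters the page forbids at the start of a user name.
FORBIDDEN_LEADING = "-+@~"
# Characters the page forbids anywhere in a user name. The page shows the
# single quotation mark as a curly quote; the ASCII apostrophe is included
# here as well (assumption: both forms should be rejected).
FORBIDDEN_ANYWHERE = ":'\u2019\"#,=/\\ "
# Maximum number of groups a user may belong to, per the page.
MAX_GROUPS = 64


def validate_user_name(name: str) -> list:
    """Return the list of rule violations for a candidate user name.

    An empty list means the name passes every rule stated on the page.
    """
    if not name:
        return ["user name is empty"]
    problems = []
    if name[0] in FORBIDDEN_LEADING:
        problems.append("user name must not begin with %r" % name[0])
    bad = sorted({c for c in name if c in FORBIDDEN_ANYWHERE})
    if bad:
        problems.append("user name contains forbidden character(s): "
                        + ", ".join(repr(c) for c in bad))
    return problems


def validate_group_assignment(user_registry: str, group_registries: list) -> list:
    """Check a proposed set of group memberships for one user.

    user_registry is the registry type of the user ("LDAP" or "Local");
    group_registries lists the registry type of each group to assign.
    """
    problems = []
    if len(group_registries) > MAX_GROUPS:
        problems.append("user would belong to %d groups; the maximum is %d"
                        % (len(group_registries), MAX_GROUPS))
    mismatched = [r for r in group_registries if r != user_registry]
    if mismatched:
        problems.append("%d group(s) have a registry type other than %s"
                        % (len(mismatched), user_registry))
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    for candidate in ("hauser1", "-hauser", "ha user", "@ha:user"):
        print(candidate, validate_user_name(candidate) or "ok")
    print(validate_group_assignment("LDAP", ["LDAP"] * 65) or "ok")
```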

Actions

Add Another
Click Add Another to add another set of property fields so that you can configure another user.
Remove
Click Remove to remove a configured user and to remove all content from the property fields for that user.