Managing user access

Use the Role Based Access Control feature in IBM® Cloud Application Performance Management to grant users the access privileges they require for their role.

Security in Cloud APM is based on roles. A role is a group of permissions that control the actions you can perform in Cloud APM. You can create customized roles in Cloud APM. You can assign permissions to customized roles, or you can assign more permissions to existing default roles. You can assign users and user groups to existing default roles or to customized roles. You can assign users and user groups to multiple roles. Permissions are cumulative: a user or user group is assigned all the permissions for all the roles they are assigned to.

If you are not a member of a role and you attempt to log in to Cloud APM, you receive a Not Authorized message.

Cloud APM uses the WebSphere® Application Server Liberty profile basic registry as the default method for user authentication. Alternatively, you can use an LDAP registry for user authentication.

The default user is apmadmin. The apmadmin user is by default a member of the Role Administrator role. The apmadmin user is added to the basic registry during installation, and you can add more users. For more information, see Managing user access.

Note: Because the basic registry does not perform user account lockout or enable you to control user password expiration, it is good for test and demonstration environments only. An LDAP server provides additional security controls. For production environments, you should configure Cloud APM to use an LDAP server for authentication instead of the basic registry. For more information, see Integrating with LDAP.

User authentication with WebSphere Application Server Liberty profile basic registry

Complete the following steps if you are using WebSphere Application Server Liberty profile basic registry for user authentication:
  1. Create users and user groups in the basic user registry. The basicRegistry.xml file is available in the /opt/ibm/wlp/usr/shared/config directory. The basicRegistry.xml file has an id attribute and a name attribute for each user entry. Cloud APM uses only the value of the name attribute. It is recommended that you set both attributes to the same value to avoid confusion. For more information on configuring basic user registry with Liberty profile, see the Using BasicRegistry and role mapping on Liberty example in the WebSphere Application Server Knowledge Center.
  2. In Cloud APM, use the Role Based Access Control page to assign users and user groups to default and customized roles. For more information on working with roles, see Roles and permissions.
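The following added example (not part of the IBM documentation) checks a basic registry file for the id/name confusion described in step 1 before you assign roles: entries whose id and name differ, names that appear more than once, and group members that do not match any user name. It assumes the Liberty user, group, and member element layout; the sample XML and its values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a basicRegistry.xml file (not a real file).
SAMPLE = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user id="apmadmin" name="apmadmin" password="PLACEHOLDER"/>
    <user id="jsmith" name="john.smith" password="PLACEHOLDER"/>
    <user id="ops2" name="ops2" password="PLACEHOLDER"/>
    <user id="ops2b" name="ops2" password="PLACEHOLDER"/>
    <group id="operators" name="operators">
      <member name="jsmith"/>
      <member name="ops2"/>
    </group>
  </basicRegistry>
</server>"""

def audit_registry(xml_text):
    """Return a list of (kind, detail) findings for a basic registry document."""
    root = ET.fromstring(xml_text)
    findings = []
    names = {}  # name attribute -> number of user entries carrying it
    for user in root.iter("user"):
        uid, name = user.get("id"), user.get("name")
        if not name:
            findings.append(("missing-name", f"user id={uid!r} has no name attribute"))
            continue
        # Only the name attribute is used, so a differing id is a source of confusion.
        if uid is not None and uid != name:
            findings.append(("id-name-mismatch", f"id={uid!r} name={name!r}"))
        names[name] = names.get(name, 0) + 1
    for name, count in names.items():
        if count > 1:
            findings.append(("duplicate-name", f"name={name!r} appears {count} times"))
    # A member written with a user's id instead of its name matches no user entry.
    for group in root.iter("group"):
        for member in group.iter("member"):
            m = member.get("name")
            if m not in names:
                findings.append(("unknown-member", f"group={group.get('name')!r} member={m!r}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_registry(SAMPLE):
        print(f"{kind}: {detail}")
```

To audit a real registry, read the basicRegistry.xml file from the directory named in step 1 and pass its contents to audit_registry.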

User authentication with LDAP registry

  1. Configure Cloud APM to integrate with your LDAP repository. For more information, see Integrating with LDAP.
  2. Create users and user groups in your LDAP repository if they do not already exist.
  3. Change the default user to an LDAP user. For more information, see Updating the primary role administrator.
  4. In Cloud APM, use the Role Based Access Control page to assign users and user groups to default and customized roles. For more information on working with roles, see Roles and permissions.
