LLNL

Livermore Computing Identity Management System

Introduction

The Livermore Computing (LC) Identity Management (IdM) System automates the process of creating, updating, and deleting user accounts across LC's multiple systems. Collectively, this process is known as provisioning (e.g., creating, updating) and deprovisioning (e.g., deleting). IdM also allows the management of accounts, banks, groups, and LC identities for both the Open Computing Facility (OCF)—Collaboration Zone (CZ) and Restricted Zone (RZ)—and the Secure Computing Facility (SCF).

The user experience with the IdM System depends on your "role." (See role definitions below.) Consult the glossary for the definitions of unfamiliar terminology and the FAQ for answers to common questions.

For help, contact LC Support at 925-422-4533 or via e-mail (OCF: lc-support@llnl.gov, SCF: lc-support@pop.llnl.gov).


The IdM System Interface

The interface to the IdM System is available on the OCF at https://lc-idm.llnl.gov. Although the IdM System interface is not available on the SCF, users are still able to request an account on an SCF computing resource and manage their SCF computing resource accounts.

Logging In to the IdM System

Upon initial access to the IdM System, the user will see the Log In to Livermore Computing Identity Management System window, as shown below. Enter your Official User Name (OUN) and whichever password is appropriate to your current access level—your Personal Access Code (PAC), your LC One-Time Password (RSA OTP), or your remote access OTP.

The login window for the IdM System.

If you do not already have an LC user name, on your very first login to the IdM System you will be directed to Request A Special Purpose LC Username. If your OUN is eight characters or fewer, your OUN will be automatically set as your LC user name. If your OUN is nine characters or more, you must enter your preferred LC user name. The IdM System will ensure that your user name is unique and not more than eight characters.

The "Request A Special Purpose LC Username" window when the OUN is eight or fewer characters.

The "Request A Special Purpose LC Username" window when the OUN is more than eight characters.

After successfully selecting your LC user name, the IdM main menu (shown below) is presented. The user experience and the presence or absence of menus for the LC IdM System are usually determined by the role of the user. The menu choices for managing accounts, groups, and identities are described in the Role-Driven IdM Menus section. You may check the status of your IdM requests by selecting the View My Outstanding Request(s) Status entry at the top of the main menu page.

The IdM System main menu.

Roles

Interaction with the IdM System is defined by a user's role. The roles are:

End User: An individual who uses LC's computational and storage resources.

Computer Coordinator: One or more individuals who act as an organizational liaison to review and approve end-user requests for accounts on LC's computational and storage resources on behalf of an organization.

Resource Owner: One or more individuals who act as "gatekeepers" for specific computational and storage resources within LC. For example, if a computational resource is in a limited availability (LA) state, the resource owner must review and approve end-user requests for that resource before access will be granted.

Group Owner: One or more individuals who manage a group's membership as well as delegate group management responsibility to other individuals. Groups are used to grant access to specific types of information located on LC resources. (Note: In addition to the group owner, there is often a primary approver and an alternate approver who can approve group membership, changes, etc.)

Bank Owner: One or more individuals who manage resource banks within LC and review and approve end-user bank requests via the LC IdM System. Banks are used to manage the amount of computational resources used over time.

LC Support: The team of account specialists who work in the LC Hotline (Building 453, Room 1103). They review all end-user requests for completeness and perform the background tasks needed to ensure all end-user requests are handled efficiently and promptly.


Help and Feedback

If you need additional help or are unable to find the answer to your question in this user document, please send e-mail to lc-idm@llnl.gov. Online help with the IdM System is available by selecting the HELP button on any page in the user interface.

Feedback is always appreciated. The Provide Feedback link is near the top of the menu list on the IdM System main menu.

Logging Out of the IdM System

When you have completed submitting your requests or reviewing the status of your previous requests, it is strongly recommended that you log out of the IdM System immediately by selecting the LOGOUT button located in the upper-right corner of the window. Leaving idle connections open for long periods of time defeats the protections provided by the two-factor authentication required during login. Your session will automatically time out if your connection remains inactive for more than five hours.

You may select the LOGOUT button at any time and from anywhere within IdM. Note, however, that if you logout while in the middle of completing an IdM request, all item selections for the current request will be lost. It is therefore recommended that you select the Submit or Cancel button located at the bottom of each request window and return to the main menu to logout. This ensures that you have fully and intentionally submitted, or canceled, your requests before exiting the IdM System.

Role-Driven IdM Menus

Menu choices and subsequent actions are determined by the role of the individual accessing the system. The menus and options available are described below within that context. Important: When navigating the submenu selections, use the Cancel button to return to the main menu if you want to abort submenu actions. (Using the Back button/arrow within your browser will result in undesirable behavior.) To complete your request, select the Submit button.

Note: You may be presented with topics and menus on which you cannot take action because your role does not allow those actions. For example, you will see the Manage Unclassified Groups menu because you are a member of groups, but you cannot take group action because you are not the owner of or an alternate authorizer for the group.


End User

After logging in to the IdM System, a typical end user will see five main menu topics. Each menu topic has a submenu for actions the user may take within that menu topic. These topics and actions are described below in the order they appear to the user when logged in to the IdM System.


Manage Unclassified Accounts

These menus allow management of unclassified accounts and their associated computing resources or banks. Select a menu to view its descriptive information.

Add OCF Computing Resource Account. Request a computing resource account or bank. The form fields are described below.

Form fields for requesting an OCF computing resource account


Update OCF Computing Resource Account Attributes. Change the attributes for your own existing LC account. Select the LC account name you wish to modify from the pull-down menu. Choose the Resource Name. Once selected, change your current Shell and/or change your LLNL POC OUN for that resource, then select Add Item to Request. Repeat this operation for all subsequent LC accounts and/or resources you wish to update. If an entry in the requested resources list box was erroneously added, check the box next to the resource name(s) and select Remove Selected Item(s) From Request. Specifics regarding the requested account attribute updates can optionally be added in the Request Comments text box. Form fields are described below.


Remove OCF Computing Resource Account. Delete your user account (or that of another individual) on any OCF machine. (Note: Use this menu option to remove a single resource.) After specifying the user name and selecting the resource account(s) to be removed (Add Item to Request), click Submit to finalize the resource account removal. You may also add comments regarding the need for this account removal in the Request Comments text box. Form fields are described below.


Update OCF LC Username Attributes. Select your user name from the pull-down menu. Fields with your user name attributes are populated with their current values. Select a new approving organization and/or user name POC OUN and/or preferred shell. Once complete, select the Launch button to submit your request. Form fields are described below.


Delete OCF (Unclassified) LC Username. Delete an LC user name, either immediately or on a specific date. (Note: Use this menu option to remove a user from all OCF access. To remove all OCF and SCF access, use Delete LC Identity and Remove All Accounts.) Deleting a user name also deletes all resources associated with that user name. You must either choose to have your global home directory and storage data destroyed or specify to whom ownership of the data should be transferred. If any of the resources associated with that user name have a local (non-global) home directory, you must likewise choose to have your local home directory destroyed or specify to whom its ownership should be transferred. Form fields are described below.

Manage Unclassified Groups

These menus allow management of unclassified groups. To manage unclassified groups, you must be either the group owner or alternate group authorizer. Select a menu to view its descriptive information.

Create (Unclassified) Group. New group names must be unique across all LLNL networks. All OCF groups are "managed" groups, i.e., their memberships are not automatically maintained by the IdM System. The managed group name must be more than 2 but no more than 8 characters in length, cannot contain any special characters other than "-" (hyphen) or "_" (underscore), and cannot contain any of the following strings: _nwc, nwc-, admin, _hl, _sup, hotline, _deg. Select the group owner OUN and the approving organization. Add zero or more alternate group update authorizer OUNs. You must add one or more LC user names as members of the group upon group creation. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Update Unclassified Group, Add/Remove Group Members. You must be the group owner or alternate group authorizer to add or remove group members. Select the group name from the pull-down menu. Add and/or remove LC user names from the list membership box. You may not remove the last member of a group. If the user you wish to remove is the last group member, either delete the group or add a new group member first. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Add/Remove (Unclassified) Group Alternate Authorizers. You must be the group owner or alternate group authorizer to add or remove group alternate authorizers. Select the group name from the pull-down menu. Add and/or remove alternate authorizer OUNs from the authorizer list box. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Modify/Update (Unclassified) Group Organization Affiliation. You must be the group owner or alternate group authorizer to modify group organization affiliation. Select the group name and the new organization name from the pull-down menus. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Delete (Unclassified) Group. You must be the group owner to delete a group. Select the group name from the pull-down menu. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Manage Classified Accounts

These menus allow management of classified accounts and their associated computing resources or banks. Select a menu to view its descriptive information.

Add SCF Computing Resource Account. The request is typically for you, but you may request an account for another individual as their Project Leader, Line Management, or Computer Coordinator. After specifying the Request Organization and selecting the Item Type (i.e., computing resource or bank), the IdM System will prompt for the Resource Name and Shell (if a computing resource is requested) or Bank. Bank requests will need to be associated with a host (i.e., computing resource). Form fields are described below.


Update SCF Computing Resource Account Attributes. Change the attributes for your own existing LC account. Select which LC account name you wish to modify using the pull-down menu. Choose the Resource Name. Once selected, change your current Shell and/or change your LLNL POC OUN for that resource, then select Add Item to Request. Repeat this operation for all subsequent LC accounts and/or resources you wish to modify. If an entry in the requested resources list box was erroneously added, choose the box next to the Resource Name(s) and select Remove Selected Item(s) From Request. Specifics regarding the requested account attribute updates can be optionally added in the Request Comments text box. Form fields are described below.


Remove SCF Computing Resource Account. Delete your user account (or that of another individual) on any SCF machine. (Note: Use this menu option to remove a single resource.) After specifying the user name and selecting the resource account(s) to be removed (Add Item to Request), click Submit to finalize the resource account removal. You may also add comments in the Request Comments text box detailing the need for this account removal. Form fields are described below.


Update SCF LC Username Attributes. Select your user name from the pull-down menu. Fields with your user name attributes are populated with their current values. Select a new approving organization and/or user name POC OUN and/or preferred shell. Once complete, select the Launch button to submit your request. Form fields are described below.


Delete SCF (Classified) LC Username. Delete an LC user name, either immediately or on a specific date. Deleting a user name also deletes all resources associated with that user name. You must either choose to have your global home directory and storage data destroyed or specify to whom ownership of the data should be transferred. If any of the resources associated with that user name have a local (non-global) home directory, you must likewise choose to have your local home directory destroyed or specify to whom its ownership should be transferred. Form fields are described below.

Manage Classified Groups

These menus allow management of classified groups. To manage classified groups, you must be either the group owner or a primary or alternate group authorizer. Select a menu to view its descriptive information.

Create (Classified) Group. New group names must be unique across all LLNL networks. All SCF groups are "managed" groups (i.e., their memberships are not automatically maintained by the IdM System) or "NWC" groups (i.e., Web-based only). The managed group name must be more than 2 but no more than 8 characters in length, cannot contain any special characters other than "-" (hyphen) or "_" (underscore), and cannot contain any of the following strings: _nwc, nwc-, admin, _hl, _sup, hotline, _deg. The NWC group name must begin with "nwc-", must be at least 5 but no more than 14 characters in length, must not contain any special characters other than "-" or "_", and must not contain any of the following strings: _nwc, admin, _hl, _sup, hotline, _deg. Select the group owner OUN and the approving organization. Add zero or more alternate group update authorizer OUNs. You must add one or more LC user names as members of the group upon group creation. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.
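The naming rules for managed groups (stated identically under Create (Unclassified) Group and Create (Classified) Group) and for NWC groups are precise enough to check before a request is submitted, as is the LC user name rule from Request A Special Purpose LC Username. The Python below is an added example written for this page, not code from the IdM System: it encodes those rules as the page states them. It assumes that "no special characters other than - or _" leaves ASCII letters and digits, that the forbidden-substring and "nwc-" prefix checks are case-insensitive, and that a set of existing names stands in for the uniqueness check IdM performs; the page states none of these.

```python
from __future__ import annotations

import re

# Substrings the page forbids in group names. Note that "nwc-" is forbidden
# in managed group names but required as the prefix of NWC group names.
MANAGED_FORBIDDEN = ("_nwc", "nwc-", "admin", "_hl", "_sup", "hotline", "_deg")
NWC_FORBIDDEN = ("_nwc", "admin", "_hl", "_sup", "hotline", "_deg")

# Assumption: "no special characters other than - or _" leaves ASCII letters and digits.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9_-]+")

LC_USERNAME_MAX = 8  # LC user names are at most eight characters


def _common_problems(name: str, lo: int, hi: int, forbidden: tuple[str, ...]) -> list[str]:
    """Length, character-set and forbidden-substring checks shared by both group types."""
    problems = []
    if not (lo <= len(name) <= hi):
        problems.append(f"length must be between {lo} and {hi} characters (got {len(name)})")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("only letters, digits, '-' and '_' are allowed")
    lowered = name.lower()  # assumption: the forbidden-substring check is case-insensitive
    problems.extend(f"must not contain {bad!r}" for bad in forbidden if bad in lowered)
    return problems


def check_managed_group_name(name: str) -> list[str]:
    """Rule violations for a managed OCF or SCF group name; [] means acceptable.
    "More than 2 but no more than 8" characters is the range 3..8."""
    return _common_problems(name, 3, 8, MANAGED_FORBIDDEN)


def check_nwc_group_name(name: str) -> list[str]:
    """Rule violations for an SCF NWC group name; [] means acceptable."""
    problems = []
    if not name.lower().startswith("nwc-"):
        problems.append("must begin with 'nwc-'")
    problems.extend(_common_problems(name, 5, 14, NWC_FORBIDDEN))
    return problems


def choose_lc_username(oun: str, preferred: str | None, existing: set[str]) -> str:
    """Apply the page's LC user name rule to an OUN.

    An OUN of eight characters or fewer becomes the LC user name automatically;
    a longer OUN requires a preferred name of at most eight characters. The
    result must be unique; `existing` is a stand-in for IdM's own check.
    """
    if len(oun) <= LC_USERNAME_MAX:
        candidate = oun
    elif preferred is None:
        raise ValueError("OUN is nine characters or more; a preferred LC user name is required")
    else:
        candidate = preferred
    if len(candidate) > LC_USERNAME_MAX:
        raise ValueError(f"LC user name {candidate!r} exceeds {LC_USERNAME_MAX} characters")
    if candidate in existing:
        raise ValueError(f"LC user name {candidate!r} is already taken")
    return candidate
```

Each checker returns every violated rule rather than stopping at the first, so a rejected request can be corrected in one pass; a name such as `nwc-_nwc` satisfies the prefix and length rules for an NWC group but is still refused because it contains `_nwc`.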


Update Classified Group, Add/Remove Group Members. You must be the group owner or alternate group authorizer to add or remove group members. Select the group name from the pull-down menu. Add and/or remove LC user names from the list membership box. You may not remove the last member of a group. If the user you wish to remove is the last group member, either delete the group or add a new group member first. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Add/Remove (Classified) Group Alternate Authorizers. You must be the group owner or alternate group authorizer to add or remove group alternate authorizers. Select the group name from the pull-down menu. Add and/or remove alternate authorizer OUNs from the authorizer list box. Additional information may optionally be provided in the Request Comments field. Form fields are described below.


Modify/Update Group Organization Affiliation. You must be the group owner or alternate group authorizer to modify group organization affiliation. Select the group name and the new organization name from the pull-down menus. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.


Delete (Classified) Group. You must be the group owner to delete a group. Select the group name from the pull-down menu. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Manage LC Identity

These menus allow management of a user's LC identity. Select a menu to view its descriptive information.

View My Profile. Shows user information such as name, home directory, resource accounts, shell, groups, etc. Useful for answering the question: "Do I have an account on that machine?"

View Groups. Shows groups and their members based on the selection of network (unclassified or classified) and group name. Also identifies the group owner, affiliated organization, and authorizers. You do not have to be a member of a group to view the group information.


Delete LC Identity and Remove All Accounts. Delete your LC identity and remove all your accounts on both OCF and SCF. You also must specify the disposition of files in your home directory and storage directory (where file disposition can be to transfer ownership or to destroy). Form fields are described below.



Request A Special Purpose LC Username. You must choose this menu option if you do not have an LC user name or if you need a second identity for testing or other needs. Note: If your OUN is 8 characters or fewer, your OUN will be your primary LC user name. If your OUN is 9 characters or more, you can select an 8-character (or fewer) primary LC user name. Form fields are described below.

Approver Roles/Responsibilities

After LC end-users submit computing resource, group membership, and bank allocation requests, these requests are reviewed and electronically approved (or rejected) by IdM System "approvers." Individual approvers possess special knowledge about, or have direct responsibility for, the types of requests routed through the IdM System. As each request progresses, it is placed in the "work queue" for the next approver. The contents of this work queue are displayed when an approver selects Inbox (Requests Requiring Your Approval) located at the top of the IdM main menu. The approver approves the request by selecting the Approve button; the approver denies the request by selecting the Reject button. If all approvers have approved a resource request, the corresponding resource account is automatically provisioned. All actions are electronically audited. The types of approvals encountered by each approver within the IdM System are outlined below.


Computer Coordinator

Reviews and approves (or rejects) all requests within their organization.

Resource Owner

Reviews and approves (or rejects) all LA resource account requests.

Group Owner

Reviews and approves, or rejects, group creation, modification, and deletion requests.

Bank Owner

Reviews and approves (or rejects) bank assignment requests.

LC Support

Reviews and approves (or rejects) all aspects of resource account and bank management requests.
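The approval routing described above, as an added example that is not code from the IdM System: each request carries an ordered chain of approver roles derived from what it asks for, stays "suspended" (the status the FAQ describes) until the next role in the chain acts, is provisioned only when every role has approved, and is rejected as soon as any role rejects. Every decision is appended to an audit list, and a role cannot act on a request that is not yet in its work queue. Which roles take part follows the role descriptions on this page; the order in which they act, the request fields, and all names and identifiers are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Request:
    request_id: int
    requester: str
    organization: str
    item_type: str                       # "resource" or "bank", the page's two Item types
    limited_availability: bool = False   # resource in LA state: the Resource Owner must also approve
    approvals: list[str] = field(default_factory=list)
    status: str = "suspended"            # "suspended" | "provisioned" | "rejected"


def approval_chain(req: Request) -> list[str]:
    """Ordered approver roles for a request.

    Roles follow the page: the Computer Coordinator reviews all requests for
    the organization, the Resource Owner reviews LA resource requests, the
    Bank Owner reviews bank requests, and LC Support reviews all resource
    account and bank requests. Their ORDER here is an assumption.
    """
    chain = ["Computer Coordinator"]
    if req.item_type == "resource" and req.limited_availability:
        chain.append("Resource Owner")
    elif req.item_type == "bank":
        chain.append("Bank Owner")
    chain.append("LC Support")
    return chain


class IdmWorkflow:
    def __init__(self) -> None:
        self.audit: list[tuple[int, str, str, str]] = []  # (request_id, role, actor, decision)
        self.provisioned: list[int] = []

    def next_approver(self, req: Request) -> str | None:
        """Role whose work queue the request sits in; None once it is finished."""
        if req.status != "suspended":
            return None
        return approval_chain(req)[len(req.approvals)]

    def inbox(self, role: str, requests: list[Request]) -> list[Request]:
        """What Inbox (Requests Requiring Your Approval) would show this role."""
        return [r for r in requests if self.next_approver(r) == role]

    def status_view(self, req: Request) -> dict:
        """What View My Outstanding Request(s) Status would show the requester."""
        return {"status": req.status,
                "approved_by": list(req.approvals),
                "waiting_on": self.next_approver(req)}

    def decide(self, req: Request, role: str, actor: str, approve: bool) -> str:
        """Record one Approve/Reject decision and advance the request."""
        expected = self.next_approver(req)
        if expected is None:
            raise ValueError(f"request {req.request_id} is already {req.status}")
        if role != expected:
            # Only the role currently holding the request may act on it.
            raise PermissionError(f"{role} cannot act on request {req.request_id}; waiting on {expected}")
        self.audit.append((req.request_id, role, actor, "approve" if approve else "reject"))
        if not approve:
            req.status = "rejected"
            return req.status
        req.approvals.append(role)
        if len(req.approvals) == len(approval_chain(req)):
            req.status = "provisioned"   # every approver signed off: account is provisioned
            self.provisioned.append(req.request_id)
        return req.status


def run_demo() -> tuple[IdmWorkflow, Request, Request]:
    """Constructed sample: an LA resource request that is fully approved and a bank request
    that the Bank Owner rejects. Names and organization are made up."""
    wf = IdmWorkflow()
    la = Request(1, "jones15", "EXAMPLE-ORG", "resource", limited_availability=True)
    bank = Request(2, "jones15", "EXAMPLE-ORG", "bank")
    wf.decide(la, "Computer Coordinator", "coord1", True)
    wf.decide(la, "Resource Owner", "owner2", True)
    wf.decide(la, "LC Support", "hotline3", True)
    wf.decide(bank, "Computer Coordinator", "coord1", True)
    wf.decide(bank, "Bank Owner", "bank4", False)
    return wf, la, bank
```

The audit list is append-only and records rejections as well as approvals, so a later review can reconstruct who held a request at each step; the out-of-order check is what keeps a downstream approver from provisioning an account the Computer Coordinator never saw.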

Glossary and Tips

The glossary provides definitions for the terminology used in the IdM interface. The tips are provided to enhance your use of the IdM System.

Glossary

Bank - An allocation of computing time.

CRYPTOCard - A small token that generates a one-time passcode.

Host - A computing resource (e.g., a production computing or visualization system, a testbed system, or a server).

Item (type) - Selection offers two choices, either a resource (i.e., a computing resource) or a bank.

LC - Livermore Computing

OTP - Your one-time password, which consists of your personal identification number (PIN) plus the random six-digit number generated by your RSA SecurID token.

OUN - Your official user name at LLNL, which is usually your last name and a number, e.g., jones15.

PAC - Your personal access code. This is the password that you use to log in to LLNL applications like LTRAIN or LITE.

Resource - A computing system (Atlas, Muir, etc.) or a storage system (HPSS).

Tips

The Add Item to Request button is often overlooked. Click this button when selections or additional information need to be passed to the IdM System.

Do not use the Back button/arrow on your Web browser. Instead, use the Submit, Cancel, or Finish buttons located at the bottom of each IdM System menu screen. (Using the Back button/arrow will result in undesirable behavior.)

Frequently Asked Questions

1. Who can access and make requests via the IdM System?
2. I am a new LC user and I want to get added to LC systems using IdM, but when I enter my OUN it returns the phrase "OUN is not an OUN of an LC User." How do I request accounts?
3. How do I find out the status of my request?
4. What does the term "suspended" mean when I check the status of a request?
5. Once I have submitted an IdM request, when can I expect the request to be completed by LC Support?
6. How do I know what resources and groups I am approved and active for?
7. How do I access IdM from off-site?
8. I am a matrixed employee. Which Organization should I select for my IdM request?
9. What OUN should I use for the POC?
10. I want to add a resource for myself and my colleague, but the system I need is not there as a selection for either of us. Why?
11. I attempted to add myself to a group in IdM, but the request failed repeatedly. Why?
12. How do I know which bank to select in IdM?
13. How do I change my shell and/or POC for an LC system?
14. How do I change my user name POC on LC systems?
15. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my OCF systems but retain my SCF systems. How do I make this request in IdM?
16. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my SCF systems but retain my OCF systems. How do I make this request in IdM?
17. How do I delete all my LC resources in IdM?

Q1. Who can access and make requests via the IdM System?
A1. Anyone who has an OUN and a PAC or an LC unclassified account or remote access account with an OTP (PIN + RSA SecurID token code). Requests can be for oneself or on behalf of someone else.

Q2. I am a new LC user and I want to get added to LC systems using IdM, but when I enter my OUN it returns the phrase "OUN is not an OUN of an LC User." How do I request accounts?
A2. You must first select a user name for your OUN by returning to the IdM main menu. Once there, scroll down to Manage LC Identity, select Request a Special Purpose LC Username, and complete the required fields. After you have an LC user name, you may request resources and banks.

Q3. How do I find out the status of my request?
A3. After submitting an IdM request, check the status by accessing the IdM main menu and selecting View My Outstanding Request(s) Status. You will see who has approved the request and who has yet to approve for final provisioning.

Q4. What does the term "suspended" mean when I check the status of a request?
A4. In the check status section of IdM, "suspended" means the request is awaiting an approval and IdM will show which approval is still outstanding.

Q5. Once I have submitted an IdM request, when can I expect the request to be completed by LC Support?
A5. The standard turnaround time for all IdM requests is 3-5 business days. During high volume times, the turnaround time is 7-10 business days.

Q6. How do I know what resources and groups I am approved and active for?
A6. From IdM's main menu, scroll down to the Manage LC Identity section, click on View my Profile. You will see all your approved resources and groups.

Q7. How do I access IdM from off-site?
A7. LC IdM is directly accessible from on-site and is available off-site over the Internet. You must have a valid OUN and PAC or OTP (PIN + RSA SecurID token code) to log in.

Q8. I am a matrixed employee. Which Organization should I select for my IdM request?
A8. You should select the organization that is requiring you to access LC systems in support of the work requirements.

Q9. What OUN should I use for the POC?
A9. Typically the OUN should be of your Project Leader, Line Management, or Computer Coordinator. It should never be populated with the OUN of the person making the request.

Q10. I want to add a resource for myself and my colleague, but the system I need is not there as a selection for either of us. Why?
A10. When a desired resource is not listed as an option in IdM, it is typically because it has either already been provisioned to the user(s) of interest or it is not ready for general use. You can verify whether you have been provisioned on the system by returning to the IdM main menu and selecting View My Profile from under Manage LC Identity.

Q11. I attempted to add myself to a group in IdM, but the request failed repeatedly. Why?
A11. Only group owners or authorizers can make group membership requests in IdM. If you need assistance determining who the group owner/authorizer is, please contact LC-Support.

Q12. How do I know which bank to select in IdM?
A12. You should always consult your Computer Coordinator, Grand Challenge Sponsor, or LDRD PI for the correct bank selection. IdM has all valid banks populated, but it is not equipped to detect on exactly which system(s) the bank is valid.

Q13. How do I change my shell and/or POC for an LC system?
A13. To change your shell or POC for an OCF (CZ/RZ) LC system, go to the IdM main menu under Manage Unclassified Accounts and select Update OCF Computing Resource Account Attributes. To change your shell or POC on the SCF, go to Manage Classified Accounts and select Update SCF Computing Resource Account Attributes. You will be able to change the shell and/or POC on a per-system basis. Changes on both the OCF and SCF cannot be made through a single action; you must perform each action separately.

Q14. How do I change my user name POC on LC systems?
A14. To change your OCF user name POC on LC systems, go to the IdM main menu and select Update OCF LC Username Attributes under Manage Unclassified Accounts. To change your SCF user name POC, go to Manage Classified Accounts and select Update SCF LC Username Attributes. Changes on both the OCF and SCF cannot be made through a single action; you must perform each action separately.

Q15. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my OCF systems but retain my SCF systems. How do I make this request in IdM?
A15. To remove only your OCF systems and retain your SCF systems, access the IdM main menu. From under Manage Unclassified Accounts select Delete OCF LC Username.

Q16. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my SCF systems but retain my OCF systems. How do I make this request in IdM?
A16. To remove only your SCF systems and retain your OCF systems, access the IdM main menu. From under Manage Classified Accounts select Delete SCF LC Username.

Q17. How do I delete all my LC resources in IdM?
A17. To remove all your LC resources, access the IdM main menu and from under Manage LC Identity select Delete LC Identity and Remove All Accounts. You can remove all your access and specify file disposition(s).