After receiving feedback from our Unix group revalidation process, the LC IDM team has made improvements to IDM that will make revalidation easier. If you already revalidated a Unix group in 2025, there is no need to redo that group's revalidation with the new process. For Unix groups you have not yet revalidated and for all other roles that you approve, please refer to the following instructions to revalidate by November 30.
What is revalidation?
Revalidation means a role approver will look through all members of a given role in IDM and decide whether or not each account still needs a membership in that role. Whether you are a Unix group owner, an approver for a defined role, or an approver for an Organization, you are verifying the list of folks in your role are still allowed to be there.
Step By Step Revalidation Process
Step 1: View Roles to Revalidate
Click "View" in the top menu bar.
Find the "View Revalidation" option under the "Roles" section.
This will show you a table of the roles you approve and how many accounts there are for you to revalidate.
Many roles have more than one approver. The "Approvers" column will tell you if you are the sole approver for a role. Click "Approvers" to reorder the table and show the roles with only you as the approver first. If you are not the sole approver of a role, you may contact the other approvers and decide amongst yourselves how you'd like to split up the work. If you are the approver for many roles, it is recommended to start with the roles that say "Just You" in red font. Please be courteous to your Org approvers and perform the revalidation for roles that you share with them. Some Org approvers have upwards of 100 roles to revalidate.
Step 2: Revalidate Each Role
To revalidate a role, click on the "Revalidate" link in the last column of the table. A new page will open, titled "Bulk Revalidate Role". There are three drop-down menus on the page. In most cases, it is best to leave them in their default states.
The first drop-down allows you to pick which role you are revalidating. The second drop-down allows you to show all the role members, rather than only showing the ones who need to be revalidated. Some members may have been added to a role very recently and are not due for revalidation yet. The third drop-down menu controls how far into the past you'd like to look. The default setting only shows members who were last revalidated more than 3 months ago. If a member was revalidated within the last 3 months (including the first time they were added to the role), they won't show up in your table and you don't need to revalidate them yet. They will show up in next year's annual revalidation.
Step 3: Bulk Revalidate Members
For each member in your role, you can choose to mark them as revalidated or remove them from the role. The "Nothing" option exists so that you can wait until you have more information about a member before choosing to revalidate or remove them. If there are multiple approvers for your role, you may choose to only revalidate some members and leave the rest of the members for the other approvers. Please communicate with your fellow approvers to let them know that they need to revalidate the remaining members of the role. If none of the approvers knows what to do with a given account, contact the account owner and their POC to figure out why they are in the role and if they should be removed.
Step 4: Delete Unused Roles
If the role is no longer needed, use the "Delete Role" button. This will open a new request page for you to delete the role. There is a summary link provided so you can see the details of the role before you delete it. There is also a role graph link that allows you to see how your role connects to other roles. IDM will automatically handle re-linking roles when one role in the graph is deleted. For more information about roles and how they link, please see https://hpc.llnl.gov/accounts/idm.
FAQ
Q: The last guide said to only revalidate groups. Why does this guide say to revalidate all roles for which I am an approver?
A: We previously planned to revalidate Unix group roles before revalidating defined roles, resource roles, and organizational roles (Orgs). We received feedback that the process could be improved so we found a way to revalidate all roles more easily with the Bulk Revalidate Role table.
Q: What is the deadline?
A: Please finish revalidation of all roles by November 30. The previous deadline of September 30 has been canceled.
Q: I don't recognize an account in my role. What do I do?
A: You can select the "Nothing" option in the Bulk Revalidate Role table for the time being. If there is another approver, let them know that you aren't sure about the account. If nobody can figure out why that account is in the role, contact the owner of the account and their POC.
Q: I shouldn't be an approver for this role. What do I do?
A: If you are listed as the approver and you believe you shouldn't be, please submit a request to add a different approver. If you are not sure who should be approving this role, email your computer coordinator and CC the IDM Admins (lc-idm-admin@llnl.gov) for help. Failing that, you can leave the role without an approver, which means that the Org approvers of each account in the role will have to perform the revalidation.
Then, you can remove yourself as an approver.
Now that you are no longer an approver of the group, you do not have to revalidate it. The new approver(s) should do the revalidation.
Contact
All IDM documentation can be found at hpc.llnl.gov/accounts/idm.
For questions, contact LC Support or the IDM Admins.