What is Unix group revalidation? 

Unix group revalidation means a Unix group owner will look through all members of a given Unix group and decide whether or not each account still needs a membership in that group. This means, as a Unix group owner, you are verifying the list of folks in this group are allowed to read, write, and execute any files owned by this Unix group. With the new IDM tool launched in January 2024, we can be more granular than just revalidating account usage in a zone/network. For the first time, LC IDM can now support Unix group revalidations.

Do I need to revalidate any groups? Which ones?

Log into LC IDM at lc-idm.llnl.gov and navigate to your user profile by clicking your OUN in the top menu banner.

The blue menu bar at the top of IDM, with a red circle around the OUN.

 

Your user profile will have a section called “Approver Roles”.

A filterable list of the roles for a given approver

 

 

You are an approver for all the roles listed in the section. To find out which Unix group roles you need to revalidate, you can use the filter bar above the table to show roles that include the string “-group”. Click on a Unix group role and follow the instructions below to revalidate each group in your “Approver Roles” list. Please help out the IDM team by completing all Unix group revalidations by September 1, 2025. Thank you!  

I am listed as the group approver but I know nothing about this Unix group. What do I do?

If you are listed as the approver of a group and you believe you shouldn't be the approver of that group, please submit a request to add a different approver. If you are not sure who should be approving this group, email your computer coordinator and CC the IDM Admins (lc-idm-admin@llnl.gov) for help. 

The menu to manage roles in IDM, with the Add Role Approver and Remove Role Approver requests circled in red

 

 

 

 

 

 

Once a new approver has been added, you can remove yourself as an approver. Now that you are no longer an approver of the group, you do not have to revalidate it. The new approver should do the revalidation. 

How to revalidate in IDM

Step 1: Expand the Members tab to see a list of group members. Two tabs will show up, one labeled Explicit Members and one labeled All Members. Some accounts inherit membership in a group role because they have membership in a higher-level defined role. See more about defined roles in this document: https://hpc.llnl.gov/accounts/idm/request-and-manage-roles. For 2025’s group revalidation, we will focus only on the Explicit Members of each group role.

A summary in IDM showing a group called "testgroup" with 3 members to be revalidated

Step 2: Hopefully, you recognize many/all of the account names and owner names in this list. Use your own knowledge of this Unix group and the justification column to help you determine if each account still needs this group. If you are not sure about an account, please reach out to the account owner and the point of contact (PoC). Next, you will remove or revalidate each member of the group.

Step 3: Removals

Step 3a: When you identify accounts that shouldn’t be in the group role anymore, please press Remove under the Last Revalidated column.     

The last revalidated column of a table in IDM, with links to revalidate and remove a member

 

 

 

 

 

 

 

Step 3b: A new page will open to submit the request for removing role members from your group. If you have multiple role members you’d like to remove, click the Members box and select the other accounts. When done, press Submit. This will take the account(s) out of the Unix group on all LC clusters in the group role’s network.

A request to remove a member from a role with a green submit button

 

 

 

 

 

 

 

 

 

 

 

In the above example, removing 1account from testgroup-ocf-group will remove 1account from testgroup on all OCF clusters, such as oslic, dane, rzslic, etc. This action will not remove 1account from testgroup on any SCF clusters, such as elcap. If testgroup exists on the SCF, its revalidation will be handled in a separate group called testgroup-scf-group. This action will not remove SSH access for 1account to any LC clusters. It will only remove 1account from the testgroup Unix Group.

Step 4: Revalidations

For all accounts that still need to be in the group role, you have two options to revalidate them.

Option 1: You can press “Revalidate” under the “Last Revalidated” column for every account. This will take you to a new page with the heading “Revalidate Role Members”. This may be tedious for large groups.

A request page to revalidate a role member one at a time

 

 

 

 

 

 

 

 

Option 2: First, remove all the accounts that should not be in the group. When you are done with the removals, press the green button called “Revalidate All Role Members” to revalidate all remaining accounts in the group.

A green button with the option to revalidate all role members at once

 

 

A new page will appear asking you to confirm that you have reviewed all accounts and are ready to revalidate them.

A page in IDM asking an approver to confirm that they want to revalidate all members

 

 

 

 

 

 

 

 

 

 

Press Submit. You have now completed a revalidation for your Unix Group. Please repeat for all your groups listed in the Approval Roles table of your profile. Thank you!

Contact

All IDM documentation can be found at hpc.llnl.gov/accounts/idm.

For questions, contact LC Support or the IDM Admins.

Lc-support@llnl.gov

Lc-idm-admin@llnl.gov