Livermore Computing's Identity Management system (IDM) lives at lc-idm.llnl.gov. (This is an internal LLNL site, so it is not accessible from the public internet.)

Logging In to IDM

Existing users from LLNL: Sign in with your OUN and your CZ/EN PIN + token. If you already have one or more LC accounts that were managed on the old IDM system, your accounts and their accesses will be synced into the new IDM.

Existing users from Sandia or LANL: Sign in via OneID, as shown below. If you already have one or more LC accounts that were managed on the old IDM system, your accounts and their accesses will be synced into the new IDM.

[Screenshot: OneID login page]

New users from LLNL: You will be prompted to sign in with your OUN and your EN PIN + token code. If you are an LLNL employee who does not have a token yet but would still like to start using IDM to make an LC account, please ask your computer coordinator to request a new account on your behalf. See the Accepting Policies and Procedures section below for next steps.

New users from Sandia or LANL: You will be prompted to sign in with OneID. OneID requires that you have an LLNL OUN. If you do not have an LLNL OUN yet, make sure to visit the HPC Tri-Lab Users page for more information. See the Accepting Policies and Procedures section below for next steps. 

Accepting Policies and Procedures

Brand-new users must sign a document called Policies and Procedures before getting accounts and using IDM. When you first go to lc-idm.llnl.gov, the Policies and Procedures document will automatically show up. Please read it completely and click the checkbox at the bottom to verify that you have read and understand it. Once you have signed it, you will be able to access IDM.

[Screenshot: Livermore Policies and Procedures page]

The IDM Home Page

When you first log into IDM, you should see this home page. 

[Screenshot: IDM home page with no pending requests]

Across the top, there is a horizontal menu with your account page, a Request page, and Roles. 

Your account page, which is labeled with your OUN, is where you can see information about your user profile and your LC account(s). For each account, you have an expandable menu that shows the roles your account is a member of. There is a section for Explicit roles as well as a section for all roles. You can also see the home directory and shell settings for each host that you have an account on.

[Screenshot: User profile example]

Making Requests

The Request menu contains all the main workflows that you can submit in IDM. You can open it by clicking the "Start New Request" button or by clicking "Request" in the banner at the top of the page. The requests displayed here depend on the IDM user's permissions. An end user can see all the requests in the screenshot below. Computer coordinators, LC support, and IDM admins have additional requests in their menus.

[Screenshot: Requests menu]

The requests are sorted into categories. The Account Requests category is for all requests that have to do with provisioning, de-provisioning, and editing the role memberships of your LC account. For more information on creating an account, please visit the IDM - How to Create a New Account document. The Group Requests category is for creating and managing groups. When you want to be a member of a group role, you will go to the Add Account Roles request. More information about this can be found in the IDM - How To Be Added To A Group Or Resource document. 

The Roles page shows all the existing roles in IDM across all 3 LC networks (OCF, SCF, and SNSI). This will be helpful if you need to request membership in a role but can't remember its exact name. Use the filter bar to narrow down your results with keywords like "group", "resource", "ocf", or the name of your project or organization. You can also filter based on the type of role. Defined roles are of the type "User Pool" because they are a collection of users who all want the same resources and groups. All resource roles end with the suffix "-[network]-resource" and all group roles end with the suffix "-[network]-group".

Once you've submitted a request, it will take approximately 20 minutes for changes to propagate from IDM to OCF clusters and about 2 hours to get to SCF clusters. 

Q&A 

Q: How do I make an account?

A: See this document: How to make a new account in IDM


Q: How can I join a group? How can I get an account on a certain resource? 

A: See this document: How to be added to a group or resource


Q: Which role should I join?

A: Reach out to your group leader and/or computer coordinator. They will know what role is right for you. If there isn't a role that fits your needs, you may have to find multiple explicit roles to join until a defined role can be created for your project. If you want to see an exhaustive list of LC's roles, the Roles page found in the horizontal menu at the top of IDM has a list of all the roles across all 3 LC networks.


Q: Can I have multiple roles? 

A: Yes! However, the goal is to choose a role that encapsulates as many of your needs as possible. If you need three explicit roles that are all encapsulated in one defined role, choose the defined role instead of individually requesting the three explicit roles. 


Q: What is a role trait and what do I do if I don't have all the required traits for a role?

A: Role traits are characteristics that a user is required to have before becoming a member of the role. A common example is the Q Clearance trait. This trait is present on all SCF and SNSI resource roles, because users without a Q clearance are not permitted to have accounts on SCF and SNSI resources. If you do not have a trait but still believe you need a role, you may be able to find a similar role without the required trait. For instance, you may find an OCF role for your team that you can join while you wait to be Q cleared. You can always reach out to your computer coordinator for help in finding the right role to join.


Q: Can I have multiple accounts? What about shared accounts?

A: You may have multiple LC accounts. Some people have secondary accounts for testing purposes. Shared accounts that multiple users log into with the same credentials are not allowed in LC. Some software projects have an LC shared user account that is owned by one person, but whose identity other members of the team can switch to using xsu. These accounts are not yet managed in IDM, but we plan to integrate them into our system in future IDM releases.


Q: Can my coordinator put in requests for me?

A: Coordinators may submit requests on your behalf. If you are an LC employee, your group leader is also your computer coordinator. If you are not an LC employee, refer to this Computer Coordinators List to find out who your computer coordinator is.


Q: How do I change my shell/home directory settings? 

A: Contact the IDM Admins to make this change for you. They can be reached at lc-idm-admin@llnl.gov.

Help and Feedback 

Contact LC Support at lc-support@llnl.gov or IDM admins at lc-idm-admin@llnl.gov for help.