LC IDM

NOTE For best results, please use Firefox or Chrome when accessing IDM.

IDM (Identity Management) is the service used to manage Livermore Computing HPC users: creating and managing user accounts, groups, and host accesses. The service is available at https://lc-idm.llnl.gov/. You may hear it referred to as "IDM", "PyIdM", or "the new IDM".

Common IDM Operations

For users:

For coordinators / approvers:

Key IDM Terminology

  • Account—The name by which a user is known on LC systems. Also known as "LC username".
  • Group—A collection of users who can share files and other system resources within LC. Also known as "LC unix group".
  • Resource—An LC cluster or other LC system which supports user access. Also known as "host", "system", "compute platform" or "cluster".
  • Role—The fundamental mechanism in IDM for managing access. Every group and every resource has an associated role that is used to manage its membership; these are called explicit roles. In addition, there are defined roles, which bundle sets of hosts and groups and are defined by the organizations and projects that use LC. Defined roles make it much quicker to ensure users have the right access than requesting each item separately.

Types of IDM Users (Privileges)

  • End Users—Individuals who use LC's computational and storage resources.
  • Coordinators—Also known as LC Coordinators. Individuals who act as organizational liaisons, reviewing and approving end-user requests for accounts on LC's computational and storage resources on behalf of an organization. A coordinator confirms that a user needs the access (account, host, or group) being requested and manages membership in explicit (group and resource) or defined roles. Coordinators can work with the IDM team to create defined roles, which are the sets of group and host accesses needed by work teams in their area. Once a year coordinators are asked to verify that each user still requires their account and associated access; this process is called revalidation. To see a list of LC coordinators at LLNL (internal site): https://myconfluence.llnl.gov/display/HPCINT/Computer+Coordinators
  • Role Approvers—One or more individuals who have the ability to approve the addition or removal of members from a role. This can be a group role, a resource role, or a defined role. Specific instances of role approvers are Resource Owners and Group Owners.
    • Resource Owners act as gatekeepers for specific computational and storage resources within LC. For example, if a computational resource is in a limited availability (LA) state, the resource owner must review and approve end-user requests for that resource before access will be granted.
    • Group Owners manage a group's membership as well as delegate group management responsibility to other individuals. Groups are used to grant access to specific types of information located on LC resources. In addition to the group owner, there is often a primary approver and an alternate approver who can approve group membership, changes, etc.
  • LC Support—The team of account specialists who staff the LC Hotline (Building 453, Room 1103). They review all end-user requests for completeness and perform the background tasks needed to ensure that all end-user requests are handled efficiently and promptly.

Overview of Roles

There are two types of roles in IDM: explicit roles and defined roles. Explicit roles are tied to exactly one resource (such as quartz) or one unix group (such as the compweb group). These roles already exist in IDM. As new LC machines are deployed and new unix groups are created, LC Support or IDM admins add explicit roles for them. An IDM user never has to make an explicit role. Defined roles, on the other hand, are defined by an IDM user. IDM Admins will help computer coordinators make a defined role based on what their team members need. For example, if a web team leader knows all their team members need access to machines called czwebserver, rzwebserver, and enwebserver, then the team can create a role called lc-web that includes the following explicit roles: czwebserver-ocf-resource, rzwebserver-ocf-resource, and enwebserver-ocf-resource. Instead of a new web team employee individually requesting each of the necessary accesses, they can simply make one request to be a member of the lc-web role.

Defined roles can be quite specific. For instance, the web team might decide that some members also need SCF resources, but not every team member does, so the web team can make a second defined role, lc-web-scf, for them. If a team has multiple roles, it can make one umbrella defined role that includes all the smaller defined roles.

Defined roles can also inherit from other defined roles. Consider this example: two teams, team A and team B, exist in a division, and each has separate needs for its project. Team A uses quartz, sierra, an OCF unix group, and an SCF unix group. However, not all team A users are Q cleared, so some of them use only quartz and the OCF group. Team B uses oslic, rzslic, and one unix group. Some employees in the division are on both team A's project and team B's project. We can arrange defined roles in IDM to reflect these needs. The higher level defined roles inherit resources and groups from the lower level defined roles, so nothing needs to be duplicated.

Chart of embedded IDM roles

An account may be a member of as many roles as needed, but the IDM admins try to manage the role tree so that commonly needed sets of access are captured in a small number of roles, which limits the number of roles an account needs.

You can see all the existing roles by clicking on Roles in the horizontal menu at the top of the IDM webpage. The naming pattern for group roles is [name]-[network]-group and the pattern for resource roles is [name]-[network]-resource, which can help you find the role you are looking for. Use keywords like "group", "resource", "ocf", or the name of your project or organization to filter roles. You can also filter on the type of role. Defined roles are of the type "User Pool" because they are a collection of users who all want the same resources and groups.
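The role expansion described above (lc-web, the team A / team B inheritance example, and the [name]-[network]-group / [name]-[network]-resource naming pattern) can be modelled as a small graph walk. The following Python is an added example written for this page, not IDM's own code or API: the role tree it builds is constructed data, the defined-role names other than lc-web (team-a-uncleared, team-a-cleared, team-b, division-umbrella) and the network tags on the explicit roles are assumptions, and it resolves a role's effective accesses the way the page describes, with a revisit check so a mistaken cycle in the tree cannot loop forever.

```python
"""Resolve nested IDM-style roles to the explicit accesses they confer.

Added example for this page; not part of LC's IDM software. The role tree
below is constructed data: lc-web and its three web server roles come from
the page, the other defined-role names and the network tags are assumptions.
"""
from collections import deque

# Each key is a role. Explicit roles (one resource or one unix group) map to
# an empty set; defined roles (User Pools) map to the roles they include,
# which may themselves be defined roles.
ROLE_TREE = {
    # Explicit resource roles: <name>-<network>-resource
    "czwebserver-ocf-resource": set(),
    "rzwebserver-ocf-resource": set(),
    "enwebserver-ocf-resource": set(),
    "quartz-ocf-resource": set(),
    "sierra-scf-resource": set(),
    "oslic-ocf-resource": set(),
    "rzslic-ocf-resource": set(),
    # Explicit group roles: <name>-<network>-group
    "teama-ocf-group": set(),
    "teama-scf-group": set(),
    "teamb-ocf-group": set(),
    # Defined roles (names other than lc-web are hypothetical)
    "lc-web": {"czwebserver-ocf-resource", "rzwebserver-ocf-resource",
               "enwebserver-ocf-resource"},
    "team-a-uncleared": {"quartz-ocf-resource", "teama-ocf-group"},
    "team-a-cleared": {"team-a-uncleared", "sierra-scf-resource", "teama-scf-group"},
    "team-b": {"oslic-ocf-resource", "rzslic-ocf-resource", "teamb-ocf-group"},
    "division-umbrella": {"team-a-cleared", "team-b"},
}


def parse_role(name):
    """Classify a role name by the page's naming pattern.

    Returns (kind, target, network) where kind is 'resource', 'group' or
    'defined'; defined roles carry no network in their name.
    """
    parts = name.rsplit("-", 2)
    if len(parts) == 3 and parts[2] in ("resource", "group"):
        return parts[2], parts[0], parts[1]
    return "defined", name, None


def effective_access(role, tree=ROLE_TREE):
    """Expand one role into the (resources, groups) it confers.

    Breadth-first walk over the inheritance graph; roles already visited are
    skipped, so a cycle in the tree cannot loop forever. An unknown role is
    an error rather than silently granting nothing.
    """
    resources, groups, seen = set(), set(), set()
    queue = deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        if current not in tree:
            raise KeyError(f"unknown role: {current}")
        kind, target, network = parse_role(current)
        if kind == "resource":
            resources.add(f"{target}/{network}")
        elif kind == "group":
            groups.add(f"{target}/{network}")
        else:
            queue.extend(tree[current])
    return resources, groups


def account_access(memberships, tree=ROLE_TREE):
    """Union of effective access across all of an account's role memberships."""
    resources, groups = set(), set()
    for role in memberships:
        r, g = effective_access(role, tree)
        resources |= r
        groups |= g
    return resources, groups


def excess_access(memberships, needed_resources, needed_groups, tree=ROLE_TREE):
    """Revalidation check: access the memberships confer beyond what is needed."""
    resources, groups = account_access(memberships, tree)
    return resources - set(needed_resources), groups - set(needed_groups)


if __name__ == "__main__":
    res, grp = account_access(["lc-web", "team-a-uncleared"])
    print("resources:", sorted(res))
    print("groups:", sorted(grp))
    print("excess:", excess_access(["team-a-cleared"], ["quartz/ocf"], ["teama/ocf"]))
```

The excess_access() helper is the check a coordinator wants at revalidation time: pass the account's role memberships and the access the user still needs, and it returns whatever those memberships confer beyond that, which is the access to remove rather than re-approve.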

Approver Roles/Responsibilities in the IDM System

After LC end-users submit computing resource and group membership requests, the requests are reviewed and electronically approved (or rejected) by IDM "approvers": individuals who have special knowledge about, or direct responsibility for, the types of requests routed to them. As a request progresses, it is placed in the work queue of the next approver. The contents of this work queue are displayed when an approver logs into IDM or clicks the Home button in the IDM web interface. The approver approves the request with the Approve button or denies it with the Reject button. Once all approvers have approved a resource request, the corresponding resource account is automatically provisioned. All actions are electronically audited. The types of approvals each approver handles in the IDM system are outlined below.

  • Computer Coordinator: Reviews and approves (or rejects) all requests within their organization.
  • Resource Owner: Reviews and approves (or rejects) all LA resource account requests.
  • Group Owner: Reviews and approves (or rejects) group creation, modification, and deletion requests.
  • LC Support: Reviews and approves (or rejects) all aspects of a resource account request.

Help and Feedback

Contact LC Support at lc-support@llnl.gov or IDM admins at lc-idm-admin@llnl.gov for help.