The Livermore Computing (LC) Identity Management (IdM) System automates the process of provisioning (creating and updating) and deprovisioning (deleting) user accounts across LC's multiple systems. IdM also allows the management of accounts, groups, and LC identities for both the Open Computing Facility (OCF)—Collaboration Zone (CZ) and Restricted Zone (RZ)—and the Secure Computing Facility (SCF).

The user experience of the IdM System depends on user role. Consult the glossary for the definitions of unfamiliar terminology and the FAQ for answers to common questions.

For help, contact LC Support at 925-422-4533 or via e-mail: lc-support@llnl.gov.

The IdM System Interface

The interface to the IdM System is available on the OCF at https://lc-idm.llnl.gov. Although the IdM System interface is not available on the SCF, users are still able to request an account on an SCF computing resource and manage their SCF computing resource accounts.

Logging in to the IdM System

When you first access the IdM System, you will see the Log in to Livermore Computing Identity Management System window, shown below. Enter your Official User Name (OUN) and whichever password is appropriate to your current access level—your AD (Active Directory) password, your LC One-Time Password (RSA OTP), or your remote access OTP.

The login window for the IdM System.

If you do not already have an LC username, you will be directed to Request a Special Purpose LC Username. If your OUN is eight characters or fewer, your OUN will be automatically set as your LC username. If your OUN is nine characters or more, you must enter your preferred LC username. The IdM System will ensure that your username is unique and not more than eight characters.

The Request a Special Purpose LC Username window if your OUN is eight or fewer characters.
The Request a Special Purpose LC Username window if your OUN is more than eight characters.

After you select your LC user name, you will see the IdM main menu (shown below). The user experience and the presence or absence of menus for the LC IdM System are usually determined by your user role. The menu choices for managing accounts, groups, and identities are described in the Role-Driven IdM Menus section. You may check the status of your IdM requests by selecting the View My Outstanding Request(s) Status entry at the top of the main menu page.

Main menu

Help and Feedback

If you need additional help or are unable to find the answer to your question in this user document, please send an email to lc-idm@llnl.gov. If you are looking for online help with the IdM System, select the HELP button on any page in the user interface.

Feedback is always appreciated. To give feedback, select the Provide Feedback link near the top of the menu list on the IdM System main menu.

Logging Out of the IdM System

When you are finished submitting your requests or reviewing the status of your previous requests, it is strongly recommended that you log out of the IdM System immediately by selecting the LOGOUT button located in the upper-right corner of the window. Leaving idle connections open for long periods of time defeats the purpose of the protections provided by the two-factor authentication required during login. Your session will automatically time out if your connection remains inactive for more than five hours.

You may select the LOGOUT button at any time and from anywhere within IdM. Note, however, that if you log out while completing an IdM request, all item selections for the current request will be lost. It is therefore recommended that you select the Submit or Cancel button located at the bottom of each request window and return to the main menu to log out. This ensures that you have fully and intentionally submitted or canceled your requests before exiting the IdM System.

Roles in the IdM System

Your menu choices and possible subsequent actions within the IdM System are determined by your user role. The roles are defined as follows:

  • End User: An individual who uses LC's computational and storage resources.
  • Computer Coordinator(s): One or more individuals who act as organizational liaisons to review and approve end-user requests for accounts on LC's computational and storage resources on behalf of an organization.
  • Resource Owner(s): One or more individuals who act as gatekeepers for specific computational and storage resources within LC. For example, if a computational resource is in a limited availability (LA) state, the resource owner must review and approve end-user requests for that resource before access will be granted.
  • Group Owner(s): One or more individuals who manage a group's membership as well as delegate group management responsibility to other individuals. Groups are used to grant access to specific types of information located on LC resources. In addition to the group owner, there is often a primary approver and an alternate approver who can approve group membership, changes, etc.
  • LC Support: The team of account specialists who work in the LC Hotline (Building 453, Room 1103). They review all end-user requests for completeness and provide critical background ancillary tasks to ensure that all end-user requests are handled efficiently and promptly.

Role-Driven IdM Menus

The menus and options available to you within IdM are described in the following pages. When navigating the submenu selections, use the Cancel button to return to the main menu if you want to abort submenu actions. (Using the Back button/arrow within your browser will result in undesirable behavior.) To complete your request, select the Submit button.

You may be presented with topics and menus on which you cannot take action because your role does not allow those actions. For example, you will see the Manage Unclassified Groups menu because you are a member of a group, but you cannot take group action because you are not the owner of or an alternate authorizer for the group.

Managing in IdM in an End User Role

After logging in to the IdM System, a typical end user will see five main menu topics. Each menu topic has a submenu for actions the user may take within that menu topic. These topics and actions are described on the following pages in the order they appear to the user when logged in to the IdM System.

Approver Roles/Responsibilities in the IdM System

After LC end-users submit computing resource and group membership requests, these requests are reviewed and electronically approved (or rejected) by IdM System "approvers." Individual approvers possess special knowledge about, or have direct responsibility for, the types of requests routed through the IdM System. As each request progresses, it is placed in the "work queue" for the next approver. The contents of this work queue are displayed when an approver selects Inbox (Requests Requiring Your Approval) located at the top of the IdM main menu. The approver approves the request by selecting the Approve button; the approver denies the request by selecting the Reject button. If all approvers have approved a resource request, the corresponding resource account is automatically provisioned. All actions are electronically audited. The types of approvals encountered by each approver within the IdM System are outlined below.

  • Computer Coordinator: Reviews and approves (or rejects) all requests within their organization.
  • Resource Owner: Reviews and approves (or rejects) all LA resource account requests.
  • Group Owner: Reviews and approves or rejects group creation, modification, and deletion requests.
  • LC Support: Reviews and approves (or rejects) all aspects of the resource account.
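
The routing described above can be modeled as a small state machine. This is an added sketch, not the IdM System's own code: the order of the approver queue, the class and method names, and the sample OUNs are assumptions made for illustration. It shows the properties the text states: a request sits in one approver's work queue at a time, a resource in a limited availability (LA) state adds the Resource Owner, provisioning happens only after every approver has approved, and every action lands in the audit record.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Approver roles named on this page. The order in which they act is an
# assumption of this sketch; the page does not state the routing order.
COORDINATOR = "Computer Coordinator"
RESOURCE_OWNER = "Resource Owner"
LC_SUPPORT = "LC Support"


@dataclass
class ResourceRequest:
    requester_oun: str
    resource: str
    limited_availability: bool                      # True for an LA resource
    state: str = field(default="PENDING", init=False)
    queue: list = field(default_factory=list, init=False)  # roles still to act
    audit: list = field(default_factory=list, init=False)  # append-only record

    def __post_init__(self):
        self.queue.append(COORDINATOR)
        if self.limited_availability:
            self.queue.append(RESOURCE_OWNER)       # only LA resources need this
        self.queue.append(LC_SUPPORT)
        self._log("SUBMIT", "End User", self.requester_oun)

    def _log(self, action, role, oun, comment=""):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "role": role, "oun": oun, "comment": comment,
        })

    def decide(self, role, approver_oun, approve, comment=""):
        """Record one approver decision and return the resulting state."""
        if self.state != "PENDING":
            # Decisions on a closed request are refused but still audited.
            self._log("DENIED_CLOSED", role, approver_oun, comment)
            raise ValueError(f"request already {self.state}")
        if role != self.queue[0]:
            # The request is in another approver's work queue.
            self._log("DENIED_OUT_OF_TURN", role, approver_oun, comment)
            raise PermissionError(f"request is in the {self.queue[0]} work queue")
        if not approve:
            self._log("REJECT", role, approver_oun, comment)
            self.state = "REJECTED"
            self.queue.clear()
            return self.state
        self._log("APPROVE", role, approver_oun, comment)
        self.queue.pop(0)
        if not self.queue:
            # All approvers have approved: the account is provisioned.
            self.state = "PROVISIONED"
            self._log("PROVISION", "IdM System", "-", self.resource)
        return self.state


def actions(request):
    """Return the audited action names in the order they occurred."""
    return [entry["action"] for entry in request.audit]


if __name__ == "__main__":
    # Constructed sample data: these OUNs and resource names are placeholders.
    req = ResourceRequest("oun_user", "cluster_a", limited_availability=True)
    req.decide(COORDINATOR, "oun_cc", True)
    req.decide(RESOURCE_OWNER, "oun_ro", True)
    print(req.decide(LC_SUPPORT, "oun_ls", True), actions(req))
```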

Manage Unclassified Accounts

These menus allow management of unclassified accounts. Select a menu to view its descriptive information.

Add OCF Computing Resource Account

Add OCF computing resource account menu

Add OCF Computing Resource Account. Request a computing resource account. The form fields are described below.

Request is For

Requests are typically for yourself, but you may request an account for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual for whom the account is requested.

Username

The LC username of the individual for whom the account is requested. For users with more than one LC username, input the LC username for which the request applies. If this is the very first account request for this specific username, you will be prompted for the following information:

  • Username Organization. The organization selected is used as the default Request Organization for all future requests and is typically the organization requiring the account for specific work. This default value may be overridden at any time by selecting a different Request Organization from the pull-down menu.
  • Username Point of Contact (POC) OUN. The OUN selected is used as the default LLNL POC OUN for all future resource requests and is typically your Project Leader, Line Management, or Computer Coordinator. This default value may be overridden at any time by entering a different OUN. Do not put your own OUN in this field.
  • Preferred Shell. The shell selected will be used as the default shell for all future resource requests. This default value may be overridden at any time by selecting a different shell from the pull-down menu. The default shell is tcsh.

Request Organization

The organization that has authorized and will be approving this request. Typically, the request organization is your project, matrix, or line organization requiring the account for specific work.

Item Type

Select a (computing) Resource.

  • Resource Name: Select a computing resource (i.e., an HPC or storage system) from the pull-down menu. If you are uncertain which resource name to select, please contact your Project Leader, Line Management, or Computer Coordinator for assistance.
  • Shell: Select from a pull-down list of supported shells on the selected computing resource. By default, your preferred shell is automatically selected. This default choice may be overridden by selecting a different shell from the list.
  • LLNL Point of Contact (POC) OUN:  If you are an offsite collaborator, this is the OUN of your LLNL sponsor. If you are onsite, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Add Item To Request (button)

After choosing an Item Type (i.e., computing resource) above, select this button to add the item to your "shopping cart" for this request. You may repeat the above series of steps to add multiple Item Types (i.e., computing resources) to this single request. Select the Clear button to restart your Item Type selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your resource selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this entire request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Policies and Procedures

When you submit your very first resource request, you are required to review and agree to Livermore Computing’s Policies and Procedures (P&P).  You will receive an email from lc-idm@llnl.gov requesting you to log in, read, and agree to the LC P&P. If you concur, select the Agree button and your request will proceed. If you disagree, select the Disagree button and your request will be discarded.

Update OCF Computing Resource Account Attributes

Change the attributes for your own existing LC account. Select the LC account name you wish to modify from the pull-down menu. Choose the Resource Name. Once selected, change your current Shell and/or change your LLNL POC OUN for that resource, then select Add Item to Request. Repeat this operation for all subsequent LC accounts and/or resources you wish to update. If an entry in the requested resources list box was erroneously added, choose the box next to the resource name(s) and select Remove Selected Item(s) From Request. Specifics regarding the requested account attribute updates can be optionally added in the Request Comments text box. Form fields are described below.

Attributes menu

Username

The LC username associated with the account to be updated. Select the username from the pull-down menu.

Resource Name

Select the computing resource (i.e., an HPC or storage system) from the pull-down menu.

Shell

Select the desired shell from the pull-down list of supported shells on the selected computing resource. By default, your current shell is automatically selected. This default choice may be overridden by selecting a different shell from the list.

LLNL Point of Contact (POC) OUN

By default, your current POC will be automatically entered. If you are an offsite collaborator, this is the OUN of your LLNL sponsor. If you are onsite, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Add Item To Request (button)

After completing your changes, select this button to add the changes to your shopping cart for this request. Repeat the above series of steps to add multiple computing resources to this single request. Select the Clear button to restart your selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this entire request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Remove OCF Computing Resource Account

Delete your user account (or that of another individual) on any OCF machine. (Note: Use this menu option to remove a single resource.) After specifying the username and selecting the resource account(s) to be removed (Add Item to Request), click Submit to finalize the resource account removal. You may also add comments regarding the need for this account removal in the Request Comments text box. Form fields are described below.

Remove OCF account menu

Request is For

Requests are typically for yourself, but you may request an account be removed for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual whose account is to be removed.

Username

The LC username of the account to be updated. Select the username from the pull-down menu.

Resource Name

Select from the pull-down menu the computing resource (e.g., an HPC or storage system) for which access will be removed.

Add Item To Request (button)

After completing your changes, select this button to add the changes to your shopping cart for this request. You may repeat the above series of steps to add multiple computing resources to this single request. Select the Clear button to restart your selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Update OCF LC Username Attributes

Select your username from the pull-down menu. Fields with your username attributes are populated with their default values. Select a new approving organization and/or username POC OUN and/or preferred shell. Once complete, select the Launch button to submit your request. Form fields are described below.

Update OCF username menu

Username

The LC username of the account to be updated. Select the username from the pull-down menu.

Username Organization

The organization selected is used as the default Request Organization for all future requests and is typically the organization requiring the account for specific work. This default value may be overridden at any time by selecting a different Request Organization from the pull-down menu.

LLNL Point of Contact (POC) OUN

By default, the OUN of your current POC will be automatically entered. If you are an offsite collaborator, this is the OUN of your LLNL sponsor. If you are onsite, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Preferred Shell

Select from the pull-down list of supported shells. By default, your current preferred shell is automatically selected. This default shell may be overridden by selecting a different shell from the list.

Launch (button)

After you have completed your selections, select the Launch button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Delete OCF (Unclassified) LC Username

Delete an LC username, either immediately or on a specific date. (Note: Use this menu option to remove a user from all OCF access. To remove all OCF and SCF access, use Delete LC Identity and Remove All Accounts.) Deleting a username will also delete all resources associated with that username. You must choose either to have your global home directory and storage data destroyed or to specify to whom ownership of the data should be transferred. If any of the resources associated with that username have a local (non-global) home directory, you must also choose either to have your local home directory destroyed or to specify to whom ownership of the data should be transferred. Form fields are described below.

Delete username menu

Effective Date

Select Immediate to delete this LC username immediately, or select Other to identify a future date for deletion. Other is typically used when it is known that an individual's LC username will no longer be required (e.g., after completion of a project or at the end of a temporary position as a summer student).

Request is For

Requests are typically for yourself, but you may request a username deletion for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual whose LC username is to be deleted.

Username

The LC username of the account to be deleted. Select the username from the pull-down menu.

Global Home Directory

Select Transfer Ownership to Another User if your home directory files are to be retained, or Destroy All if all of these files can be discarded.

Storage Ownership

Select Transfer Ownership to Another User if your storage-resource files are to be retained, Destroy All if all of these files can be discarded, or See Comments for disposition for detailed instructions on how to dispose of or retain these files.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded, and you will be returned to the IdM main menu.

Manage Unclassified Groups

These menus allow management of unclassified groups. To manage unclassified groups, you must be either the group owner or alternate group authorizer. Select a menu to view its descriptive information.

Create Unclassified Group

New group names must be unique across all LLNL networks. All OCF groups are "managed" groups, i.e., their memberships are not automatically maintained by the IdM System. The managed group name must be more than two but no more than eight characters in length, cannot contain any special characters other than "-" (hyphen) or "_" (underscore), and cannot contain any of the following strings: _nwc, nwc-, admin, _hl, _sup, hotline, _deg. Select the group owner OUN and the approving organization.  Add zero or more alternate group update authorizer OUNs. You must add one or more LC user names as members of the group upon group creation. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Create unclassified group menu

Group Name

Enter the preferred name for the group. The name must be eight or fewer characters and composed of only alphabetic, numeric, underscore (_) and hyphen (-) characters. Group names cannot look like OUNs. The IdM System will ensure that the group name is unique. All managed groups are provisioned to LC computational resources as standard UNIX groups.
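
The naming rules stated in this section (length, permitted characters, reserved strings, uniqueness) can be checked before a request is submitted. The following is an added example, not the IdM System's own validation code: the function name, the ASCII-only reading of "alphabetic", and the case-insensitive matching of reserved strings and existing names are assumptions. The rule that group names cannot look like OUNs is not implemented because the OUN format is not given on this page.

```python
import re

# "more than two but no more than eight characters in length"
MIN_LEN, MAX_LEN = 3, 8

# Alphabetic, numeric, underscore and hyphen only (ASCII is an assumption).
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")

# Strings a managed group name may not contain, as listed on this page.
FORBIDDEN_SUBSTRINGS = ("_nwc", "nwc-", "admin", "_hl", "_sup", "hotline", "_deg")


def check_group_name(name, existing=frozenset()):
    """Return the list of rule violations for a proposed group name.

    An empty list means the name passes every rule modeled here.
    `existing` is the set of group names already in use (hypothetical input;
    the real system checks uniqueness across all LLNL networks).
    """
    problems = []

    if not (MIN_LEN <= len(name) <= MAX_LEN):
        problems.append("length")

    # fullmatch() rather than match() with "$", so that a trailing newline
    # or any other stray character cannot slip past the character check.
    if not ALLOWED.fullmatch(name):
        problems.append("charset")

    # Case-insensitive comparison is an assumption of this sketch; it keeps
    # "Admin" from bypassing a rule written as "admin".
    lowered = name.lower()
    hits = [s for s in FORBIDDEN_SUBSTRINGS if s in lowered]
    if hits:
        problems.append("reserved:" + ",".join(hits))

    if lowered in {e.lower() for e in existing}:
        problems.append("not-unique")

    return problems


def check_create_request(name, member_usernames, existing=frozenset()):
    """Validate a group-creation request: name rules plus at least one member."""
    problems = check_group_name(name, existing)
    if not member_usernames:
        # "You must add one or more LC user names as members of the group
        # upon group creation."
        problems.append("no-members")
    return problems


if __name__ == "__main__":
    # Constructed sample names, not real LC groups.
    for candidate in ("climate", "ab", "sysadmin", "proj nwc-1", "x_hl"):
        print(f"{candidate!r}: {check_group_name(candidate) or 'ok'}")
```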

Group Owner

The OUN of the individual who will own the group. The role of the group owner is to approve changes to the list of alternate group authorizers and modify the membership of the group.

Organization

The organization with whom this group is affiliated. (Organizational approvers authorize changes to the group owner OUN.)

Alternate Authorizer OUN(s)

A list of OUNs of those having the authority to modify the membership of the group.

Group Member Username(s)

A list of LC usernames who are members of this group.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Update Unclassified Group, Add/Remove Group Members

You must be the group owner or alternate group authorizer to add or remove group members. Select the group name from the pull-down menu. Add and/or remove LC usernames from the list membership box. You may not remove the last member of a group. If the user you wish to remove is the last group member, either delete the group or add a new group member first. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Update menu

Group Name

Select the group name you wish to modify from the pull-down list.

Group Member Username(s)

A list of LC usernames who are members of this group. Use the Remove and Add buttons to remove or add LC usernames to the group.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Add/Remove Unclassified Group Alternate Authorizers

You must be the group owner or alternate group authorizer to add or remove group alternate authorizers. Select the group name from the pull-down menu. Add and/or remove alternate authorizer OUNs from the authorizer list box. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Add/remove unclassified menu

Group Name

Select the group name you wish to modify from the pull-down list.

Alternate Authorizer OUN(s)

A list of OUNs of those having the authority to modify the membership of the group. Use the Remove and Add buttons to remove or add the OUNs of those permitted to modify the membership list.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Modify/Update (Unclassified) Group Organization Affiliation

You must be the group owner or alternate group authorizer to modify group organization affiliation. Select the group name and the new organization name from the pull-down menus. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Update unclassified group menu

Group Name

Select the group name you wish to modify from the pull-down list.

New Organization

The organization with whom this group is newly affiliated. (Organizational approvers authorize changes to the group owner OUN.)

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Delete Unclassified Group

You must be the group owner to delete a group. Select the group name from the pull-down menu. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Delete unclassified group menu

Group Name

Select the group name you wish to delete from the pull-down list.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Manage Classified Accounts

These menus allow management of classified accounts and their associated computing resources. Select a menu to view its descriptive information.

Add SCF Computing Resource Account

The request is typically for you, but you may request an account for another individual as their Project Leader, Line Management, or Computer Coordinator. After specifying the Request Organization and selecting the Item Type (i.e., computing resource or bank), the IdM System will prompt for the Resource Name and Shell (if a computing resource is requested). Form fields are described below.

Add SCF account menu

Request is For

Requests are typically for yourself, but you may request an account for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual for whom the account is requested.

Username

The LC username of the individual for whom the account is requested. For users with more than one LC username, input the LC username for which the request applies. If this is the very first account request for this specific username, you will be prompted for the following information:

  • Username Organization: The organization selected is used as the default Request Organization for all future requests and is typically the organization requiring the account for specific work. This default value may be overridden at any time by selecting a different Request Organization from the pull-down menu.
  • Username Point of Contact (POC) OUN: The OUN selected is used as the default LLNL POC OUN for all future resource requests and is typically your Project Leader, Line Management, or Computer Coordinator. This default value may be overridden at any time by entering a different OUN. Do not put your own OUN in this field.
  • Preferred Shell: The shell selected will be used as the default shell for all future resource requests. This default value may be overridden at any time by selecting a different shell from the pull-down menu. Default shell is tcsh. Because the default shell is -Select-, you must select a valid shell.
  • SCF Email: This field is auto-populated with your LC username and the name of the POP email server on the SCF. Although this field can be edited, it is typically left as is.

Request Organization

The organization that has authorized and will be approving this request. Typically, the Request Organization is your project, matrix, or line organization requiring the account for specific work.

Item Type

Select a (computing) Resource.

  • Resource Name: Select a computing resource (i.e., an HPC or storage system) from the pull-down menu. If you are uncertain which resource name to select, please contact your Project Leader, Line Management, or Computer Coordinator for assistance.
  • Shell: Select from a pull-down list of supported shells on the selected computing resource. By default, your preferred shell is automatically selected. This default choice may be overridden by selecting a different shell from the list.
  • LLNL Point of Contact (POC) OUN:  If you are an off-site collaborator, this is the OUN of your LLNL sponsor. If you are on-site, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Add Item To Request (button)

After choosing an Item Type (i.e., computing resource or bank) above, select this button to add the item to your "shopping cart" for this request. You may repeat the above series of steps to add multiple Item Types (i.e., computing resources and/or banks) to this single request. Select the Clear button to restart your Item Type selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your resource selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this entire request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Policies and Procedures

When you submit your very first resource request, you are required to review and agree to Livermore Computing’s Policies and Procedures (P&P). You will receive an email from lc-idm@llnl.gov requesting you to log in, read, and agree to the LC P&P. If you concur, select the Agree button and your request will proceed. If you disagree, select the Disagree button and your request will be discarded.

Update SCF Computing Resource Account Attributes

Change the attributes for your own existing LC account. Select which LC account name you wish to modify using the pull-down menu. Choose the Resource Name. Once selected, change your current Shell and/or change your LLNL POC OUN for that resource, then select Add Item to Request. Repeat this operation for all subsequent LC accounts and/or resources you wish to modify. If an entry in the requested resources list box was erroneously added, choose the box next to the Resource Name(s) and select Remove Selected Item(s) From Request. Specifics regarding the requested account attribute updates can be optionally added in the Request Comments text box. Form fields are described below.

Update SCF account menu

Username

The LC username associated with the account to be updated. Select the username from the pull-down menu.

Resource Name

Select the computing resource (i.e., an HPC or storage system) from the pull-down menu.

Shell

Select the desired shell from the pull-down list of supported shells on the selected computing resource. By default, your current shell is automatically selected. This default choice may be overridden by selecting a different shell from the list.

LLNL Point of Contact (POC) OUN

By default, your current POC will be automatically entered. If you are an off-site collaborator, this is the OUN of your LLNL sponsor. If you are on-site, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Add Item To Request (button)

After completing your changes, select this button to add the changes to your "shopping cart" for this request. Repeat the above series of steps to add multiple computing resources to this single request. Select the Clear button to restart your selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this entire request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Remove SCF Computing Resource Account

Delete your user account (or that of another individual) on any SCF machine. (Note: Use this menu option to remove a single resource.) After specifying the username and selecting the resource account(s) to be removed (Add Item to Request), click Submit to finalize the resource account removal. You may also add comments in the Request Comments text box detailing the need for this account removal. Form fields are described below.

Remove SCF resource menu

Request is For

Requests are typically for yourself, but you may request that an account be removed for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual whose account is to be removed.

Username

The LC username of the account to be updated. Select the username from the pull-down menu.

Resource Name

On the pull-down menu, select the computing resource (i.e., an HPC or storage system) to which access will be removed.

Add Item To Request (button)

After completing your changes, select this button to add the changes to your "shopping cart" for this request. You may repeat the above series of steps to add multiple computing resources to this single request. Select the Clear button to restart your selections. Select the checkbox(es) to the left of the item(s) in your shopping cart and select the Remove Selected Item(s) From Request button to remove these items from your shopping cart.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Update SCF LC Username Attributes

Select your username from the pull-down menu. Fields with your username attributes are populated with their current values. Select a new approving organization and/or username POC OUN and/or preferred shell. Once complete, select the Launch button to submit your request. Form fields are described below.

Update SCF username menu

Username

The LC username of the account to be updated. Select the username from the pull-down menu.

Username Organization

The organization selected is used as the default Request Organization for all future requests and is typically the organization requiring the account for specific work. This default value may be overridden at any time by selecting a different Request Organization from the pull-down menu.

LLNL Point of Contact (POC) OUN

By default, the OUN of your current POC will be automatically entered. If you are an off-site collaborator, this is the OUN of your LLNL sponsor. If you are on-site, this is typically the OUN of your Project Leader, Line Management, or Computer Coordinator. Do not put your own OUN in this field.

Preferred Shell

Select from the pull-down list of supported shells. By default, your current preferred shell is automatically selected. This default shell may be overridden by selecting a different shell from the list.

Launch (button)

After you have completed your selections, select the Launch button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Delete SCF (Classified) LC Username

Delete an LC username, either immediately or on a specific date. Deleting a username will also delete all resources associated with that username. You must either choose for your global home directory and storage data to be destroyed or specify to whom ownership of the data should be transferred. If any of the resources associated with that username have a local (non-global) home directory, you must also choose for your local home directory to be destroyed or specify to whom ownership of the data should be transferred. Form fields are described below.

Delete classified username

Effective Date

Select Immediate to delete this LC username immediately, or select Other to identify a future date for deletion. Other is typically used when it is known that an individual's LC username will no longer be required (e.g., after completion of a project or at the end of a temporary position as a summer student).

Request is For

Requests are typically for yourself, but you may request a username deletion for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual whose LC username is to be deleted.

Username

The LC username of the account to be deleted. Select the username from the pull-down menu.

Global Home Directory

Select Transfer Ownership to Another User if your home directory files are to be retained, or Destroy All if all of these files can be discarded.

Storage Ownership

Select Transfer Ownership to Another User if your storage-resource files are to be retained, Destroy All if all of these files can be discarded, or See Comments for disposition for detailed instructions on how to dispose of or retain these files.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections above, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Manage Classified Groups

These menus allow management of classified accounts and their associated computing resources. To manage classified groups, you must be either the group owner or a primary or alternate group authorizer. Select a menu to view its descriptive information.

Create Classified Group

New group names must be unique across all LLNL networks. All SCF groups are "managed" groups (i.e., their memberships are not automatically maintained by the IdM System) or "NWC" groups (i.e., Web-based only). The managed group name must be more than 2 but no more than 8 characters in length, cannot contain any special characters other than "-" (hyphen) or "_" (underscore), and cannot contain any of the following strings: _nwc, nwc-, admin, _hl, _sup, hotline, _deg. The NWC group name must begin with "nwc-", must be at least 5 but no more than 14 characters in length, must not contain any special characters other than "-" or "_", and must not contain any of the following strings: _nwc, admin, _hl, _sup, hotline, _deg. Select the group owner OUN and the approving organization. Add zero or more alternate group update authorizer OUNs. You must add one or more LC user names as members of the group upon group creation. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Create classified group menu

Group Type

All Managed groups are provisioned to LC computational resources as standard UNIX groups. NWC Groups are provisioned on the LC Web server to grant or deny access to information available via that service.

Group Name

Enter the preferred name for the group. The name must be eight or fewer characters and composed of only alphabetic, numeric, underscore (_) and hyphen (-) characters. Group names cannot look like OUNs. The IdM System will ensure that the group name is unique.
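The naming rules given under Create Classified Group and repeated for the Group Name field can be checked before a request is submitted. The following is an added example, not part of the IdM System or LC's own code: the function names are hypothetical, and ASCII-only letters and digits and case-insensitive matching of the prohibited strings are assumptions. The uniqueness and "cannot look like OUNs" checks, which only IdM can perform, are not modeled.

```python
import re

# Rules transcribed from the "Create Classified Group" text on this page.
# Assumption: "alphabetic, numeric" means ASCII letters and digits.
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")

RULES = {
    # group type: (min length, max length, required prefix, prohibited strings)
    "managed": (3, 8, None,
                ("_nwc", "nwc-", "admin", "_hl", "_sup", "hotline", "_deg")),
    "nwc": (5, 14, "nwc-",
            ("_nwc", "admin", "_hl", "_sup", "hotline", "_deg")),
}


def check_group_name(name, group_type):
    """Return every documented rule the name breaks (empty list = passes)."""
    if group_type not in RULES:
        raise ValueError(f"unknown group type: {group_type!r}")
    min_len, max_len, prefix, prohibited = RULES[group_type]
    problems = []

    if not min_len <= len(name) <= max_len:
        problems.append(f"length {len(name)} is outside {min_len}-{max_len}")
    if not ALLOWED.fullmatch(name):
        problems.append("only letters, digits, '-' and '_' are allowed")
    # The prefix is compared exactly as written on the page (lowercase).
    if prefix and not name.startswith(prefix):
        problems.append(f"must begin with '{prefix}'")

    # Assumption: prohibited strings are matched case-insensitively,
    # which is the stricter reading of the rule.
    lowered = name.lower()
    for token in prohibited:
        if token in lowered:
            problems.append(f"contains prohibited string '{token}'")
    return problems


def lint_requests(requests):
    """Map each (name, group_type) pair that fails to its list of problems."""
    report = {}
    for name, group_type in requests:
        problems = check_group_name(name, group_type)
        if problems:
            report[(name, group_type)] = problems
    return report


# Constructed sample names, not real LC groups.
SAMPLE = [
    ("phys-dev", "managed"),     # passes
    ("ab", "managed"),           # too short
    ("sysadmin", "managed"),     # contains "admin"
    ("nwc-plot", "managed"),     # managed names may not contain "nwc-"
    ("nwc-plots", "nwc"),        # passes
    ("plots-nwc", "nwc"),        # missing the "nwc-" prefix
    ("nwc-data_sup", "nwc"),     # contains "_sup"
    ("proj.x", "managed"),       # "." is not an allowed character
]

if __name__ == "__main__":
    for key, problems in lint_requests(SAMPLE).items():
        print(key, problems)
```
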

Group Owner

The OUN of the individual who will own the group. The role of the group owner is to approve changes to the list of alternate group authorizers and modify the membership of the group.

Organization

The organization with whom this group is affiliated. Organizational approvers authorize changes to the group owner OUN.

Alternate Authorizer OUN(s)

A list of OUNs of those having the authority to modify the membership of the group.

Group Member Username(s)

A list of LC user names who are members of this group.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Update Classified Group, Add/Remove Group Members

You must be the group owner or alternate group authorizer to add or remove group members. Select the group name from the pull-down menu. Add and/or remove LC usernames from the list membership box. You may not remove the last member of a group. If the user you wish to remove is the last group member, either delete the group or add a new group member first. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Update classified group organization menu

Group Name

Select the group name you wish to modify from the pull-down list.

Group Member Username(s)

A list of LC usernames who are members of this group. Use the Remove and Add buttons to remove or add LC usernames to the group.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Add/Remove Classified Group Alternate Authorizers

You must be the group owner or alternate group authorizer to add or remove group alternate authorizers. Select the group name from the pull-down menu. Add and/or remove alternate authorizer OUNs from the authorizer list box. Additional information may optionally be provided in the Request Comments field. Form fields are described below.

Add/remove classified menu

Group Name

Select the group name you wish to modify from the pull-down list.

Alternate Authorizer OUN(s)

A list of OUNs of those having the authority to modify the membership of the group. Use the Remove and Add buttons to remove or add the OUNs of those permitted to modify the membership list.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Modify/Update Classified Group Organization Affiliation

You must be the group owner or alternate group authorizer to modify group organization affiliation. Select the group name and the new organization name from the pull-down menus. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Update classified group organization menu

Group Name

Select the group name you wish to modify from the pull-down list.

New Organization

The organization with whom this group is newly affiliated. Organizational approvers authorize changes to the group owner OUN.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Delete Classified Group

You must be the group owner to delete a group. Select the group name from the pull-down menu. Additional information may optionally be provided in the Request Comments text box. Form fields are described below.

Delete classified group menu

Group Name

Select the group name you wish to delete from the pull-down list.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded, and you will be returned to the IdM main menu.

Manage Tri-Lab Groups

Changes to LC Unix groups must be performed by a Computer Coordinator or a designated Group Approver. Coordinators and Group Approvers use the Identity Management tool, IdM, to add or remove groups, and to change group membership.

End Users

To request changes, contact your coordinator or the approver for the group you want to be added to or removed from. LLNL users can find their coordinator information in My Confluence.

Coordinators and Group Approvers

Group management is done using the Identity Management tool, IdM. IdM requires you to log in with an LLNL OUN (official username, e.g., smith1234) and an LLNL RSA one-time password (pin + token).

After logging in to the IdM application, choose “Create Group” under the Manage Unclassified Groups or Manage Classified Groups section to add a new group. When the group is no longer needed, return to the relevant group section in IdM and choose “Delete Group” to remove the group.

Choose “Add/Remove Group Members” in the same section in order to manage membership of a group. The list of groups for which you have access will be shown in the groups drop-down menu. See the "manage unclassified groups" page for details about using IdM to manage groups.

Tri-Lab Group Approvers

A designated set of Sandia and Los Alamos users can manage the membership of LC groups related to tri-lab projects. If you’re one of these designated tri-lab users, you will have received an LLNL RSA token.

The IdM application is the only LC resource where tri-lab users are expected to use an LLNL RSA token. Tri-lab users should continue to use their local site credentials for ssh access to LC systems or web access to the lc.llnl.gov and rzlc.llnl.gov sites, as described on the “Logging In” page.

Manage LC Identity

These menus allow management of a user's LC identity. Select a menu to view its descriptive information.

Menu Options

View My Profile

Shows user information such as name, home directory, resource accounts, shell, groups, etc. Useful for answering the question: "Do I have an account on that machine?"

Profile menu

View Groups

Shows groups and their members based on the selection of network (unclassified or classified) and group name. Also identifies the group owner, affiliated organization, and authorizers. You do not have to be a member of a group to view the group information.

Groups menu

Delete LC Identity and Remove All Accounts

Delete your LC identity and remove all your accounts on both OCF and SCF. You also must specify the disposition of files in your home directory and storage directory (where file disposition can be to transfer ownership or to destroy). Form fields are described below.

Delete LC identity and remove all accounts menu

Effective Date

Select Immediate to delete this LC username immediately, or select Other to identify a future date for deletion. Other is typically used when it is known that an individual's LC username will no longer be required (e.g., after completion of a project or at the end of a temporary position as a summer student).

Request Is For

Requests are typically for yourself, but you may request a username deletion for another individual as their Project Leader, Line Management, or Computer Coordinator.

OUN

The OUN of the individual whose LC username is to be deleted.

Username

The LC username of the account to be deleted. Select the username from the pull-down menu.

Unclassified Instance and Classified Instance

Identify file disposition for each network instance.

  • Global Home Directory: Select Transfer Ownership to Another User if your home directory files are to be retained, or Destroy All if all of these files can be discarded.
  • Storage Ownership: Select Transfer Ownership to Another User if your storage-resource files are to be retained, Destroy All if all of these files can be discarded, or See Comments for disposition for detailed instructions on how to dispose of or retain these files.

User Comments

Provide any additional information that may assist in the processing of your request. All comments entered are maintained and visible for the duration of this request and are recorded within the audit logs of the IdM System upon approval or rejection of this request.

Submit (button)

After you have completed your selections, select the Submit button to enter your request into the IdM System. You will immediately receive an email confirmation containing the details of your request. To abandon this request, simply select the Cancel button. Your request will be discarded and you will be returned to the IdM main menu.

Request a Special Purpose LC Username

You must choose this menu option if you do not have an LC username or if you need a second identity for testing or other needs. Note: If your OUN is 8 characters or fewer, your OUN will be your primary LC username. If your OUN is 9 characters or more, you can select an 8-character (or fewer) primary LC username. Form fields are described below.

Requesting an account for another

Request Is For

Requests are typically for yourself, but you may request a username for another individual as their Project Leader, Line Management, or Computer Coordinator.

Request For OUN

If this request is for someone else, you must provide that person's OUN.

Account Type

LC users are permitted to have up to ten user names. These are registered as Account Types user1 through user10. The IdM System automatically selects the next available Account Type for the given OUN.

New LC Username

Enter the new username for the indicated Account Type. The IdM System will ensure that the username is unique and not more than 8 characters.

Glossary, Tips, and FAQ

The glossary provides definitions for the terminology used in the IdM interface. The tips are provided to enhance your use of the IdM System.

Glossary

Host: A computing resource (e.g., a production computing or visualization system, a testbed system, or a server).

Item (type): Selection offers two choices, either a resource (i.e., a computing resource) or a bank.

LC: Livermore Computing

OTP: Your one-time password, which consists of your personal identification number (PIN) plus the random 6-digit number generated by your LLNL RSA token or RZ RSA token.

OUN: Your official user name at LLNL, which is usually your last name and a number (e.g., jones15).

AD: Your active directory password. This is the password that you use to log in to LLNL applications like LTRAIN or LITE.

Resource: A computing system (Atlas, Muir, etc.) or a storage system (HPSS).

Tips

The Add Item to Request button is often overlooked. Click this button when selections or additional information need to be passed to the IdM System.

Do not use the Back button/arrow on your Web browser. Instead, use the Submit, Cancel, or Finish buttons located at the bottom of each IdM System menu screen. (Using the Back button/arrow will result in undesirable behavior.)

Frequently Asked Questions

1. Who can access and make requests via the IdM System?

2. I am a new LC user and I want to get added to LC systems using IdM, but when I enter my OUN it returns the phrase "OUN is not an OUN of an LC User." How do I request accounts?

3. How do I find out the status of my request?

4. What does the term "suspended" mean when I check the status of a request?

5. Once I have submitted an IdM request, when can I expect the request to be completed by LC Support?

6. How do I know what resources and groups I am approved and active for?

7. How do I access IdM from off-site?

8. I am a matrixed employee. Which organization should I select for my IdM request?

9. What OUN should I use for the POC?

10. I want to add a resource for myself and my colleague, but the system I need is not there as a selection for either of us. Why?

11. I attempted to add myself to a group in IdM, but the request failed again and again.

12. How do I change my shell for an LC system?

13. How do I change my username POC on an LC system?

14. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my OCF systems but retain my SCF systems. How do I make this request in IdM?

15. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my SCF systems but retain my OCF systems. How do I make this request in IdM?

16. How do I delete all my LC resources in IdM?

Q1. Who can access and make requests via the IdM System?

A1. Anyone who has an OUN and AD or an LC unclassified account or remote access account with an OTP (PIN + RSA SecurID token code). Requests can be for oneself or on behalf of someone else.

Q2. I am a new LC user and I want to get added to LC systems using IdM, but when I enter my OUN it returns the phrase "OUN is not an OUN of an LC User." How do I request accounts?

A2. You must first select a username for your OUN by returning to the IdM main menu. Once there, scroll down to Manage LC Identity, select Request a Special Purpose LC Username, and complete the required fields. After you have an LC username, you may request resources.

Q3. How do I find out the status of my request?

A3. After submitting an IdM request, check the status by accessing the IdM main menu and selecting View My Outstanding Request(s) Status. You will see who has approved the request and who has yet to approve for final provisioning.

Q4. What does the term "suspended" mean when I check the status of a request?

A4. In the check status section of IdM, "suspended" means the request is awaiting an approval and IdM will show which approval is still outstanding.

Q5. Once I have submitted an IdM request, when can I expect the request to be completed by LC Support?

A5. The standard turnaround time for all IdM requests is 3-5 business days. During high volume times, the turnaround time is 7-10 business days.

Q6. How do I know what resources and groups I am approved and active for?

A6. From IdM's main menu, scroll down to the Manage LC Identity section and click on View My Profile. You will see all your approved resources and groups.

Q7. How do I access IdM from off-site?

A7. LC IdM is directly accessible from on-site locations and is available off-site over the Internet. You must have a valid OUN and AD or OTP (PIN + RSA SecurID token code) to log in.

Q8. I am a matrixed employee. Which organization should I select for my IdM request?

A8. You should select the organization that is requiring you to access LC systems in support of the work requirements.

Q9. What OUN should I use for the POC?

A9. Typically the OUN should be that of your Project Leader, Line Management, or Computer Coordinator. It should never be populated with the OUN of the person making the request.

Q10. I want to add a resource for myself and my colleague, but the system I need is not there as a selection for either of us. Why?

A10. When a desired resource is not listed as an option in IdM, it is typically because it has either already been provisioned to the user(s) of interest or it is not ready for general use. You can verify whether you have been provisioned on the system by returning to the IdM main menu and selecting View My Profile from under Manage LC Identity.

Q11. I attempted to add myself to a group in IdM, but the request failed again and again.

A11. Only group owners or authorizers can make group membership requests in IdM. If you need assistance determining who the group owner/authorizer is, please contact LC Support.

Q12. How do I change my shell for an LC system?

A12. Changing your shell for an OCF/SCF (CZ/RZ/SCF) LC system is a two-part process.

PART ONE:

  1. From the IdM Main Menu go to Manage Unclassified Accounts OR Manage Classified Accounts 
  2. To change your shell on the OCF: select Update OCF Computing Resource Account Attributes
    OR
    To change your shell on the SCF: select Update SCF Computing Resource Account Attributes
  3. Select your username from the pull-down menu (screenshot below)
  4. Fields with your username attributes are populated with their default values.
  5. Select a new Preferred Shell from the pulldown
  6. Once complete, select the Launch button to submit your request.
  7. You will be brought back to the Main Menu.

OCF Screenshot used as example:

OCF LC Username Attributes screen

PART TWO:

  1. From the IdM Main Menu, go to: Update OCF Computing Resource Account Attributes OR Update SCF Computing Resource Account Attributes
  2. Change the attributes for your own existing LC account
    1. Select the Username you wish to modify from the Username pull-down menu if you have more than one username.
    2. Choose the Resource Name from the pulldown.
    3. Once selected, change the Shell pulldown to the new desired shell.
    4. Select the Add Item to Request button.
    5. Repeat this operation for all subsequent LC accounts and/or resources you wish to update.
  3. Specifics regarding the requested account attribute updates can be optionally added in the Request Comments text box (screenshot below).
  4. Click the Submit button when you are done.

OCF Screenshots used as example:

Example

NOTE: You will be able to change the shell only on a per-system basis. Changes on both the OCF and SCF cannot be made through a single action; you must perform each action separately.

Q13. How do I change my username POC on an LC system?

A13. Changing your POC for an OCF/SCF (CZ/RZ/SCF) LC system is a two-part process.

PART ONE:

  1. From the IdM Main Menu go to Manage Unclassified Accounts OR Manage Classified Accounts 
  2. To change your POC on the OCF: select Update OCF Computing Resource Account Attributes
    OR
    To change your POC on the SCF: select Update SCF Computing Resource Account Attributes
  3. Select your username from the pull-down menu (screenshot below)
  4. Fields with your username attributes are populated with their default values.
  5. Select a new Username Point of Contact (POC) OUN
  6. Once complete, select the Launch button to submit your request.
  7. You will be brought back to the Main Menu.

OCF Screenshot used as example:

OCF LC Username Attributes screen

PART TWO:

  1. From the IdM Main Menu, go to: Update OCF Computing Resource Account Attributes OR Update SCF Computing Resource Account Attributes.
  2. Change the attributes for your own existing LC account:
    1. Select the Username you wish to modify from the Username pull-down menu if you have more than one username.
    2. Choose the Resource Name from the pull-down menu.
    3. Once selected, change the LLNL Point of Contact (POC) OUN.
    4. Select the Add Item to Request button.
    5. Repeat this operation for all subsequent LC accounts and/or resources you wish to update.
  3. Specifics regarding the requested account attribute updates can be optionally added in the Request Comments text box (screenshot below).
  4. Click the Submit button when you are done.

OCF Screenshots used as example:


NOTE: You will be able to change the POC only on a per-system basis. Changes on both the OCF and SCF cannot be made through a single action; you must perform each action separately.

Q14. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my OCF systems but retain my SCF systems. How do I make this request in IdM?

A14. To remove only your OCF systems and retain your SCF systems, access the IdM main menu. From under Manage Unclassified Accounts, select Delete OCF LC Username.

Q15. I have accounts on LC's OCF (CZ/RZ) and SCF systems. I want to delete my SCF systems but retain my OCF systems. How do I make this request in IdM?

A15. To remove only your SCF systems and retain your OCF systems, access the IdM main menu. From under Manage Classified Accounts, select Delete SCF LC Username.

Q16. How do I delete all my LC resources in IdM?

A16. To remove all your LC resources, access the IdM main menu and, from under Manage LC Identity, select Delete LC Identity and Remove All Accounts. You can remove all your access and specify file disposition(s).