
Manage users in Watson Studio Local

Watson Studio Local users can be managed from either an external LDAP server (recommended) or an internal repository database.

Figure 1. Video that shows how to manage users in Watson Studio Local.

In the Admin Console, click the menu icon and click User Management to approve sign-up requests, add users, filter them, edit them, assign permissions to them, or delete them.

The user permissions are as follows:

Admin
Admin can sign in to both the Admin Console and the Watson Studio Local client.
Deployment Admin
Deployment Admin can create project releases in IBM Watson Machine Learning.
User
User can sign in to the Watson Studio Local client only. This is the default permission if neither Admin check box is selected.

When you add new users, Watson Studio Local automatically emails the username and temporary password to them. If new users request an account, you must approve them by editing them and selecting Approved user. Unapproved users have a status of pending.

If an SMTP server is set up in the Settings panel from the administrator's user profile icon, then Watson Studio Local automatically emails the administrators anytime a new user is created or requests access. Watson Studio Local also emails notifications to users anytime their account changes.

Set up your own LDAP server (recommended)

By default, Watson Studio Local user records are stored in its internal repository database. Alternatively, you can use your own external LDAP server instead. To set up your own LDAP server, click Connect to an LDAP server.


In the LDAP host field, use the ldap:// prefix for a non-secure port and the ldaps:// prefix for a secure port. For example, ldap://ibm.com.

If you opt to authenticate LDAP with search, specify the domain search user, password, and base. If you opt to authenticate by distinguished name without search, the LDAP Prefix and LDAP Suffix fields must match the distinguished name exactly for the setup to succeed, for example, uid for the prefix and ou=dsxusers,dc=ibm,dc=com for the suffix.
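The following pre-flight check is an added example, not part of Watson Studio Local or its documentation. It validates the LDAP host prefix, derives the Prefix and Suffix values from a known user's distinguished name, and composes a bind DN with RFC 4514 escaping. The function names, the sample user jdoe, and the assumption that the bind DN is formed as `<prefix>=<username>,<suffix>` are illustrative.

```python
from urllib.parse import urlsplit

def check_ldap_host(url):
    """Parse the LDAP host field; return (secure, hostname, port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("LDAP host needs an ldap:// or ldaps:// prefix")
    secure = parts.scheme == "ldaps"  # ldap:// is the non-secure port
    # Fall back to the standard LDAP ports when none is given.
    return secure, parts.hostname, parts.port or (636 if secure else 389)

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2  # keep the escaped pair intact
            continue
        if dn[i] == ",":
            rdns.append(cur.lstrip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return rdns + [cur.lstrip()]

def prefix_suffix_from_dn(user_dn):
    """Derive the LDAP Prefix and LDAP Suffix values from a real user DN."""
    first, *rest = split_dn(user_dn)
    attr, sep, value = first.partition("=")
    if not sep or not value or not rest:
        raise ValueError("expected <attr>=<user>,<suffix>")
    return attr.strip(), ",".join(rest)

def escape_rdn_value(value):
    """Escape a username for use as an RDN value (RFC 4514)."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def bind_dn(prefix, username, suffix):
    """Assumed composition: <prefix>=<username>,<suffix>."""
    return f"{prefix}={escape_rdn_value(username)},{suffix}"

if __name__ == "__main__":
    # Constructed sample values based on the example on this page.
    print(check_ldap_host("ldap://ibm.com"))
    print(prefix_suffix_from_dn("uid=jdoe,ou=dsxusers,dc=ibm,dc=com"))
```

Run it against the DN of the account you plan to enter in the Username for testing field; a `secure` value of `False` means the host field uses the non-secure ldap:// prefix.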

Tip: To avoid approving LDAP users one by one, you can select Auto-Signup to automatically approve all LDAP user sign-up requests. Make sure to approve all pending accounts first; otherwise, you will have to disconnect and re-enable LDAP for the sign-ins to work. Also, if the number of new users exceeds the configured maximum user capacity for Watson Studio Local, sign-ups will be blocked.

To verify that your LDAP connection works, type the username and password of an existing LDAP user in the Username for testing and Password for testing fields, then click the Test LDAP button.

When finished, click the Set up LDAP button. If the LDAP setup succeeds, Watson Studio Local no longer displays password fields whenever you sign up a new user in the Admin Console. Because the Watson Studio Local user records are stored in the external LDAP server, only the LDAP administrator can perform user management tasks like password resets and changes. Otherwise, a Watson Studio Local administrator can edit the user's password from the User Management page.

Note that after LDAP is enabled, both local and LDAP users can sign in, but only LDAP users can be added.

Reset the Watson Studio Local administrator password

To enable a Watson Studio Local administrator and set a new login password, enter the following command:

manage_admin_user.sh --enable-admin <ADMIN_USERNAME>

To disable a Watson Studio Local administrator, enter the following command:

manage_admin_user.sh --disable-admin <ADMIN_USERNAME>

Modify the session expiration time

To modify the session expiration time for all of the Watson Studio Local users in the cluster, complete the following steps:

  1. SSH to the Watson Studio Local cluster.
  2. Run kubectl exec to a usermgmt pod.
  3. Edit or create the following file: /user-home/_global_/config/jwt/expiry.config to specify the number of hours. Example:
    12
    If the expiry.config file does not exist, the default session expiration is 12 hours.
  4. Restart usermgmt by deleting all of the current usermgmt pods.