Adding users that are based on an LDAP group¶
You can create a group of users that are loaded from an LDAP group.
To register an LDAP server, follow the instructions in Adding an LDAP server. To create an individual user, follow the instructions in Adding an individual user.
Method and URI¶
To add a user, use a POST method with a URI:
POST https://{hostname|IPv4}/api/security/user
Parameters¶
None.
Data¶
Data 1: name
The CN of the LDAP group.
Example value:
Sales_Americas
Type: String. Required. Available in the web user interface.
Data 2: type
The type of user to add.
Value:
LDAP_GROUP
Type: System string. Required. Available in the web user interface.
Data 3: sourceProvider
The {ldapHref} value of the LDAP server.
Tip
To get an {ldapHref} value based on the hostname or the IPv4 address of the LDAP server, follow the instructions in Getting an {ldapHref}.
Example value: https://10.0.0.111/api/ldap/1012
Type: System string. Required. Available in the web user interface.
Data 4: sourceUser
The {ldapUserHref} value of the LDAP group.
Tip
To get an {ldapUserHref} value based on the group name, follow the instructions in Getting an {ldapUserHref}.
Example value: https://10.0.0.111/api/ldap/1011/group/Sales_Americas
Type: System string. Required. Available in the web user interface.
Data 5: sourceUserDn
The DN of the LDAP group: its CN, followed by the group RDN, followed by the base DN of the LDAP server. Use the syntax:
CN={CN},{groupRDN},{baseDN}
Example value:
CN=Sales_Americas,OU=BM,OU=Security Groups,DC=BLUEMACHINES,DC=com.invalid
Type: String. Required. Available in the web user interface.
Data 6: permissions
Define permissions for the new user. Roles define what actions users can take and resource groups define what resources they can access.
Example value: Use the following syntax to specify the roles and the resource groups for the user. You must specify the same roles for all resource groups. Note the comma between the objects in the array; the array must be valid JSON.
[
    {
        "resourcePoolId": {resourcePoolId 1},
        "roleIds": [
            {roleId 1},
            {roleId 2},
            ...
        ]
    },
    {
        "resourcePoolId": {resourcePoolId 2},
        "roleIds": [
            {roleId 1},
            {roleId 2},
            ...
        ]
    },
    ...
]
Tip
To get a {roleId} value based on its name, follow the instructions in Getting a {roleId}. To get a {resourcePoolId} value based on its name, follow the instructions in Getting a {resourcePoolId}.
Type: Array. Required. Available in the web user interface.
Example: Add users based on an LDAP group¶
Assume that you want to create users based on the following LDAP group in IBM Spectrum Protect Plus:
CN: Sales_Americas
Type: An LDAP group
{ldapHref}: https://10.0.0.111/api/ldap/1011
{ldapUserHref}: https://10.0.0.111/api/ldap/1011/group/Sales_Americas
LDAP group search criteria: CN=Sales_Americas,OU=BM,OU=Security Groups
CN: Sales_Americas
Group RDN: OU=BM,OU=Security Groups
Base DN: DC=BLUEMACHINES,DC=com.invalid
Roles to assign: Backup Only ({roleId}: 992)
Resource groups to access: Virtualized System All Resource Group ({resourcePoolId}: 1000)
import requests

spp_ipv4 = "10.0.0.100"  # assumed address of the IBM Spectrum Protect Plus server
ldap_href = "https://10.0.0.111/api/ldap/1011"
ldap_user_href = "https://10.0.0.111/api/ldap/1011/group/Sales_Americas"
# The request body is an f-string, so literal braces are doubled ({{ and }}).
# The group DN is one JSON string: CN, then the group RDN, then the base DN.
_data = f'''{{
    "name": "Sales_Americas",
    "type": "LDAP_GROUP",
    "sourceProvider": "{ldap_href}",
    "sourceUser": "{ldap_user_href}",
    "sourceUserDN": "CN=Sales_Americas,OU=BM,OU=Security Groups,DC=BLUEMACHINES,DC=com.invalid",
    "permissions": [
        {{
            "resourcePoolId": "1000",
            "roleIds": ["992"]
        }}
    ]
}}'''
# headers: the session headers obtained at login; verify: the CA bundle to trust
requests.post('https://' + spp_ipv4 + '/api/security/user',
              headers={...}, data=_data, verify=...)

Figure 79
The same action can be taken in the IBM Spectrum Protect Plus web user interface: In the navigation pane, click Accounts > User and click Add User. Select LDAP Group from the drop-down list. To see a list of all LDAP groups that are registered in IBM Spectrum Protect Plus, click View All. To search the LDAP groups, enter search criteria in the Group RDN (optional) field or the Group Name field, and click the search icon. From the LDAP groups list, select an LDAP group to add. In the ASSIGN ROLE section, assign roles to the user, and click Continue. In the Add User - Assign Resources section, assign resource groups to the user, and click Create user.
The request prompts a response with the HTTP status of 201 (Created). Review the response to ensure that the LDAP group, Sales_Americas, was added to the list of the users. The response body is similar to the JSON object for Sales_Americas, as shown in Getting user information.
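The following helper, added here as an example and not part of the IBM Spectrum Protect Plus documentation or product code, builds the request body described above from its parts instead of hand-editing a string. It escapes the CN before placing it in the DN (RFC 4514 rules, so a group name containing a comma or a leading space cannot change the DN), enforces the documented rule that every resource group gets the same roles, and checks the 201 (Created) response. The server address, identifiers and group names are the constructed sample values from the example above; deriving sourceUser as {ldapHref}/group/{CN} follows the example values on this page and is an assumption, as is percent-encoding the CN in that URL.

```python
import json
from urllib.parse import quote


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514).

    The backslash is escaped first so that later escapes are not doubled.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def group_dn(cn: str, group_rdn: str, base_dn: str) -> str:
    """CN={CN},{groupRDN},{baseDN}, with the CN value escaped."""
    return f"CN={escape_rdn_value(cn)},{group_rdn},{base_dn}"


def build_ldap_group_user(cn, ldap_href, group_rdn, base_dn, role_ids, resource_pool_ids):
    """Return the JSON body for POST /api/security/user with type LDAP_GROUP.

    The same roles are applied to every resource group, as the page requires.
    sourceUser is assumed to be {ldapHref}/group/{CN} (matches the page's example).
    """
    if not role_ids or not resource_pool_ids:
        raise ValueError("at least one role and one resource group are required")
    roles = [str(r) for r in role_ids]
    return {
        "name": cn,
        "type": "LDAP_GROUP",
        "sourceProvider": ldap_href,
        "sourceUser": f"{ldap_href}/group/{quote(cn, safe='')}",
        "sourceUserDN": group_dn(cn, group_rdn, base_dn),
        "permissions": [
            {"resourcePoolId": str(p), "roleIds": list(roles)} for p in resource_pool_ids
        ],
    }


def permissions_are_uniform(body: dict) -> bool:
    """True when every resource group in the body carries the same role list."""
    role_lists = {tuple(p["roleIds"]) for p in body["permissions"]}
    return len(role_lists) == 1


def check_create_response(status_code: int, response_json: dict, expected_name: str) -> bool:
    """Accept only 201 Created where the echoed user has the expected name and type."""
    return (
        status_code == 201
        and response_json.get("name") == expected_name
        and response_json.get("type") == "LDAP_GROUP"
    )


def post_ldap_group_user(spp_host, headers, body, verify=True):
    """Send the request; requests is imported lazily so the builder runs offline."""
    import requests  # assumed available, as on the page

    return requests.post(
        f"https://{spp_host}/api/security/user",
        headers=headers, data=json.dumps(body), verify=verify,
    )


if __name__ == "__main__":
    # Constructed sample values from the example on this page.
    body = build_ldap_group_user(
        cn="Sales_Americas",
        ldap_href="https://10.0.0.111/api/ldap/1011",
        group_rdn="OU=BM,OU=Security Groups",
        base_dn="DC=BLUEMACHINES,DC=com.invalid",
        role_ids=[992],
        resource_pool_ids=[1000],
    )
    assert permissions_are_uniform(body)
    print(json.dumps(body, indent=2))
```

Run the module directly to print the body without contacting a server; call post_ldap_group_user with the session headers from the login step to send it, and pass the response status and JSON to check_create_response before treating the group as added.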