...

Note!
  • By default, members of the predefined group Administrator have full permissions for the Access Controller. You can enable these permissions for other groups as well.
  • When no members belong in the Administrator group, all users with full permissions for the Access Controller will have Administrative access.
  • It is not possible to disable or delete the last active user with full permissions for the Access Controller. This is to prevent system lockout.
  • Members that are not part of the Administrator group will not be able to remove or modify the Administrator group and any of its group members.
  • Only one user may use the Access Controller with write permissions at any given time.
  • It is not possible to delete the last group with members that have full permissions for the Access Controller. This is to prevent system lockout.
  • By setting the Platform property mz.security.user.restricted.login to true, access is restricted to one login for each interface type:

    • Desktop

    • Web Interface

    • Command Line Tool mzsh

  • It is possible to use SCIM via the REST HTTP interface to POST, GET, DELETE, PUT, and PATCH user and group configurations.

To open the Access Controller, click the Tools button in the upper left part of the Desktop, and then select Access Controller from the menu.

Users Tab

The default user, mzadmin, always has full permissions for any activity.

It is recommended that the password for mzadmin is changed and kept in a safe place. Instead, personal accounts should be created and used for handling the system in order to track changes.

...

Setting | Description

Enable User

Check to enable the user's predefined access rights

Username

Enter the name of the user. Valid characters are: A-Z, a-z, 0-9, '-' and '_'.

Note!

A username must be unique. This also applies if you use an external authentication method, e.g. LDAP.


Full Name

Enter the descriptive name of the user.

Email

Enter the user's e-mail address. This address will be automatically applied to applications from which e-mails may be sent.

Password

Enter a password for the user account.

Verify Password

Re-enter the password.

Successor

A successor must be defined if you want to remove a user that owns configuration objects.

Validity Period

A defined period of time during which a particular user has access rights.

When the validity period expires, the user is unable to log in until the validity period is renewed by an administrator.

Note!

If a user has the Enable User option disabled and the validity period is still valid, the user will not have access rights.


Note!

When defining the dates for the validity period, you will not be able to choose dates that are earlier than the current day. This applies to editing existing users and creating new users.


Group

Enter a comma-delimited list of all the access groups that the user is a member of.

Member

If enabled, the user is registered as a member of the specific group.

Default

If enabled, this group is set as the default group for the user. By default, this group will have read, write and execute permissions for new configurations created by the user.

...

Setting | Description

Name

Enter the name of the group. Valid characters are: A-Z, a-z, 0-9, '-' and '_'.

Description

Descriptive information about the group.

Allow Access Through SCIM

Allows the group to be accessed using SCIM.

Note!

Available only when you have SCIM as part of the license.


Application

This column is a list of all applications in the system.

Execute

Check to enable the members of the access group to start an instance of the relevant application. Clear to prohibit the access group members from using it.

Write

Check to enable the members of the access group to edit and save a configuration within the relevant application. Clear to prohibit the user from doing so.

Note!

The main Desktop menu is divided into Configuration, Inspection, and Tools. Configuration enables you to create configurations. Inspection enables you to view data that is produced by workflows. Tools enables you to view data that is generated by the system. When you define an Access Group in the Access Controller, you can only check Write for Inspection and Tools applications, so that users are able to manipulate data that is generated either by a workflow or by the system. Configuration Write access is set per configuration from the Set Permissions view. For further information, see Properties in 6.2 Configuration Browser.


Application Category

A drop-down menu that allows the user to filter on application type. Options are All, Configuration, Inspection, Tools, or Web interface.

Select All

Enables Write (if applicable) and Execute for all permissions in the chosen category.

Deselect All

Disables Write and Execute for all permissions in the chosen category.

...

Advanced Tab 

You use the Advanced tab to specify the number of consecutive erroneous login attempts permitted for a user, enable logging in the System Log when a user fails to log in, and configure user authentication by selecting the relevant authentication method.

Access Controller - Advanced tab

Number of Consecutive Erroneous Login Attempts

To configure the maximum number of consecutive failed login attempts, open the Advanced tab and set a value in Number Of Consecutive Erroneous Login Attempts. The default is 3.
When the maximum number of failed login attempts is reached, the user must restart the Desktop. If enhanced user security is enabled, the user account is also locked. For more information, see the section below, Enhanced User Security.

Enable Logging for User Login

In order to configure the system to log failed attempts in the System Log, open the Advanced tab, and select the check box Enable Logging For User Login. Successful logins and locked accounts are always logged regardless of this setting.
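The two settings above interact: the attempt limit decides when a login sequence is cut off, enhanced user security decides whether that also locks the account, and the logging check box only governs failed attempts, since successes and lockouts are always logged. The following is an added example written for this page, not MediationZone product code: a small model of those rules that a defender can use to reason about what the System Log will and will not contain under each setting. The per-user counter, the return values and the log message texts are assumptions made for the example; the rules themselves are the ones stated above.

```python
"""Added example, not MediationZone product code: a minimal model of the
Advanced-tab login rules. Counting failures per user, the return values
and the log texts are assumptions; the rules (limit of consecutive
failures, lockout only with enhanced user security, successes and
lockouts always logged, failures logged only when enabled) follow the
documentation."""

from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_attempts: int = 3            # Number Of Consecutive Erroneous Login Attempts (default 3)
    enhanced_security: bool = False  # mz.security.user.control.enabled
    log_failures: bool = False       # Enable Logging For User Login
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    system_log: list = field(default_factory=list)  # stands in for the System Log

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt and return its outcome:
        'ok', 'denied', 'restart_required' or 'locked'."""
        if user in self.locked:
            self.system_log.append(f"login rejected for locked account {user}")
            return "locked"
        if password_ok:
            self.failures[user] = 0                                   # success resets the counter
            self.system_log.append(f"successful login for {user}")   # always logged
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.log_failures:                                         # failures only when enabled
            self.system_log.append(f"failed login for {user} ({self.failures[user]})")
        if self.failures[user] >= self.max_attempts:
            if self.enhanced_security:
                self.locked.add(user)                                 # lockout needs enhanced security
                self.system_log.append(f"account {user} locked")     # always logged
                return "locked"
            return "restart_required"  # without enhanced security the Desktop must be restarted
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(enhanced_security=True, log_failures=True)
    for ok in (False, False, False, True):
        print(guard.attempt("demo", ok))
    print("\n".join(guard.system_log))
```

With logging for user login disabled, the model's log shows why a lockout can appear without any preceding failure entries: only the "account locked" line is guaranteed, so an investigation that relies on seeing the failed attempts needs the check box enabled.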

Reauthenticate Users after Inactivity

To configure the system to reauthenticate users after a period of inactivity in the Desktop or the mzsh shell (interactive mode), open the Advanced tab and select the check box Reauthenticate Users After Inactivity. Then set the maximum inactive time in Time of Inactivity Before Reauthentication (Minutes).

In the Desktop, the time during which the user does not perform any actions is counted as inactive time, regardless of ongoing processes.
However, users are not logged out due to inactivity, but must authenticate again in order to continue the session.

In the mzsh shell, the duration of time that the user does not press any key is counted as inactive time, provided that there is no ongoing command execution. Users are logged out as a result of inactivity and are prompted to enter the password again.

Enhanced User Security

The security user control can be enhanced by changing the Platform property mz.security.user.control.enabled in the platform.conf. By default, this property is set to false. If set to true a number of rules regarding the passwords apply as soon as the platform is restarted.

...

  • Be at least eight characters long

  • Include at least one special character and one that is either a number or a capital letter

The password must not:

...

The default maximum password age is 30 days for administrators, that is, users that are members of the Administrator group, and 90 days for other users.

You can modify the password rules with the following Platform properties:

...

Property | Description
mz.security.max.password.age.enabled

Default value: false

Enables or disables the password expiration check.  This property is only applicable when mz.security.user.control.enabled is also set to true.

If both properties above are set to true, the user is required to change the password every N days set in mz.security.max.password.age.admin and mz.security.max.password.age.user.

mz.security.max.password.age.admin

Default value: 30

This property specifies the maximum password age for administrator users in days.

See mz.security.max.password.age.enabled.

mz.security.max.password.age.user

Default value: 90

This property specifies the maximum password age for users in days.

See mz.security.max.password.age.enabled.

mz.security.max.password.history

Default value: 12

This property specifies how many previous passwords a new password must differ from, that is, how many password changes must pass before an old password can be reused.

mz.security.user.control.enabled

Default value: false

This property enables or disables enhanced user security. If set to true, a number of rules regarding the passwords apply as soon as the platform is restarted. For information about enhanced user security, see 6.1 Access Controller in the Desktop User's Guide.

Note!

At installation, this property is set to the same value as the installation property install.security.


mz.security.user.control.password.length.count

Default value: 8

This property specifies the minimum total number of characters in a password.

Note!

This is only applicable when the value of mz.security.user.control.enabled is true.


mz.security.user.control.password.numcaps.count

Default value: 1

The minimum number of upper case or numeric characters in a password.

mz.security.user.control.password.numcaps.message

Default value: The password needs at least one capital letter or a number in it.

The message to be displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password.

mz.security.user.control.password.numcaps.pattern

Default value: [A-Z0-9]

The pattern of the permitted values in the regular expression. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.length.message

Default value: The password needs to be at least 8 characters.

The message to be displayed for the user when they have not met the condition for the minimum length of the password.

mz.security.user.control.password.lowercase.count

Default value: ""

The minimum total number of lowercase characters in a password.

mz.security.user.control.password.uppercase.count

Default value: ""

The minimum total number of uppercase characters in a password.

mz.security.user.control.password.number.count

Default value: ""

The minimum total number of numeric characters in a password.

mz.security.user.control.password.special.count

Default value: 1

The minimum number of special characters in a password.

mz.security.user.control.password.special.message

Default value: The password needs to contain at least 1 special character(s).

The message to be displayed for the user when they have not met the condition for the minimum number of special characters in the password.

mz.security.user.control.password.special.pattern

Default value: [\\W_]

The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.repetition.message

Default value: The password contains too many consecutive identical characters.

The message to be displayed for the user when the password contains too many consecutive identical characters.

mz.security.user.control.password.username.message

Default value: The username may not be a part of the password.

The message to be displayed for the user when the username is contained within the password.

mz.security.user.control.password.history.message

Default value: The password may not be a recently used password.

The message to be displayed for the user when they are reusing a password that they have used before.

mz.security.user.control.password.extra.count

Default value: ""

The minimum number of characters for the extra user policy.

mz.security.user.control.password.extra.message

Default value: ""

The message to be displayed for the user when they did not meet the requirements of the extra user policy.

mz.security.user.control.password.extra.pattern

Default value: ""

The pattern of the permitted values. The password will be matched to the pattern to determine if the condition is met.

mz.security.user.control.password.extra.type

Default value: ""

The type that determines what the extra pattern will be. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions.
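The property table above defines a complete password policy, but it is spread over some twenty keys and two enabling switches, which makes it easy to misjudge which rule actually applies to a given platform.conf. The following is an added example written for this page, not MediationZone product code: a checker that reads a constructed key=value fragment and applies the length, numcaps, special, repetition, username, history and maximum-age rules as the table describes them. The key=value layout, the case-insensitive username comparison, the expiry boundary and the repetition threshold (the page gives none) are assumptions and are marked as such in the code; the property names, defaults and message texts are the ones from the table.

```python
"""Added example, not MediationZone product code: a checker that applies the
mz.security.* password rules from the property table. The key=value snippet
stands in for platform.conf (assumed format); property names, defaults and
messages follow the table; thresholds the page does not state are marked as
assumptions."""

import hashlib
import re
from datetime import date

# Constructed configuration fragment (assumed key=value format).
PLATFORM_CONF = r"""
mz.security.user.control.enabled=true
mz.security.max.password.age.enabled=true
mz.security.max.password.age.admin=30
mz.security.max.password.age.user=90
mz.security.max.password.history=12
mz.security.user.control.password.length.count=8
mz.security.user.control.password.numcaps.count=1
mz.security.user.control.password.numcaps.pattern=[A-Z0-9]
mz.security.user.control.password.special.count=1
mz.security.user.control.password.special.pattern=[\\W_]
"""

P = "mz.security.user.control.password."


def parse_conf(text: str) -> dict:
    """Parse key=value lines. A doubled backslash denotes one literal backslash,
    as in Java properties files, so the table's [\\W_] becomes the regex [\W_]."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def pw_hash(password: str) -> str:
    # History is kept as digests so old passwords are never stored in clear
    # (a deployment would use a slow salted hash; sha256 keeps the example short).
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(props: dict, username: str, candidate: str, history: list) -> list:
    """Return the policy messages the candidate violates (empty list = accepted).
    `history` holds digests of previous passwords, newest last."""
    if props.get("mz.security.user.control.enabled") != "true":
        return []  # enhanced user security off: no password rules apply
    problems = []

    min_len = int(props.get(P + "length.count", "8"))
    if len(candidate) < min_len:
        problems.append(props.get(P + "length.message",
                        f"The password needs to be at least {min_len} characters."))

    numcaps = int(props.get(P + "numcaps.count", "1"))
    if len(re.findall(props.get(P + "numcaps.pattern", "[A-Z0-9]"), candidate)) < numcaps:
        problems.append(props.get(P + "numcaps.message",
                        "The password needs at least one capital letter or a number in it."))

    special = int(props.get(P + "special.count", "1"))
    if len(re.findall(props.get(P + "special.pattern", r"[\W_]"), candidate)) < special:
        problems.append(props.get(P + "special.message",
                        f"The password needs to contain at least {special} special character(s)."))

    # The page states no threshold for "too many consecutive identical
    # characters"; three in a row is an assumption made for this example.
    if re.search(r"(.)\1\1", candidate):
        problems.append(props.get(P + "repetition.message",
                        "The password contains too many consecutive identical characters."))

    # Case-insensitive containment is an assumption; the page only says the
    # username may not be part of the password.
    if username.lower() in candidate.lower():
        problems.append(props.get(P + "username.message",
                        "The username may not be a part of the password."))

    depth = int(props.get("mz.security.max.password.history", "12"))
    if pw_hash(candidate) in history[-depth:]:
        problems.append(props.get(P + "history.message",
                        "The password may not be a recently used password."))
    return problems


def password_expired(props: dict, is_admin: bool, last_changed: date, today: date) -> bool:
    """True when the password is older than the configured maximum age.
    Both enabling properties must be true, as the table states."""
    if props.get("mz.security.user.control.enabled") != "true":
        return False
    if props.get("mz.security.max.password.age.enabled") != "true":
        return False
    key, default = (("mz.security.max.password.age.admin", "30") if is_admin
                    else ("mz.security.max.password.age.user", "90"))
    max_age = int(props.get(key, default))
    return (today - last_changed).days > max_age  # boundary (> rather than >=) is an assumption


PROPS = parse_conf(PLATFORM_CONF)

if __name__ == "__main__":
    print(check_password(PROPS, "alice", "alice123", []))
    print(password_expired(PROPS, True, date(2024, 1, 1), date(2024, 2, 1)))
```

The first guard in both functions reproduces the dependency the table spells out twice: none of the mz.security.user.control.password.* values and neither age limit have any effect while mz.security.user.control.enabled is false, so a review of a platform.conf should start with that key and mz.security.max.password.age.enabled before reading the individual rules.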

...