...
Open the Users tab.
Click New.
Access Controller - Users tab
Fill in the details according to the description below.
...
Options | Description |
---|---|
Login | |
Number of Consecutive Erroneous Login Attempts | To configure the maximum number of consecutive failed login attempts, open the Advanced tab and set a value in Number Of Consecutive Erroneous Login Attempts. The default is 3. When the maximum number of failed login attempts is reached, the user must restart the Desktop. If enhanced user security is enabled, the user account is also locked; refer to Enhanced User Security. When a user account is locked, the password settings for the user account must be updated in the Users tab, unless Enable Automatic Unlocking Of Users is selected. |
Enable Logging for User Login | To configure the system to log failed attempts in the System Log, open the Advanced tab and select the check box Enable Logging For User Login. Successful logins and locked accounts are always logged regardless of this setting. |
Enable Automatic Unlocking Of Users | This check box is available when enhanced user security is enabled; refer to Enhanced User Security. Select this check box to automatically unlock accounts that have been disabled due to failed login attempts. Accounts that have been manually disabled from the Users tab are not affected by this setting. |
Time Before Automatic Unlocking (Minutes) | This field is enabled when the check box Enable Automatic Unlocking Of Users is selected. Enter the time that should pass before a locked account is automatically unlocked by the system. The minimum value is 1 minute. |
Authentication | |
Reauthenticate Users after Inactivity | To configure the system to reauthenticate users after a period of inactivity in the Desktop or the mzcli shell (interactive mode), open the Advanced tab and select the check box Reauthenticate Users After Inactivity. |
Time Before Reauthentication (Minutes) | This field is enabled when the check box Reauthenticate Users After Inactivity is selected. Set the maximum inactive time here. In the Desktop, the time during which the user does not perform any actions is counted as inactive time, regardless of ongoing processes. Users are not logged out due to inactivity, but must authenticate again to continue the session. In the mzcli shell, the time during which the user does not press any key is counted as inactive time, provided that there is no ongoing command execution. Users are logged out as a result of inactivity and are prompted to enter the password again. |
Authentication Method | There are two selections available in this drop-down list: Default and LDAP. User authentication is by default performed in . As an alternative, you can connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creating users and assigning access groups, as mentioned in LDAP Authentication (3.2). When LDAP is selected, additional fields for the LDAP settings are displayed. |
LDAP Authentication
...
...
If the external authentication server returns an error or cannot be accessed, the authentication is performed internally as a fallback method.
The Authentication Methods drop-down list is only available if LDAP Authentication is installed.
Note! Configuration performed from the Users tab has no impact on external authentication servers.
LDAP Authentication Preparations
This section does not apply if authentication is to be performed by .
Note! For Active Directory, check the specific settings in Active Directory Important Information.
Directory Structure
The LDAP directory that is used for authentication must conform to the following requirements:
The cn attribute of group entries must match an access group defined in .
Note! The system performs case-sensitive comparisons of the cn attributes and access groups.
...
For each user in a group entry, the memberUid attribute must be set.
...
All group entries must belong to the object class posixGroup.
...
All user entries must belong to the object class posixAccount.
...
The username must be unique. It cannot duplicate a username that already exists in the system.
Note! If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory.
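As an added pre-flight check (not part of the product documentation), the following script reads a constructed LDIF export of the group entries and reports every violation of the requirements above: non-posixGroup entries, missing memberUid, and a cn that does not match an access group with a case-sensitive comparison. The access group names and the LDIF content are sample values.

```python
"""Added example: verify LDAP group entries against the directory requirements."""
from typing import Dict, List

# Constructed sample export: three group entries, two of them non-compliant.
SAMPLE_LDIF = """\
dn: cn=Administrator,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Administrator
gidNumber: 1001
memberUid: alice

dn: cn=operators,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: operators
gidNumber: 1002

dn: cn=Auditor,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Auditor
memberUid: bob
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, multi-valued attributes."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_groups(text: str, access_groups: set) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant."""
    findings = []
    lowered = {g.lower() for g in access_groups}
    for entry in parse_ldif(text):
        cn = entry.get("cn", ["?"])[0]
        if "posixGroup" not in entry.get("objectClass", []):
            findings.append(f"{cn}: not a posixGroup")
        if not entry.get("memberUid"):
            findings.append(f"{cn}: no memberUid attribute")
        if cn not in access_groups:  # exact match, as the system compares case-sensitively
            hint = " (case mismatch)" if cn.lower() in lowered else ""
            findings.append(f"{cn}: no matching access group{hint}")
    return findings
```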
Secure Access
The following steps are required before the configuration of authentication with LDAPS or LDAP over TLS:
...
Obtain the server certificate for the authentication server from your LDAP administrator.
...
Start a command shell and copy the server certificate to the platform host.
...
Change the directory to $JAVA_HOME/jre/lib/security, where $JAVA_HOME points to your JDK directory.
Install the server certificate using the Java keytool command:
```shell
keytool -import -file <certificate> -keystore cacerts
```
Active Directory Important Information
Directory Structure
The LDAP directory that is used for authentication must conform to the following requirements:
All user entries must belong to the objectclass user.
User groups have to be provided via the memberOf attribute.
The user's login has to be provided via the samaccountname attribute.
The username must be unique. It cannot duplicate a username that already exists in the system.
Note! If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory.
LDAP Configuration
...
Access Controller - Advanced tab with LDAP Authentication
...
The settings on the Advanced tab are described below.
Authentication Methods
Default, LDAP
Note! Authentication for the user mzadmin is always performed by regardless of the selected authentication method.
...
URL
Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL.
When using LDAP, you may connect via LDAPS by entering ldaps:// in the URL.
Info: Example of LDAP URL
Info: Example of LDAPS URL
...
Test Connection
...
Click this button to test the connection to the authentication server. Only the URL is used when testing the connection; the LDAP attributes and the other settings are not used.
...
User Base DN
Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value is replaced with the username entered at login to produce an identifier that is passed to the LDAP server.
Info: Example of User Base DN
...
Group Base DN
...
Enter the LDAP attributes for group lookups in the external authentication server.
Info: Example of Group Base DN
The name of the groups must be identical to the names configured in Access Groups.
...
TLS
Select this checkbox to enable Transport Layer Security.
Note! The following must be considered when using TLS:
...
AD Naming
...
Select this check box to use Active Directory specific naming.
...
Enable
...
Select this check box to enable group search bind credentials. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this check box empty.
...
Bind DN
...
If you want to use a specific Bind DN to search for the group, enter the Bind DN.
...
Password
...
If you want to use a specific Bind DN to search for the group, enter the password for the Bind DN.
Configuration using Cross-domain Identity Management (SCIM)
It is possible to use SCIM via the REST HTTP interface to POST, GET, DELETE, PUT, and PATCH user and group configurations. This section covers the schemas used to create, update, and remove users and groups, as well as the limitations when using SCIM for .
For more information regarding the SCIM specification, see RFC 7643: https://tools.ietf.org/html/rfc7643
...
Note! When importing user configurations into the system, or when upgrading, the users are disabled after the import operation or the upgrade. To enable the users, you can PATCH or PUT a user with the attribute active: true. You can also enable a user by selecting the check box for the users you want to enable in the Users tab of the Access Controller on the Desktop. When a new user is created via SCIM, the user is enabled by default.
These are the limitations of using SCIM instead of the Desktop:
A user can only be created once, using the HTTP method POST.
The password attribute is not mandatory when you create a user with POST. However, the user will not be able to log in to without a password.
All user details can be modified except the username.
The groups assigned to a user can only be updated using the HTTP method PUT.
When using PUT to assign a user's groups, no default group is selected.
An access group with a given name can only be POSTed once, and the group name cannot be changed.
It is not possible to set or change the applications connected to an access group using the HTTP methods available via SCIM. This is only possible from the Desktop.
Custom Schema
There is an additional schema for the "User" resource. Its schema URI is:
```
urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser
```
...
successor: The successor user takes over all configurations when the current user is removed.
value: The identifier of the successor user. Example: 71a36bb7-816f-460d-b580-3bd9352b0953
validityPeriod: The validity period of a user. Format: yyyy-mm-ddThh:mm:ss
from: The "DateTime" the user should be valid from. Example: 2021-03-18T23:00:00Z
to: The "DateTime" the user should be valid to. Example: 2021-03-23T22:59:59Z
Note! The
User related APIs
This section covers all the REST HTTP APIs that are used for user related operations.
Retrieving Users
You can use this to retrieve all users:
```
URL: http://<host>:9000/scim/api/v1/Users
Method: GET
Header:
Accept: application/scim+json
Content-Type: application/scim+json
```
You can use this to retrieve a specific user:
```
URL: http://<host>:9000/scim/api/v1/Users/14c257bd-e486-4ec6-b73e-47bb1e9b491b
Method: GET
Header:
Accept: application/scim+json
Content-Type: application/scim+json
```
Creating Users
You can use this to create a user:
Info! The schemas and userName fields shown below are mandatory and must be filled in. The rest of the fields are optional.
```
URL: http://<host>:9000/scim/api/v1/Users
Method: POST
Header:
Accept: application/scim+json
Content-Type: application/scim+json
Request Body:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "bjensen",
  "displayName": "mz80u3",
  "password": "mz80u3",
  "active": true,
  "emails": [
    {
      "value": "b@b.com",
      "display": "bbb",
      "primary": true
    }
  ],
  "externalId": "bjensen",
  "name": {
    "formatted": "Ms. Barbara J Jensen III",
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "groups": [
    { "value": "ed309a27-3f34-45d3-ade5-b2f8f798deb5" },
    { "value": "86138dad-9742-44a2-a9cb-70347fb884a8" }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser": {
    "successor": {
      "value": "71a36bb7-816f-460d-b580-3bd9352b0953"
    },
    "validityPeriod": {
      "from": "2021-03-19T23:00:00Z",
      "to": "2021-03-23T22:59:59Z"
    }
  }
}
```
Updating Users
You can use this to update all the values for a user:
Info! The schemas and userName fields shown below are mandatory and must be filled in. The rest of the fields are optional.
```
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: PUT
Header:
Accept: application/scim+json
Content-Type: application/scim+json
Request Body:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "bjensen",
  "displayName": "mz80u3",
  "emails": [
    {
      "value": "b@b.com",
      "display": "mz80u3",
      "primary": true
    }
  ],
  "groups": [
    { "value": "119fe1b7-4b8b-4970-8ea6-b62bdaa11f05" },
    { "value": "53aabe0b-715d-4d96-a220-56c6efc11ae9" }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser": {
    "successor": {
      "value": "71a36bb7-816f-460d-b580-3bd9352b0953"
    },
    "validityPeriod": {
      "from": "2021-03-20T23:00:00Z",
      "to": "2021-03-25T22:59:59Z"
    }
  }
}
```
You can use this to update specific values for a user:
Info! The schemas, Operations, op, and value fields shown below are mandatory and must be filled in. The rest of the fields are optional.
```
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: PATCH
Header:
Accept: application/scim+json
Content-Type: application/scim+json
Request Body:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "value": {
        "emails": [
          {
            "value": "babs@jensen.org",
            "type": "home"
          }
        ]
      }
    },
    {
      "op": "add",
      "path": "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser:validityPeriod",
      "value": {
        "from": "2021-03-19T23:00:00Z",
        "to": "2021-03-23T22:59:59Z"
      }
    }
  ]
}
```
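The following added example (not the product's own code) builds the PatchOp body that re-enables a user after an import, as the note on disabled imported users describes, and sets the mzuser validityPeriod extension in the same request, checking the timestamp format and that the window is ordered before anything is sent. It assumes the RFC 7644 "replace" operation for the active attribute (the page does not state which op to use); the timestamps are constructed sample values and no HTTP request is made.

```python
"""Added example: build and validate a SCIM PatchOp for enabling a user with a validity window."""
import re
from datetime import datetime
from typing import Any, Dict

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MZUSER_SCHEMA = "urn:sap:cloud:scim:schemas:extension:custom:2.0:mzuser"
# The page gives the format yyyy-mm-ddThh:mm:ss; its examples carry a trailing Z (UTC).
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def parse_ts(value: str) -> datetime:
    """Parse a validityPeriod timestamp, rejecting anything outside the documented format."""
    if not TS_RE.match(value):
        raise ValueError(f"bad timestamp {value!r}; expected yyyy-mm-ddThh:mm:ssZ")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def enable_user_patch(valid_from: str, valid_to: str) -> Dict[str, Any]:
    """PatchOp that sets active to true and the validity window in one request.

    'replace' for active is an assumption (standard SCIM op); the page only says
    to PATCH the user with active: true.
    """
    if parse_ts(valid_from) >= parse_ts(valid_to):
        raise ValueError("validityPeriod 'from' must be earlier than 'to'")
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [
            # Boolean true, not the string "true": SCIM defines active as a boolean.
            {"op": "replace", "path": "active", "value": True},
            {
                "op": "add",
                "path": f"{MZUSER_SCHEMA}:validityPeriod",
                "value": {"from": valid_from, "to": valid_to},
            },
        ],
    }


def validate_patch(body: Dict[str, Any]) -> bool:
    """Check the fields the page lists as mandatory: schemas, Operations, op and value."""
    if body.get("schemas") != [PATCH_SCHEMA] or not body.get("Operations"):
        return False
    return all({"op", "value"} <= set(op) for op in body["Operations"])
```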
Removing Users
You can use this to remove a user:
```
URL: http://<host>:9000/scim/api/v1/Users/c9706a50-6fd3-44cf-8f8d-7ea00fb05f1c
Method: DELETE
Header:
Accept: application/scim+json
Content-Type: application/scim+json
```
Group related APIs
This section covers all the REST HTTP APIs that are used for group related operations.
Retrieving Groups
You can use this to retrieve all groups:
```
URL: http://<host>:9000/scim/api/v1/Groups
Method: GET
Accept: */*
Content-Type: */*
```
You can use this to retrieve a specific group:
```
URL: http://<host>:9000/scim/api/v1/Groups/119fe1b7-4b8b-4970-8ea6-b62bdaa11f05
Method: GET
Accept: */*
Content-Type: */*
```
Creating groups
You can use this to create a group:
Info! The schemas and userName fields shown below are mandatory and must be filled in. The rest of the fields are optional.
```
URL: http://<host>:9000/scim/api/v1/Groups
Method: POST
Accept: */*
Content-Type: */*
Request body:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "group2",
  "members": [
    { "value": "a12822ad-a5c0-4f83-9a4e-96733a0d2e1b" },
    { "value": "8792b456-860a-499d-aa38-5caf4fe487c3" }
  ]
}
```
Updating Groups
You can use this to update a group:
Info! The schemas and userName fields shown below are mandatory and must be filled in. The rest of the fields are optional.
```
URL: http://<host>:9000/scim/api/v1/Groups/a85d8e8c-0b6d-4653-b7c6-33c1fd6c1921
Method: PUT
Accept: */*
Content-Type: */*
Request body:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "group2",
  "members": [
    { "value": "a12822ad-a5c0-4f83-9a4e-96733a0d2e1b" },
    { "value": "8792b456-860a-499d-aa38-5caf4fe487c3" }
  ]
}
```
Deleting Groups
You can use this to delete a group:
...