Versions Compared

Old Version 5

changes.mady.by.user Chooi San Chong

Saved on

compared with

New Version 6

changes.mady.by.user Chooi San Chong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Open the Users tab.

  2. Click New.


    Access Controller - Users tab

  3. Fill in the details according to the description below. 

Note!

Available only when you have SCIM as part of the license

Setting

Description

Enable User

When selected, this option enables the user.

Username

Enter the name of the user. Accepted characters are A-Z, a-z, 0-9, '-', and '_'.

Note

Note!

The entered usernames must be uniquely named. This also applies if you use an external authentication method , e.g. such as LDAP.

Full Name

Enter the full name of the user.

Email

Enter the user's associated e-mail address. This address is automatically applied to applications from which e-mails are sent.

Password

Enter the associated password for the given user account.

Verify Password

Re-enter the password to confirm it.

Successor

A successor must be defined in case you want to remove a user that has ownership of configuration objects.

Validity Period

A defined period of time to which a particular user has access rights to the system.

When the validity period expires, the user will be unable to log in or access Image Removed until the validity period is renewed by an administrator.

Note

Note!

If a user has the Enable User option disabled and the validity period is still valid, the user will not have access rights.

Note!

When defining the dates for the validity period, you are not able to choose dates that are earlier than the current date. This applies to editing existing users and creating new users
Note
Note

Note!

The password is required when executing certain mzcli commands, so you should take into consideration the special characters used by bash and we do not recommend the use of these characters as part of your password. These characters are $, \, /, |, *, &, space and any other special characters used by bash. For a better understanding of the characters not recommended to be included in your password, refer to https://mywiki.wooledge.org/BashGuide/SpecialCharacters .

Verify Password

Re-enter the password to confirm it.

Successor

A successor must be defined for when you want to remove the user that has ownership of configuration objects. The ownership of the configuration will be moved to whichever user is set as this user's successor.

Validity Period

Check to enable the user's validity period for access to the system. Once the validity period for the user is over, the user will be disabled but not removed from the users list. This is so the user can be enabled again if needed.

From

From Date.  User is allowed to login from this Date.

To

To Date.  User is allowed to login until this Date.

Allow Access Through SCIM

Allows the group to be accessed using SCIM. 

Note

Check to enable access through SCIM API.  Refer to SCIM for more information.

Group

Enter a comma-delimited A list of all the access groups that the user is a member ofare available to assign to user.

Member

If enabled, the user is registered as a member of the specific group.

Default

If enabled, this group is the access group set in Group will be set as the default group for the user. By default, this group has will have read, write , and execute permissions for new configurations created by the user.

...

Setting

Description

Name

Enter the name of the group. Valid characters are: A-Z, a-z, 0-9, '-' and '_'.

Description

Descriptive information about the group.

Allow Access Through SCIM

Allows the group to be accessed using SCIM. 

Note

Note!

Available only when you have SCIM as part of the license.


Application

This column is a list of all applications in the system.

Execute

Select to enable the members of the access group to start an instance of the relevant application. Clear to prohibit the access group members from using it.

Write

Select to enable the members of the access group to edit and save a configuration within the relevant application. Clear to prohibit the user from doing so.

Note

Note!

The main Desktop menu is divided into the Configuration, Inspection, and Tools sections. The Configuration section enables you to create configurations. The Inspection section enables you to view data that is produced by workflows. The Tools section enables you to view data that is generated by the system.

When you define an Access Group in the Access Controller, you can only select Write for Inspection- and Tools-applications, so that users are able to manipulate data that is either generated by a workflow or by the system. Configuration Write access is set per configuration from the Set Permissions view. For further information see Properties in Configuration Browser.


Application Category

A drop-down menu that allows the user to filter on application type. Options are All, Configuration, Inspection, Tools, or the Web interface.

Select All

Enables Write (if applicable) and Execute for all permissions in the chosen category.

Deselect All

Disables Write and Execute for all permissions in the chosen category.

...

The security user control can be enhanced by changing the Platform property mz.security.user.control.enabled in the platform.conf. By default, this property is set to false. If set to true a number of rules regarding the passwords apply as soon as the platform is restarted.

Note

Note!

When you are using LDAP authentication, the information in this section is only applicable to the user mzadmin.

...

The default maximum password age is 30 days for administrator group users, and 90 days for all other users.

You can modify the password rules with the following Platform properties:

Note

Note!

All properties listed below are only applicable when the value of mz.security.user.control.enabled is set to true.

...

Property

Description

mz.security.max.password.age.enabled

Default value: false

Enables or disables the password expiration check. This property is only applicable when mz.security.user.control.enabled is also set to true.

If both properties above are set to true, the user is required to change the password every N days set in mz.security.max.password.age.admin and mz.security.max.password.age.user.

mz.security.max.password.age.admin

Default value: 30

This property specifies the maximum password age for administrator users in days.

Please refer mz.security.max.password.age.enabled column.

mz.security.max.password.age.user

Default value: 90

This property specifies the maximum password age for users in days.

Please refer mz.security.max.password.age.enabled column.

mz.security.max.password.history

Default value: 12

This property specifies how many passwords back that are required to be unique before reusing an old password.

mz.security.user.control.enabled

Default value: false

This property enables or disables enhanced user security. If set to true, a number of rules regarding passwords apply as soon as the platform is restarted. For information about enhanced user security, see  Access Controller in the Desktop User's Guide.

Note

Note!

At installation, this property is set to the same value as the installation property install.security.


mz.security.user.control.password.length.count

Default value: 8

This property specifies the minimum total number of characters in a password.

Note

Note!

This is only applicable when the value of mz.security.user.control.enabled is true.


mz.security.user.control.password.numcaps.count

Default value: 1

The minimum number of upper case characters or a number of numerical characters, in a password.

mz.security.user.control.password.numcaps.message

Default value: The password needs at least one capital letter or a number in it.

The message is displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password.

mz.security.user.control.password.numcaps.pattern

Default value: [A-Z0-9]

The pattern of the permitted values in the regular expression. The password is matched to the pattern to determine if the condition is met.

mz.security.user.control.password.length.count

Default value: 8

The minimum total number of characters in a password.

mz.security.user.control.password.length.message

Default value: The password needs to be at least 8 characters.

The message is displayed to the user when they have not met the condition for the minimum length of the password.

mz.security.user.control.password.lowercase.count

Default value: ""

The minimum total number of lowercase characters in a password.

mz.security.user.control.password.uppercase.count

Default value: ""

The minimum total number of uppercase characters in a password.

mz.security.user.control.password.number.count

Default value: ""

The minimum total number of numeric characters in a password.

mz.security.user.control.password.special.count

Default value: 1

The minimum number of special characters in a password.

mz.security.user.control.password.special.message

Default value: The password needs to contain at least 1 special character(s).

The message is displayed for the user when they have not met the condition for the minimum number of special characters in the password.

mz.security.user.control.password.special.pattern

Default value: [\\W_]

The pattern of the permitted values in the regular expression. The password is matched to the pattern to determine if the condition is met.

mz.security.user.control.password.repetition.message

Default value: The password contains too many consecutive identical characters.

The message is displayed for the user when they have not met the condition for the password having the least amount of multiple repeated characters in a sequence.

mz.security.user.control.password.username.message

Default value: The username may not be a part of the password.

The message is displayed to the user when they have the username contained within the password.

mz.security.user.control.password.history.message

Default value: The password may not be a recently used password.

The message is displayed to the user when they reuse a password that they have used before.

mz.security.user.control.password.extra.count

Default value: ""

The minimum number of characters of the extra user policy.

mz.security.user.control.password.extra.message

Default value: ""

The message is displayed to the user when they do not meet the requirements of the extra user policy.

mz.security.user.control.password.extra.pattern

Default value: ""

The pattern of the permitted values. The password is matched to the pattern to determine if the condition is met.

mz.security.user.control.password.extra.type

Default value: ""

The type determines what the extra pattern is. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions.


Note

Note!

The user account is locked after a configurable number of failed login attempts. If this happens, the password settings for the user account must be updated in the Users tab, unless automatic unlocking is selected. For more information about how to update password settings for a user account and how to configure automatic unlocking, see the section above, Users Tab, and the section below, Enhanced User Security Configuration.

...

The Authentication Methods drop-down list is only available if LDAP Authentication is installed.

Note

Note!

Configuration performed from the Users Tab has no impact on external authentication servers. 

...

This section does not apply if authentication is to be performed by .

Note

Note!

For Active Directory, specific settings check Active Directory Important Information.

...

  1. The cn attribute of group entries must match an access group defined in .
     

    Note
    titleNote!

    The system performs case-sensitive comparisons of the cn attributes and access groups. 


  2.  For each user in a group entry, the memberUid the attribute must be set.

  3.  All group entries must belong to the object class posixGroup.

  4.  All user entries must belong to the object class posixAccount

  5. The username must be unique. It cannot duplicate a username that already exists in the system.

Note

Note!

If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory.

...

  1. All user entries must belong to the objectclass user.

  2. User groups have to be provided via memberOf attribute.

  3. The user's login has to be provided via samaccountname attribute.

  4. The username must be unique. It cannot duplicate a username that already exists in the system.

Note

Note!

If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory.

...

Setting

Description

Authentication Methods

The Authentication Methods setting is only available if LDAP Authentication is installed.

Select the authentication method to be used. The following settings are available:

  • Default

  • LDAP

The default setting is authentication performed by .

The selected authentication method becomes effective when the configuration is saved.

Note

Note!

Authentication for the user mzadmin is always performed by regardless of the selected authentication method. 


URL

Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL.

When using LDAP, you may connect via LDAPS by entering ldaps:// in the URL.

Info

Example of LDAP URL

ldap://ldap.example.com:389


Info

Example of LDAPS URL

ldaps://ldap.example.com:636


Test Connection

Click this button to test the connection to the authentication server. LDAP attributes and other settings than the URL are not used when testing the connection.

User Base DN

Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value will be replaced with the username entered at login to produce an identifier that is passed to the LDAP server.

Info

Example of User Base DN

uid=%s,ou=users,dc=digitalroute,dc=com


Group Base DN

Enter the LDAP attributes for group lookups in the external authentication server.

Info

Example of Group Base DN

ou=groups,dc=digitalroute,dc=com

The name of the groups must be identical to the names configured in Access Groups.

TLS

Select this checkbox to enable Transport Layer Security.

Note

Note!

The following must be considered when using TLS:

  • LDAPS and TLS is not a valid combination.

  • The URL must contain a fully qualified DNS name or the authentication will fail.

  • The default LDAP port, 389, should be used.


AD Naming

Select this checkbox to use Active directory specific naming.

Enable

Select this checkbox to enable group search bind credentials. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this checkbox empty.

Bind DN

If you want to use a specific Bind DN to search for the group, enter the Bind DN.

Password

If you want to use a specific Bind DN to search for the group, enter the password for the Bind DN.

...

For information regarding the API endpoints, please see RFC: https://tools.ietf.org/html/rfc7644#section-3.2

Note

Note!

When importing the user configurations into the system or when upgrading, the users are disabled after the import operation or the upgrade. To enable the users, you can use PATCH or PUT, a user with attribute active : true. You can also enable the user by selecting the checkbox for the users you want to enable from the User tab in Access Controller on the Desktop.

When creating a new user from SCIM, the user is enabled by default.

...