...
Open the Users tab.
Click New.
Access Controller - Users tabFill in the details according to the description below.
...
Setting | Description | ||
---|---|---|---|
Name | Enter the name of the group. Valid characters are: A-Z, a-z, 0-9, '-' and '_'. | ||
Description | Descriptive information about the group. | ||
Allow Access Through SCIM | Check to enable access through SCIM API. Refer SCIM | ||
Application | This column is a list of all applications in the system. | ||
Execute | Select to enable the members of the access group to start an instance of the relevant application. Clear to prohibit the access group members from using it. | ||
Write | Select Check to enable the members of the access group to edit and save a configuration within the relevant application. Clear to prohibit the user from doing so.
Checking Write for Data Management and Tools & Monitoring features will allow members of the access group to manipulate the data contained within. Clear to prohibit the user from doing so. | ||
Application Category | A drop - down menu that allows the user to filter on application type. Options are All, Configuration, Inspection, Tools, Web Interface or the Web interfaceAPI. | ||
Select All | Enables Write (if applicable) and Execute for all permissions in the chosen category. | ||
Deselect All | Disables Write and Execute for all permissions in the chosen category. |
For information about how to modify configuration permissions, see Configuration Browser.
Advanced Tab
You use the Advanced tab the Advanced tab to specify the number of consecutive erroneous login attempts permitted by permitted by a user, enable logging in the System Log when a user fails to login to log in , and configure user authentication by selecting the relevant authentication method.
...
Options |
---|
...
Description | |
---|---|
Login | |
Number of Consecutive Erroneous Login Attempts | In order to configure the maximum |
...
number consecutive failed login attempts, open |
...
the Advanced tab, and set a value in Number Of Consecutive Erroneous Login Attempts. The default is 3. When the maximum number of failed login attempts is reached, the user must restart the Desktop. If enhanced user security is enabled, the user account is also locked. |
...
Refer Enhanced User Security (3.2) When user account is locked, the password settings for the user account must be updated in the Users tab, unless Enable Automatic Unlocking Of Users is selected. | |
Enable Logging for User Login | In order to configure the system to log failed attempts in the System Log, open the Advanced tab, and select the |
...
check box Enable Logging For User Login. Successful logins and locked accounts are always logged regardless of this setting. |
Reauthenticate Users after Inactivity
To configure the system to reauthenticate users after a period of inactivity in the Desktop or mzsh shell (interactive mode), open the Advanced tab, and select the checkbox Reauthenticate Users After Inactivity. Then set the maximum inactive time in Time of Inactivity Before Reauthentication (Minutes).
On the Desktop, the duration of time that the user does not perform any actions is counted as inactive time, regardless of ongoing processes.
However, users are not logged out due to inactivity but must authenticate again in order to continue the session.
...
Enable Automatic Unlocking Of Users | This checkbox is available when enhanced user security is enabled. Refer Enhanced User Security (3.2) Select this check box to automatically unlock accounts that have been disabled due to failed login attempts. Accounts that have been manually disabled from the Users tab are not affected by this setting. |
Time Before Automatic Unlocking (Minutes) | This field is enabled when checkbox for Enable Automatic Unlocking Of Users is checked. Enter the time that should pass before a locked account is automatically unlocked by the system. The minimum value is 1 minute. |
Authenthication | |
---|---|
Reauthenticate Users after Inactivity | In order to configure the system to reauthenticate users after a period of inactivity in the Desktop or mzcli shell (interactive mode), open the Advanced tab, and select the check box Reauthenticate Users After Inactivity. |
Time Before Reauthentication (Minutes) | This field is enabled when checkbox for Reauthenticate Users After Inactivity is checked. Set the maximum inactive time here. In the Desktop, the duration of time that the user does not |
...
perform any |
...
actions is counted as inactive time, |
...
mz.security.user.control.password.number.count
...
Default value: ""
The minimum total number of numeric characters in a password.
...
mz.security.user.control.password.special.count
...
Default value: 1
The minimum number of special characters in a password.
...
mz.security.user.control.password.special.message
...
Default value: The password needs to contain at least 1 special character(s).
The message is displayed for the user when they have not met the condition for the minimum number of special characters in the password.
...
mz.security.user.control.password.special.pattern
...
Default value: [\\W_]
The pattern of the permitted values in the regular expression. The password is matched to the pattern to determine if the condition is met.
...
mz.security.user.control.password.repetition.message
...
Default value: The password contains too many consecutive identical characters.
The message is displayed for the user when they have not met the condition for the password having the least amount of multiple repeated characters in a sequence.
...
mz.security.user.control.password.username.message
...
Default value: The username may not be a part of the password.
The message is displayed to the user when they have the username contained within the password.
...
mz.security.user.control.password.history.message
...
Default value: The password may not be a recently used password.
The message is displayed to the user when they reuse a password that they have used before.
...
mz.security.user.control.password.extra.count
...
Default value: ""
The minimum number of characters of the extra user policy.
...
mz.security.user.control.password.extra.message
...
Default value: ""
The message is displayed to the user when they do not meet the requirements of the extra user policy.
...
mz.security.user.control.password.extra.pattern
...
Default value: ""
The pattern of the permitted values. The password is matched to the pattern to determine if the condition is met.
...
mz.security.user.control.password.extra.type
...
Default value: ""
The type determines what the extra pattern is. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions.
Note |
---|
Note!The user account is locked after a configurable number of failed login attempts. If this happens, the password settings for the user account must be updated in the Users tab, unless automatic unlocking is selected. For more information about how to update password settings for a user account and how to configure automatic unlocking, see the section above, Users Tab, and the section below, Enhanced User Security Configuration. |
Enhanced User Security Configuration
The settings that are described in this section are available when enhanced user security is enabled.
...
Access Controller - Advanced tab
Setting
Description
Enable Automatic Unlocking Of Users
Select this checkbox to automatically unlock accounts that have been disabled due to failed login attempts. Accounts that have been manually disabled from the Users tab are not affected by this setting.
Time Before Automatic Unlocking (Minutes)
regardless of ongoing processes. However, users are not logged out due to inactivity, but must authenticate again in order to continue the session. In the mzcli shell, the duration of time that the user does not press any key is counted as inactive time, provided that there is no ongoing command execution. Users are logged out as a result of inactivity and are prompted to enter the password again. | |
Authentication Method | There are two selections available in this dropdown list: Default, LDAP. |
Enhanced User Security
The security user control can be enhanced by changing the Platform property mz.security.user.control.enabled
in the platform.conf
. By default, this property is set to false
. If set to true
a number of rules regarding the passwords apply as soon as the platform is restarted.
Note |
---|
Note!When you are using LDAP authentication, the information in this section is only applicable to the user mzadmin. |
Enhanced User Security Password Rules
If enhanced user security is enabled, the default password rules are:
The password must:
Be at least eight characters long
Include at least one special character and one that is either a number or a capital letter
The password cannot:
Contain more than two identical characters in an uninterrupted sequence. Such as "aaa".
Note | ||
---|---|---|
| ||
Repetitive characters that are not consecutively sequenced are still valid. Such as "adadad". |
...
Include the username.
...
Be in alphabetical sequences, such as Abcd.
...
Be in numerical sequences, such as 1234.
...
Be in any US keyboard pattern, such as Qwerty.
...
Contain any whitespace.
...
Be identical to any of the recent twelve (minimum) passwords used for the user ID
...
Note |
---|
Note!All properties listed below are only applicable when the value of |
...
Property
...
Description
...
mz.security.max.password.age.enabled
...
Default value: false
Enables or disables the password expiration check. This property is only applicable when mz.security.user.control.enabled is also set to true.
If both properties above are set to true, the user is required to change the password every N days set in mz.security.max.password.age.admin and mz.security.max.password.age.user.
...
mz.security.max.password.age.admin
...
Default value: 30
This property specifies the maximum password age for administrator users in days.
Please refer mz.security.max.password.age.enabled column.
...
mz.security.max.password.age.user
...
Default value: 90
This property specifies the maximum password age for users in days.
Please refer mz.security.max.password.age.enabled column.
...
mz.security.max.password.history
...
Default value: 12
This property specifies how many passwords back that are required to be unique before reusing an old password.
...
mz.security.user.control.enabled
Default value: false
This property enables or disables enhanced user security. If set to true
, a number of rules regarding passwords apply as soon as the platform is restarted. For information about enhanced user security, see Access Controller in the Desktop User's Guide.
Note |
---|
Note!At installation, this property is set to the same value as the installation property |
...
mz.security.user.control.password.length.count
Default value: 8
This property specifies the minimum total number of characters in a password.
Note |
---|
Note!This is only applicable when the value of |
...
mz.security.user.control.password.numcaps.count
...
Default value: 1
The minimum number of upper case characters or a number of numerical characters, in a password.
...
mz.security.user.control.password.numcaps.message
...
Default value: The password needs at least one capital letter or a number in it.
The message is displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password.
...
mz.security.user.control.password.numcaps.pattern
...
Default value: [A-Z0-9]
The pattern of the permitted values in the regular expression. The password is matched to the pattern to determine if the condition is met.
...
mz.security.user.control.password.length.count
...
Default value: 8
The minimum total number of characters in a password.
...
mz.security.user.control.password.length.message
...
Default value: The password needs to be at least 8 characters.
The message is displayed to the user when they have not met the condition for the minimum length of the password.
...
mz.security.user.control.password.lowercase.count
...
Default value: ""
The minimum total number of lowercase characters in a password.
...
mz.security.user.control.password.uppercase.count
...
Default value: ""
The minimum total number of uppercase characters in a password.
User authentication is by default performed in . As an alternative, you can connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creation of users and assigning access groups as mentioned in LDAP Authentication(3.2) By selecting LDAP, more fields for LDAP settings will be displayed. |
LDAP Authentication
User authentication is by default performed in the system. As an alternative, you can connect to an external LDAP directory for delegated authentication. This facilitates the automation of administrative tasks such as the creation of users and assigning access groups.
...
The Authentication Methods drop-down list is only available if LDAP Authentication is installed.
Note |
---|
Note!Configuration performed from the Users Tab has no impact on external authentication servers. |
...
This section does not apply if authentication is to be performed by .
Note |
---|
Note!For Active Directory, specific settings check Active Directory Important Information. |
...
The
cn
attribute of group entries must match an access group defined in .
Note title Note! The system performs case-sensitive comparisons of the cn attributes and access groups.
For each user in a group entry, the
memberUid
the attribute must be set.All group entries must belong to the object class
posixGroup
.All user entries must belong to the object class
posixAccount
.The username must be unique. It cannot duplicate a username that already exists in the system.
Note |
---|
Note!If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory. |
...
All user entries must belong to the
objectclass
user.User groups have to be provided via
memberOf
attribute.The user's login has to be provided via
samaccountname
attribute.The username must be unique. It cannot duplicate a username that already exists in the system.
Note |
---|
Note!If a user requires administration rights, they must be added to the Administrator access group, which is a default access group, and you must create a group named Administrator in the LDAP directory. |
...
Setting | Description | ||||
---|---|---|---|---|---|
Authentication Methods | The Authentication Methods setting is only available if LDAP Authentication is installed.
The default setting is authentication performed by .
| ||||
URL | Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL. When using LDAP, you may connect via LDAPS by entering
| ||||
Test Connection | Click this button to test the connection to the authentication server. LDAP attributes and other settings than the URL are not used when testing the connection. | ||||
User Base DN | Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value will be replaced with the username entered at login to produce an identifier that is passed to the LDAP server.
| ||||
Group Base DN | Enter the LDAP attributes for group lookups in the external authentication server.
The name of the groups must be identical to the names configured in Access Groups. | ||||
TLS | Select this checkbox to enable Transport Layer Security.
| ||||
AD Naming | Select this checkbox to use Active directory specific naming. | ||||
Enable | Select this checkbox to enable group search bind credentials. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this checkbox empty. | ||||
Bind DN | If you want to use a specific Bind DN to search for the group, enter the Bind DN. | ||||
Password | If you want to use a specific Bind DN to search for the group, enter the password for the Bind DN. |
...
For information regarding the API endpoints, please see RFC: https://tools.ietf.org/html/rfc7644#section-3.2
Note |
---|
Note!When importing the user configurations into the system or when upgrading, the users are disabled after the import operation or the upgrade. To enable the users, you can use PATCH or PUT, a user with attribute active : true. You can also enable the user by selecting the checkbox for the users you want to enable from the User tab in Access Controller on the Desktop. When creating a new user from SCIM, the user is enabled by default. |
...