provides provides different Tools to, for example, view logs, statistics, and pico instance information, and to import and export configurations.
...
To open the Access Controller, click the
button in the upper left part of the Desktop window, and then select from the menu.Users Tab
In
, the default user, mzadmin, will always have full permissions for any activity....
Setting | Description | ||||||||||
Check to enable the user's predefined access rights | |||||||||||
Username | Enter the name of the user. Valid characters are: A-Z, a-z, 0-9, '-' and '_'.
| ||||||||||
Full Name | Enter a descriptive name of the user. | ||||||||||
Enter the user's e-mail address. This address will be automatically applied to applications from which e-mails may be sent. | |||||||||||
Enter a password for the user account. | |||||||||||
Re-enter the password. | |||||||||||
Successor | A successor must be defined in the case you want to remove a user that has ownership of configuration objects. | ||||||||||
Validity Period | A defined period of time when a particular user has access rights to .When the validity period expires, the user will be unable to login or access the system until the validity period is renewed by an administrator.
| ||||||||||
Group | Enter a comma delimited list of all the access groups that the user is a member of. | ||||||||||
Member | If enabled, the user is registered as a member of the specific group. | ||||||||||
Default | If enabled, this group is set as default group for the user. By default, this group will have read, write and execute permissions for new configurations created by the user. |
...
Advanced Tab
You use the Advanced tab tab to specify the number of consecutive erroneous login attempts permitted by permitted by a user, enable logging in the System Log when a user fails to login to , and configure user authentication by selecting the relevant authentication method.
...
Property | Description | |||||
---|---|---|---|---|---|---|
mz.security.max.password.age.enabled | Default value: false Enables or disables the password expiration check. This property is only applicable when mz.security.user.control.enabled is also set to true. If both properties above are set to true, user is required to change password every N days set in mz.security.max.password.age.admin and mz.security.max.password.age.user. | |||||
mz.security.max.password.age.admin | Default value: This property specifies the maximum password age for administrator users in days. Please refer mz.security.max.password.age.enabled column. | |||||
mz.security.max.password.age.user | Default value: This property specifies the maximum password age for users in days. Please refer mz.security.max.password.age.enabled column. | |||||
mz.security.max.password.history | Default value: This property specifies how many passwords back that are required to be unique before reusing an old password. | |||||
mz.security.user.control.enabled | Default value: This property enables or disables enhanced user security. If set to
| |||||
mz.security.user.control.password.length.count | Default value: This property specifies the minimum total number of characters in a password.
| |||||
mz.security.user.control.password.numcaps.count | Default value: The minimum number of upper case characters or number of numerical characters, in a password. | |||||
mz.security.user.control.password.numcaps.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum number of upper case or numerical characters in the password. | |||||
mz.security.user.control.password.numcaps.pattern | Default value: The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met. | |||||
mz.security.user.control.password.length.count | Default value: The minimum total number of characters in a password. | |||||
mz.security.user.control.password.length.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum length of the password. | |||||
mz.security.user.control.password.lowercase.count | Default value: | |||||
mz.security.user.control.password.uppercase.count | Default value: The minimum total number of uppercase characters in a password. | |||||
mz.security.user.control.password.number.count | Default value: The minimum total number of numeric characters in a password. | |||||
mz.security.user.control.password.special.count | Default value: The minimum number of special characters, in a password. | |||||
mz.security.user.control.password.special.message | Default value: The message to be displayed for the user when they have not met the condition for the minimum number of special characters in the password. | |||||
mz.security.user.control.password.special.pattern | Default value: The pattern of the permitted values in regular expression. The password will be matched to the pattern to determine if the condition is met. | |||||
mz.security.user.control.password.repetition.message | Default value: The message to be displayed for the user when they have not met the condition for the password having the least amount of multiple repeated characters in a sequence. | |||||
mz.security.user.control.password.username.message | Default value: The message to be displayed for the user when they have the username contained withing the password. | |||||
mz.security.user.control.password.history.message | Default value: The message to be displayed for the user when they are reusing a password that they have used before. | |||||
mz.security.user.control.password.extra.count | Default value: The minimum number of characters for the extra user policy. | |||||
mz.security.user.control.password.extra.message | Default value: The message to be displayed for the user when they did not meet the requirements of the extra user policy. | |||||
mz.security.user.control.password.extra.pattern | Default value: The pattern of the permitted values. The password will be matched to the pattern to determine if the condition is met. | |||||
mz.security.user.control.password.extra.type | Default value: The type that determines what the extra pattern will be. The value of this property can be set to regexp or none. Setting it to regexp ensures that the pattern has to conform to regular expressions. |
...
User authentication is by default performed in connect to connect to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creation of users and assigning access groups.
. As an alternative, you canIf the external authentication server returns an error or cannot be accessed, will will perform the authentication internally as a fallback method.
...
LDAP Authentication Preparations
This This section does not apply if apply if authentication is to be performed by .
NOTE: For Active directory specific settings check Active Directory Important Information
...
The LDAP directory that is used for authentication must conform to the following requirements:
The
cn
attribute attribute of group entries must match an access group defined in .
Note title Note! performs case sensitive comparisons of the cn attributes and access groups.
- For each user in a group entry, the
memberUid
attribute must be set. - All group entries must belong to the object class
posixGroup
. All user entries must belong to the objectclass
posixAccount
.The username must be unique. It cannot duplicate a username that already exists in.
Note | ||
---|---|---|
| ||
If a user requires administration rights, they must be added to the Administrator access group, which is a default access group in , and you must create a group named Administrator in the LDAP directory. |
...
All user entries must belong to the
objectclass
user .User's groups have to be provided via
memberOf
attribute.User's login has to be provided via
samaccountname
attribute.The username must be unique. It cannot duplicate a username that already exists in.
Note | ||
---|---|---|
| ||
If a user requires administration rights, they must be added to the Administrator access group, which is a default access group in, and you must create a group named Administrator in the LDAP directory. |
...
Setting | Description | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Authentication Methods | The Authentication Methods setting is only available if LDAP Authentication is installed.
The default setting is authentication performed by .
| ||||||||||
URL | Enter the URL for the external authentication server. The default ports, 389 for LDAP and 686 for LDAPS, are used unless other ports are specified in the URL. When using LDAP, you may connect via LDAPS by entering
| ||||||||||
Test Connection | Click this button to test the connection to the authentication server. LDAP attributes and other settings than the URL are not used when testing the connection. | ||||||||||
User Base DN | Enter the LDAP attributes for user lookups in the external authentication server. The substring %s in this value will be replaced with the username entered at login to produce an identifier that is passed to the LDAP server.
| ||||||||||
Group Base DN | Enter the LDAP attributes for group lookups in the external authentication server.
The name of the groups must be identical to the names configured in Access Groups. | ||||||||||
TLS | Select this check box to enable Transport Layer Security.
| ||||||||||
AD Naming | Select this check box if you want to use Active directory specific naming. | ||||||||||
Enable | Select this check box if you want to enable group search bind credentials. You must also populate the Bind DN and Password fields. If you want to run an anonymous lookup, leave this check box empty. | ||||||||||
Bind DN | If you want to use a specific Bind DN to search for the group, enter the Bind DN. | ||||||||||
Password | If you want to use a specific Bind DN to search for the group, enter the password for the Bind DN. |
...
It is possible to use SCIM via the REST HTTP interface to POST, GET, DELETE, PUT and PATCH user and group configurations. This section will cover the schemas used to create, update and remove users and groups, as well as the limitations when using SCIM for
.
For more information regarding the specifications for SCIM, please see RFC: https://tools.ietf.org/html/rfc7643
...
Note | ||
---|---|---|
| ||
When importing the user configurations into or when upgrading, the users will be disabled after the import operation or the upgrade. In order to enable the users, you can use PATCH or PUT, a user with attribute active : true. You can also enable the user by ticking the checkbox for the users you want to enable from the User tab in Access Controller on the desktop. When creating a new user from SCIM, the user will be enabled by default. |
These are the limitations for using SCIM instead of the desktopthe desktop.
- A user can only be created once using the HTTP method POST
- The password attribute is not mandatory when you create a user with POST , however the user will not be able to login to without login without a password.
- All user details can be modified except the username.
- The users assigned group can only be updated using the HTTP method PUT
- When using PUT to assign a user's group, no default group will be selected.
- You can only POST an access group with same name one time, the group name can not be changed.
It is not possible to set or change the applications connected to the access group using the HTTP methods available via SCIM, this is only possible using the desktop.
Custom Schema
has has an additional schema for the "User" resource. The Schema URI for it is:
...