Legacy Desktop Access Controller

provides different Tools to view logs, statistics, and Pico instance information, and to import and export configurations.

To be able to operate the system, you need to be defined as a user in the system. Your access to the various applications is determined by the access group that you are assigned to. Execute permissions prescribe whether members of an access group can use a certain application; for applications that include configurable parameters, the group also needs Write permission.

Note!

  • By default, members of the predefined group Administrator have full permissions for the Access Controller. You can enable these permissions for other groups as well.

  • When the Administrator group has no members, all users with full permissions for the Access Controller will have Administration access.

  • It is not possible to disable or delete the last active user with full permissions for the Access Controller. This is to prevent system lockout.

  • Members that are not part of the Administrator group will not be able to remove or modify the Administrator group and any of its group members.

  • Only one user may use the Access Controller with write permissions at any given time.

  • It is not possible to delete the last group with members that have full permissions for the Access Controller. This is to prevent system lockout.

  • It is possible to use SCIM via the REST HTTP interface to POST, GET, DELETE, PUT and PATCH user and group configurations.

To open the Access Controller, click the Tools button in the upper left part of the Desktop window, and select Access Controller from the menu.

Users Tab

The default user, mzadmin, always has full permissions to all activities.

It is recommended that the mzadmin password is changed and kept in a safe place. For day-to-day work, personal accounts should be created and used instead, so that changes can be tracked to individual users.

To add a user:

  1. Open the Users tab.

  2. Click New.


    Access Controller - Users tab

  3. Fill in the details according to the description below.

Setting

Description

Enable User

When selected, this option enables the user.

Username

Enter the name of the user. Accepted characters are A-Z, a-z, 0-9, '-', and '_'.

Note!

Usernames must be unique. This also applies if you use an external authentication method such as LDAP.

Full Name

Enter the full name of the user.

Email

Enter the user's associated e-mail address. This address is automatically applied to applications from which e-mails are sent.

Password

Enter the associated password for the given user account.

Note!

The password is required by certain mzcli commands, where it is entered on a bash command line, so characters that bash treats specially should not be used in the password. These characters are $, \, /, |, *, &, space, and any other special characters used by bash. For a complete list of the characters to avoid, refer to https://mywiki.wooledge.org/BashGuide/SpecialCharacters .

Verify Password

Re-enter the password to confirm it.

Successor

A successor must be defined for when you want to remove the user that has ownership of configuration objects. The ownership of the configuration will be moved to whichever user is set as this user's successor.

Validity Period

Check to enable the user's validity period for access to the system. Once the validity period for the user is over, the user will be disabled but not removed from the users list. This is so the user can be enabled again if needed.

From

Start date. The user is allowed to log in from this date.

To

End date. The user is allowed to log in until this date.

Allow Access Through SCIM

Check to enable access through the SCIM API. Refer to SCIM for more information.

Group

A list of the groups that can be assigned to the user.

Member

If enabled, the user is registered as a member of the selected group.

Default

If enabled, the access group set in Group will be set as default group for the user. By default, this group will have read, write and execute permissions for new configurations created by the user.


For details on how to change your password see The File Menu in Desktop User Interface.
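As an added example (not part of this documentation), the following POSIX shell functions check a candidate password against the bash special characters named in the Password note above, and show what unquoted expansion does to a password containing spaces. The allowlist of permitted characters is an assumption, stricter than the note, and mzcli itself is not invoked.

```shell
#!/bin/sh
# Added example, not from the product documentation: a pre-check for passwords
# that will be typed into bash for mzcli. The allowlist below is an assumption
# (stricter than the note, which only lists the characters to avoid); widen it
# if your site permits other punctuation that bash does not treat specially.

# Prints every character of the candidate password that is outside the
# allowlist. Empty output means nothing in it is special to bash.
unsafe_chars_in_password() {
    printf '%s' "$1" | tr -d 'A-Za-z0-9._,:@+=-'
}

# Exit status 0 when the password contains only allowlisted characters.
password_is_shell_safe() {
    [ -z "$(unsafe_chars_in_password "$1")" ]
}

# Shows one way an unsafe password breaks: expanded unquoted, it is split on
# spaces into several arguments. Globbing is disabled so a '*' in the password
# does not additionally expand to file names. Prints the resulting argument count.
count_unquoted_args() {
    set -f
    set -- $1
    set +f
    echo "$#"
}

# Usage: pass a constructed candidate password as the first argument.
if [ "${1:-}" != "" ]; then
    if password_is_shell_safe "$1"; then
        echo "ok: password contains no bash-special characters"
    else
        printf 'reject: these characters are special to bash: %s\n' \
            "$(unsafe_chars_in_password "$1")"
    fi
fi
```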

Access Groups Tab

Administrator is a predefined access group. By default, this group has full access to all the activities and functions in the system, and it cannot be deleted. The only permissions you can change for the Administrator group are its Access Controller permissions.

To add a new group to the system, select the Access Groups tab and click New.


Access Controller - Access Groups tab

Setting

Description

Name

Enter the name of the group. Valid characters are: A-Z, a-z, 0-9, '-' and '_'.

Description

Descriptive information about the group.

Allow Access Through SCIM

Check to enable access through the SCIM API. Refer to SCIM for more information.

Application

This column is a list of all applications in the system.

Execute

Select to enable the members of the access group to start an instance of the relevant application. Clear to prohibit the access group members from using it.

Write

Check to enable the members of the access group to edit and save a configuration within the relevant application.

Checking Write for Data Management and Tools & Monitoring features will allow members of the access group to manipulate the data contained within.

Clear to prohibit the access group members from doing so.

Application Category

A drop-down menu that allows you to filter on application type. Options are All, Configuration, Inspection, Tools, Web Interface or Web API.

Select All

Enables Write (if applicable) and Execute for all permissions in the chosen category.

Deselect All

Disables Write and Execute for all permissions in the chosen category.

For information about how to modify configuration permissions, see Configuration Browser.

Advanced Tab

You use the Advanced tab to specify the number of consecutive erroneous login attempts permitted for a user, to enable logging in the System Log when a user fails to log in, and to configure user authentication by selecting the relevant authentication method.

Access Controller - Advanced tab

Options

Description

Login

Number of Consecutive Erroneous Login Attempts

To configure the maximum number of consecutive failed login attempts, open the Advanced tab and set a value in Number Of Consecutive Erroneous Login Attempts.

The default is 3.

When the maximum number of failed login attempts is reached, the user must restart the Desktop. If enhanced user security is enabled, the user account is also locked. Refer to Enhanced User Security.

When a user account is locked, the password settings for the user account must be updated in the Users tab, unless Enable Automatic Unlocking Of Users is selected.

Enable Logging for User Login

To configure the system to log failed login attempts in the System Log, open the Advanced tab and select the check box Enable Logging For User Login. Successful logins and locked accounts are always logged regardless of this setting.

Enable Automatic Unlocking Of Users

This check box is available when enhanced user security is enabled. Refer to Enhanced User Security.

Select this check box to automatically unlock accounts that have been disabled due to failed login attempts. Accounts that have been manually disabled from the Users tab are not affected by this setting.

Time Before Automatic Unlocking (Minutes)

This field is enabled when Enable Automatic Unlocking Of Users is checked.

Enter the time that should pass before a locked account is automatically unlocked by the system.

The minimum value is 1 minute.

Authentication

Reauthenticate Users after Inactivity

To configure the system to reauthenticate users after a period of inactivity in the Desktop or in the mzcli shell (interactive mode), open the Advanced tab and select the check box Reauthenticate Users After Inactivity.

Time Before Reauthentication (Minutes)

This field is enabled when Reauthenticate Users After Inactivity is checked.

Set the maximum inactive time here.

In the Desktop, the duration of time that the user does not perform any actions is counted as inactive time, regardless of ongoing processes. However, users are not logged out due to inactivity, but must authenticate again in order to continue the session.

In the mzcli shell, the duration of time that the user does not press any key is counted as inactive time, provided that there is no ongoing command execution. Users are logged out as a result of inactivity and are prompted to enter the password again.

Authentication Method

There are two selections available in this drop-down list: Default and LDAP.

With Default, user authentication is performed by the system itself. As an alternative, you can connect the system to an external LDAP directory for delegated authentication. This facilitates automation of administrative tasks such as creating users and assigning access groups, as described in LDAP Authentication.

By selecting LDAP, more fields for LDAP settings will be displayed.