4.1 Managing Users

When you add a new user, the user cannot access any of the Framework consoles until the user is added to a group that contains a role allowing the appropriate access. For example, if you want a user to be able to access only the Compliance Auditor console, you must create a group and configure the appropriate Compliance Auditor roles, then create the user and add the user to the group.

You can create additional users with the same access as the admin user by adding them to the admin group, or create your own group with access to all modules and roles. You can also configure these additional users to be superusers. Only users who belong to a group with the “super” role can view and administer superusers.

4.1.1 Configuring Account Settings

The Account Settings option allows you to set the default values for user settings such as minimum password length. When you add a new user, these default settings apply, but they can be overridden for individual users by modifying the individual account settings.

  1. Click Framework User Manager on the home page of the console.

  2. Click Users in the navigation pane.

  3. Click Account Settings in the task pane.

  4. Configure the following account options:

    Inactivity timeout (minutes): Specify the number of minutes that users can be inactive before logging them out of the Framework Manager console.

    Account lockout: Specify the number of times a user can enter the wrong password before being locked out. You can re-enable the user’s account by using the Modify User option and clearing the Disabled check box. You can reset the user’s password by using the Modify User option.

    Inactive days (disable): Specify the number of days that a user’s account can be inactive before it is disabled. You can reactivate the user’s account by using the Modify User option and using the Reactivate account check box in the Account section.

    Inactive days (delete): Specify the number of days a user’s account can be inactive before it is deleted.

    Display Last Logon: Specify when the Last Logon box is displayed during a Framework login. The options are After Failure, Never, or Always.

    Authentication Domain: Specify a configured Privileged Account Domain. Privileged Account Domains are configured through the Command Control Privileged Accounts. Valid authentication domains can be configured to validate against Novell eDirectory or Microsoft Active Directory. Authentication Domains are used for External Groups within Command Control, or for authentication to the RDP Relay Console.

    Password lifetime (days): Specify the number of days a user’s password can be used before it expires and the user is prompted to change the password.

    Minimum password length: Specify the minimum number of characters that must be used in a user’s password.

    Password history: Specify the number of unique passwords that a user must use before being allowed to reuse an old password.

    Minimum alpha: Specify the minimum number of alphabetic characters that must be used in a user’s password.

    Minimum numerics: Specify the minimum number of numeric characters that must be used in a user’s password.

    Cache native passwords: Enable this option if you want the Framework Manager passwords updated with LDAP passwords. When you set up a mapping for users with an LDAP server, the Framework Manager password is updated to match the LDAP password with each successful login. (For information on setting up an LDAP mapping, see Modify User: Native Maps.)

    If a user never successfully logs into the LDAP server, the local password is never updated, and the user can use the local Framework Manager password to log in.

    If this option is disabled, the local Framework Manager passwords are never updated with the LDAP passwords. Users can attempt an LDAP login, and if that fails, they can log in locally with their Framework Manager passwords.

  5. Configure the following help desk attributes. These attributes control the functionality of the Help Desk role and determine the actions that can be performed by a help desk user. For information about creating a group to use these attributes, see Section 4.2.3, Configuring a Help Desk Group.

    Disabled: Allows the help desk user to enable and disable user accounts.

    Password: Allows the help desk user to change an existing password.

    Change at next login: Allows the help desk user to determine whether the user is forced to change the password on the next login.

    Last changed: Displays the last time the password was changed and allows the help desk user to reset it to the current date and time.

    Bad logons: Displays the number of bad logins and allows the help desk user to reset the count.

    Last bad logon: Displays the time and date of the last bad login and allows the help desk user to reset it to the current date and time.

    Last logon: Displays the last successful login of the user and allows the help desk user to reactivate the account.

    Group membership: Allows the help desk user to assign the user to non-administrative accounts.

  6. Click Finish.

4.1.2 Adding a Framework User

When you add a new Framework user:

  • The user’s account is set up according to the default values defined in the Account Settings option. You can change these settings for individual users by using the Modify User option.

  • The user’s password is set to expire immediately so he or she is prompted to change it on the first login to the Framework Manager console. You can change this setting for individual users by using the Modify User option.

  • The user cannot access any of the Framework consoles until you have added the user to a group with the required roles defined. For more information, see Section 4.1.3, Modifying a Framework User and Section 4.2.4, Configuring Roles.

To add a new Framework user:

  1. Click Framework User Manager on the home page of the console.

  2. Click Users in the navigation pane.

  3. Click Add User in the task pane.

  4. Specify a name for the user in the Username field.

  5. Specify a password for the user in the Password field.

    The password must comply with the default account settings for the Framework.

  6. Click Finish.

  7. To configure additional settings for the user’s account, continue with Section 4.1.3, Modifying a Framework User.

4.1.3 Modifying a Framework User

The Modify User option allows you to override the default account settings for an individual user, and also provides a number of additional configuration settings and tasks, including resetting a user’s password and assigning a user to a group.

To modify a Framework user account:

  1. Click Framework User Manager on the home page of the console.

  2. Click Users in the navigation pane.

  3. In the left pane, select the user account you want to modify.

  4. Click Modify User in the task pane.

  5. Change the settings as desired:

    Disabled: Select this option to disable the user’s account.

    Comment: Specify a short comment in the text box.

    Description: Specify a detailed description in the text box.

  6. To configure additional options, select the section you want:

    Password: Allows you to reset the user’s password and configure other password settings. For specific instructions and additional options, see Modify User: Password.

    Password validation: Allows you to define the minimum number of alphabetic and numeric characters required in the user’s password. For specific instructions and additional options, see Modify User: Password Validation.

    Account: Allows you to configure the user as a superuser, provides information about the user’s account, and provides other account configuration options. For specific instructions and additional options, see Modify User: Account.

    Account Details: Allows you to enter personal information for the user, including Staff ID and contact details. For specific instructions and additional options, see Modify User: Account Details.

    Host Access Control: Allows you to control where the user can access the console from. For specific instructions and additional options, see Modify User: Host Access Control.

    Native Maps: Allows you to map the Framework user account to a user account on a UNIX platform or on an LDAP server. For specific instructions and additional options, see Modify User: Native Maps.

    Logon Script: Allows you to define a Perl logon script for the user. For specific instructions and additional options, see Modify User: Logon Script.

    Groups: Allows you to add the user to one or more groups. For specific instructions and additional options, see Modify User: Groups.

    Authentication Script: Allows you to enable additional authentication apart from the default password authentication. For specific instructions and additional options, see Modify User: Authentication Script.

  7. When you have completed your changes, click Finish.

Modify User: Password

To set password options for a Framework user:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Password.

  4. Change the options as desired:

    Password: To reset the user’s password, type the new password and retype it in the Confirm field.

    NOTE: The password must comply with the default account settings for the Framework, and comply with individual user settings defined by using this option and the Password Validation option.

    Change at next login (Expired): Select the Change at next login check box to expire the user’s current password immediately, forcing the user to change it on the next login.

    Last changed: Indicates when the password was last changed by the user, or, if the password has not yet been changed by the user, indicates when the user and password were created.

    Reset password age: Select the Reset password age check box to reset the age of the password to zero. The user can use the password for the full number of days defined in Password lifetime (days) (see Section 4.1.1, Configuring Account Settings), or in the Maximum age field if it has been configured.

    Minimum length: Override the default account settings by specifying the minimum number of characters you require in a user’s password.

    Maximum age: Override the default account settings by specifying the number of days before a user’s password expires, prompting the user to change the password.

    History: Override the default account settings by specifying the number of unique passwords that a user must use before being allowed to reuse an old password.

  5. Click Finish or select another option.

Modify User: Password Validation

To set password validation options for a Framework user:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Password validation.

  4. To override the default account settings for this user, select the appropriate check box and set the required values as follows:

    Min alpha characters: Specify the minimum number of alphabetic characters you require in the user’s password.

    Min numeric characters: Specify the minimum number of numeric characters you require in the user’s password.

  5. Click Finish or select another option.
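The following Python script is added here as an illustration of how the Account Settings defaults (Section 4.1.1) and the per-user values in Modify User: Password and Modify User: Password Validation combine when a new password is checked; it is not part of the product, and its class and function names, the sample defaults, and the use of SHA-256 for the history comparison are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccountSettings:
    """Framework-wide defaults from the Account Settings option (Section 4.1.1)."""
    minimum_password_length: int = 8
    password_history: int = 5
    minimum_alpha: int = 1
    minimum_numerics: int = 1


@dataclass
class UserOverrides:
    """Per-user values from Modify User: Password and Modify User: Password Validation.
    None means the override check box is not selected, so the account default applies."""
    minimum_length: Optional[int] = None
    history: Optional[int] = None
    min_alpha_characters: Optional[int] = None
    min_numeric_characters: Optional[int] = None


def _pick(override, default):
    """An override wins only when it is set; otherwise fall back to the account default."""
    return default if override is None else override


def password_digest(password: str) -> str:
    """Digest used to compare a candidate against the password history.
    Illustrative only: a real credential store keeps salted, slow hashes, not plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(candidate: str, history_digests: List[str], defaults: AccountSettings,
                      overrides: Optional[UserOverrides] = None) -> List[str]:
    """Return the rules the candidate violates ('length', 'alpha', 'numeric', 'history');
    an empty list means the password is accepted. history_digests is ordered most recent
    first, and only the last N entries (the effective history setting) block reuse."""
    overrides = overrides or UserOverrides()
    length = _pick(overrides.minimum_length, defaults.minimum_password_length)
    history = _pick(overrides.history, defaults.password_history)
    alpha = _pick(overrides.min_alpha_characters, defaults.minimum_alpha)
    numeric = _pick(overrides.min_numeric_characters, defaults.minimum_numerics)
    violations = []
    if len(candidate) < length:
        violations.append("length")
    if sum(c.isalpha() for c in candidate) < alpha:
        violations.append("alpha")
    if sum(c.isdigit() for c in candidate) < numeric:
        violations.append("numeric")
    if password_digest(candidate) in history_digests[:history]:
        violations.append("history")
    return violations


# Constructed sample defaults, as an administrator might set them in Account Settings.
SAMPLE_DEFAULTS = AccountSettings(minimum_password_length=8, password_history=3,
                                  minimum_alpha=2, minimum_numerics=2)
```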

Modify User: Account

To set account options for a Framework user:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Account.

  4. Change the options as desired:

    Super user: Select the Super user check box to make this user a superuser.

    NOTE: The Super user option is available only if you are logged in as a superuser. Superusers can be viewed and administered only by users belonging to a group with the super role defined for the auth module.

    Last bad logon: The last time the user failed to log on successfully.

    Last logon: Indicates when the user last logged in to the Framework Manager console.

    Reactivate account: Select the Reactivate account check box to re-enable a user’s account that has been locked through bad logons.

    Disable inactive days: Override the default account settings by specifying the number of days the user’s account can be inactive before it is disabled. You can reactivate the user’s account by using the Reactivate account option described above.

    Delete inactive days: Override the default account settings by specifying the number of days the user’s account can be inactive before it is deleted.

    Inactivity logout mins: Override the default account settings by specifying the number of minutes the user can be inactive before the user is logged out of the Framework Manager console.

    Bad logons: The number of times the user has failed to log on successfully since the last successful logon.

    Reset bad logon count: Resets the number of unsuccessful logons to zero.

    Lockout: Override the default account settings by specifying the number of times the user can enter the wrong password before being locked out. You can re-enable the user’s account by clearing the Disabled check box in the main Modify User section. You can reset the user’s password in the Password section.

    Message of the day: Override the default account settings by specifying a message to be displayed to the user after a successful logon.

  5. Click Finish or select another option.

Modify User: Account Details

To set personal account details for a Framework user:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Account Details.

  4. To set the following options, select the appropriate check box and specify the text:

    Staff ID: Specify the user’s staff ID, for example, the user’s unique company identifier.

    Display name: Specify a display name for the user, for example, the user’s full name. If a name is defined here it can be automatically entered as the Manager Name in Account Group and User Group definitions for Command Control by selecting the manager’s Framework user name (see Modifying an Account Group and Modifying a User Group). It can also be used in Compliance Auditor reports (see Section 7.3.1, Adding or Modifying an Audit Report).

    Email address: Specify the user’s e-mail address. If an e-mail address is defined here, it can also be used in Command Control (see Modifying an Account Group and Modifying a User Group) and in the Compliance Auditor (see Section 7.3.1, Adding or Modifying an Audit Report).

    Telephone number: Specify the user’s telephone number. If a telephone number is defined here, it can also be used in Command Control (see Modifying an Account Group and Modifying a User Group) and in the Compliance Auditor (see Section 7.3.1, Adding or Modifying an Audit Report).

  5. Click Finish or select another option.

Modify User: Host Access Control

You can control where the user can access a Framework Manager console from by defining a list of ports and hosts to which access is allowed, or a list of ports and hosts to which access is denied.

If you make no entries for this option, access is allowed from any location.

To control where the user can access the Framework Manager console from:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Host Access Control.

  4. (Optional) Define a list of locations from where the user is allowed to access the console, and deny access from all other locations:

    a. If auditing is required, select the Auditing check box and use the drop-down list to select the events you want to be audited.

    b. Select the Host Access check box.

    c. Click the Add button below the Host Access list.

    d. In the Port Range column, specify the required port number or range of port numbers. The following entries are allowed:

      *: All ports

      port: A single port, such as 80

      port-port: A range of ports, such as 20-30

      svcname: Resolves a service name to its port, such as HTTP

    e. In the Host/IP Subnet column, specify the required host definition. The following entries are allowed:

      *: All hosts

      ip address: A full IP address, such as 192.168.1.1

      ip address-ip address: A range of IP addresses, such as 192.168.1.1-192.168.1.12

      part ip address: Part of an IP address, such as 192.168.1

      network/netmask: A network/netmask pair, such as 192.168.1.0/255.255.255.0

      network/nnn CIDR: A network/nnn CIDR, such as 192.168.11.0/24

      hostname: A hostname, such as dellsrv1.netiq.com

      domain: A domain name, such as *.netiq.com

    f. In the Allow column, click the check box.

    g. Repeat Step 4.c through Step 4.e for any other required location definitions.

  5. (Optional) Define a list of locations from which the user is denied access to the console, and allow access from all other locations:

    a. If auditing is required, select the Auditing check box and use the drop-down list to select the events you want to be audited.

    b. Select the Host Access check box.

    c. Click the Add button below the Host Access list.

    d. Specify the desired locations as described in Step 4.d and Step 4.e above.

    e. To make this a deny entry, make sure the check box is not selected in the Allow column.

    f. Repeat Step 5.c through Step 5.e for any other required location definitions.

  6. Click Finish or select another option.
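The following Python script is added here to show how the Port Range and Host/IP Subnet entry forms listed above can be matched against a connecting client, and how an allow list, a deny list, and an empty list decide access; it is not part of the product. The function names, the sample lists, the service-name fallback table, and the rule that the first matching entry wins in a mixed list are assumptions made for the example.

```python
import ipaddress
import socket

# Constructed fallback for service names, used only when /etc/services is unavailable.
_SERVICES = {"http": 80, "https": 443, "ssh": 22, "ftp": 21, "ldap": 389, "ldaps": 636}


def _ip(text):
    """Return a full IPv4/IPv6 address as an int, or None if text is not one."""
    try:
        return int(ipaddress.ip_address(text))
    except ValueError:
        return None


def port_matches(spec, port):
    """Port Range column: '*', a single port, 'port-port' or a service name (svcname)."""
    spec = spec.strip().lower()
    if spec == "*":
        return True
    if spec.isdigit():
        return int(spec) == port
    lo, sep, hi = spec.partition("-")
    if sep and lo.isdigit() and hi.isdigit():
        return int(lo) <= port <= int(hi)
    try:
        return socket.getservbyname(spec) == port
    except OSError:
        return _SERVICES.get(spec) == port


def host_matches(spec, ip, hostname=None):
    """Host/IP Subnet column, matched against the client IP and (if resolved) its hostname."""
    spec = spec.strip().lower()
    addr = ipaddress.ip_address(ip)          # raises ValueError for anything but a full address
    if spec == "*":
        return True
    if spec.startswith("*."):                 # domain, such as *.netiq.com
        return hostname is not None and hostname.lower().endswith(spec[1:])
    if "/" in spec:                           # network/netmask or network/nnn CIDR
        try:
            return addr in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            return False
    lo, sep, hi = spec.partition("-")
    if sep and _ip(lo) is not None and _ip(hi) is not None:   # ip address-ip address
        return _ip(lo) <= int(addr) <= _ip(hi)
    if _ip(spec) is not None:                 # full ip address
        return _ip(spec) == int(addr)
    if spec.replace(".", "").isdigit():       # part ip address: 192.168.1 matches 192.168.1.x only
        return ip.startswith(spec + ".")
    return hostname is not None and hostname.lower() == spec   # hostname


def access_allowed(entries, port, ip, hostname=None):
    """entries: [(port_spec, host_spec, allow_checked), ...] from the Host Access list.
    No entries: access is allowed from any location. A matching entry decides (first match
    wins, an assumption for mixed lists). With no match, access is allowed only when the
    list contains no Allow entries, i.e. it is a pure deny list."""
    if not entries:
        return True
    for port_spec, host_spec, allow in entries:
        if port_matches(port_spec, port) and host_matches(host_spec, ip, hostname):
            return allow
    return not any(allow for _, _, allow in entries)


# Constructed sample lists: an allow list (step 4) and a deny list (step 5).
ALLOW_LIST = [("443", "192.168.1.0/24", True), ("*", "*.netiq.com", True)]
DENY_LIST = [("*", "10.10.16.165-10.10.16.170", False), ("22", "192.168.1", False)]
```

Note that hostname and domain entries can only match when the client's address has been resolved to a name; with no resolved name those entries never match.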

Modify User: Native Maps

The Native Maps option allows you to map Framework User accounts to UNIX or Linux accounts and to LDAP accounts.

UNIX or Linux Account Mapping

The Privileged User Manager Framework provides the ability to perform a number of functions from the command line. When using the command line, you are required to authenticate to the Framework. For example, the following command returns the status of all agents:

/opt/novell/npum/sbin/unifi -u admin regclnt status -a

The command contains a switch for the username (-u admin). When the command is executed, the user is prompted for a password.

You can use the Native Maps option to map a platform system user to a Privileged User Manager account. If you use an additional switch in the command line call, you are no longer required to provide authentication. A user with a native map can enter the following command:

/opt/novell/npum/sbin/unifi -n regclnt status -a

The native map plus the -n switch allows the command to be executed without prompting the user for a name or a password.

To add a native map for a UNIX or Linux user:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Native Maps.

  4. Click Add.

  5. In the User column, specify the user’s name for the UNIX or Linux platform.

  6. In the Host column, select the hostname for the UNIX or Linux platform.

  7. Repeat Step 4 through Step 6 for any additional maps you require.

  8. To edit a native map, select it and make the required changes.

  9. To remove a native map, select it and click Remove.

  10. Click Finish or select another option.

LDAP Account Mapping

Native maps can be used to allow Framework Manager users to obtain their authentication credentials from an LDAP server. This allows the LDAP server to remain the authoritative source for user credentials and active accounts. If you want LDAP mapped users to be able to log in when the LDAP server is not available, see the Cache native passwords option in Section 4.1.1, Configuring Account Settings.

To configure an LDAP mapping:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Native Maps.

  4. Click Add.

  5. In the User column, specify the user’s fully qualified distinguished name. For example:

    cn=plou,ou=development,o=novell
    
  6. In the Host column, specify the scheme (ldap or ldaps) and IP address of the LDAP server. Specify a port only if the LDAP server is not using the standard port for the scheme. For example:

    ldaps://10.10.16.165
    ldaps://10.10.16.166:736
    
  7. Click Finish or select another option.

Modify User: Logon Script

You can assign a Perl script to a user to be run when the user logs on to the Framework Manager console. For example, you could assign a script that causes an e-mail to be sent to a manager when the user logs on.

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Logon Script.

  4. Specify the logon script you require for this user. You can type the script or paste it from another document.

  5. Click Finish or select another option.

Modify User: Groups

To assign a Framework user to one or more groups:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Groups.

  4. Select the check boxes for the groups you want this user to belong to.

  5. Click Finish or select another option.

You can also assign a user to a group by using the Modify Group option, by dragging the user onto the group, or by dragging the group onto the user.

You can remove a user from a group by deselecting the check box for the required group. See Section 4.1.4, Removing a Framework User Group from a User for other methods.

Modify User: Authentication Script

Two-factor authentication enhances security by verifying that the identity of the user is valid. When it is enabled, every Framework user must enter a secondary password to log in to the PUM Administration Console. To enable two-factor authentication:

  1. Click Framework User Manager on the home page of the console.

  2. Select the user account you want to modify, then click Modify User.

  3. Click Authentication Script.

  4. Add the following script based on your requirement:

    Script to Prompt the Secondary Password in the Hidden Mode

    my $module = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");
    
    # RDP Relay checks: no secondary password for logins arriving through the RDP Relay
    if($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/) )  {
      return 0;
    }
    
    # Non-admin module checks: only the admin module requires the secondary password
    if($module && ($module->arg("name") ne "admin")) {
      return 0;
    }
    
    # get_msgs returns the user's reply to an earlier prompt, if there is one
    my $exauth = get_msgs($args);
    if($exauth) {
        my $pwd=$exauth->arg("imsg");
        # Replace "letmein" with the secondary password you require
        if($pwd && $pwd eq "letmein") {
            return 0;    # secondary password accepted: the login proceeds
        } else {
            return -1;   # wrong secondary password: the login is rejected
        }
    } else {
        # No reply yet: prompt for the secondary password (1 = hidden input)
        add_conv($args,"Enter your Secondary Password in the below Text Box and Press on 'Finish' Button", 1);
        return 1;        # more conversation is required before the login completes
    }
    

    Script to Prompt the Secondary Password and Display It

    my $module = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");
    
    # RDP Relay checks: no secondary password for logins arriving through the RDP Relay
    if($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/) )  {
      return 0;
    }
    
    # Non-admin module checks: only the admin module requires the secondary password
    if($module && ($module->arg("name") ne "admin")) {
      return 0;
    }
    
    # get_msgs returns the user's reply to an earlier prompt, if there is one
    my $exauth = get_msgs($args);
    if($exauth) {
        my $pwd=$exauth->arg("imsg");
        # Replace "letmein" with the secondary password you require
        if($pwd && $pwd eq "letmein") {
            return 0;    # secondary password accepted: the login proceeds
        } else {
            return -1;   # wrong secondary password: the login is rejected
        }
    } else {
        # No reply yet: prompt for the secondary password (0 = the typed text is displayed)
        add_conv($args,"Enter your Secondary Password in the below Text Box and Press on 'Finish' Button", 0);
        return 1;        # more conversation is required before the login completes
    }
    

    Show the Configured Message After Primary Login

    my $module = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");
    
    # RDP Relay checks: no message for logins arriving through the RDP Relay
    if($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/) )  {
      return 0;
    }
    
    # Non-admin module checks: only the admin module shows the message
    if($module && ($module->arg("name") ne "admin")) {
      return 0;
    }
    
    # get_msgs returns the user's acknowledgement of an earlier message, if there is one
    my $exauth = get_msgs($args);
    if($exauth) {
            return 0;    # message acknowledged: the login proceeds
    } else {
        # No acknowledgement yet: show the configured message with an OK button
        add_msg($args, "Message from Administrator : Click on OK to Login");
        return 1;        # more conversation is required before the login completes
    }
    

    Combination of all the Previous Scripts

    my $module = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");
    
    # RDP Relay checks: no secondary authentication for logins arriving through the RDP Relay
    if($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/) )  {
      return 0;
    }
    
    # Non-admin module checks: only the admin module requires secondary authentication
    if($module && ($module->arg("name") ne "admin")) {
      return 0;
    }
    
    # get_msgs returns the user's replies to the prompts below, in the order they were added
    my @exauth = get_msgs($args);
    if($#exauth > 0) {
        my $pwd=$exauth[0]->arg("imsg");   # reply to the first prompt (hidden input)
        my $inp=$exauth[2]->arg("imsg");   # reply to the third prompt; index 1 is the 'OK' message
    
        # Second Password is - letmein
        # Third Password is - 123
        # (replace both with the values you require)
    
        if($pwd && $pwd eq "letmein" && $inp && $inp eq "123") {
            return 0;    # both passwords accepted: the login proceeds
        } else {
            # Show the message if either or both of the passwords are wrong
            $eval_rsp->arg('message', "Admin Message : Wrong Password!!!");
    
            return -1;   # the login is rejected
        }
    } else {
        # Ask for input as a password (hidden)
        add_conv($args, "Enter your Secondary Password", 1);
    
        # Show the message with 'OK'
        add_msg($args, "Click on OK");
    
        # Ask for input as clear text
        add_conv($args, "Enter your Third Password", 0);
    
        return 1;        # more conversation is required before the login completes
    }
    
  5. Click Finish.

4.1.4 Removing a Framework User Group from a User

There are several ways of removing a Framework user group from a Framework user’s account. You can modify the user, modify the group, or use the objects in the navigation pane.

  1. Click Framework User Manager on the home page of the console.

  2. Select the group you want to remove from the user’s account.

  3. In the right pane, select the user.

  4. Click Remove User in the task pane. The user is removed.

4.1.5 Deleting a Framework User

  1. Click Framework User Manager on the home page of the console.

  2. Click Users in the navigation pane.

  3. In the left pane, select the user you want to delete.

  4. Click Delete User in the task pane.

  5. Click Finish to confirm the deletion.