When you add a new user, the user cannot access any of the Framework consoles until the user is added to a group that contains a role allowing the appropriate access. For example, if you want a user to be able to access only the Compliance Auditor console, you must create a group and configure the appropriate Compliance Auditor roles, then create the user and add the user to the group.
You can create additional users with the same access as the admin user by adding them to the admin group, or create your own group with access to all modules and roles. You can also configure these additional users to be superusers. Only users who belong to a group with the “super” role can view and administer superusers.
The … option allows you to set the default values for user settings such as minimum password length. When you add a new user, these default settings apply, but they can be overridden for individual users by modifying the individual account settings.

To configure the default account settings:

Click … on the home page of the console.
Click … in the navigation pane.
Click … in the task pane.
Configure the following account options:
Inactivity timeout (minutes): Specify the number of minutes that users can be inactive before they are logged out of the Framework Manager console.
Account lockout: Specify the number of times a user can enter the wrong password before being locked out. You can re-enable the user’s account by using the … option and clearing the … check box. You can reset the user’s password by using the … option.
Inactive days (disable): Specify the number of days that a user’s account can be inactive before it is disabled. You can reactivate the user’s account by using the … option and selecting the Reactivate account check box in the Account section.
Inactive days (delete): Specify the number of days a user’s account can be inactive before it is deleted.
Display Last Logon: Specify when the … box is displayed during a Framework login. The options are …, …, or ….
Authentication Domain: Specify a configured Privileged Account Domain. Privileged Account Domains are configured through the Command Control Privileged Accounts. Valid authentication domains can be configured to validate against Novell eDirectory or Microsoft Active Directory. Authentication Domains are used for External Groups within Command Control, or for authentication to the RDP Relay Console.
Password lifetime (days): Specify the number of days a user’s password can be used before it expires and the user is prompted to change the password.
Minimum password length: Specify the minimum number of characters that must be used in a user’s password.
Password history: Specify the number of unique passwords that a user must use before being allowed to reuse an old password.
Minimum alpha: Specify the minimum number of alphabetic characters that must be used in a user’s password.
Minimum numerics: Specify the minimum number of numeric characters that must be used in a user’s password.
Cache native passwords: Enable this option if you want the Framework Manager passwords updated with LDAP passwords. When you set up a mapping for users with an LDAP server, the Framework Manager password is updated to match the LDAP password with each successful login. (For information on setting up an LDAP mapping, see Modify User: Native Maps.)
If a user never successfully logs into the LDAP server, the local password is never updated, and the user can use the local Framework Manager password to log in.
If this option is disabled, the local Framework Manager passwords are never updated with the LDAP passwords. Users can attempt an LDAP login, and if that fails, they can log in locally with their Framework Manager passwords.
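The following Python example is added here as an illustration (it is not the product's own code) of how the default password settings listed above combine with the per-user overrides described later under Password and Password validation: an override set for a user wins, otherwise the Framework default applies. The default values, user names and passwords are constructed for the example.

```python
"""Added illustration (not PUM code): default account settings combined
with per-user overrides when a new password is validated."""
from dataclasses import dataclass, field

# Default account settings as described on the page (values are constructed).
DEFAULTS = {
    "password_lifetime_days": 90,
    "minimum_password_length": 8,
    "password_history": 5,
    "minimum_alpha": 2,
    "minimum_numerics": 1,
}

@dataclass
class FrameworkUser:
    name: str
    # Previous passwords, most recent first (plaintext only for this
    # illustration; a real store would keep salted hashes).
    history: list = field(default_factory=list)
    # Per-user overrides: only the settings the administrator ticked are
    # present, mirroring the Password and Password validation sections.
    overrides: dict = field(default_factory=dict)

def effective_setting(user: FrameworkUser, key: str) -> int:
    """A per-user override wins; otherwise the Framework default applies."""
    return user.overrides.get(key, DEFAULTS[key])

def validate_password(user: FrameworkUser, candidate: str) -> list:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    min_len = effective_setting(user, "minimum_password_length")
    if len(candidate) < min_len:
        problems.append(f"shorter than minimum length {min_len}")
    min_alpha = effective_setting(user, "minimum_alpha")
    if sum(c.isalpha() for c in candidate) < min_alpha:
        problems.append(f"fewer than {min_alpha} alphabetic characters")
    min_num = effective_setting(user, "minimum_numerics")
    if sum(c.isdigit() for c in candidate) < min_num:
        problems.append(f"fewer than {min_num} numeric characters")
    # Password history: the last N passwords may not be reused.
    depth = effective_setting(user, "password_history")
    if candidate in user.history[:depth]:
        problems.append(f"reused within the last {depth} passwords")
    return problems

def days_until_expiry(user: FrameworkUser, password_age_days: int) -> int:
    """Days left before the user is prompted to change the password.
    Reset password age corresponds to setting password_age_days back to 0."""
    lifetime = effective_setting(user, "password_lifetime_days")
    return max(0, lifetime - password_age_days)
```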
Configure the following help desk attributes. These attributes control the functionality of the Help Desk role and determine the actions that can be performed by a help desk user. For information about creating a group to use these attributes, see Section 4.2.3, Configuring a Help Desk Group.
Disabled: Allows the help desk user to enable and disable user accounts.
Password: Allows the help desk user to change an existing password.
Change at next login: Allows the help desk user to determine whether the user is forced to change the password on the next login.
Last changed: Displays the last time the password was changed and allows the help desk user to reset it to the current date and time.
Bad logons: Displays the number of bad logins and allows the help desk user to reset the count.
Last bad logon: Displays the time and date of the last bad login and allows the help desk user to reset it to the current date and time.
Last logon: Displays the last successful login of the user and allows the help desk user to reactivate the account.
Group membership: Allows the help desk user to assign the user to non-administrative accounts.
Click ….

When you add a new Framework user:

The user’s account is set up according to the default values defined in the … option. You can change these settings for individual users by using the … option.
The user’s password is set to expire immediately, so the user is prompted to change it on the first login to the Framework Manager console. You can change this setting for individual users by using the … option.
The user cannot access any of the Framework consoles until you have added the user to a group with the required roles defined. For more information, see Section 4.1.3, Modifying a Framework User and Section 4.2.4, Configuring Roles.
To add a new Framework user:

Click … on the home page of the console.
Click … in the navigation pane.
Click … in the task pane.
Specify a name for the user in the … field.
Specify a password for the user in the … field. The password must comply with the default account settings for the Framework.
Click ….
To configure additional settings for the user’s account, continue with Section 4.1.3, Modifying a Framework User.
The … option allows you to override the default account settings for an individual user, and also provides a number of additional configuration settings and tasks, including resetting a user’s password and assigning a user to a group.

To modify a Framework user account:

Click … on the home page of the console.
Click … in the navigation pane.
In the left pane, select the user account you want to modify.
Click … in the task pane.
Change the settings as desired:
Disabled: Select this option to disable the user’s account.
Comment: Specify a short comment in the text box.
Description: Specify a detailed description in the text box.
To configure additional options, select the section you want:
Password: Allows you to reset the user’s password and configure other password settings. For specific instructions and additional options, see Modify User: Password.
Password validation: Allows you to define the minimum number of alphabetic and numeric characters required in the user’s password. For specific instructions and additional options, see Modify User: Password Validation.
Account: Allows you to configure the user as a superuser, provides information about the user’s account, and provides other account configuration options. For specific instructions and additional options, see Modify User: Account.
Account Details: Allows you to enter personal information for the user, including Staff ID and contact details. For specific instructions and additional options, see Modify User: Account Details.
Host Access Control: Allows you to control where the user can access the console from. For specific instructions and additional options, see Modify User: Host Access Control.
Native Maps: Allows you to map the Framework user account to a user account on a UNIX platform or on an LDAP server. For specific instructions and additional options, see Modify User: Native Maps.
Logon Script: Allows you to define a Perl logon script for the user. For specific instructions and additional options, see Modify User: Logon Script.
Groups: Allows you to add the user to one or more groups. For specific instructions and additional options, see Modify User: Groups.
Authentication Script: Allows you to enable additional authentication apart from the default password authentication. For specific instructions and additional options, see Modify User: Authentication Script.
When you have completed your changes, click ….

To set password options for a Framework user:

Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Change the options as desired:
Password: To reset the user’s password, type the new password and retype it in the … field.
NOTE: The password must comply with the default account settings for the Framework, and with the individual user settings defined by using this option and the Password validation option.
Change at next login (Expired): Select the … check box to expire the user’s current password immediately, forcing the user to change it on the next login.
Last changed: Indicates when the password was last changed by the user, or, if the password has not yet been changed by the user, indicates when the user and password were created.
Reset password age: Select the … check box to reset the age of the password to zero. The user can then use the password for the full number of days defined in Password lifetime (days) (see Section 4.1.1, Configuring Account Settings), or in the Maximum age field if it has been configured.
Minimum length: Override the default account settings by specifying the minimum number of characters you require in a user’s password.
Maximum age: Override the default account settings by specifying the number of days before a user’s password expires, prompting the user to change the password.
History: Override the default account settings by specifying the number of unique passwords that a user must use before being allowed to reuse an old password.
Click … or select another option.

To set password validation options for a Framework user:

Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
To override the default account settings for this user, select the appropriate check box and set the required values as follows:
Min alpha characters: Specify the minimum number of alphabetic characters you require in the user’s password.
Min numeric characters: Specify the minimum number of numeric characters you require in the user’s password.
Click … or select another option.

To set account options for a Framework user:

Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Change the options as desired:
Super user: Select the … check box to make this user a superuser.
NOTE: The … option is available only if you are logged in as a superuser. Superusers can be viewed and administered only by users belonging to a group with the super role defined for the auth module.
Last bad logon: The last time the user failed to log on successfully.
Last logon: Indicates when the user last logged in to the Framework Manager console.
Reactivate account: Select the … check box to re-enable a user’s account that has been locked through bad logons.
Disable inactive days: Override the default account settings by specifying the number of days the user’s account can be inactive before it is disabled. You can reactivate the user’s account by using the Reactivate account option described above.
Delete inactive days: Override the default account settings by specifying the number of days the user’s account can be inactive before it is deleted.
Inactivity logout mins: Override the default account settings by specifying the number of minutes the user can be inactive before the user is logged out of the Framework Manager console.
Bad logons: The number of times the user has failed to log on successfully since the last successful logon.
Reset bad logon count: Resets the number of unsuccessful logons to zero.
Lockout: Override the default account settings by specifying the number of times the user can enter the wrong password before being locked out. You can re-enable the user’s account by clearing the Disabled check box in the main section. You can reset the user’s password in the Password section.
Message of the day: Override the default account settings by specifying a message to be displayed to the user after a successful logon.
Click … or select another option.

To set personal account details for a Framework user:

Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
To set the following options, select the appropriate check box and specify the text:
Staff ID: Specify the user’s staff ID, for example, the user’s unique company identifier.
Display name: Specify a display name for the user, for example, the user’s full name. If a name is defined here, it can be automatically entered as the … in Account Group and User Group definitions for Command Control by selecting the manager’s Framework user name (see Modifying an Account Group and Modifying a User Group). It can also be used in Compliance Auditor reports (see Section 7.3.1, Adding or Modifying an Audit Report).
Email address: Specify the user’s e-mail address. If an e-mail address is defined here, it can also be used in Command Control (see Modifying an Account Group and Modifying a User Group) and in the Compliance Auditor (see Section 7.3.1, Adding or Modifying an Audit Report).
Telephone number: Specify the user’s telephone number. If a telephone number is defined here, it can also be used in Command Control (see Modifying an Account Group and Modifying a User Group) and in the Compliance Auditor (see Section 7.3.1, Adding or Modifying an Audit Report).
Click … or select another option.

You can control where the user can access a Framework Manager console from by defining a list of ports and hosts from which access is allowed, or a list of ports and hosts from which access is denied.
If you make no entries for this option, access is allowed from any location.
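The Python example below is added here as an illustration (not the product's own code) of how the port and host entry forms listed in the procedure that follows can be matched against a connecting client, together with the "no entries means allow from anywhere" default. The precedence between deny and allow entries (a matching deny entry wins, and if any allow entries exist the client must match one) is an assumption of the example, as are the sample entries and addresses.

```python
"""Added illustration (not PUM code): evaluating Host Access Control entries.
Port forms: *, port, port-port, service name.
Host forms: *, IP, IP-IP range, partial IP, network/netmask, CIDR, hostname,
*.domain."""
import ipaddress
import socket
from dataclasses import dataclass

@dataclass
class AccessEntry:
    ports: str
    host: str
    allow: bool   # True = allow entry (check box selected), False = deny entry

def port_matches(spec: str, port: int) -> bool:
    spec = spec.strip()
    if spec == "*":
        return True                                  # all ports
    if spec.isdigit():
        return int(spec) == port                     # a single port, such as 80
    lo, sep, hi = spec.partition("-")
    if sep and lo.isdigit() and hi.isdigit():
        return int(lo) <= port <= int(hi)            # a range, such as 20-30
    try:
        return socket.getservbyname(spec.lower()) == port   # svcname, e.g. HTTP
    except OSError:
        return False                                 # unknown service name

def host_matches(spec: str, ip: str, hostname: str = "") -> bool:
    spec = spec.strip()
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True                                  # all hosts
    if spec.startswith("*."):                        # domain, such as *.netiq.com
        return hostname.lower().endswith(spec[1:].lower())
    try:
        if "/" in spec:                              # network/netmask or CIDR
            return addr in ipaddress.ip_network(spec, strict=False)
        if "-" in spec:                              # ip address-ip address
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return lo <= addr <= hi
        return addr == ipaddress.ip_address(spec)    # a full IP address
    except ValueError:
        pass                                         # not an address form
    if spec.replace(".", "").isdigit():              # part of an IP, e.g. 192.168.1
        return ip.startswith(spec.rstrip(".") + ".")
    return spec.lower() == hostname.lower()          # a hostname

def access_allowed(entries, ip: str, port: int, hostname: str = "") -> bool:
    """No entries: access is allowed from any location. Assumed precedence:
    a matching deny entry wins; otherwise, if any allow entries exist,
    the client must match one of them."""
    if not entries:
        return True
    for e in entries:
        if not e.allow and port_matches(e.ports, port) and host_matches(e.host, ip, hostname):
            return False
    allows = [e for e in entries if e.allow]
    if not allows:
        return True
    return any(port_matches(e.ports, port) and host_matches(e.host, ip, hostname)
               for e in allows)
```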
To control where the user can access the Framework Manager console from:

1. Click … on the home page of the console.
2. Select the user account you want to modify, then click ….
3. Click ….
4. (Optional) Define a list of locations from which the user is allowed to access the console, and deny access from all other locations:
   a. If auditing is required, select the … check box and use the drop-down list to select the events you want to be audited.
   b. Select the … check box.
   c. Click the … button below the list.
   d. In the … column, specify the required port number or range of port numbers. The following entries are allowed:
      *                        All ports
      port                     A single port, such as 80
      port-port                A range of ports, such as 20-30
      svcname                  Resolves a service name to its port, such as HTTP
   e. In the … column, specify the required host definition. The following entries are allowed:
      *                        All hosts
      ip address               A full IP address, such as 192.168.1.1
      ip address-ip address    A range of IP addresses, such as 192.168.1.1-192.168.1.12
      part ip address          Part of an IP address, such as 192.168.1
      network/netmask          A network/netmask pair, such as 192.168.1.0/255.255.255.0
      network/nnn CIDR         A network in CIDR notation, such as 192.168.11.0/24
      hostname                 A hostname, such as dellsrv1.netiq.com
      domain                   A domain name, such as *.netiq.com
   f. In the … column, select the check box.
   g. Repeat Step 4.c through Step 4.e for any other required location definitions.
5. (Optional) Define a list of locations from which the user is denied access to the console, and allow access from all other locations:
   a. If auditing is required, select the … check box and use the drop-down list to select the events you want to be audited.
   b. Select the … check box.
   c. Click the … button below the Host Access list.
   d. Specify the desired locations as described in Step 4.d and Step 4.e above.
   e. To make this a deny entry, make sure the check box in the … column is not selected.
   f. Repeat Step 5.c and Step 5.e for any other required location definitions.
6. Click … or select another option.

The … option allows you to map Framework User accounts to UNIX or Linux accounts and to LDAP accounts.

The Privileged User Manager Framework provides the ability to perform a number of functions from the command line. When using the command line, you are required to authenticate to the Framework. For example, the following command returns the status of all agents:
/opt/novell/npum/sbin/unifi -u admin regclnt status -a
The command contains a switch for the username (-u admin). When the command is executed, the user is prompted for a password.
You can use the … option to map a platform system user to a Privileged User Manager account. If you use an additional switch in the command line call, you are no longer required to provide authentication. A user with a native map can enter the following command:
/opt/novell/npum/sbin/unifi -n regclnt status -a
The native map plus the -n switch allows the command to be executed without prompting the user for a name or a password.
To add a native map for a UNIX or Linux user:

1. Click … on the home page of the console.
2. Select the user account you want to modify, then click ….
3. Click ….
4. Click ….
5. In the … column, specify the user’s name for the UNIX or Linux platform.
6. In the … column, select the hostname for the UNIX or Linux platform.
7. Repeat Step 4 through Step 6 for any additional maps you require.
   To edit a native map, select it and make the required changes.
   To remove a native map, select it and click ….
8. Click … or select another option.

Native maps can be used to allow Framework Manager users to obtain their authentication credentials from an LDAP server. This allows the LDAP server to remain the authoritative source for user credentials and active accounts. If you want LDAP mapped users to be able to log in when the LDAP server is not available, see the Cache native passwords option in Section 4.1.1, Configuring Account Settings.

To configure an LDAP mapping:
Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Click ….
In the … column, specify the user’s fully qualified distinguished name. For example:
cn=plou,ou=development,o=novell
In the … column, specify the scheme (ldap or ldaps) and IP address of the LDAP server. Specify a port only if the LDAP server is not using the standard port for the scheme. For example:
ldaps://10.10.16.165
ldaps://10.10.16.166:736
Click … or select another option.

You can assign a Perl script to a user to be run when the user logs on to the Framework Manager console. For example, you could assign a script that causes an e-mail to be sent to a manager when the user logs on.

To assign a logon script to a Framework user:
Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Specify the logon script you require for this user. You can type the script or paste it from another document.
Click … or select another option.

To assign a Framework user to one or more groups:
Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Select the check boxes for the groups you want this user to belong to.
Click … or select another option.

You can also assign a user to a group by using the … option, by dragging the user onto the group, or by dragging the group onto the user. You can remove a user from a group by deselecting the check box for the required group. See Section 4.1.4, Removing a Framework User Group from a User, for other methods.
Two-factor authentication enhances security by ensuring that the identity of the user is valid. When it is enabled, a Framework user has to enter a secondary password to log in to the PUM Administration Console.

To enable two-factor authentication:

Click … on the home page of the console.
Select the user account you want to modify, then click ….
Click ….
Add one of the following scripts, depending on your requirement:
Script to Prompt the Secondary Password in the Hidden Mode
    my $module   = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");

    # RDP Relay checks: no secondary password for RDP Relay logins
    if ($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/)) {
        return 0;
    }

    # Non-admin module checks: only the admin console requires the secondary password
    if ($module && ($module->arg("name") ne "admin")) {
        return 0;
    }

    my $exauth = get_msgs($args);
    if ($exauth) {
        # The user has answered the prompt: verify the secondary password
        my $pwd = $exauth->arg("imsg");
        if ($pwd && $pwd eq "letmein") {
            return 0;    # correct: allow the login
        } else {
            return -1;   # wrong: deny the login
        }
    } else {
        # First pass: prompt for the secondary password (1 = hidden input)
        add_conv($args, "Enter your Secondary Password in the below Text Box and Press on 'Finish' Button", 1);
        return 1;
    }
Script to Prompt the Secondary Password and Display It
    my $module   = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");

    # RDP Relay checks: no secondary password for RDP Relay logins
    if ($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/)) {
        return 0;
    }

    # Non-admin module checks: only the admin console requires the secondary password
    if ($module && ($module->arg("name") ne "admin")) {
        return 0;
    }

    my $exauth = get_msgs($args);
    if ($exauth) {
        # The user has answered the prompt: verify the secondary password
        my $pwd = $exauth->arg("imsg");
        if ($pwd && $pwd eq "letmein") {
            return 0;    # correct: allow the login
        } else {
            return -1;   # wrong: deny the login
        }
    } else {
        # First pass: prompt for the secondary password (0 = input is displayed)
        add_conv($args, "Enter your Secondary Password in the below Text Box and Press on 'Finish' Button", 0);
        return 1;
    }
Show the Configured Message After Primary Login
    my $module   = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");

    # RDP Relay checks: no message for RDP Relay logins
    if ($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/)) {
        return 0;
    }

    # Non-admin module checks: only the admin console shows the message
    if ($module && ($module->arg("name") ne "admin")) {
        return 0;
    }

    my $exauth = get_msgs($args);
    if ($exauth) {
        # The user has acknowledged the message: allow the login
        return 0;
    } else {
        # First pass: show the configured message with an OK button
        add_msg($args, "Message from Administrator : Click on OK to Login");
        return 1;
    }
Combination of all the Previous Scripts
    my $module   = $args->child("Args")->child("Module");
    my $http_req = $args->child("Args")->child("http_req");

    # RDP Relay checks
    if ($http_req && ($http_req->child()->arg("HTTP_REFERER") =~ m/rdprelay/)) {
        return 0;
    }

    # Non-admin module checks
    if ($module && ($module->arg("name") ne "admin")) {
        return 0;
    }

    my @exauth = get_msgs($args);
    if ($#exauth > 0) {
        my $pwd = $exauth[0]->arg("imsg");   # answer to the first prompt
        my $inp = $exauth[2]->arg("imsg");   # answer to the third prompt (index 1 is the OK message)
        # Second password is - letmein
        # Third password is - 123
        if ($pwd && $pwd eq "letmein" && $inp && $inp eq "123") {
            return 0;
        } else {
            # Show the message if either or both of the passwords are wrong
            $eval_rsp->arg('message', "Admin Message : Wrong Password!!!");
            return -1;
        }
    } else {
        # Ask for input as a password (hidden)
        add_conv($args, "Enter your Secondary Password", 1);
        # Show the message with 'OK'
        add_msg($args, "Click on OK");
        # Ask for input as clear text
        add_conv($args, "Enter your Third Password", 0);
        return 1;
    }
Click ….

There are several ways of removing a Framework user group from a Framework user’s account. You can modify the user, modify the group, or use the objects in the navigation pane.

Click … on the home page of the console.
Select the group you want to remove from the user’s account.
In the right pane, select the user.
Click … in the task pane. The user is removed.

To delete a Framework user:

Click … on the home page of the console.
Click … in the navigation pane.
In the left pane, select the user you want to delete.
Click … in the task pane.
Click … to confirm the deletion.