This section provides detail on the standard user management module used in Pleasant products. This module is used to manage users, roles, policies and directories.

User Accounts

User accounts can be tied to directories (Active Directory/LDAP) or can be simply local accounts. Accounts that are tied to Active Directory/LDAP always authenticate against the Active Directory/LDAP server, so the password is always in sync.

Integrating with Active Directory/LDAP

For instructions on setting up Active Directory/LDAP, see the Quick Active Directory and OpenLDAP Usage Guide (the guide applies to products other than Password Server as well, with the difference that the Users & Roles menu is typically called the Admin menu in these products).

Managing Users

Users can be managed through the Admin > Manage Users page (Users & Roles > Manage Users for Password Server) by users with administrative permissions. The paragraphs below describe various functions that can be accessed through the Manage Users page.

Enabling/Disabling Users:

  • A user account can be enabled or disabled by selecting the Enable User or Disable User option in the Actions dropdown list (the change will then be reflected in the Status column). A user who is disabled cannot log into the system, and the message The account is currently disabled is displayed if they try to do so. Exception: if an AD Guest account is enabled (not recommended), user authentication will be allowed if a securely encrypted connection can be established.

Setting Passwords:

  • The administrator can set a user's password without knowing the user's old password through the Set Password action in the Actions dropdown. A password set here does not have to meet the password requirements of the user's policy.

  • The administrator can also set a user's roles (Set Roles), delete a user (Delete User), or force a user to change their password upon the next login (Expire User Password) in the same dropdown.

Adding Users: 

  • Users can be added using the actions above the users grid. The Add New User action adds a user whose information is specified and stored in the application's database.

Import Users from an Active Directory / LDAP Server:

  • This action leads to the Manage Directories page, where the Import Users action in the Actions dropdown retrieves user information from a remote directory and then allows the administrator to choose which users to import into the application.

Updating User From Directory:

  • Directory users' information can be updated later on using the Update User from Directory action in the Actions dropdown on the Manage Users page. However, if all users in a directory need their information updated, it is faster to use the Update Users action in the Actions dropdown on the Manage Directories page.

Viewing/Editing User Details: 

  • Also on the Manage Users page, a user's personal information, such as their display name, email address and phone number, can be viewed by clicking on their username and can be edited by clicking on the edit link beside the username. The edit link also allows setting the user's policy. Policies are described in detail in the Policy Administration section.

Lockouts:

  • Finally, if lockouts are enabled (note: they are not enabled in the default policy, but this can be changed in the Manage Policy section), then the administrator can unlock a locked out user through the Unlock User action in the Actions dropdown on the Manage Users page. A user who remains locked out cannot log into the system, and the message The account has been temporarily locked due to repeated login failures is displayed if they try to do so.

Roles

An application will typically have a fixed set of permissions. Roles are groups of permissions, and a user who is assigned a role will gain all of its associated permissions. A role R1 can have another role R2 as a sub-role, in which case R1 gains all of the permissions associated with R2 along with the permissions it directly possesses.
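
The sub-role rule above means a user's real permissions are not visible from the roles assigned to them alone. The following is an added example, not code from Pleasant products: it resolves effective permissions through nested sub-roles and reports which users hold a given permission and through which assigned role. All role names, permission strings and users are constructed, and the tolerance for a sub-role cycle is a defensive assumption rather than documented product behaviour.

```python
# Constructed sample data: role names and permission strings are hypothetical,
# not taken from any Pleasant product.
ROLE_PERMISSIONS = {
    "Administrators": {"users.manage", "policies.manage"},
    "Helpdesk": {"users.unlock", "users.set_password"},
    "Auditors": {"logs.view"},
    "Support Leads": {"roles.view"},
}
SUB_ROLES = {
    "Administrators": ["Helpdesk", "Auditors"],
    "Support Leads": ["Helpdesk"],
    "Helpdesk": ["Auditors"],
    "Auditors": ["Helpdesk"],  # accidental cycle; the walk must still terminate
}
USER_ROLES = {
    "alice": ["Administrators"],
    "bob": ["Support Leads"],
    "carol": ["Auditors"],
}


def effective_permissions(role):
    """Permissions a role holds directly plus those gained via sub-roles."""
    seen, stack, perms = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded; this also breaks cycles
        seen.add(current)
        perms |= ROLE_PERMISSIONS.get(current, set())
        stack.extend(SUB_ROLES.get(current, []))
    return perms


def users_with_permission(permission):
    """Map each user holding `permission` to the assigned roles that grant it."""
    result = {}
    for user, roles in USER_ROLES.items():
        granting = sorted(r for r in roles if permission in effective_permissions(r))
        if granting:
            result[user] = granting
    return result


if __name__ == "__main__":
    for user, roles in sorted(users_with_permission("users.set_password").items()):
        print(f"{user}: users.set_password via {', '.join(roles)}")
```

In the sample data, carol is assigned only the Auditors role yet ends up with the password-setting permission through a sub-role, which is the kind of indirect grant a periodic review of roles should surface.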

Managing Roles

Roles can be managed through the Admin > Manage Roles page (Users & Roles > Manage Roles for Password Server) by users who have administrative permissions. The paragraphs below describe various functions that can be accessed through the Manage Roles page.

Adding Roles:

  • A new role can be added by clicking the Add New Role button and specifying a name for the new role.

Importing Roles:

  • Roles can also be imported from a remote directory using the Import Roles from an Active Directory / LDAP Server action, which leads to the Manage Directories page, from which the Import Roles action in the Actions dropdown allows the administrator to choose which roles to import into the application.

Managing Roles:

  • Roles can be renamed, deleted, assigned sub-roles and assigned permissions using the Rename Role, Delete Role, Set Sub-Roles and Set Permissions actions, respectively, in the Actions dropdown.
  • The list of users in a role can be viewed through the Users link beside the role name.
  • Roles can be assigned to users through the Manage Users page, as described in the User Accounts section.

Policy Administration

The policy administration section, which can be accessed through the Admin > Manage Policies page (Users & Roles > Manage Policies for Password Server) by users who have administrative permissions, consists of two parts: global settings and policies.

Global Settings:

  • Global settings are those settings that apply to the application as a whole. They can be viewed on the Manage Policies page in the Global Settings section, and can be edited using the Edit link beside the section heading. Each setting is documented on the view/edit page itself.

Individual Policies are groups of non-global setting values, and can be applied per-user or per-role.

Managing Policies:

  • Policies can be created using the New Policy button in the Policy section on the Manage Policies page.
  • Policies can be assigned to roles in the Role Policies section on the same page, or can be assigned to users from the Edit link on the Manage Users page as described in the User Accounts section.
