This section provides detail on the standard user management module used in Pleasant products. This module is used to manage users, roles, policies and directories.
User accounts can be tied to directories (Active Directory/LDAP) or can be simply local accounts. Accounts that are tied to Active Directory/LDAP always authenticate against the Active Directory/LDAP server, so the password is always in sync.
Integrating with Active Directory/LDAP
For instructions on setting up Active Directory/LDAP, see the Quick Active Directory and OpenLDAP Usage Guide (the guide applies to products other than Password Server as well, with the difference that the Users & Roles menu is typically called the Admin menu in these products).
Users can be managed through the Admin > Manage Users page (Users & Roles > Manage Users for Password Server) by users with administrative permissions. The paragraphs below describe various functions that can be accessed through the Manage Users page.
Enable / Disable Users:
A user account can be enabled or disabled by selecting the Enable User or Disable User option in the Actions drop-down list (the change is then reflected in the Status column).
A user who is disabled cannot log into the system, and the message The account is currently disabled is displayed if they try to do so. Exception: if an AD Guest account is enabled (not recommended), user authentication will be allowed if a securely encrypted connection can be established.
- Force Re-Authentication: to force users to log in again, disable the user(s) and then re-enable them. The next time the user makes a request they will be asked to log in again, after which they are returned to the page or section where they were working.
The administrator can set a user's password without knowing the user's old password through the Set Password action in the Actions drop-down. A password set here is not required to satisfy the user's policy, so when the password is meant as a temporary one it is good practice to also apply Expire User Password so that the user replaces it at their next login.
The administrator can also set a user's roles (Set Roles), delete a user (Delete User), force a user to change their password upon the next login (Expire User Password) in the same drop-down.
Users can be added using the actions above the users grid. The Add New User action adds a user whose information is specified and stored in the application's database.
Import Users from an Active Directory / LDAP Server:
Leads to the Manage Directories page, from which the Import Users action in the Actions drop-down retrieves user information from a remote directory and then allows the administrator to choose which users to import into the application.
Update User From Directory:
Directory users' information can be updated later on using the Update User from Directory action in the Actions drop-down on the Manage Users page. However, if all users in a directory need their information updated, it is faster to use the Update Users action in the Actions drop-down on the Manage Directories page.
View / Edit User Details:
Also on the Manage Users page, a user's personal information, such as their display name, email address and phone number, can be viewed by clicking on their username and can be edited by clicking on the edit link beside the username. The edit link also allows setting the user's policy. Policies are described in detail in the Policy Administration section.
If lockouts are enabled and a user has been locked out, an administrator can unlock them with the Unlock User action in the Actions drop-down on the Manage Users page. User lockouts are not enabled in the default policy, but can be enabled on the Manage Policies page.
A user who remains locked out cannot log into the system. If they attempt to do so they are given a generic login error message, so that the lockout state is not disclosed to whoever is attempting the login.
An application will typically have a fixed set of permissions. Roles are groups of permissions, and a user who is assigned a role gains all of its associated permissions. A role R1 can have another role R2 as a sub-role, in which case R1 gains all of the permissions associated with R2 (including any that R2 in turn gains from its own sub-roles) along with the permissions it directly possesses.
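The following is an added illustration of how effective permissions are resolved through sub-roles; it is not code from Pleasant products, and the role and permission names are constructed sample data. It goes slightly beyond the single R1/R2 case above: it walks the sub-role relation to any depth, combines the roles of a user who holds several roles, and (assumption: the product may or may not prevent this) terminates if two roles list each other as sub-roles.

```python
"""Effective-permission resolution for roles with sub-roles.

Added illustrative example, not code from Pleasant products.
The role and permission names are constructed sample data.
"""
from collections import deque

# Constructed sample data: role -> permissions assigned directly to it
ROLE_PERMISSIONS = {
    "R1": {"ViewUsers"},
    "R2": {"ManageRoles", "ManagePolicies"},
    "R3": {"ManageDirectories"},
    "Helpdesk": {"UnlockUser"},
}

# Constructed sample data: role -> its sub-roles (R1 -> R2 -> R3)
SUB_ROLES = {
    "R1": {"R2"},
    "R2": {"R3"},
    "R3": set(),
    "Helpdesk": set(),
}


def effective_permissions(role, role_permissions, sub_roles):
    """Return the union of a role's direct permissions and those of every
    sub-role reachable from it, to any depth.

    Breadth-first traversal with a visited set: a sub-role cycle (assumed
    possible here, since the text does not say whether the UI prevents it)
    terminates instead of recursing forever, and each role is visited once.
    """
    seen = set()
    queue = deque([role])
    perms = set()
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        perms |= role_permissions.get(current, set())
        queue.extend(sub_roles.get(current, set()))
    return perms


def user_permissions(user_roles, role_permissions, sub_roles):
    """A user assigned several roles gains the union of their effective permissions."""
    perms = set()
    for role in user_roles:
        perms |= effective_permissions(role, role_permissions, sub_roles)
    return perms


def has_permission(user_roles, permission, role_permissions, sub_roles):
    """Authorization check for one permission against a user's roles."""
    return permission in user_permissions(user_roles, role_permissions, sub_roles)


def roles_granting(permission, role_permissions, sub_roles):
    """Audit helper: every role that confers a permission, directly or via sub-roles.

    Answers "which roles let someone ManageDirectories?" before a role is handed out;
    a role that looks harmless in Set Permissions may still inherit a powerful one.
    """
    return sorted(
        role for role in role_permissions
        if permission in effective_permissions(role, role_permissions, sub_roles)
    )


if __name__ == "__main__":
    print("R1 effective:", sorted(effective_permissions("R1", ROLE_PERMISSIONS, SUB_ROLES)))
    print("Roles granting ManageDirectories:",
          roles_granting("ManageDirectories", ROLE_PERMISSIONS, SUB_ROLES))
```

The audit helper is the part worth keeping around: when reviewing the Manage Roles page, check what a role inherits through Set Sub-Roles, not only what Set Permissions shows for it directly.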
Roles can be managed through the Admin > Manage Roles page (Users & Roles > Manage Roles for Password Server) by users who have administrative permissions. The paragraphs below describe various functions that can be accessed through the Manage Roles page.
A new role can be added by clicking the Add New Role button and specifying a name for the new role.
Roles can also be imported from a remote directory using the Import Roles from an Active Directory / LDAP Server action, which leads to the Manage Directories page, from which the Import Roles action in the Actions drop-down allows the administrator to choose which roles to import into the application.
- Roles can be renamed, deleted, assigned sub-roles and assigned permissions using the Rename Role, Delete Role, Set Sub-Roles and Set Permissions actions, respectively, in the Actions drop-down.
- The list of users in a role can be viewed through the Users link beside the role name.
Roles can be assigned to users through the Manage Users page, as described in the User Accounts section.
The policy administration section, which can be accessed through the Admin > Manage Policies page (Users & Roles > Manage Policies for Password Server) by users who have administrative permissions, consists of two parts: global settings and policies.
Global settings are those settings that apply to the application as a whole. They can be viewed on the Manage Policies page in the Global Settings section, and can be edited using the Edit link beside the section heading. Each setting is documented on the view/edit page itself.
Policies are groups of non-global setting values, and can be applied per user or per role.
- Policies can be created using the New Policy button in the Policies section on the Manage Policies page.
Policies can be assigned to roles in the Role Policies section on the same page, or can be assigned to users from the Edit link on the Manage Users page as described in the User Accounts section.