Managing users
Management Station provides several features to implement security. All users must log in to Management Station and create a password that satisfies security requirements. Passwords expire after a certain amount of time.
In addition, users with administrator privileges can set up (or remove) authorized users, view and modify user information, log users out at any time, reset users who are locked out of the Management Station, and grant privileges to control access to various Management Station functions.
A typical use case would be to allow users to view reports, but deny them all other privileges. By restricting the other privileges, you can make sure that no one inadvertently does something unintended, like shutting down services, reconfiguring managed hosts, or accessing sensitive log information.
Users who can access Management Station:
- Administrators, who have all privileges and implement security features.
- Non-administrators, whose privileges are determined by the administrator. These users can view their privileges but not change them. They can, however, change basic information such as their password, phone number, and so on. See Managing user settings for details.
Note: Non-administrators can have the privilege to add new users and their privileges. The role is called Create and Manage Non-Admin Users. They cannot grant this role to other users, and they cannot change the privileges of others who already have the role.
To access the administrator functions:
- Click the Administration tab.
- Click Users. Information about the current user appears.
- Click User Management from the left frame. (This function is available only if you have administrator privileges.) Basic information about existing authorized users appears.
Note: The default Administrator user is the super user and has all administrator privileges. This user cannot be removed from the list of users, nor can other administrators log the super user out, change his or her user information, or modify any privileges.
The following tasks are available to administrators. Some features are available to non-administrators who have the privilege to create and manage other users.
Create new users and grant privileges
To create authorized users and grant privileges:
- Click Add New User in the right corner.
- Enter the username and password, then confirm the password. (This is a temporary password since new users must change their password when logging in for the first time.) For security purposes, the username must not contain the following characters:

| Character | Name |
|---|---|
| ' | Single quote |
| " | Double quote |
| \ | Backslash |
| ; | Semi-colon |
| , | Comma |

- Click Next.
The User Information page for the new user appears for you to enter other details like first and last name, email and phone number, and so on.
- Click Submit.
The privileges page for that user appears (not all privileges are shown).
By default, the user is granted all privileges, except administrator privileges.
- Set privileges:
- If the user is to be a non-administrator, then uncheck privileges as desired. The Unmark All button lets you do this quickly.
- If this user is to be an administrator, then check the first option, Administrator Privileges. An administrator is always granted all privileges. You cannot restrict access to any Management Station functions.
- Click Submit.
The User Management page reappears with the new user added to the list. The user information is written to the Management Station database. The password is stored as a secure hash of the real password.
Change a user’s settings
As an administrator, you can do several things from the User Management page:
- Click Edit to modify a user’s information.
- Click Privileges to view and modify user privileges.
- Click Log Out to log that user out. The user is redirected to the user login screen upon the next action he or she makes in the Management Station.
- Click Remove to remove that user from the list of authorized users. The user is logged out and is unable to log back in again.
- Click the user’s name to send him or her an email (maybe you’re going to log him out and want to let him know). The name will be inactive if no email address was provided when setting up this user.
Click Submit when done making changes.
Note: Once you have created a new user, only that user can change the password.
Reset the Management Station lockout (and a user’s password)
The Management Station locks users out after five unsuccessful login attempts and generates a major alarm. The lockout can be reset in one of two ways:
The Management Station keeps the count of unsuccessful attempts for 24 hours. If the user has not made another unsuccessful attempt within 24 hours, the count is reset to zero and the next attempted login starts at one.
For example:
| Timestamp | Successful login | Count |
|---|---|---|
| 8/16/2012 8:00 | No | 1 |
| 8/16/2012 10:30 | No | 2 |
| 8/16/2012 13:00 | No | 3 |
| 8/16/2012 14:00 | No | 4 |
| 8/17/2012 15:00 | No | 1 |
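The counting rule above, replayed over the table's timestamps. This is an added example, not Management Station code; the class and function names are hypothetical, and it assumes the 24 hours are measured from the previous unsuccessful attempt.

```python
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5               # from the page: five unsuccessful attempts
COUNT_WINDOW = timedelta(hours=24)  # from the page: the count is kept for 24 hours


class FailedLoginCounter:
    """Tracks one user's unsuccessful logins as the text describes them."""

    def __init__(self):
        self.count = 0
        self.last_failure = None
        self.locked = False

    def record_failure(self, when):
        # Assumption: the window runs from the previous failure, and a gap of
        # exactly 24 hours already counts as expired.
        if self.last_failure is not None and when - self.last_failure >= COUNT_WINDOW:
            self.count = 0
        self.count += 1
        self.last_failure = when
        if self.count >= LOCKOUT_THRESHOLD:
            # The product also raises a major alarm at this point. This sketch
            # never clears the lock; clearing it is an administrative action.
            self.locked = True
        return self.count


def replay(timestamps):
    """Feed failure timestamps in order; return the running counts and lock state."""
    counter = FailedLoginCounter()
    counts = [
        counter.record_failure(datetime.strptime(ts, "%m/%d/%Y %H:%M"))
        for ts in timestamps
    ]
    return counts, counter.locked


# Timestamps taken from the table above.
TABLE = ["8/16/2012 8:00", "8/16/2012 10:30", "8/16/2012 13:00",
         "8/16/2012 14:00", "8/17/2012 15:00"]
# Constructed sample: five failures inside one 24-hour window.
BURST = ["8/16/2012 8:00", "8/16/2012 8:05", "8/16/2012 8:10",
         "8/16/2012 8:15", "8/16/2012 8:20"]

if __name__ == "__main__":
    print(replay(TABLE))
    print(replay(BURST))
```
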
Reset the session-expiration timeout
The Management Station automatically logs users out after one hour of inactivity. To change this session-expiration timeout, set userInactivityLogoutMinutes in $MSTATION_HOME/mserver/webapps/mserver/config/mserver_cfg.properties.
For example, to change the timeout to two hours, specify:
userInactivityLogoutMinutes=120
Restart the Management Station for the change to take effect.
Reset the inactivity timeout
The Management Station automatically locks user accounts if there is no activity for a configurable number of days. To change this timeout, set LockAccountAfterXDaysOfInactivity in $MSTATION_HOME/mserver/webapps/mserver/config/mserver_cfg.properties.
For example, to change the timeout to 60 days, specify:
LockAccountAfterXDaysOfInactivity=60
Restart the Management Station for the change to take effect.
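A way to check both timeout settings against a site policy before restarting. This is an added example, not part of the product; the policy ceilings, function names and sample file content are assumptions, and only plain key=value lines are parsed.

```python
# Constructed sample of mserver_cfg.properties using the two example values above.
SAMPLE = """\
# session and account inactivity settings
userInactivityLogoutMinutes=120
LockAccountAfterXDaysOfInactivity=60
"""

# Assumed policy ceilings for illustration; substitute your organisation's values.
POLICY_MAX = {
    "userInactivityLogoutMinutes": 60,
    "LockAccountAfterXDaysOfInactivity": 90,
}


def parse_properties(text):
    """Parse simple key=value lines; a later duplicate overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text, policy=POLICY_MAX):
    """Return (key, problem) pairs for settings that are missing, malformed or too lax."""
    props = parse_properties(text)
    findings = []
    for key, limit in policy.items():
        value = props.get(key)
        if value is None:
            findings.append((key, "not set in file"))
        elif not value.isdecimal():
            findings.append((key, f"not a whole number: {value!r}"))
        elif int(value) > limit:
            findings.append((key, f"{value} exceeds policy maximum {limit}"))
    return findings


if __name__ == "__main__":
    # To audit a live install, read the file under $MSTATION_HOME instead of SAMPLE.
    for key, problem in audit(SAMPLE):
        print(f"{key}: {problem}")
```
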
Modify user preferences
The User Preferences page lets you change how often the Management Station refreshes the network tree view. You can change the default settings or turn off the refresh rate completely.
To display this page, click the Administration tab→Miscellaneous. The User Preferences page appears.
The Network Tree Refresh Rate specifies how often the Management Station updates the operational status of configured hosts and services in the network tree. The default is 10 seconds.