User Management


Applications Manager permits five different roles to work with the product apart from the default admin role. The different roles are Normal Admin, Delegated Admin, User, Operator and Manager.

Default / Super Admin : The system Super Administrators are allowed to perform all admin activities. The Super Administrator role also has the privilege to configure user management. The Super Admin role is the default admin user and it cannot be deleted or renamed.

  • Normal Admin : Normal Administrators are allowed to perform all default admin activities except the following :
    • Access query tool and DB status from Support under Tools in Settings tab.
    • Shut down the Applications Manager service from within the product.
    • Access Account Policy tab in User Management under Product Settings in Settings tab.
    • Access all Admin permissions in Permissions tab in User Management under Product Settings in Settings tab.
  • Delegated Admin : The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't default administrators. More information on Delegated Admin role and how to enable Delegated Admin Preferences can be viewed here.
  • User : A system user will have read-only access to all components of the product. Users will not have the privilege to access, configure or edit the different components of the product.
  • Operator: The system operators have read-only access to only those components of the product that the default administrator assigns to the operator. The operator role does not have the privilege to access, configure or edit the different components of the product. If an operator is part of a Monitor Group, then the restrictions will be in effect only for the operator and not others.
  • Manager: The Manager has an integrated high-level view of the Business Infrastructure. Service Level Agreements (SLAs) can be created and associated with various business applications and servers. More information on Manager role can be viewed here.

In the Settings page, click User Management under Global Configurations to browse through the following tabs:

Note: User management is not supported for the Applications Manager plugin build over OpManager. At present, there are only two types of roles available for plugin users - Administrator and Read-Only User. The Operator, Delegated Admin and Manager roles are not supported. Applications Manager Plugin users cannot assign monitors to any specific users in the Apps tab. They can view all the default monitors only.

Profiles

Applications Manager provides you with the ability to manage users and roles for your enterprise, with roles assigned to users and different permissions associated to each role. This is achieved by first adding users and associating the users with the roles.

You can also import users from Active Directory or LDAP. This functionality is implemented as a more convenient method to add a large number of users and to ease the user management in Applications Manager. You can import users and perform role configuration for LDAP and Active Directory users and groups in Applications Manager.

Add new users to Applications Manager

The system administrators are allowed to perform all admin activities as explained in Performing Admin Activities. The admin role also has the privilege to configure user management as explained below.

  1. In Settings page, click User Management under Global Configurations. This lists the User Profile(s) that consists of the User name and the role.
  2. To add a new user, click Add new. This opens the 'New User' screen.
  3. Specify a unique user name and provide a password.

    Note: Username field containing any of the following special characters will not be accepted: / \ [ ] : ; | = , * ? < > " ' ` % -- $$

  4. Provide a description and an e-mail for the user.
  5. Assign a role to the user (User/ Operator/ Administrator/ Manager ).
  6. Check the delegated admin checkbox if you wish to assign delegated administration privileges.
  7. You can upload a profile photo for the user in jpg, gif, png or jpeg format (optional). A file size less than 100 KB is preferred.
  8. You can select user groups to give a group of users the same privileges as the new user. (Not applicable to users without Operator, Administrator or Manager roles).
  9. Select the monitor group to which the new user or users must be granted privileges. (Not applicable to users without Operator, Administrator or Manager roles).
  10. If you want to configure the user login during specific time periods, enable the User Account Login based on Business Hours option and select the Business Hour during which the login has to be allowed for the user account. The user account login can be configured such that it is allowed during or outside the selected Business Hours. Use the drop-down menu to select your time window or click on 'Add New Business Hour' to create a new time window.
  11. Click Create User. The new user or user groups will be displayed in the User Profile(s) table displaying the status, description, e-mail address, role and the monitor groups assigned.
Note:
  • The default user access of Applications Manager is admin (Administrator). All users log into Applications Manager as Admin users and are given all the administrative privileges to work with the tool.
  • You can also assign the owners for the Monitor Groups while creating the Monitor Groups or while editing the existing Monitor Groups.

Importing users from domain

You can import users and perform role configuration for LDAP, Active Directory and JumpCloud users and groups in Applications Manager.

Users imported from Active Directory, LDAP, or JumpCloud can log in to Applications Manager using their Active Directory/LDAP/JumpCloud credentials. Since user authentication is done in the Domain Controller, all the account policy regulations of the company/domain are automatically inherited by the Applications Manager credentials as well.

  • In Settings page, click User Management under Global Configurations. This lists the User Profile(s) that consists of the User name and the role.
  • Click the Import Users from domain link under the list of user profiles.
  • Select a domain name from the drop-down list.

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

    • Select the Add New Domain option from the Domain Name drop-down list.
    • Enter the following details:
      • Domain Name: Name of the domain from where the users need to be imported.
      • Domain Controller: The hostname or the IP address of the DNS server for the domain.
      • Domain Port: The port of the DNS server.
      • Authentication Type: The authentication type of the domain user. (LDAP, Active Directory, or JumpCloud)
      • Base DN: JumpCloud Base Distinguished Name (DN) of the user. E.g., for JumpCloud: ou=users,o=<YOUR ORG ID VALUE>,dc=jumpcloud,dc=com
      • Username: Active Directory / OpenLDAP / JumpCloud username of the domain user. The active directory username of the domain user should be provided in DOMAIN\username format. The LDAP user name should be provided in cn=user,dc=domain,dc=name format. The JumpCloud user name should be provided in uid=<LDAP Bind DN Username>,ou=users,o=<YOUR ORG ID VALUE>,dc=jumpcloud,dc=com format.
      • Password : Active Directory / OpenLDAP /JumpCloud password of the domain user.
      • Search Filter: To filter the search results, you can use characters followed by * as well as the role criterion in OpenLDAP search filter format. For users imported from Active Directory / OpenLDAP / JumpCloud, the Enforce strong password rules settings will not be applicable.
    • Click on the Fetch Users button to import users from the domain.
    • When the list of existing users is displayed select the user(s) to be added, assign roles and click on Add Users to add the users.
    • In the new Import Users tab from the pop-up window select the users that you wish to add from the drop-down list.

Note: Username field containing any of the following special characters will not be accepted: / \ [ ] : ; | = , * ? < > " ' ` % -- $$

  • Assign a role - Operator, User, Administrator or Manager - to each of the users.
  • Click on the Add User button to import the user to Applications Manager or click on Add Users And Configure Another to add more users.

You can edit User Profiles from the list of users.  

Delete a user

  • In Settings page, click User Management under Global Configurations.
  • Select the user(s) to be deleted.
  • Click Delete.

User Groups

You can create User Groups in Applications Manager with roles assigned to users or import user groups from Active Directory, LDAP, or JumpCloud.

Add new user groups to Applications Manager

  • In Settings page, click User Management under Global Configurations.
  • Click the User Groups tab. This lists down the User Groups in Applications Manager.
  • To add a new user group, click Add new. This opens the 'New User Group' screen.
  • Specify a User Group name.
  • Choose the users to be added to the group.
  • Select the monitor group to which the new users must be granted privileges.
  • Click Create User Group. The new user groups will be displayed in the User Groups table.

Importing user groups from domain

Users in the groups imported from Active Directory, LDAP, or JumpCloud can log in to Applications Manager using their Active Directory/LDAP/JumpCloud credentials. Since user authentication is done in the Domain Controller, all the account policy regulations of the company/domain are automatically inherited by the Applications Manager credentials as well.

  • In Settings page, click User Management under Global Configurations.
  • Click the User Groups tab.
  • Click the Import User Groups from domain link under the list of user profiles.
  • Select a domain name from the drop-down list.

The users in groups imported from Active Directory/LDAP/JumpCloud will be associated automatically with that particular user group during login.

For Active Directory users, the admin can import their group and use the 'Create a new user account if the user logs in with domain authentication' option in the Permissions tab.

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

  • Select the Add New Domain option from the Domain Name drop-down list.
  • Enter the following details:
    • Domain Name: Name of the domain from where the users need to be imported.
    • Domain Controller: The hostname or the IP address of the DNS server for the domain.
    • Domain Port: The port of the DNS server.
    • Authentication Type: The authentication type of the domain user. (LDAP, Active Directory, or JumpCloud)
    • Base DN: JumpCloud Base Distinguished Name (DN) of the user. E.g., for JumpCloud: ou=users,o=<YOUR ORG ID VALUE>,dc=jumpcloud,dc=com
    • Username: Active Directory / OpenLDAP / JumpCloud username of the domain user. The active directory username of the domain user should be provided in DOMAIN\username format. The LDAP user name should be provided in cn=user,dc=domain,dc=name format. The JumpCloud user name should be provided in uid=<LDAP Bind DN Username>,ou=users,o=<YOUR ORG ID VALUE>,dc=jumpcloud,dc=com format.
    • Password : Active Directory / OpenLDAP /JumpCloud password of the domain user.
    • Search Filter: To filter the search results, you can use characters followed by * as well as the role criterion in LDAP search filter format. These search filters use one of the following formats: <filter>=(<attribute><operator><value>) or (<operator><filter1><filter2>). For example: "(&(objectCategory=person)(objectClass=user)(!cn=andy))" - All user objects but "andy".
  • Click on the Fetch User Groups button to import user groups from the active directory, LDAP, or JumpCloud.
  • When the list of existing users is displayed select the user(s) to be added, assign roles and click on Add User Groups to add the users.
  • You can also edit User Profiles from the list of users.
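
The two Search Filter formats described above can be generated rather than typed by hand. The following is an added example, not code from Applications Manager: it builds filters in those formats and escapes values per RFC 4515, so a name containing `*`, `(` or `)` cannot widen or restructure the filter. All function names are hypothetical, and negation is emitted in the strict RFC 4515 form `(!(cn=andy))`.

```python
import re

# RFC 4515 escapes for characters that are structural inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTRIBUTE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_OPERATORS = ("=", ">=", "<=", "~=")


def escape_value(value):
    """Escape a literal value so it cannot add wildcards or close a clause."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def item(attribute, value, operator="=", prefix=False):
    """Build (<attribute><operator><value>); prefix=True appends a trailing *."""
    if not _ATTRIBUTE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    if operator not in _OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if prefix and operator != "=":
        raise ValueError("a trailing * is only valid with '='")
    return f"({attribute}{operator}{escape_value(value)}{'*' if prefix else ''})"


def all_of(*filters):
    """Build (&<filter1><filter2>...): every clause must match."""
    return "(&" + "".join(filters) + ")"


def any_of(*filters):
    """Build (|<filter1><filter2>...): at least one clause must match."""
    return "(|" + "".join(filters) + ")"


def none_of(single):
    """Build (!<filter>): the clause must not match."""
    return "(!" + single + ")"


def is_balanced(ldap_filter):
    """Cheap pre-check for a hand-typed filter: parentheses open and close in order."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    # Constructed inputs: the page's "all user objects but andy" filter,
    # then a name carrying filter metacharacters.
    print(all_of(item("objectCategory", "person"),
                 item("objectClass", "user"),
                 none_of(item("cn", "andy"))))
    print(item("cn", "andy)(objectClass=*"))
    print(item("cn", "adm", prefix=True))
```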

Delete a user group

  • In Settings page, click User Management under Global Configurations.
  • Click the User Groups tab.
  • Select the user groups to be deleted.
  • Click Delete.

Domains

You can import multiple users from other domains like Active Directory, OpenLDAP, and JumpCloud to Applications Manager. Configure the following details:

  • Domain Name : The fully qualified name of the domain from which the users are to be imported. Aliases are not supported.
  • Domain Controller : The hostname or the IP address of the DNS server for the domain.
  • Domain Port : The port of the DNS server.
  • Directory Service : OpenLDAP, Active Directory or JumpCloud.
  • SSL is enabled : Checks if SSL is enabled in the domain.

    Note: This option enables LDAPS and secures your LDAP server connection between client and server application to encrypt the communication.

  • Save Domain User Password : Saves encrypted domain user password in Applications Manager database and uses it for authentication when domain is unreachable.
  • User Permissions : The permission level for this domain.
    • Read Only - All users logged in through this domain will have read-only access.
    • Full Control - Users logged in will behave according to their roles specified.
  • After entering all the necessary details, click Add Domain.

Associating Users and User Groups to Multiple Domains:

You can associate users and user groups to multiple domains:

  • Click on Import Users from Active Directory / OpenLDAP / JumpCloud or Import User Groups from Active Directory / OpenLDAP / JumpCloud and import users/user groups from the directory.
  • Go to Profiles or User Groups and click on a user or group. The domain to which the user or group belongs will be displayed in the Domain Name field.
  • To add another domain, click in Domain Name text box and a drop-down list with other domains will be listed.
  • Choose the domain you wish to add.
  • Click Update User/User Group.

If the 'Create a new user account if the user logs in with domain authentication' checkbox in the Permissions tab is checked, users are created automatically based on their role in the user group.

Permissions

Operator Permissions:

Using the Permissions options, you can allow Operators to manage / unmanage monitors, reset the status of monitors, edit display names, execute actions, start/stop/restart services, update IP Addresses, use Command Shell and clear Alarms.

The operator role can also be granted permission to configure the Downtime Schedule and view Downtime Schedules. If you've chosen the option "Allow operator to configure Downtime Schedule", you will only see the Downtime Schedules configured by this user and you can schedule new downtimes to Monitors and Monitor Groups associated to you. If you'd like the user to view all the Downtime Schedules, make sure you also choose the option "Allow operator to view all Downtime Schedules". The Downtime Scheduler option will be available as a link in the Bulk Configuration view under the Monitor tab, since the Settings tab is not available for Operators.

You can also allow the "Jump to link" option to be displayed for operators (Jump to link refers to accessing Add-On Products (like OpManager, Service Desk) and Managed Servers). In addition, you can allow the user to view Managed servers by enabling the 'Allow operator to view Managed servers' option for the Enterprise Edition Admin server.

Admin Permissions:

You can allow admin to use Command Shell and to stop/start/restart Windows services. You can give permission to an administrator to Enable Delegated Admin Preferences. The admin can also be granted permission to create a new user account if the user logs in with domain authentication. The new user account will be created only when the user group to which the user belongs is already imported from the same domain.

IBM i Permissions:

IBM i Permissions allow you to permit Operators to execute IBM i Admin activities like controlling Message and Logging, Network Attributes, Date and Time, System Control, Library List, Storage, Allocation, Security, Jobs, Spool, Subsystem and using Non-Interactive Commands. By default, Applications Manager allows admin user(s) to execute IBM i operations but the option can be disabled.

Views

This is for the Operator role only. Using the View option, you can define how to represent your subgroups in the web client. You can either show the associated subgroups directly in the home tab itself or from the corresponding top-level Monitor Group.

Account Policy

You can configure Account Policies in Applications Manager to enhance web client security. Following is the list of options that are available under the Account Policy tab:

  • Enforce account lockout: Allows you to enforce account lockout in case of configured number of continuous failed logins and account lock timeout (in minutes) where the user account is locked due to incorrect credentials. By default, this option is enabled.
  • Enforce single user session: Allows you to enforce single-user sessions to user accounts by restricting concurrent sessions by a single-user account. Choose the login mode from either of the following options:
    • Restrict latest login: Restricts the later login requests if the user has already logged in.
    • Allow only latest login: Upon a successful login request, it allows the successful login alone and logs out of all the existing sessions.
  • Enforce strong password rules for users: Allows you to enforce strong password rules for the enhanced security of users. By default, the following are the password rules that are implemented in Applications Manager:
    • Password cannot be the same/part of your login name.
    • Password length should not be less than 8 characters.
    • Password length should not be greater than 255 characters.
    • Password should contain at least 1 numeric character.
    • Password should contain at least 1 special character.
    • Password should contain both uppercase and lowercase characters.
    • Password should not be same as your last 4 password(s). (Applicable only when the option Enforce strong password rules for users is enabled)
  • Enforce password change for users during first login: Allows you to enforce password change for users that are logging in for the first time and for users that update the password manually under Settings → User Management → Profiles. By default, this option is enabled.
  • Enforce password expiry for user accounts: Allows you to enforce password expiry by specifying the number of days after which the password is to be expired for the user accounts. By default, this option is enabled. You can choose to avoid enforcing password expiry by disabling this option for the user accounts.
  • Restrict user management operations for administrator accounts: Allows you to restrict user management operations (such as create, update or delete) to user profiles, user groups, and domains for all administrator accounts.
  • Enable business hour preferences for user accounts: Allows you to enable business hours preferences for the user accounts to login. By default, this option is enabled.
  • Enable Reset Password option for user accounts: Allows you to enable the Reset Password option for user accounts in the login page. By default, this option is enabled.
  • Minimum password length: Allows you to configure the minimum password length required for creating a user profile and logging into Applications Manager console. By default, minimum password length is 8 characters and should not exceed 255 characters.
    Note: Upon configuring the minimum password length, all newly created user profiles as well as existing user profiles performing a password update will be required to set passwords that meet the configured minimum length requirement.
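
When user profiles are prepared in bulk before being entered in the New User screen, the username restriction from the Profiles section and the default strong password rules listed above can be checked in advance. The following is an added example, not Applications Manager code. Its assumptions: `--` and `$$` are rejected as two-character sequences, comparisons with the login name ignore case, a special character is anything that is not a letter or digit, and the password history is a hypothetical list of salted PBKDF2 records.

```python
import hashlib
import hmac
import os

# Characters and sequences the page says the Username field rejects.
# Treating "--" and "$$" as two-character sequences is an interpretation.
REJECTED_IN_USERNAME = ["/", "\\", "[", "]", ":", ";", "|", "=", ",", "*", "?",
                        "<", ">", '"', "'", "`", "%", "--", "$$"]
MAX_LENGTH = 255      # upper bound stated in the password rules
HISTORY_DEPTH = 4     # "last 4 password(s)"


def username_problems(username):
    """Return the rejected tokens found in a proposed username."""
    return [tok for tok in REJECTED_IN_USERNAME if tok in username]


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(password):
    """Hypothetical history record: (salt, digest), never the clear text."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def password_problems(username, password, min_length=8, history=()):
    """Return rule codes the password violates; history is oldest first."""
    problems = []
    # "Password cannot be the same/part of your login name" (case-insensitive
    # here, which is stricter than the page states).
    if password.lower() in username.lower():
        problems.append("login-name")
    if len(password) < min_length:
        problems.append("too-short")
    if len(password) > MAX_LENGTH:
        problems.append("too-long")
    if not any(ch.isdigit() for ch in password):
        problems.append("no-digit")
    if not any(not ch.isalnum() for ch in password):
        problems.append("no-special")
    if not (any(ch.isupper() for ch in password)
            and any(ch.islower() for ch in password)):
        problems.append("mixed-case")
    recent = list(history)[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(_digest(password, salt), digest)
           for salt, digest in recent):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample profiles.
    for name, pw in [("jane.doe", "Str0ng!Passw0rd"), ("ops--team;1", "jane")]:
        print(name, username_problems(name), password_problems(name, pw))
```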

Configuring Active Directory / LDAP with the configuration file

You can import users and perform role configuration for LDAP users and groups in Applications Manager. Users and groups are fetched into Applications Manager from different domains, based on the entry in the authentication.conf file found in the following location. For LDAP configuration, you can edit the ldapConfiguration.conf file found under <Applications Manager Home>/conf directory.

LDAP Configuration

ldap.group.commonNameAttribute=cn
ldap.group.primaryAttribute=cn
ldap.group.displayNameAttribute=cn
ldap.group.objectCategory=group
ldap.group.objectClass=posixGroup;groupOfNames
ldap.group.memberAttribute=member;memberUid
ldap.group.memberofAttribute=
ldap.group.groupTokenAttribute=gidNumber

ldap.user.commonNameAttribute=cn
ldap.user.primaryAttribute=uid
ldap.user.displayNameAttribute=cn
ldap.user.objectCategory=person
ldap.user.objectClass=person;posixAccount
ldap.user.memberofAttribute=
ldap.user.emailAttribute=mail
ldap.user.groupidAttribute=gidNumber

Active Directory Configuration

ad.group.commonNameAttribute=cn
ad.group.primaryAttribute=sAMAccountName
ad.group.displayNameAttribute=cn
ad.group.objectCategory=group
ad.group.objectClass=group
ad.group.memberAttribute=member
ad.group.memberofAttribute=memberOf
ad.group.groupTokenAttribute=primaryGroupToken

ad.user.commonNameAttribute=cn
ad.user.primaryAttribute=sAMAccountName
ad.user.displayNameAttribute=displayname
ad.user.objectCategory=person
ad.user.objectClass=
ad.user.memberofAttribute=memberOf
ad.user.emailAttribute=mail
ad.user.groupidAttribute=primaryGroupID

Note: If you have made changes to LdapConfiguration.conf and later want to restore the initial configuration, simply rename the file (for example, rename it to LdapConfiguration_old.conf) or move the file to a different location and restart Applications Manager.

Delegated Admin Preferences

The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't administrators. By delegating administration, you can assign a range of administrative tasks to the appropriate users and let operators take more control of their local network resources.

Enabling Delegated Admin Preferences:

  • In the Settings page, click User Management under Applications Manager Server Settings.
  • Navigate to the Permissions tab.
  • In the Admin Permissions table, check the Enable Delegated Admin Preferences. Once this checkbox is checked, when an administrator adds a new user to Applications Manager, he is asked to specify by a checkbox if he wishes to add the new user as a Delegated Admin.
  • You can also enable the following actions from the Admin Permissions table:
    • Allow Delegated Admin to view/use thresholds and anomaly profiles created by administrators (non-delegated administrators) and other delegated administrators in the same user group.
    • Allow Delegated Admin to view/use all actions created by administrators (non-delegated administrators) and other delegated administrators in the same user group.

Delegated Administrator Privileges

The following table lists the User Privileges of the Delegated Admin role in various scenarios:

| Scenario | Delegated Administrator User Privileges |
|---|---|
| Credential Manager | Permission to create profiles and to edit and delete profiles which he has created. |
| Action | Permission to create new actions and to edit and delete actions which he has created. Additionally he can also view the actions associated to the monitors for which he has ownership. |
| New Monitor and Monitor Group | Permission to create new monitors and monitor groups, and to edit and delete new monitors and monitor groups for which he has ownership. |
| Threshold and Anomaly Profiles | Permission to create new profiles and to edit and delete profiles which he has created. Additionally he can also view the profiles associated to the monitors for which he has ownership. |
| Schedule Report | Permission to create reports and to edit and delete reports which he has created. |
| Downtime Scheduler | Permission to schedule the time period for which monitoring is not required. |
| Alarm Escalation | Permission to escalate an alarm and configure rules for alarm escalation. |
| Configure Alarms | Permission to configure alarms by monitor groups for which he has ownership. |
| Process and Service Template | Permission to add and apply new process template to monitor groups and selected monitors alone. |
| Event Log Rules | Permission to configure Event Log Rules applicable only to monitor groups and selected monitors. |
| Dashboards / Widgets | Permission to create dashboards and view default dashboards in Read-Only mode. |
| Performance Polling, Global Trap, SNMP Trap Listener, User Management, Data Retention, Managed Server Administration, SLA, World Map View, Product License, Action Alarm Settings | Not supported for Delegated Admin Role |