Through the N1 Grid Service Provisioning System, you can create user accounts and define user groups. Because an individual user's permissions are determined by the permissions granted to his or her group, you must consider how you plan to set up accounts and groups.
This chapter covers the following topics.
All permissions are tied to user groups. By adding or removing a user from a user group, you directly impact the tasks that the user can perform. For more information about permissions, see Chapter 3, Controlling Access Using Permissions.
When setting up user groups and user accounts, you must also consider how you plan to set up your folders. Folder-based permissions establish permissions on the objects contained within a folder: components, plans, and subfolders. System-wide permissions establish permissions on objects not contained in folders, for example, hosts, comparisons, and users. You can set system-wide permissions in each user group's Details page. You can also set permissions at the folder level.
You should first set up user groups based on the roles you expect users to take. Then you create new user accounts and decide to which user groups they should be added.
When setting up user accounts, consider the following items.
The type of functions that each user will be performing
The security level that is required between users
A user group is a user-definable object that is used to categorize users and define permissions. By carefully planning out the names for user groups and which permissions to grant each group, you can easily manage individual user permissions by making them part of one or more groups.
User Group Characteristics
User groups can include one or more individual users.
User groups can also include one or more user groups.
A user group can be a superset of all the user groups included in its member list.
Nested user groups inherit the permissions of the containing user groups.
Since permissions can only be added, the top-level user group should be the least permissive. Nested user groups represent more permissive user groups.
System-wide permissions are set in a user group's Details page.
Folder-specific permissions are set in the folder's Details page.
For more information about the different types of user group permissions, see Chapter 3, Controlling Access Using Permissions.
The provisioning system provides three default user groups after installation: admin, registered, and universal. Default user groups cannot be deleted and cannot have their names changed.
The provisioning system provides the admin user group after installation to allow initial system configuration. This user group is designed for administrators of the provisioning system.
Members of the admin user group have all permissions on all objects in the provisioning system and can modify an object whether or not they own it.
Members of the admin user group perform many functions.
setting up hosts
adding new user accounts and user groups
setting permissions of user groups
creating folders for user groups
importing plug-ins
The admin user group comes with one default user, the admin user. However, if you have more than one administrator of the provisioning system, you can add other users to the admin user group.
Since the admin user group has complete control over all aspects of the provisioning system, be careful when assigning users to this group.
For more information about the admin user, see Default User Account.
For more information about creating new users, see How to Create User Accounts.
The registered user group consists of all users that have been created in the provisioning system.
registered User Group Characteristics
Every user is a member of the registered user group, and members cannot be removed.
Read permissions for all objects are granted to the user group.
Read permissions cannot be revoked.
New permissions can be assigned to the user group.
The effect of granting a permission to the registered group is to allow all users in the system to perform the associated action.
Although all users are assigned to the registered user group, this user group will not display in a user's user group list.
The universal user group includes all users. By default, no permissions are granted to this group. However, new permissions can be granted, which has the effect of allowing anyone to perform the associated operation. The registered group may not be removed as a child of this group.
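The rules above (a member inherits from its own group and from every group that contains it, permissions are only added, and registered and universal apply to everyone) can be checked with a small model that computes a user's effective permissions. This is an added example, not code from the provisioning system; the permission labels, the groups staff and account-admins, and the users alice and bob are constructed for illustration.

```python
from collections import defaultdict

class GroupModel:
    """Added illustration of the group rules on this page; not product code."""
    def __init__(self):
        self.perms = defaultdict(set)      # group -> permissions granted directly
        self.users = defaultdict(set)      # group -> users that are direct members
        self.subgroups = defaultdict(set)  # group -> groups that are direct members
        self.perms["admin"].add("all")             # constructed permission labels
        self.perms["registered"].add("read:all")   # read on all objects
        self.subgroups["universal"].add("registered")  # registered is a child of universal
        self.add_user("admin", "admin")            # the default admin account

    def add_user(self, user, *groups):
        for g in ("registered",) + groups:         # every user is in registered
            self.users[g].add(user)

    def groups_of(self, user):
        """Groups the user is in directly, plus every group containing those."""
        found = {g for g, members in self.users.items() if user in members}
        stack = list(found)
        while stack:
            child = stack.pop()
            for parent, kids in list(self.subgroups.items()):
                if child in kids and parent not in found:  # visit each group once
                    found.add(parent)
                    stack.append(parent)
        return found

    def effective_permissions(self, user):
        # Permissions are only ever added, so the result is a plain union.
        return set().union(*(self.perms[g] for g in self.groups_of(user)))

    def current_group_members(self, group):
        """Flattened member list; a user appears once however it is reached."""
        seen, stack, out = set(), [group], set()
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                out |= self.users[g]
                stack.extend(self.subgroups[g])
        return sorted(out)

    def who_has(self, perm):
        """Audit helper: users whose effective permissions include perm."""
        return sorted(u for u in set(self.users["registered"])
                      if {perm, "all"} & self.effective_permissions(u))

def build_demo():
    m = GroupModel()
    m.perms["staff"].add("comparisons:run")              # containing group: least permissive
    m.perms["account-admins"].add("users-groups:write")  # nested group: more permissive
    m.subgroups["staff"].add("account-admins")
    m.add_user("bob", "staff")
    m.add_user("alice", "account-admins", "staff")       # reachable by two paths
    return m

if __name__ == "__main__":
    print(build_demo().who_has("users-groups:write"))
```

Running who_has against an export of your real groups shows every account that can create or edit users and groups, including accounts that hold the permission only through a containing group.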
This procedure describes how to create user groups by using the browser interface. You can also create user groups by using the following command.
udb.g.add – Creates a new user group.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
Before you create user groups, you should determine how you want to organize your users. For information about how to set up user groups, see Planning User Groups and User Accounts.
To create a user group, you must belong to a user group that has write permissions on users and groups.
Go to the User Groups page.
In the top row of the table that lists user groups, type a name and a description for the new user group and click Create.
The Details page for the new user group is displayed.
Add a user or user group to the group.
Newly created user groups do not contain any members.
To add a user, select the user account from the User menu in the Members of Group area and click Add.
Users added to the user group inherit the permissions given to this user group and all user groups that contain this user group.
To add a user group, select the user group from the User Group menu in the Members of Group area and click Add.
The Details page updates to show the added user or members of the added user group in the Current Group Members field.
The Current Group Members field lists a user only once, even if that user belongs to two or more groups that you have added to the group.
In the Permissions of Group Users area of the page, set system-wide permissions for the new user group.
Permissions set in this user group are inherited by members of the user group. These members include individual users as well as other, nested user groups.
If you give the user group comparison permissions, select the host set on which the users in the group can run comparisons.
For more information, see System-Wide Permissions.
When you have finished configuring the group, click Save.
The User Groups page lists the new user group.
You can view the users and the permissions of a particular user group.
This procedure describes how to view user groups by using the browser interface. You can also view user groups by using the following commands.
udb.g.la – Displays all user groups.
udb.g.lo – Displays detailed information about a particular user group.
udb.g.lp – Displays system-wide permissions granted to a user group.
udb.g.lu – Displays members of a user group.
For a detailed description of these commands, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
From the navigation menu, choose User Setup.
The User Setup page is displayed.
In the User Setup page, click User Groups.
This displays the User Groups page, which lists the user groups already defined.
(Optional) To view a list of users within a group or the permissions held by a user group, find the row that lists the group that you want to view and click Details.
Editing user groups allows you to perform the following tasks after you have created a user group.
Add a user to the user group
Add another user group to the user group
Remove a user or user group from the user group
Change system-wide permissions of the user group
This procedure describes how to edit user groups by using the browser interface. You can also edit user groups by using the following command.
udb.g.mod – Edits a user group.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
To edit a user group, you must belong to a user group that has write permissions on users and groups.
Go to the Details page of the user group that you plan to edit.
(Optional) Add a user or user group to the group.
Newly created user groups do not contain any members.
To add a user, select the user account from the User menu in the Members of Group area and click Add.
Users added to the user group inherit the permissions given to this user group and all user groups that contain this user group.
To add a user group, select the user group from the User Group menu in the Members of Group area and click Add.
The Details page updates to show the added user or members of the added user group in the Current Group Members field.
The Current Group Members field lists a user only once, even if that user belongs to two or more groups that you have added to the group.
(Optional) In the Permissions of Group Users area of the page, set system-wide permissions for the user group.
Permissions set in this user group are inherited by members of the user group. These members include individual users as well as other, nested user groups.
If you give the user group comparison permissions, select the host set on which the users in the group can run comparisons.
For more information, see System-Wide Permissions.
(Optional) In the Permissions of Group Users area of the page, select the host set on which users can run comparisons.
When you complete your modifications, click Save.
When a user group is deleted, the user group is removed from all user groups to which it belonged. Users and user groups that belonged to the deleted group continue to exist, but they no longer belong to the user group, and therefore, no longer have the permissions granted by the deleted user group.
If a folder granted the user group certain permissions, those permissions are also deleted when the user group is deleted.
The browser interface provides two options for deleting user groups. You can delete multiple user groups at once from the User Groups page or one at a time from the user group's Details page. This procedure provides instructions on how to delete several user groups at a time.
You can also delete user groups by using the following command.
udb.g.del – Deletes a user group.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
To delete a user group, the following requirements must be met.
You must belong to a user group that has write permissions on users and groups.
The user group must not be the default admin, registered, or universal user groups.
The user group must not own any folders.
If the user group owns a folder, change the folder's owner user group. Then delete the user group.
Go to the User Groups page.
Select the user groups that you plan to delete.
At the bottom of the User Groups table, click Delete.
A verification page lists the user groups that you selected.
Click Continue to Delete.
After the user groups have been deleted, the User Groups page updates and the user groups that you deleted no longer appear.
The N1 Grid Service Provisioning System software restricts access and provides audit trails through the use of user accounts and the plan run history. All users are required to log in to use the application. The Master Server includes a single default account, admin. All other accounts are user definable.
The provisioning system's default user account provides initial access to the product and is intended for system administrators. The user name for this account is admin and the default password is defined during product installation.
After you have logged in as admin, you can set up other user accounts and user groups.
The admin user is a member of the admin user group. The admin user cannot be removed from the admin user group. For more information on the role of the admin user, see admin User Group.
This section describes how to view and create user accounts. You can also modify user accounts and passwords after an account is created.
You will need to create new user accounts when users need to access the system.
Any user added to the provisioning system has read permissions on all objects within the system. If you are storing sensitive information in the system, ensure that you only add users that should have access to that sensitive information.
You can also create user accounts by using the following command.
udb.u.add – Adds a user account.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
To create a user account, you must belong to a user group that has write permissions on users and groups.
If you plan to add a user who will be externally authenticated, ensure the following criteria are met.
The user exists in the external system before the user attempts to log in to the provisioning system.
The user name begins with a letter, does not contain spaces, and does not exceed 32 characters.
Go to the Users page.
In the top row of the table that lists user accounts, type a name for the new user account and click Create.
The Details page for the new user account is displayed.
Select an authentication method from the menu.
If the authentication method that you select has an asterisk, *, you will need to enter a password for the user account in the New Password and Confirm New Password fields.
To add new login configurations to the provisioning system, see Appendix A, Authentication Methods.
Use the controls in the Member of User Groups area to add this user account to one or more user groups.
In the provisioning system, permissions are based on user groups rather than on individual user accounts. By adding this user account to a group, you determine the privileges it is assigned. For more information, see Folder-Specific Permissions.
For more information about adding a user to a user group, see How to Edit User Groups.
(Optional) To hide this user account, select Hidden.
Click Save.
You might want to view user accounts in the following situations.
You need to audit user accounts to ensure that users who are no longer authorized to access the provisioning system are removed.
You need to ensure that users belong to the correct groups and have the correct set of permissions.
You need to ensure that you have permissions to perform your job without any obstacles.
This procedure describes how to view user accounts by using the browser interface. You can also view user accounts by using the following commands.
udb.u.la – Displays all user accounts.
udb.u.lo – Displays detailed information about a particular user account.
udb.u.lp – Displays system-wide permissions granted to a particular user account.
For a detailed description of these commands, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
From the navigation menu, choose User Setup.
The User Setup page is displayed.
In the User Setup page, click Users.
The Users page lists user accounts that are active and not hidden.
(Optional) To view hidden or deactivated users, select Show Hidden Users.
The browser interface displays all users. Hidden or deactivated user accounts appear in different colors.
(Optional) To view the details of a particular user, find the row describing the user and click Details.
The Details page for the selected user is displayed.
When you deactivate a user account, the user is no longer allowed to access the provisioning system. Since the provisioning system tracks system activity by user account, you are not able to remove user accounts from the provisioning system.
You can hide a user account as a way to manage the number of users that display in the Users page.
This procedure describes how to deactivate or hide user accounts by using the browser interface. You can also deactivate or hide user accounts by using the following command.
udb.u.mod – Edits a user account.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
To deactivate a user account, you must belong to a user group that has write permissions on users and groups.
Go to the Details page of the user account that you plan to edit.
In the table that lists users, find the row describing the user you plan to deactivate, and click Details.
The user's Details page is displayed.
To hide or deactivate this user account, select Hidden or Deactivate.
If you select Deactivate, the user account will automatically be hidden.
Click Save.
This procedure describes how to change a user's group membership by using the browser interface. You can also change group membership by using the following command.
udb.u.mod – Edits a user account.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
To edit a user account, you must belong to a user group that has write permissions on users and groups.
Go to the Details page of the user account that you plan to edit.
In the table that lists users, find the row describing the user account you plan to modify, and click Details.
The user's Details page is displayed.
To change membership in any group, use the controls in the Member of User Groups area to add this user account to or remove it from one or more user groups.
Click Save.
If you need to change your password, you can do so from the Log In page as long as you are using internal authentication for your password. If you are using external authentication, change your password through that application.
When you use this procedure to change your password, all of your encrypted session variables are re-encrypted using your new password.
In the navigation menu on the Log In page, click Change Password.
If you are already logged in, click Log Out in the top right corner to navigate to the Log In page.
Type your user name in the User Name field.
Type your current password in the Current Password field.
Type the new password you would like to use in the New Password field.
Confirm that you have typed the new password correctly by typing it in the Confirm New Password field.
Click the Change Password button.
You can change anyone's password under the following conditions.
The password is internally validated.
You have permission to edit and create users.
If you don't have user and group permissions, see How to Change Your Password From the Log In Page.
This procedure describes how to change a user's password by using the browser interface. You can also change passwords by using the following command.
udb.u.cp – Changes the password of a specific user.
For a detailed description of this command, see udb.g: Managing User Groups in N1 Grid Service Provisioning System 5.0 Command-Line Interface Reference Manual.
When you change the password on a user account and the user account has session variables encrypted by the user account's old password, the user is prompted to clear or restore the session variables the next time the user logs in.
To change the password of someone else's user account, you must belong to a user group that has write permissions on users and groups.
Go to the Details page of the user account.
Type the new password in the New Password field.
Confirm the new password by typing it in the Confirm New Password field.
Click Save.
This procedure describes how to change a user's authentication method by using the browser interface. You can also change authentication methods by using the following command.
udb.u.mod – Changes the user's authentication method.
When you change a user's authentication method and the user account has session variables encrypted by the user account's old password, the user is prompted to clear or restore the session variables the next time the user logs in.
Before you can change the authentication method of a user account, the new authentication method must be configured with the provisioning system. See Appendix A, Authentication Methods.
To change a user's authentication method, you must belong to a user group that has write permissions on users and groups.
You cannot change the authentication method of the admin user. The admin user must always be set to internal authentication.