A user represents an individual’s identity. Through the OpenSSO Enterprise Identity Management module, users can be created and deleted in organizations, containers and groups and can be added or removed from roles and/or groups. You can also assign services to the user.
If a user in a sub organization is created with the same user ID as amadmin, the login will fail for amadmin. If this problem occurs, the administrator should change the user’s ID through the Directory Server console. This enables the administrator to login to the default organization. Additionally, the DN to Start User Search in the authentication service can be set to the people container DN to ensure that a unique match is returned during the login process.
Navigate to the organization, container or people container where the user is to be created.
Click the user tab.
Click New from the user list.
Enter data for the following values:
This field takes the name of the user with which he or she will log into OpenSSO Enterprise. This property may be a non-DN value.
This field takes the first name of the user. The First Name value and the Last Name value identify the user in the Currently Logged In field. This is not a required value.
This field takes the last name of the user. The First Name value and the Last Name value identify the user.
This field takes the full name of the user.
This field takes the password for the name specified in the User Id field.
Confirm the password.
This option indicates whether the user is allowed to authenticate through OpenSSO Enterprise. Only active users can authenticate. The default value is Active.
Click OK.
When a user who has not been assigned an administrative role authenticates to OpenSSO Enterprise, the default view is their own User Profile. Additionally, administrators with the proper privileges can edit user profiles. In this view the user can modify the values of the attributes particular to their personal profile. The attributes displayed in the User Profile view can be extended. For more information on adding customized attributes for objects and identities, see the OpenSSO Enterprise Developer's Guide.
Select the user who's profile is to be edited. By default, the General view is displayed.
Edit the following fields:
This field takes the first name of the user.
This field takes the last name of the user.
This field takes the full name of the user.
Click the Edit link to add and confirm the user password.
This field takes the email address of the user.
This field takes the employee number of the user.
This field takes the telephone number of the user.
This field can take the home address of the user.
This option indicates whether the user is allowed to authenticate through OpenSSO Enterprise. Only active users can authenticate through OpenSSO Enterprise. The default value is Active. Either of the following can be selected from the pull-down menu: .
Active: The user can authenticate through OpenSSO Enterprise.
Inactive: The user cannot authenticate through OpenSSO Enterprise, but the user profile remains stored in the directory.
Changing the user status to Inactive only affects authentication through OpenSSO Enterprise. The Directory Server uses the nsAccountLock attribute to determine user account status. User accounts inactivated for OpenSSO Enterprise authentication can still perform tasks that do not require OpenSSO Enterprise. To inactivate a user account in the directory, and not just for OpenSSO Enterprise authentication, set the value of nsAccountLock to true. If delegated administrators at your site will be inactivating users on a regular basis, consider adding the nsAccountLock attribute to the OpenSSO Enterprise User Profile page. See the Sun OpenSSO Enterprise 8.0 Developer’s Guide for details.
If this attribute is present, the authentication service will disallow login if the current date and time has passed the specified Account Expiration Date. The format for this attribute is mm/dd/yyyy hh:mm.
This attribute sets the authentication chain for the user.
The field defines a list of aliases that may be applied to the user. In order to use any aliases configured in this attribute, the LDAP service has to be modified by adding the iplanet-am-user-alias-list attribute to the User Entry Search Attributes field in the LDAP service.
This field specifies the locale for the user.
This attribute specifies the URL that the user will be redirected to upon successful authentication.
This attribute specifies the URL that the user will be redirected to upon unsuccessful authentication.
This is used to select the questions on the forgotten password page, which is used to recover a forgotten password.
Sets the User Discovery service's resource offering for the user.
Defines the user's MSISDN number if using MSISDN authentication.
Click the Users tab.
Click the name of the user you wish to modify.
Select either the Roles or Groups tab.
Select the role or group to which you wish to add the user and click Add.
Click Save.
To remove a user from Roles or groups, Select roles or groups and click Remove and then Save.
OpenSSO Enterprise objects are added to a policy through the policy’s subject definition. When a policy is created or modified, organizations, roles, groups, and users can be defined as the subject in the policy’s Subject page. Once the subject is defined, the policy will be applied to the object. For more information, see Modifying Policies and Referrals.