24 Administer Management Console Users and User Groups

This section discusses how to:

24.1 Configure the Management Console for User Setup

This section describes:

You must use the jde_admin user ID and password to sign into the Management Console initially. This non-JD Edwards EnterpriseOne user ID and password are configured during the Server Manager installation. The jde_admin user has the authority to perform all functions within the Management Console and is responsible for adding and setting up the initial Management Console users from JD Edwards EnterpriseOne, as well as assigning permissions to those users.

You can import users from JD Edwards EnterpriseOne using the Management Console Setup and Configuration Wizard, or you can add them as needed using the Management Console. JD Edwards EnterpriseOne users are authenticated using the security server services of an EnterpriseOne Enterprise Server. The Enterprise Server name and port used by the Management Console must be properly configured.

Note:

JD Edwards EnterpriseOne users cannot access the Management Console with their JD Edwards EnterpriseOne user IDs and passwords until they have been added as Management Console users.

See Complete the Management Console Setup Wizard for information about using the Management Console Setup Wizard to add JD Edwards EnterpriseOne users to the Management Console.

24.1.1 Specify the JD Edwards EnterpriseOne Server Used for User Authentication

In addition to user authentication, you must define the name and port number of the security server to enable the use of site keys for the encryption of sensitive data stored in EnterpriseOne configuration (ini) files. If site keys are set up in the Security Server jde.ini file, when sensitive data such as a password is entered in a server configuration setting in Server Manager, Server Manager accesses the site keys to encrypt the data. The Server Manager agent will return the site key to the Server Manager Console even if the Security Server is not running. See "Encrypting Sensitive Data in EnterpriseOne" in the JD Edwards EnterpriseOne Tools Security Administration Guide for more information on how to generate site keys.

Important:

All servers managed by an instance of Server Manager must use the same site key. For example, to have a production environment with servers that use one site key and a test environment with servers that use a different site key, you would need to install two separate Management Consoles, one for all servers in the production environment and one for all servers in the test environment.

The configured Security Server must be a managed instance in the Server Management Console. Previously, the Security Server could have been managed by a different Server Manager Console.

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

    This image is described in surrounding text.
  2. In the Server Manager User Authentication pane, in the Server Name field, enter the name of the Enterprise Server to use for security services. The server must be running and listening on the same JDENET port that this instance is configured to use for outgoing connections.

  3. In the Outgoing JDENET Port field, enter the TCP port to use for outgoing JDENET communications with a JD Edwards EnterpriseOne Enterprise Server. This value must match the JDENET Incoming Port (ServiceNameListen) defined for the Enterprise Server(s) with which this web server will communicate.

  4. Click the Save button.

    Note:

    It may be necessary to restart the management console application for the new settings to take effect.

24.1.2 Change the jde_admin User Password

The jde_admin user password is the only password that you can change in the Management Console. All other Management Console users use their JD Edwards EnterpriseOne user ID and password to sign in to the Management Console and these passwords are changed in JD Edwards EnterpriseOne.

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

    This image is described in surrounding text.
  2. In the jde_admin Password section in the left pane, complete the Old Password, New Password, and Verify New Password fields to change the jde_admin password.

    Note:

    If you lose the jde_admin password, there is no way to recover it. You will have to reinstall the Management Console.

24.2 Manage Management Console Users

All users that you add to the Management Console are displayed in a grid in the interface. The Management Console displays the name of the user along with the user groups that are assigned to the user. You can sort each column alphabetically by clicking a column heading. All changes made to Management Console users and user groups take effect immediately.

This section describes:

24.2.1 Add a User

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

    This image is described in surrounding text.
  2. On Server Manager Users, in the Management Console Users pane, enter the name of the JD Edwards EnterpriseOne user in the EnterpriseOne User Name field.

  3. Click Add User.

    The Management Console adds the user to its user repository. The added user will not belong to any user groups.

24.2.2 Remove a User

  1. On Server Manager Users, in the Management Console Users pane, select the check box next to the user that you want to delete.

  2. Click the Delete button.

24.3 Manage User Groups

This section describes:

The Management Console employs user groups to manage permissions and group together users who perform similar tasks. Permissions are assigned to user groups, not individual users. A user may belong to zero or more user groups and will be authorized to perform the actions that are granted to each user group to which the user belongs.

See Assign Server Manager Permissions for a list of all the permissions that you can assign to user groups in Server Manager.

The Management Console displays each user group that you add in a grid. You can sort alphabetically on each column of the grid by clicking the column heading. The Management Console displays this information for each user group:

  • User Group Name

  • User Group Description

  • Users Belonging to User Group

  • Granted Permissions

The Management Console is delivered with the following predefined groups:

  • console_user

    Any user who successfully authenticates and possesses this role may utilize the management console. If users do not belong to this user group, they cannot access any of the management console pages. You must have this permission to sign into the Management Console.

  • console_admin

    This role is equivalent to having all permissions granted to a user. Users who belong to this user group automatically assume the rights of the console_user user group; it is not necessary to assign them to the console_user user group. The jde_admin user is always a member of the console_admin user group.

    Note:

    The user groups that are delivered with Server Manager cannot be altered or deleted.

24.3.1 Create a User Group

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

    This image is described in surrounding text.
  2. In the User Groups pane, click the Create User Group button.

  3. Complete the User Group Name and Description fields and then click the Add User Group button.

The Management Console adds the new user group and displays the details about the user group in the grid.

24.3.2 Delete a User Group

Note:

You cannot delete a user group if one or more users belong to that group.
  1. In the User Groups pane, select the check box of the row that contains the user group that you want to delete.

  2. Click the Delete User Group button.

24.3.3 Assign Users to a User Group

  1. On the Server Manager Users page, scroll down to the Management Console Users pane and select the check box next to the user that you want to add to a user group.

  2. Click the Grant or Revoke User Groups button.

  3. In the User Group Name drop-down menu, select the user group to which you want to assign the user and then click the Grant User Group button.

24.3.4 Remove Users from a User Group

  1. On the Server Manager Users page, select the check box next to the user that you want to remove from the user group.

  2. Click the Grant or Revoke User Groups button.

24.4 Assign Server Manager Permissions

This section provides an overview of Server Manager permissions and discusses how to:

24.4.1 Understand Server Manager Permissions

Server Manager contains two types of permissions that you can assign to user groups global permissions and server group permissions. Both types of permissions are only assigned to user groups, not individual users. Server Manager follows Oracles secure by default security model. Management Console users cannot perform any functions unless they are authorized and have been assigned the appropriate permission to do so.

Global permissions allow users to perform administrative tasks in the Management Console that do not pertain to a particular server group, such as updating the Management Console software, distributing software components to managed homes, and granting other JD Edwards EnterpriseOne users access to the Management Console.

Server group permissions allow users to perform certain tasks on a particular server group. When you assign a server group permission, the permission applies to all servers that belong to the server group.

See Administer Server Groups for information about setting up and managing server groups.

24.4.2 Assign Global Permissions

Global permissions include:

  • Application Server Management appServerConfig

    This permission is required to perform management tasks on an application server (Oracle WebLogic or IBM WebSphere). A user who has this permission may register new application server instances, create new J2EE servers within the application server, start and stop application server components, and modify the configuration of the application server components. Users without this permission may see the application servers within the management console but may not perform any actions directly on those servers.

  • Manage Software Components managedComponents

    This permission allows users to manage software components within Server Manager. With this permission, users can add software components to the Management Console User Repository, distribute or copy those components to managed homes, and delete software components both from the managed homes and from the management consoles.

  • Monitor Configuration monitorConfig

    This permission allows users to manage the monitoring components of Server Manager. With this permission, users can create, delete, and start or stop configured monitors. Any user allowed to use Server Manager may view the contents of a running monitor; however, this permission is required to make any changes to the configuration of an existing monitor. In addition, users with this permission may remove any monitor reports from the monitor history.

  • Console Configuration and Administration consoleConfig

    This permission allows users to manage the configuration of Server Manager. With this permission, users can update the Server Manager release, update deployed managed home agents, remove managed homes, configure the TCP/IP ports used by Server Manager, and download managed home agent installers. This permission is not required to manage the Management Console user repository; that permission is granted by the userManagement permission.

  • Server Manager User Management userManagement

    This permission allows users to administer the Server Manager user management repository. With this permission, users can add additional JD Edwards EnterpriseOne users as Management Console users and assign permissions.

  • Web Product User Session Management

    This permission allows users to manage web product user sessions. It allows users to terminate OWVirtual sessions, terminate user sessions including any running OWVirtual sessions, broadcast messages to OWVirtual clients, and temporarily disable logins to a web product.

To assign global permissions to a user group:

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

  2. In the User Groups pane, click the link of the user group to which you want to add permissions. For example, if you chose Global Permissions you would have these available options:

    This image is described in surrounding text.
  3. On Modify a User Group, in the Global Permissions pane, select a permission from the Available Options box.

  4. Click the Move link (single right arrow) to move the permission to the Selected Options box.

    You can also grant the user group all global permissions by clicking the Move All link (double right arrow).

To remove global permissions from a user group:

  1. In the User Groups pane, click the link of the user group to which you want to remove permissions.

  2. In the Global Permissions pane, select the permission that you want to remove from the Select Options box.

  3. Click the Remove link (single left arrow).

    You can also remove all permissions in the Selected Options box by clicking the Remove All link (double left arrow).

24.4.3 Assign Server Group Permissions

Server group permissions include:

  • Permit Clearing JDBj Caches clearCache

    This permission allows users to clear the JDBj caches that are maintained with the JD Edwards EnterpriseOne web products.

  • Enterprise Server Instance Management - enterpriseServerInstance

    This permission allows users to create new Enterprise Servers, remove existing Enterprise Servers, configure Enterprise Servers, and start or stop Enterprise Servers. This permission also allows users to change the JD Edwards EnterpriseOne Tools release of a corresponding server. This permission is required to manage a JD Edwards EnterpriseOne Enterprise Server.

  • View Group Members viewGroupMembers

    This permission allows users to view the JD Edwards EnterpriseOne servers that are members of a server group. Without this permission, users cannot view the server group members in the Management Console. You must explicitly grant this permission to each desired server group; no other permission implies or inherits this permission.

  • Web Product Instance Management webProductInstance

    This permission allows users to create new web product instances, remove existing web product instances, configure web products, register/de-register application servers, configure application servers, and start or stop application servers and web products. This permission also allows users to change the JD Edwards EnterpriseOne Tools release of a corresponding server. This permission is required to allow users to manage JD Edwards EnterpriseOne web products including HTML servers, Transaction Servers, Business Service servers, and the corresponding application servers (Oracle WebLogic and IBM WebSphere).

  • Web Product User Session Management webSessions

    This permission allows users to manage web product user sessions. With this permission, users can terminate OWVirtual sessions and user sessions (including any running OWVirtual sessions), broadcast messages to OWVirtual clients, and temporarily disable anyone from signing onto a web product.

To assign server group permissions to a user group:

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

  2. In the User Groups pane, select the user group to which you want to assign server group permissions.

    The Management Console displays a separate pane for each server group in the Management Console. Each pane displays the permissions for that particular server group.

    This image is described in surrounding text.
  3. On Modify A User Group, scroll to the server group to which you want to add server group permissions for the user group.

  4. Select the permission from the Available Options box and then click the Move link (single right arrow) to move the permission to the Selected Options box.

    You can also grant the user group all server group permissions by selecting the Move All link (double right arrow).

To remove server group permissions from a user group:

  1. In the User Groups pane, select the user group to which you want to remove server group permissions.

  2. On Modify A User Group, scroll to the server group to which you want to remove server group permissions from the user group.

  3. On Modify A User Group, in the Server Group pane, select the permission from the Selected Options box and then click the Remove link (single left arrow) to remove the permission.

    You can also remove all server group permissions from the user group by selecting the Remove All link (double left arrow).

24.5 Run the User Access Report

The User Access Report generates a list of all the Management Console users and lists the following information for each user:

  • The user groups that a user is a member of

  • Global permissions assigned to each user group of which a user is a member

  • Server group permissions assigned to each user group of which a user is a member

Use this report to verify that you have added users to the appropriate user groups and that you have applied the appropriate permissions to each user group.

You must have the userManagement global permission to be able to view the report.

To run the User Access Report:

  1. In the Quick Links section of the Management Console, click the Server Manager Users link.

  2. In the User Management Tasks section, click the User Access Report link.

    This image is described in surrounding text.