ManageEngine® Applications Manager


User Administration

<< Prev

Home

Next >>

User Administration

 

Applications Manager permits four types of user access to work with the product. The different roles are User, Operator, Administrator and Manager.

User : A system user will have read-only access to all components of the product. Users will not have the privilege to access, configure or edit the different components of the product.

 

Operator: The system operators have read-only access to only those components of the product that the administrator assigns to the operator. The operator role does not have the privilege to access, configure or edit the different components of the product. If an operator is part of a Monitor Group, then the restrictions will be in effect only for the operator and not others.

 

Administrator: The system administrators are allowed to perform all admin activities. The administrator role also have the privilege to configure user administration.

Delegated Admin: The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't administrators. More information on Delegated Admin role and how to enable Delegated Admin Preferences can be viewed here.

Manager: The Manager has an integrated high-level view of the Business Infrastructure. Service Level Agreements (SLAs) can be created and associated with various business applications and servers. More information on Manager role can be viewed here.

In the Admin page, click User Administration under Global Configurations to browse through the following tabs:


 

Profiles

Applications Manager provides you with the ability to manage users and roles for your enterprise, with roles assigned to users and different permissions associated to each role. This is achieved by first adding users and associating the users with the roles.

 

You can also import users from Active Directory or LDAP. This functionality is implemented as a more convenient method to add a large number of users and to ease the user administration in Applications Manager. You can import users and perform role configuration for LDAP and Active Directory users and groups in Applications Manager.

 

Add new users to Applications Manager

 

The system administrators are allowed to perform all admin activities as explained in Performing Admin Activities. The admin role also has the privilege to configure user administration as explained below.

Note

The default user access of Applications Manager is admin (Administrator). All users log into Applications Manager as Admin users and are given all the administrative privileges to work with the tool.

You can also assign the owners for the Monitor Groups while creating the Monitor Groups or while editing the existing Monitor Groups

 

Importing users from active directory or LDAP

You can import users and perform role configuration for LDAP and Active Directory users and groups in Applications Manager.

 

Users imported from the Active Directory or LDAP can login into Applications Manager using their Active Directory/LDAP credentials. Since user authentication is done in the Domain Controller all the account policy regulations of the company/domain is automatically inherited to Applications Manager credentials also.

 

 

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

You can edit User Profiles from the list of users.  

 

Delete a user


 

User Groups

You can create User Groups in Applications Manager with roles assigned to users or import user groups from Active Directory or LDAP.

Add new user groups to Applications Manager

 

Importing user groups from active directory or LDAP

 

Users in the groups imported from the Active Directory or LDAP can login into Applications Manager using their Active Directory/LDAP credentials. Since user authentication is done in the Domain Controller all the account policy regulations of the company/domain is automatically inherited to Applications Manager credentials also.

 

The users in groups imported from Active Directory\LDAP will be associated automatically to that particular usergroup during login.

 

For Active Directory Users, the admin can import their group and use this feature in permissions tab (Create a new user account if the user logs in with domain authentication.)

 

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

Delete a user group


Domains

You can import multiple users from other domains like Active Directory and OpenLDAP to Applications Manager. Configure the following details:

Associating Users and User Groups to Multiple Domains:

You can associate users and user groups to multiple domains:

If the 'Create a new user account if the user logs in with domain authentication' checkbox in the Permissions tab is checked, users are created automatically based on their role in the user group.


 

Permissions:

 

Operator Permissions:

Using the Permissions options, you can allow Operators to manage / unmanage monitors, reset the status of monitors, edit display names, execute actions, start/stop/restart services, update IP Addresses, use Command Shell and clear Alarms.

 

The operator role can also be granted permission to configure the Downtime Schedule and view Downtime Schedules. If you've chosen the option "Allow operator to configure Downtime Schedule", you will only see the Downtime Schedules configured by this user and you can schedule new downtimes to Monitors and Monitor Groups associated to you. If you'd like the user to view all the Downtime Schedules then please make sure you also choose the option "Allow operator to view all Downtime Schedules". The Downtime Scheduler option will be available as link in the Bulk Configuration view under the Monitor tab since the Admin tab is not available for the Operators.

 

You can also allow the "Jump to link" option to be displayed for operators (Jump to link refers to access Add-On Products(like OpManager,OpStor,Service Desk) and Managed Servers)

 

 

Admin Permissions:

You can allow admin to use Command Shell and to stop/start/restart Windows services. You can give permission to an administrator to Enable Delegated Admin Preferences. The admin can also be granted permission to create a new user account if the user logs in with domain authentication.

 

 

AS400 Permissions:

AS400 Permissions allow you to permit Operators to execute AS400 Admin activities like controlling Message and Logging, Network Attributes, Date and Time, System Control, Library List, Storage, Allocation, Security, Jobs, Spool, Subsystem and using Non-Interactive Commands. By default, Applications Manager allows admin user(s) to execute AS400/iSeries operations but the option can be disabled.

 

 


 

Views:

This is for Operator only. Using View option, you can define how to represent your subgroup in the webclient.You can either show the associated subgroups directly in the home tab itself or from the corresponding top level Monitor Group.


Account Policy:

To enhance Web Client security, Account Policies can be configured. You can define the number of continuous failed login attempts to lock user account and Idle session timeout. You can enforce single user session and strong password rules.

Strong password rules:

 


 

Configuring Active Directory / LDAP with the configuration file

 

You can import users and perform role configuration for LDAP users and groups in Applications Manager. Users and groups are fetched into Applications Manager from different domains, based on the entry in the authentication.conf file found in the following location. For LDAP configuration, you can edit the ldapauthentication.conf file found in the location: ManageEngine/AppManager11/conf.

 

Ldap Configuration

ldap.group.commonNameAttribute=cn
ldap.group.primaryAttribute=cn
ldap.group.displayNameAttribute=cn
ldap.group.objectCategory=group
ldap.group.objectClass=posixGroup;groupOfNames
ldap.group.memberAttribute=member;memberUid
ldap.group.memberofAttribute=
ldap.group.groupTokenAttribute=gidNumber

ldap.user.commonNameAttribute=cn
ldap.user.primaryAttribute=uid
ldap.user.displayNameAttribute=cn
ldap.user.objectCategory=person
ldap.user.objectClass=person;posixAccount
ldap.user.memberofAttribute=
ldap.user.groupidAttribute=gidNumber

Active Directory Configuration

ad.group.commonNameAttribute=cn
ad.group.primaryAttribute=sAMAccountName
ad.group.displayNameAttribute=cn
ad.group.objectCategory=group
ad.group.objectClass=group
ad.group.memberAttribute=member
ad.group.memberofAttribute=memberOf
ad.group.groupTokenAttribute=primaryGroupToken


ad.user.commonNameAttribute=cn
ad.user.primaryAttribute=sAMAccountName
ad.user.displayNameAttribute=displayname
ad.user.objectCategory=person
ad.user.objectClass=
ad.user.memberofAttribute=memberOf
ad.user.groupidAttribute=primaryGroupID

Note

If you have changes in LdapConfiguration.conf and later want to retain the initial configuration, simply rename the file (for example, rename it to LdapConfiguration_old.conf) or move the file to different location and restart Applications Manager.


Delegated Admin Preferences

The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't administrators. By delegating administration, you can assign a range of administrative tasks to the appropriate users and let operators take more control of their local network resources.

 

Enabling Delegated Admin Preferences:

Delegated Administrator Privileges

 

The following table lists the User Privileges of the Delegated Admin role in various scenarios:

Scenario

Delegated Administrator User Privileges

Credential Manager

Permission to create profiles and to edit and delete profiles which he has created.

Action Permission to create new actions and to edit and delete actions which he has created. Additionally he can also view the actions associated to the monitors for which he has ownership.
New Monitor and Monitor Group Permission to create new monitors and monitor groups, and to edit and delete new monitors and monitor groups for which he has ownership.
Threshold and Anomaly Profiles Permission to create new profiles and to edit and delete profiles which he has created. Additionally he can also view the profiles associated to the monitors for which he has ownership.
Schedule Report Permission to create reports and to edit and delete reports which he has created.
Downtime Scheduler Permission to schedule the time period for which monitoring is not required.
Alarm Escalation Permission to escalate an alarm and configure rules for alarm escalation.
Configure Alarms Permission to configure alarms by monitor groups for which he has ownership.
Process and Service Template Permission to add and apply new process template to monitor groups and selected monitors alone.
Event Log Rules Permission to configure Event Log Rules applicable only to monitor groups and selected monitors.
Dashboards / Widgets Permission to create dashboards and view default dashboards in Read-Only mode.
Performance Polling, Global Trap, SNMP Trap Listener, User Administration, Data Retention, Managed Server Administration, SLA, World Map View, Product License, Action Alarm Settings Not supported for Delegated Admin Role

<< Prev

Home

Next >>

Configure Proxy

Add-On Settings