User Administration


Applications Manager permits five different roles to work with the product apart from the default admin role. The different roles are Normal Admin, Delegated Admin, User, Operator and Manager.

Default / Super Admin : The system Super Administrators are allowed to perform all admin activities. The Super Administrator role also has the privilege to configure user administration. The Super Admin role is the default admin user and it cannot be deleted or renamed.

  • Normal Admin : Normal Administrators are allowed to perform all default admin activities except the following :
    • Access query tool and DB status from Support under Tools in Admin tab.
    • Shut down the Applications Manager service from within the product.
    • Access Account Policy tab in User Management under Product Settings in Admin tab.
    • Access all Admin permissions in Permissions tab in User Management under Product Settings in Admin tab.
  • Delegated Admin : The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't default administrators. More information on Delegated Admin role and how to enable Delegated Admin Preferences can be viewed here.
  • User : A system user will have read-only access to all components of the product. Users will not have the privilege to access, configure or edit the different components of the product.
  • Operator: The system operators have read-only access to only those components of the product that the default administrator assigns to the operator. The operator role does not have the privilege to access, configure or edit the different components of the product. If an operator is part of a Monitor Group, then the restrictions will be in effect only for the operator and not others.
  • Manager: The Manager has an integrated high-level view of the Business Infrastructure. Service Level Agreements (SLAs) can be created and associated with various business applications and servers. More information on Manager role can be viewed here.

In the Admin page, click User Administration under Global Configurations to browse through the following tabs:

Note :

User management is not supported for the Applications Manager plugin build over OpManager. At present, there are only two types of roles available for plugin users - Administrator and Read-Only User. Operator, Delegated Admin and Manager role is not supported. Applications Manager Plugin users cannot assign monitors to the any specific users in the Apps tab. They can view all the default monitors only.

Profiles

Applications Manager provides you with the ability to manage users and roles for your enterprise, with roles assigned to users and different permissions associated to each role. This is achieved by first adding users and associating the users with the roles.

You can also import users from Active Directory or LDAP. This functionality is implemented as a more convenient method to add a large number of users and to ease the user administration in Applications Manager. You can import users and perform role configuration for LDAP and Active Directory users and groups in Applications Manager.

Add new users to Applications Manager

The system administrators are allowed to perform all admin activities as explained in Performing Admin Activities. The admin role also has the privilege to configure user administration as explained below.

  1. In Admin page, click User Administration under Global Configurations. This lists the User Profile(s) that consists of the User name and the role.
  2. To add a new user, click Add new. This opens the 'New User' screen.
  3. Specify a unique user name and provide a password.

    Note: Username field containing any of the following special characters will not be accepted: / \ [ ] : ; | = , * ? < > " ' ` % -- $$

  4. Provide a description and an e-mail for the user.
  5. Assign a role to the user (User/ Operator/ Administrator/ Manager ).
  6. Check the delegated admin checkbox if you wish to assign delegated administration privileges.
  7. You can upload a profile photo for the user in jpg, gif, png or jpeg format(optional). A file size less than 100 KB is preferred.
  8. You can select user groups to give a group of users the same privileges as the new user. (Not applicable to users without Operator, Administrator or Manager roles).
  9. Select the monitor group to which the new user or users must be granted privileges.(Not applicable to users without Operator, Administrator or Manager roles).
  10. Click Create User. The new user or user groups will be displayed in the User Profile(s) table displaying the status, description, e-mail address,role and the monitor groups assigned.

Note :

The default user access of Applications Manager is admin (Administrator). All users log into Applications Manager as Admin users and are given all the administrative privileges to work with the tool.

 You can also assign the owners for the Monitor Groups while creating the Monitor Groups or while editing the existing Monitor Groups

Importing users from active directory or LDAP

You can import users and perform role configuration for LDAP and Active Directory users and groups in Applications Manager.

Users imported from the Active Directory or LDAP can login into Applications Manager using their Active Directory/LDAP credentials. Since user authentication is done in the Domain Controller all the account policy regulations of the company/domain is automatically inherited to Applications Manager credentials also.

  • In Admin page, click User Administration under Global Configurations. This lists the User Profile(s) that consists of the User name and the role.
  • Click the Import Users from Active Directory / LDAP link under the list of user profile
  • Select a domain name from the drop-down list.

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

  • Select the Add New Domain option from the Domain Name drop-down list.
  • Enter the following details:
    • Domain Name: Name of the domain from where the users need to be imported.
    • Domain Controller: The hostname or the IP address of the DNS server for the domain.
    • Domain Port: The port of the DNS server.
    • Authentication Type: LDAP or Active Directory.
    • Username and Password: The active directory username of the domain user should be provided in DOMAIN\username format. The LDAP user name should be provided in cn=user,dc=domain,dc=name format.
    • Search Filter: To filter out search result you can use characters followed by *.
  • Click on the Fetch Users button to import users from the active directory or LDAP.
  • When the list of existing users is displayed select the user(s) to be added, assign roles and click on Add Users to add the users.
  • In the new Import Users tab from the pop-up window select the users that you wish to add from the drop-down list.
  • Note: Username field containing any of the following special characters will not be accepted: / \ [ ] : ; | = , * ? < > " ' ` % -- $$

  • Assign a role - Operator,User,Administrator or Manager to each of the users.
  • Click on the Add User button to import the user to Applications Manager or click on Add Users And Configure Another to add more users.

You can edit User Profiles from the list of users.  

Delete a user

  • In Admin page, click User Administration under Global Configurations.
  • Select the user(s) to be deleted.
  • Click Delete

User Groups

You can create User Groups in Applications Manager with roles assigned to users or import user groups from Active Directory or LDAP.

Add new user groups to Applications Manager
  • In Admin page, click User Administration under Global Configurations.
  • Click the User Groups tab. This lists down the User Groups in Applications Manager.
  • To add a new user group, click Add new. This opens the 'New User Group' screen.
  • Specify a User Group name.
  • Choose the users to be added to the group.
  • Select the monitor group to which the new users must be granted privileges.
  • Click Create User Group. The new user groups will be displayed in the User Groups table.
Importing user groups from active directory or LDAP

Users in the groups imported from the Active Directory or LDAP can login into Applications Manager using their Active Directory/LDAP credentials. Since user authentication is done in the Domain Controller all the account policy regulations of the company/domain is automatically inherited to Applications Manager credentials also.

  • In Admin page, click User Administration under Global Configurations.
  • Click the User Groups tab.
  • Click the Import User Groups from Active Directory / LDAP link under the list of user profile
  • Select a domain name from the drop-down list.

The users in groups imported from Active Directory\LDAP will be associated automatically to that particular usergroup during login.

For Active Directory Users, the admin can import their group and use this feature in permissions tab (Create a new user account if the user logs in with domain authentication.)

Adding a New Domain

You can select an already added domain from the drop-down list or add a new domain. You can also edit the existing Domain controller settings in the same manner.

  • Select the Add New Domain option from the Domain Name drop-down list.
  • Enter the following details:
    • Domain Name: Name of the domain from where the users need to be imported.
    • Domain Controller: The hostname or the IP address of the DNS server for the domain.
    • Domain Port: The port of the DNS server.
    • Authentication Type: LDAP or Active Directory.
    • Username and Password: The active directory username of the domain user should be provided in DOMAIN\username format. The LDAP user name should be provided in cn=user,dc=domain,dc=name format.
    • Search Filter: To filter out search result you can use characters followed by * as well as the role criterion in LDAP search filter format. These search filters use one of the following formats <filter>=(<attribute><operator><value>) or (<operator><filter1><filter2>). For example: "(&(objectCategory=person)(objectClass=user)(!cn=andy))"- All user objects but "andy".
  • Click on the Fetch User Groups button to import user groups from the active directory or LDAP.
  • When the list of existing users is displayed select the user(s) to be added, assign roles and click on Add User Groups to add the users.
  • You can also edit User Profiles from the list of users.
Delete a user group
  • In Admin page, click User Administration under Global Configurations.
  • Click the User Groups tab.
  • Select the user groups to be deleted.
  • Click Delete.

Domains

You can import multiple users from other domains like Active Directory and OpenLDAP to Applications Manager. Configure the following details:

  • Domain Name : The fully qualified name of the domain from which the users are to be imported. Aliases are not supported.
  • Domain Controller : The hostname or the IP address of the DNS server for the domain.
  • Domain Port : The port of the DNS server.
  • Directory Service : OpenLDAP or Active Directory.
  • User Permissions : The permission level for this domain.
    • Read Only - All users logged in through this domain will have read-only access.
    • Full Control - Users logged in will behave according to their roles specified.

Associating Users and User Groups to Multiple Domains:

You can associate users and user groups to multiple domains:

  • Click on Import Users from Active Directory / OpenLDAP or Import User Groups from Active Directory / OpenLDAP and import users/user groups from the directory.
  • Go to Profiles or User Groups and click on a user or group. The domain to which the user or group belongs will be displayed in the Domain Name field.
  • To add another domain, click in Domain Name text box and a drop-down list with other domains will be listed.
  • Choose the domain you wish to add.
  • Click Update User/User group.

If the 'Create a new user account if the user logs in with domain authentication' checkbox in the Permissions tab is checked, users are created automatically based on their role in the user group.

Permissions:

Operator Permissions:

Using the Permissions options, you can allow Operators to manage / unmanage monitors, reset the status of monitors, edit display names, execute actions, start/stop/restart services, update IP Addresses, use Command Shell and clear Alarms.

The operator role can also be granted permission to configure the Downtime Schedule and view Downtime Schedules. If you've chosen the option "Allow operator to configure Downtime Schedule", you will only see the Downtime Schedules configured by this user and you can schedule new downtimes to Monitors and Monitor Groups associated to you. If you'd like the user to view all the Downtime Schedules then please make sure you also choose the option "Allow operator to view all Downtime Schedules". The Downtime Scheduler option will be available as link in the Bulk Configuration view under the Monitor tab since the Admin tab is not available for the Operators.

You can also allow the "Jump to link" option to be displayed for operators (Jump to link refers to access Add-On Products (like OpManager, Service Desk) and Managed Servers)

Admin Permissions:

You can allow admin to use Command Shell and to stop/start/restart Windows services. You can give permission to an administrator to Enable Delegated Admin Preferences. The admin can also be granted permission to create a new user account if the user logs in with domain authentication. The new user account will be created only when the Usergroup to which the user belongs is already imported from the same domain

AS400 Permissions:

AS400 Permissions allow you to permit Operators to execute AS400 Admin activities like controlling Message and Logging, Network Attributes, Date and Time, System Control, Library List, Storage, Allocation, Security, Jobs, Spool, Subsystem and using Non-Interactive Commands. By default, Applications Manager allows admin user(s) to execute AS400/iSeries operations but the option can be disabled.

Views:

This is for Operator only. Using View option, you can define how to represent your subgroup in the webclient.You can either show the associated subgroups directly in the home tab itself or from the corresponding top level Monitor Group. 

Account Policy:

To enhance Web Client security, Account Policies can be configured. You can define the number of continuous failed login attempts to lock user account and Idle session timeout. You can enforce single user session and strong password rules.

Strong password rules:

  • Password cannot be same/part of your Login name
  • Password length should not be less than 8 characters
  • Password length should not be greater than 255 characters
  • Password should contain at least 1 numeric character
  • Password should contain at least 1 special character
  • Password should contain both uppercase and lowercase character
  • Password should not be same as your last 4 password(s)

Configuring Active Directory / LDAP with the configuration file

You can import users and perform role configuration for LDAP users and groups in Applications Manager. Users and groups are fetched into Applications Manager from different domains, based on the entry in the authentication.conf file found in the following location. For LDAP configuration, you can edit theldapauthentication.conf file found in the location: ManageEngine/AppManager_Home/conf.

Ldap Configuration

ldap.group.commonNameAttribute=cn
ldap.group.primaryAttribute=cn
ldap.group.displayNameAttribute=cn
ldap.group.objectCategory=group
ldap.group.objectClass=posixGroup;groupOfNames
ldap.group.memberAttribute=member;memberUid
ldap.group.memberofAttribute=
ldap.group.groupTokenAttribute=gidNumber

ldap.user.commonNameAttribute=cn
ldap.user.primaryAttribute=uid
ldap.user.displayNameAttribute=cn
ldap.user.objectCategory=person
ldap.user.objectClass=person;posixAccount
ldap.user.memberofAttribute=
ldap.user.groupidAttribute=gidNumber

Active Directory Configuration

ad.group.commonNameAttribute=cn
ad.group.primaryAttribute=sAMAccountName
ad.group.displayNameAttribute=cn
ad.group.objectCategory=group
ad.group.objectClass=group
ad.group.memberAttribute=member
ad.group.memberofAttribute=memberOf
ad.group.groupTokenAttribute=primaryGroupToken

ad.user.commonNameAttribute=cn
ad.user.primaryAttribute=sAMAccountName
ad.user.displayNameAttribute=displayname
ad.user.objectCategory=person
ad.user.objectClass=
ad.user.memberofAttribute=memberOf
ad.user.groupidAttribute=primaryGroupID

Note :

If you have changes in LdapConfiguration.conf and later want to retain the initial configuration, simply rename the file (for example, rename it to LdapConfiguration_old.conf) or move the file to different location and restart Applications Manager.

Delegated Admin Preferences

The delegated administration role is used to assign limited administrative privileges to users in your organization who aren't administrators. By delegating administration, you can assign a range of administrative tasks to the appropriate users and let operators take more control of their local network resources.

Enabling Delegated Admin Preferences:

  • In the Admin page, click User Administration under Applications Manager Server Settings
  • Navigate to the Permissions tab.
  • In the Admin Permissions table, check the Enable Delegated Admin Preferences. Once this checkbox is checked, when an administrator adds a new user to Applications Manager, he is asked to specify by a checkbox if he wishes to add the new user as a Delegated Admin.
  • You can also perform the enable the following actions from the Admin Permissions table:
    • Allow Delegated Admin to view/use thresholds and anomaly profiles created by administrators (non-delegated administrators) and other delegated administrators in the same user group.
    • Allow Delegated Admin to view/use all actions created by administrators (non-delegated administrators) and other delegated administrators in the same user group.

Delegated Administrator Privileges

The following table lists the User Privileges of the Delegated Admin role in various scenarios:

Scenario Delegated Administrator User Privileges
Credential Manager

Permission to create profiles and to edit and delete profiles which he has created.

Action Permission to create new actions and to edit and delete actions which he has created. Additionally he can also view the actions associated to the monitors for which he has ownership.
New Monitor and Monitor Group Permission to create new monitors and monitor groups, and to edit and delete new monitors and monitor groups for which he has ownership.
Threshold and Anomaly Profiles Permission to create new profiles and to edit and delete profiles which he has created. Additionally he can also view the profiles associated to the monitors for which he has ownership.
Schedule Report Permission to create reports and to edit and delete reports which he has created.
Downtime Scheduler Permission to schedule the time period for which monitoring is not required.
Alarm Escalation Permission to escalate an alarm and configure rules for alarm escalation.
Configure Alarms Permission to configure alarms by monitor groups for which he has ownership.
Process and Service Template Permission to add and apply new process template to monitor groups and selected monitors alone.
Event Log Rules Permission to configure Event Log Rules applicable only to monitor groups and selected monitors.
Dashboards / Widgets Permission to create dashboards and view default dashboards in Read-Only mode.
Performance Polling, Global Trap, SNMP Trap Listener, User Administration, Data Retention, Managed Server Administration, SLA, World Map View, Product License, Action Alarm Settings Not supported for Delegated Admin Role