Managing Users

Describes the procedure to manage users

You require users in every system to run the business application. The first step in any system is setting up the users that operate on different facets of the application.

In ESA, setting up a user involves operations such as assigning roles, setting up password policies, setting up Active Directories (ADs), and so on. This section describes the activities that constitute user management for ESA. In ESA, you can add the following users:

  • OS users: Users for managing and debugging OS-related operations.
  • Appliance users: Users for performing various operations based on the roles assigned to them. They can be created in the appliance or imported from other directory services.

Understanding ESA Users

In any given environment, users are entities that consume services provided by a system. Only authorized users can access the system. In Protegrity appliances, users are created to manage ESA for various purposes. These users are system users and LDAP administrative users.

On ESA, the users navigate to Settings > Users > User Management to view the list of the users that are available in the appliance.

In ESA, users can be categorized as follows:

Internal Appliance Users

These are the users created by default when ESA is installed. These users are used to perform various operations on the Web UI, such as managing the cluster, managing LDAP, and so on. On the ESA Web UI, navigate to Settings > Users > User Management to view the list of the users that are available in the appliance.

The following is the list of users that are created when ESA is installed.

| User Name | Description | Role |
|---|---|---|
| admin | Administrator account with access to the Web UI and CLI Manager options. | Security Administrator |
| viewer | User with view only access to the Web UI and CLI Manager options. | Security Administrator Viewer |
| ldap_bind_user | Created when local LDAP is installed | N/A |
| samba_admin_user | Access folders shared by CIFS service running on File Protector Vault. | N/A |
| PolicyUser | Perform security operations on the protector node. | Policy User |
| ProxyUser | Perform security operations on behalf of other policy users. | ProxyUser |

OS users

These are the users that have access to all the CLI operations in the appliance. You can create local OS users from the CLI Manager. On the CLI Manager, navigate to Administration > Accounts and Passwords > Manage Passwords and Local Accounts to view and manage the OS users in the appliance.

The following is the list of OS users in the appliance.

| OS Users | Description |
|---|---|
| alliance | Handles DSG processes |
| root | Super user with access to all commands and files |
| local_admin | Local administrator that can be used when an LDAP user is not accessible |
| www-data | Daemon that runs the Apache, Service dispatcher, and Web services as a user |
| ptycluster | Handles TAC related services and communication between TAC through SSH. |
| service_admin and service_viewer | Internal service accounts used for components that do not support LDAP |
| clamav | Handles ClamAV antivirus |
| rabbitmq | Handles the RabbitMQ messaging queues |
| epmd | Daemon that tracks the listening address of a node |
| openldap | Handles the openLDAP utility |
| dpsdbuser | Internal repository user for managing policies |
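The OS user list above can serve as a baseline when reviewing local accounts. The following is an added example, not Protegrity code: it assumes the appliance's local accounts can be read in passwd(5) format, and the sample data, the `audit_accounts` name, and the shell list are constructed for illustration.

```python
# Added example: compare local accounts against the OS users documented above.
DOCUMENTED_OS_USERS = {
    "alliance", "root", "local_admin", "www-data", "ptycluster",
    "service_admin", "service_viewer", "clamav", "rabbitmq", "epmd",
    "openldap", "dpsdbuser",
}
# Shells that prevent interactive login (assumption; adjust to the platform).
# An empty shell field is NOT listed: passwd(5) treats it as /bin/sh.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample in passwd(5) format; not taken from a real appliance.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
local_admin:x:1000:1000::/home/local_admin:/bin/bash
clamav:x:105:110::/var/lib/clamav:/bin/false
svc_backup:x:1001:1001::/home/svc_backup:/bin/bash
toor:x:0:0::/root:/bin/sh
malformed line without enough fields
"""

def audit_accounts(passwd_text, baseline=DOCUMENTED_OS_USERS):
    """Return findings that deserve review, keyed by category."""
    findings = {"uid0_not_root": [], "undocumented_login": [],
                "missing": [], "unparsed": []}
    seen = set()
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings["unparsed"].append(lineno)  # never skip silently
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        seen.add(name)
        if uid == 0 and name != "root":
            findings["uid0_not_root"].append(name)  # second superuser
        if name not in baseline and shell not in NOLOGIN_SHELLS:
            findings["undocumented_login"].append(name)
    # Informational: some documented accounts depend on installed components.
    findings["missing"] = sorted(baseline - seen)
    return findings

if __name__ == "__main__":
    for category, items in audit_accounts(SAMPLE_PASSWD).items():
        print(f"{category}: {items}")
```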

Policy Users

These users are imported from a file or an external source for managing policy operations on ESA. Policy users are used by protectors that communicate with ESA for performing security operations.

External Appliance users

These are external users that are added to the appliance for performing various operations on the Web UI. The LDAP users are imported by using External Groups or Importing Users. You can also add new users to the appliances from the User Management screen.

Ensure that the Proxy Authentication Settings are configured before importing the users.

Managing Appliance Users

After you configure the LDAP server, you can either add users to internal LDAP or import users from the external LDAP. The users are then assigned to roles based on the permissions you want to grant them.

Default users

The default users packaged with ESA that are common across appliances are provided in the following table. You can edit each of these roles to provide additional privileges.

| User Name | Description | Role |
|---|---|---|
| admin | Administrator account with full access to the Web UI and CLI Manager options. | Security Administrator |
| viewer | User with view only access to the Web UI and CLI Manager options. | Security Administrator Viewer |
| ldap_bind_user | User who accesses the local LDAP in ESA or other appliances. | n/a |
| PolicyUser | Users who can perform security operations on the DSG Test Utility. | Policy User |
| ProxyUser | Users who can perform security operations on behalf of other policy users on the Protection Server. Note: The Protection Server is deprecated. This user should not be used. | ProxyUser |

Proxy users

The following table describes the three types of proxy users in ESA:

| Callout | Description |
|---|---|
| Local | Users that are authenticated using the local LDAP or created during installation. |
| Manual | Users that are manually created or imported manually from an external directory service. |
| Automatic | Users that are imported automatically from an external directory service and a part of different External Groups. For more information about External Groups, refer here. |

User Management Web UI

The user management screen allows you to add, import, and modify permissions for the users. The following screen displays the ESA User Management Web UI.

User Management Screen

| Callout | Column | Description |
|---|---|---|
| 1 | User Name | Name of the user. This user can either be added to the internal LDAP server or imported from an external LDAP server. |
| 2 | Password Policy | Enable password policy for the selected user. This option is available only for local users. For more information about defining password policy for users, refer to Password Policy. |
| 3 | User Password Status | Indicates the status of the user. The available states are as follows. Valid – user is active and ready to use ESA. Warning – user must change password to gain access to ESA. When the user tries to log in after this status is flagged, it will be mandatory for the user to change the password to access the appliance. Note: As the administrator sets the initial password, it is recommended to change your password at the first login for security reasons. |
| 4 | Lock Status | User status based on the defined password policy. The available states are as follows: Locked – Users who are locked after a series of incorrect attempts to log in to ESA. Unlocked – Users who can access ESA. <value> – Number of attempts remaining for a user after entering an incorrect password. |
| 5 | Expiration Date | Indicates expiry status for a user. The available statuses are as follows: Time left for expiry – Displays |
| 6 | User Type | Indicates if the user is a local, manual, or automatically imported user. |
| 7 | Last Unsuccessful Login (UTC) | Indicates the time of the last unsuccessful login attempted by the user. The time displayed is in UTC. Note: If a user successfully logs in through the Web UI or the CLI Manager, then the time stamp for any previous unsuccessful attempts is reset. |
| 8 | Roles | Roles linked to that user. |
| 9 | Add User | Add a new internal LDAP user. |
| 10 | Import User | Import users from the external LDAP server. Note: This option is available only when Proxy Authentication is enabled. |
| 11 | Action | The following actions are available. Reset password icon – Click to reset the password for a user. When you reset the password for a user, the Enter your password prompt appears. Enter the password and click Ok. Note: If the number of unsuccessful password attempts exceeds the defined value in the password policy, the account gets locked. Delete icon – Click to remove a user. When you remove a user, the Enter your password prompt appears. Enter the password and click Ok. Note: If the number of unsuccessful password attempts exceeds the defined value in the password policy, the account gets locked. User icon – Click to convert the external LDAP user to a local LDAP user. When you convert a user to a local LDAP user, ESA creates the user in its local LDAP server. |
| 12 | Page Navigation | Navigate through pages to view more users. |
| 13 | View Entries | Select the number of users to be displayed in a single view. You can select to view up to 50 users. |
| 14 | Search User Name | Enter the name of the user you want to filter from the list of users. |

Adding users to internal LDAP

Describes the procedure to add users to internal LDAP

Importing users to internal LDAP

Describes the procedure to import users to internal LDAP

Password policy configuration

Describes the procedure to import users to internal LDAP

Edit users

Describes the procedure to edit users