Before a user can access any of the system assets, you must establish a user account and an account policy. An account policy records the state of the user's account and password: whether the account is disabled, and whether and when the account and the password expire. The system consults this information to decide whether the user is allowed to log in to the secured system.
This section describes how to create user accounts and define their account policies.
Table 3-2 describes the permissions you must have to manage user accounts.
| Action | Permissions required |
|---|---|
| Create a user account | WRITE on the subject controlling asset. |
| List the users in a domain | LIST on the subject controlling asset. |
| View the properties of a user account | READ on the subject controlling asset. |
| Update the properties of a user account | UPDATE on the subject controlling asset. |
| View a user's digital certificates | READ on the subject controlling asset. |
| Register or remove a certificate | UPDATE on the subject controlling asset. |
| Move a user account to a different organization | If the new organization is in the same domain, you need READ, DELETE, and WRITE on the subject controlling asset. If the new organization is in a different domain, you need DELETE on the subject controlling asset in the current domain and WRITE on the subject controlling asset in the new domain. |
| Manage a user's group memberships | READ and UPDATE on the group controlling asset. |
| Edit a user's roles | GRANT on the role controlling asset. |
| Display a user's access permissions | LIST on the asset controlling asset in each domain where the user has permission to access assets. For example, if a user has permission to access assets in three different domains, you need LIST permission on the asset controlling asset in all three domains. |
| Delete a user account | READ and DELETE on the subject controlling asset. |
Creating a user account
1. In the Organization Manager tree view, select the organization, highlight Users, and click New.
2. In the Create New User dialog, enter:
   - Login Name – the name the user types to log in to the system.
   - First Name – the user's first name. Optional, but if you enter either a first name or a last name, you must enter both.
   - Last Name – the user's last name. Optional, but if you enter either a first name or a last name, you must enter both.
   - Common Name – the name displayed in Enterprise Security Manager. A user's common name should be unique throughout the security system.
   - Password – a password for the user.
   - Verify Password – reenter the password so the system can verify that it was typed correctly.
   - E-Mail – the user's e-mail address. Optional.
   - Work Phone – the user's work telephone number. Optional.
3. Configure the account policy by selecting any of the following:
   - Account is disabled – disables the account so the user cannot access the system until the PSO enables it.
   - Password never expires – makes the provided password valid indefinitely; the domain's password lifetime no longer applies to this user.
   - Account never expires due to inactivity – keeps the account valid regardless of how long the user goes without logging in.
   - Account has fixed expiration date – select this if you want the account to expire on a specific date, and enter the date. If you do not set an expiration date, the account's expiration is determined by the value set on the security domain's account properties tab; see "Configuring account properties for a security domain".
4. Click OK.
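As an added example (not Enterprise Security Manager's own code), the following Python models the four account-policy settings offered in this dialog and the login decision they drive, including the fall-back to the security domain's default when no fixed expiration date is set. The field names, the domain-level password lifetime and inactivity limit, the rule that "no fixed date" means created date plus the domain's default lifetime, and the sample accounts are all assumptions made for the example; the page does not specify them.

```python
"""Added example: evaluating an account policy at login time.

Illustrative code only. The four policy flags and the fall-back to the
security domain's account properties come from the procedure above; the
field names, the domain-level password lifetime and inactivity limit, and
the "created + default lifetime" rule are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class DomainAccountProperties:
    """Defaults from the security domain's account properties tab.
    Field names and values are assumed; the page does not list them."""
    default_account_lifetime_days: int = 365
    password_lifetime_days: int = 90
    inactivity_limit_days: int = 60


@dataclass
class AccountPolicy:
    """The four settings offered in the Create New User dialog."""
    account_disabled: bool = False
    password_never_expires: bool = False
    never_expires_due_to_inactivity: bool = False
    fixed_expiration_date: Optional[date] = None  # None: domain default applies


@dataclass
class UserAccount:
    login_name: str
    created: date
    password_set: date           # assumed: date the current password was set
    last_login: Optional[date]   # assumed: None if the user has never logged in
    policy: AccountPolicy = field(default_factory=AccountPolicy)


def effective_expiration(user: UserAccount, domain: DomainAccountProperties) -> date:
    """A fixed expiration date wins; otherwise the domain default applies."""
    if user.policy.fixed_expiration_date is not None:
        return user.policy.fixed_expiration_date
    return user.created + timedelta(days=domain.default_account_lifetime_days)


def login_allowed(user: UserAccount, domain: DomainAccountProperties,
                  today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). A disabled account is refused before any
    date arithmetic; the two 'never expires' flags skip their checks."""
    p = user.policy
    if p.account_disabled:
        return False, "account is disabled"
    if today > effective_expiration(user, domain):
        return False, "account expired"
    if not p.password_never_expires:
        if today > user.password_set + timedelta(days=domain.password_lifetime_days):
            return False, "password expired"
    if not p.never_expires_due_to_inactivity:
        last_activity = user.last_login or user.created
        if today > last_activity + timedelta(days=domain.inactivity_limit_days):
            return False, "account expired due to inactivity"
    return True, "ok"


# Constructed sample accounts (not real data), all evaluated on one date.
DOMAIN = DomainAccountProperties()
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    UserAccount("jsmith", date(2024, 1, 1), date(2024, 4, 1), date(2024, 5, 15)),
    UserAccount("locked", date(2024, 1, 1), date(2024, 4, 1), date(2024, 5, 15),
                AccountPolicy(account_disabled=True)),
    UserAccount("contractor", date(2024, 1, 1), date(2024, 4, 1), date(2024, 5, 15),
                AccountPolicy(fixed_expiration_date=date(2024, 5, 31))),
    UserAccount("stalepw", date(2024, 1, 1), date(2024, 1, 1), date(2024, 5, 20)),
    UserAccount("onleave", date(2024, 1, 1), date(2024, 4, 1), date(2024, 3, 1)),
    UserAccount("batchsvc", date(2024, 1, 1), date(2024, 1, 1), None,
                AccountPolicy(password_never_expires=True,
                              never_expires_due_to_inactivity=True)),
]


def evaluate_all(users=SAMPLE_USERS, domain=DOMAIN, today=TODAY) -> dict:
    """Map each login name to its (allowed, reason) decision."""
    return {u.login_name: login_allowed(u, domain, today) for u in users}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:<12} {'ALLOW' if ok else 'DENY':<6} {why}")
```

The `batchsvc` account shows the cost of the two "never expires" options: with both set, only the disabled flag or a fixed expiration date can ever lock the account out, so those options are best reserved for accounts that are reviewed some other way.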