Add or Modify Users with Account Admin

The Account Admin allows bus users to manage account contact users and access control lists (ACLs) for user groups. You must have appropriate ACL permissions to view and make changes within the Account Admin view.
In Account Admin, you can add, modify, or delete accounts and account contact users, and set passwords for account contacts. You can also add, copy, or delete an ACL and turn permissions within an ACL on or off. You can also associate LDAP groups with ACLs and accounts.
Changes that you make to ACLs in the Account Admin view are reflected in Infrastructure Manager.
Create, Edit, or Delete an Account
The Account Admin allows you to create, edit, and delete accounts and account contact users.
The Account Admin window has two tabs: Accounts and ACLs & LDAP. When Accounts is selected, the left-hand pane displays existing accounts and the right-hand pane displays users currently assigned to the selected account.
To create, edit, and delete accounts, you must have Manage ACL permission. If you are an account administrator, non-editable fields will appear in gray.
To add an account:
  1. Select the Accounts tab at the top of the page.
  2. Click on the New icon to the right of the Accounts header in the left-hand pane.
  3. Enter the description of the account name in the right-hand pane.
  4. Select the Ownership for the account.
  5. Fill in any additional information for the account, such as Description or Web Site.
  6. Click on the Create button at the lower-right corner of the pane.
The Account Name and Ownership (origin) fields are mandatory. The account name must be a character string. By default, no origin is selected. None of the other fields is validated and any input will be saved.
Once you create an account, the account name is displayed in grey and cannot be changed. To use a different account name, you must create a new account.
The Ownership is the set of origins assigned to the account, which determines what information is visible for account contact users. You can assign more than one origin to an account. If you are an MSP, for example, you might designate the primary hub for each customer as the origin, thereby separating customer information. In OC, account contact users can only see devices, alarms and QoS metrics from origins assigned to the account.
To edit existing account information:
  1. Click the Edit icon to the right of the account name or double-click the account name in the left-hand pane.
  2. Enter changes and then click on the Update button at the lower-right of the right-hand pane.
To delete an existing account:
Deleting an account also deletes any users that are not associated with other accounts.
  1. Click on the Delete icon to the right of the account name.
  2. Click Yes in the dialog box that appears.
Add, Edit, or Delete a User
To create, edit, and delete users, you must have the Account Administration permission.
To add a user to an account:
  1. Click on the account of interest. A list of assigned users will appear in the right-hand pane.
  2. Click on the Add icon at the right-hand side of the pane header.
  3. Enter information for the user in the right-hand pane. Note that:
    • The associated account and ACL can be selected through the dropdown menus.
    • The language selected will be applied to the entire OC.
    • You must associate a user with at least one account.
  4. Click on the Create button at the lower-right corner of the pane.
On logging in, users cannot see or assign ACLs with a higher access level than their own.
If CA UIM has been installed to authenticate users using Login IDs, the Login ID, Password, and E-mail fields are mandatory. The Login ID must be a unique alphanumeric string, may contain periods, dashes, and underscore characters, but may not begin or end with a period. The email address must also be unique. The password must be at least six characters long.
If CA UIM has been installed to authenticate users using email addresses, the Login ID field must be a valid email address.
To edit user information:
Users appear under each account they are assigned to. To edit a user account, you can select it from any account it is listed under.
  1. Click on the Edit icon to the right of the user name.
  2. Change the user information. You can edit the following fields:
    • Password
    • ACL
    • Email
    • Name (first and last)
    • Language
    • Accounts
  3. Click on the Update button at the lower-right corner of the pane.
To delete a user:
If you have users assigned to multiple accounts, the behavior for user deletion is dependent on the permissions assigned to the deleting user:
  • Bus Users
    The user is deleted from all accounts.
  • Users with the Account Administration Permissions for ALL Accounts the User Belongs To
    The user is deleted from all accounts.
  • Users with the Account Administration Permissions for SOME Accounts the User Belongs To
    The user is removed from the accounts visible to the user performing the deletion.
  1. Select the account and find the user of interest.
  2. Click on the Delete icon for that user.
  3. Click Yes on the dialog box that appears.
Manage ACLs and LDAP in Account Admin
You may sometimes need to give a unique set of permissions to an account contact user. To do so, you can change the permissions associated with the user's ACL or create a new ACL, define its permissions, and apply it to the user.
You may also want to associate an LDAP group with an ACL, giving all members of that group certain permissions within OC. LDAP groups can be given access to all account data or only data for a specific account.
A bus user with the Manage ACL permission can create, copy, edit, or delete ACLs.
In the Account Admin window, click the ACLs & LDAP tab at the top of the page to open the Edit ACL screen. The left-hand pane then displays the existing ACLs and the right-hand pane displays the permissions and other functions associated with the selected ACL.
Create a New ACL
Follow these steps:
  1. Click on the New button on the right of the left-hand pane.
  2. Enter a name in the ACL Name field in the right-hand pane.
  3. Click on the Create button in the lower-right corner of the screen.
Copy an Existing ACL
Follow these steps:
  1. Locate the name of an ACL in the left-hand pane.
  2. Click on the Copy icon to the right of the name.
  3. Enter the name of the new ACL on the right-hand pane.
  4. Click on the Create button in the lower-right corner of the screen.
Delete an ACL
Follow these steps:
  1. Locate the name of an ACL in the left-hand pane.
  2. Click on the Delete icon to the right of the name.
  3. Click Yes in the dialog box that appears.
Edit an ACL
The right-hand pane contains tabs for turning permissions on and off and associating an LDAP group to an ACL and account. The header for the pane will change from Edit ACL to Copy ACL based on the operation being completed.
Properties
The Properties window includes the ACL name and its permissions. On logging into Account Admin, a bus user will see all ACLs and their permissions. The user must have the Manage ACL permission to see and change permissions.
Permissions are sortable on any column: Permission, Type, and Access. In order to redefine permissions, all permissions can be assigned or deactivated, and selected permissions can be sorted to appear at the top of the list.
An ACL associated with one or more users cannot be deleted.
These restrictions become important if, for instance, someone is assigned the task of changing permissions for groups but does not have the Manage ACL permission.
Follow these steps:
  1. Click on the ACL name of interest in the left-hand pane.
  2. Click the box to the left of Permissions at the top of the permissions list to select and deselect all permissions.
  3. Click on boxes to the left of individual permissions to turn them on or off.
  4. Click on the Permissions header to sort the list of permissions.
  5. If further changes are not needed, click on the Update button at the lower-right corner of the pane.
Alarm Filters
You can now define alarm filters for each ACL. This ability gives you more flexibility and control as it allows you to define more complex alarm filters at the ACL level. You can create your alarm filters for ACLs with multiple criteria using OR/AND operators. This provides quick views into specific data that you need to isolate alarms of interest. For example, you can set a base filter for your ACL using this functionality. You can use the available options in the Alarm Filter view (under Account Admin) to filter alarms for the currently selected ACL.
Follow these steps:
  1. Log in to OC.
  2. Access the Settings, Account Admin view.
  3. Click the ACLs & LDAP tab.
  4. Click the Alarm Filter tab in the right pane.
  5. Click the + icon (Add alarm filter) to add the alarm filter. The following view opens:
  6. Add the required information in the fields. For more information about the available options, see the table that explains all the options.
  7. Click Update when you are done.
You have successfully defined the alarm filter for the selected ACL. The following screenshot shows the example filters:
You can use the following menus and buttons in the Account Admin view to filter alarms for the ACL currently selected:
Field / Description
  • and/or pull-down menu
    Choose the "and" or "or" operator to apply to this row of the filter definition. This operator is present only in the second and subsequent rows.
  • (Blank)/not pull-down menu
    Choose "not" in order to search for all systems except those that meet this row of the filter definition. Otherwise, leave blank.
  • Criterion pull-down menu
    Choose the criterion to filter for, such as Severity, Hostname, Origin, and so on.
  • Operator pull-down menu
    Choose the appropriate operator, such as "is", "contains", "starts with", and so on.
    If you select Severity, the following operators are available: =, <=, >=
    If you select "in" as the operator value, then you can put multiple filter values in separate lines. The following example screenshot shows Probe as the criterion value and "in" as the operator value. Now, note the multiple values (for example, cdm and snmpget) that you can specify in the text field.
  • Text field/Alarm severity-level pull-down
    Enter the appropriate text for the criterion you selected.
    If you select Severity for the criterion, a pull-down menu listing alarm severity-levels is displayed. Choose from the following: Clear (0), Informational (1), Warning (2), Minor (3), Major (4), Critical (5).
  • Add Filter/Remove Filter icons
    Click to add or remove rows for the filter definition. The Add icon is at the top of the page; the Remove icon is in line with the condition.
  • Dragger icons
    Drag to move the row up or down. Filter rows are applied in sequential order.
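To see how the filter fields described above interact, the following added example (not CA UIM code) evaluates a filter definition against constructed alarms. It assumes rows are combined strictly left to right, which is one reading of "applied in sequential order"; the dictionary layout, origin names, filters and alarms are hypothetical.

```python
# Model of an ACL alarm filter: rows of (and/or, not, criterion, operator, value).
# Assumption: rows are folded left to right in the order they are listed.
SEVERITY = {"Clear": 0, "Informational": 1, "Warning": 2,
            "Minor": 3, "Major": 4, "Critical": 5}

OPERATORS = {
    "is":          lambda field, value: field == value,
    "contains":    lambda field, value: value in field,
    "starts with": lambda field, value: field.startswith(value),
    "in":          lambda field, value: field in value.splitlines(),
    "=":           lambda field, value: SEVERITY[field] == SEVERITY[value],
    "<=":          lambda field, value: SEVERITY[field] <= SEVERITY[value],
    ">=":          lambda field, value: SEVERITY[field] >= SEVERITY[value],
}

def row_matches(alarm, row):
    """Apply one row: criterion, operator, value and the optional 'not'."""
    hit = OPERATORS[row["operator"]](alarm[row["criterion"]], row["value"])
    return not hit if row.get("negate") else hit

def alarm_visible(alarm, rows):
    """Fold rows in order; the first row carries no and/or operator."""
    result = row_matches(alarm, rows[0])
    for row in rows[1:]:
        hit = row_matches(alarm, row)
        result = (result and hit) if row["join"] == "and" else (result or hit)
    return result

# Constructed base filter: one origin, Minor and above, two probes ("in" list).
BASE_FILTER = [
    {"criterion": "Origin", "operator": "is", "value": "hub_business_one"},
    {"join": "and", "criterion": "Severity", "operator": ">=", "value": "Minor"},
    {"join": "and", "criterion": "Probe", "operator": "in", "value": "cdm\nsnmpget"},
]
# Same rows plus a trailing "or" row; folded left to right, it matches on its
# own and is no longer limited by the Origin row.
WIDENED_FILTER = BASE_FILTER + [
    {"join": "or", "criterion": "Severity", "operator": "=", "value": "Critical"},
]

ALARMS = [  # constructed sample alarms
    {"Origin": "hub_business_one", "Severity": "Major", "Probe": "cdm", "Hostname": "web01"},
    {"Origin": "hub_business_one", "Severity": "Warning", "Probe": "cdm", "Hostname": "web02"},
    {"Origin": "hub_business_two", "Severity": "Critical", "Probe": "net_connect", "Hostname": "db01"},
]

def visible_hosts(rows, alarms=ALARMS):
    return [a["Hostname"] for a in alarms if alarm_visible(a, rows)]
```

When reviewing a base filter for an ACL, compare the result of the filter with and without each "or" row, and check row order after any drag operation.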
LDAP
You can link an LDAP group to an ACL and specific accounts. LDAP must be enabled to use this feature; if it is not, the ACL tab title will be grayed out.
  1. Select an ACL from the list in the left-hand pane.
  2. Click on the LDAP tab in the right-hand pane.
  3. If 50 or fewer LDAP groups exist, the drop-down list for LDAP Group is displayed in the right-hand pane. Select a group name from this drop-down list.
    If more than 50 LDAP groups exist, no drop-down list will appear and you must enter the name of the LDAP group. The name must match an LDAP group name; an error will be displayed until the names match. If the LDAP group name or spelling is unknown, refer to the list of groups on the LDAP server and copy the name into the input field.
  4. Select all accounts that apply under the Account Link field below the LDAP Group name. See details below on this field.
  5. Click on the Update button at the bottom-right corner of the pane.
The LDAP group is now associated with the ACL in the left-hand pane and any selected accounts (if appropriate). Repeat the steps for each ACL to associate it with an LDAP group as needed.
The Account Link field associates an LDAP group with all selected accounts. If the Account Link field is left blank, members of the LDAP group can view data according to their permissions for all accounts. If accounts are specified in the Account Link field, LDAP group members will have permissions to view data for any of the accounts that were selected.
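The Account Link rule above can be checked against a list of ACL-to-LDAP-group links. The following is an added example, not CA UIM code: the data layout, group names and function names are hypothetical and the links are constructed sample data. It flags links whose blank Account Link field gives group members visibility into all accounts, and lists users whose group memberships place them in more than one account.

```python
# Model of the Account Link rule for ACL-to-LDAP-group associations.
# Hypothetical data layout; not an export format or API of CA UIM.
from dataclasses import dataclass

ALL_ACCOUNTS = "*"  # marker used here for "Account Link left blank"

@dataclass(frozen=True)
class LdapLink:
    acl: str
    ldap_group: str
    accounts: frozenset = frozenset()  # empty = Account Link left blank

# Constructed sample configuration.
LINKS = [
    LdapLink("Operator", "noc-tier1", frozenset({"Business_One"})),
    LdapLink("Operator", "noc-tier2", frozenset({"Business_One", "Business_Two"})),
    LdapLink("Administrator", "platform-admins"),  # blank Account Link
]

def visible_accounts(user_groups, links=LINKS):
    """Return {account: set of ACLs} granted through the user's LDAP groups.

    A blank Account Link is reported under ALL_ACCOUNTS because it is not
    limited to any account.
    """
    access = {}
    for link in links:
        if link.ldap_group not in user_groups:
            continue
        for account in (link.accounts or {ALL_ACCOUNTS}):
            access.setdefault(account, set()).add(link.acl)
    return access

def unscoped_links(links=LINKS):
    """Links whose members can view data for all accounts."""
    return [(l.acl, l.ldap_group) for l in links if not l.accounts]

def multi_account_users(directory, links=LINKS):
    """Users whose group memberships place them in more than one account."""
    result = {}
    for user, groups in directory.items():
        accounts = set(visible_accounts(groups, links)) - {ALL_ACCOUNTS}
        if len(accounts) > 1:
            result[user] = sorted(accounts)
    return result

if __name__ == "__main__":
    directory = {"alice": {"noc-tier1"}, "bob": {"noc-tier1", "noc-tier2"}}  # constructed
    print(unscoped_links())
    print(multi_account_users(directory))
```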
Additional Considerations for Users in Multiple Accounts
Admin Console does not currently support users in multiple accounts.
Only bus users or account contact users in the Account Administrator ACL can edit the accounts that a user is in.
If a user is part of multiple LDAP groups, you can assign that user to more than one account through the ACLs & LDAP tab.
Follow these steps:
  1. Click Settings, Account Admin.
  2. Select the ACL for the user under the ACLs & LDAP tab.
  3. Select the LDAP tab in the Edit ACL pane.
  4. Select the name of the account to be added under Account Link.
A user can view data for any of the accounts to which he or she belongs. However, a user assigned to multiple accounts can only have one account active at a time. For example, a user may be assigned to the following accounts:
  • Business_One
  • Business_Two
  • Business_Three
When the user is logged into Business_One, he or she will only see information for that account and no information specific to Business_Two or Business_Three. The name of the active account is displayed in the right-hand side of the dockbar.
To see information for the other accounts, the user must change accounts using one of the following methods:
  • Specify the account during log in. For example, if the user wants to log in to their Business_One account, their user name would be Business_One/User.
  • Add the ?account= parameter to an OC URL. For example, if you wanted to view the Azure Unified Dashboard for Business_One, the URL is http://<oc_IP>/user/<user_name>/azure?account=Business_One.
    Using a URL with the ?account= parameter only works when you are either logged out of OC or already logged in to the specified account.