Open with table of contents

Managing administrator user access and roles

You can manage the administrator users, their roles and their access to the Gateway from the User Center Home page, accessible from the Users top-level menu option.

In this context, users are specifically administrator users who can access and modify parts of the Gateway, and not end-users themselves.

The Gateway supports three types of users:

• Local users - where users are added explicitly and their credentials are stored in the Gateway.
• Local Active Directory users - where users are added explicitly and their credentials are stored in Active Directory.
• Dynamic users - where users are granted access implicitly through their membership of an Active Directory group that is linked to a suitably-authorized Gateway role.

Users, roles, and permissions, can be added, modified and deleted from the Users and Roles tabs of the User Center Home page.

The system is initially supplied with one local administrator user for the Gateway interface. This is a super-administrator user named admin by default. You can rename the default admin user, but you cannot delete it. This user always has full access to all areas of the Gateway user interface.

The admin user can create additional users and roles, and if any of those new users have roles that give them the appropriate access permissions, they in turn can create further new users and roles.

Adding, modifying, and deleting roles

• Adding and modifying roles

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Roles tab.

  3. Either click New or select a role and click Edit.

     The Modify Role page is displayed.
     

  4. To add or modify overview information, move the mouse pointer over the Overview area and click Click here to change these settings.
  5. Provide a meaningful name for the role and an optional description, then click Save.
  6. Specifying or modifying a role's Active Directory group

     1. To specify or modify the Active Directory group associated with the role, move the mouse pointer over the Active Directory Group area and click Click here to change these settings.
     2. Provide the DN (Distinguished Name) of your intended AD group and click Save.
        

     Click the Search Active Directory groups icon - - to select an AD group from a list. Only Universal Security Groups (i.e. those where Group Scope is Universal, and Group Type is Security) are listed. You can type in another group name if you know that it exists and is functional. You can filter your search for groups by providing either a substring or a UPN, in which case the list will contain the groups whose names contain the substring, or the groups the UPN is a member of respectively.

     If you move a group in the AD hierarchy, you will need to update the group name in the Gateway. Note also that nested AD groups are not supported - each group must be linked individually.

  7. To review or modify the access control settings that apply to the role, move the mouse pointer over the Access Control area and click Click here to change these settings.
  8. Make your required changes to the Access Control settings for the role and click Save when finished:
     • Check the Administration Role checkbox to give the role administrator permissions.
     • Check the appropriate Specific Permissions checkboxes according to your needs. If you are configuring an administrator role, all of these will be checked and you will not be able to change them.
     • Review the Message Areas grid and make your required adjustments. If you are configuring an administrator role, all of the checkboxes will be checked and you will not be able to change them.
• Deleting roles

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Roles tab.

  3. Select the role you wish to delete from the list and click Delete.
     

     It is not possible for you to delete your own role, or the role of a local, or local AD user. It is possible to delete the role of a dynamic user, in which case, if they are logged in, they will be denied further access to the system.

  4. Click Yes in the Confirm Delete? dialog box.

Creating, modifying, and deleting users

• Creating local users

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Users tab.

  3. Click New.

     The Create User Type dialog is displayed.

  4. Click Local User and then Create.

     An administrative user must have exactly one role.

  5. Complete the dialog box, as required, for the new user, selecting an appropriate role if one exists. You can also select Create New Role in the Role drop-down, and give the role a sensible name and permissions after you have created the user.

  6. Click Add.

• Creating local AD users

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Users tab.

  3. Click New.

     The Create User Type dialog is displayed.

  4. Click Active Directory User and then Create.

     You must configure at least one Active Directory forest before you can create a local AD user. See To add an Active Directory forest to the system or modify an existing entry.

  5. Complete the dialog box for the new user, entering the user's User Principal Name and selecting an appropriate Role if one exists. You can also select Create New Role in the Role drop-down, and give the role a sensible name and permissions after you have created the AD user.

     Click the Check user details icon - - to verify the new user's details.

  6. Click Add.

Clearswift Gateway denies access by default to any new message areas created after a user is created.

• Modifying local users or local AD users

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Users tab.

  3. Select the user you wish to modify from the list and click Edit.

     The Modify User page is displayed.

     If you are modifying a local user, the What would you like to do? panel contains a Change user type option - choose this to convert a local user to a local AD user. This choice cannot be reversed. Click the Check user details icon - - in the dialog to verify the user's AD details.

  4. Make and save the required changes in the Overview and Role areas.

  Ensure that you Apply Configuration changes if you want the updates to be applied to all peers, and not simply on the local peer.

• Deleting local or local AD users

  1. From the Home page, click the Users menu option.

     The User Center Home page is displayed.

  2. Choose the Users tab.

  3. Select the user you wish to delete from the list and click Delete.

  4. Click Yes in the Confirm Delete? dialog box.

• Deleting dynamic users

  To delete a dynamic user, you should remove them from the AD group associated with their role - this will revoke Gateway access.

Tell me about...

• Access Control

  Using an assigned role, you can configure a user with permission to perform certain tasks while using the Gateway. You can provide a combination of permissions to a user by selecting any of the available tasks in the Access Control panel of the Modify Role page. You can configure roles to correspond to a user's responsibilities, for instance as a helpdesk operator, policy administrator, or network administrator. This prevents access to the area of the interface unrelated to the user.

  Use the Access Control panel on the Modify Role page to create a user with an Administration Role, that is to say, all permissions by default.

  The check box under Administration Role allows you to set the same permissions as the admin super-user. This grays-out all other options, as they are allowed by default. If you want to specify individual permissions, deselect this check box and proceed to the Specific Permissions section and Message Areas sections of the panel.

  The Specific Permissions and Message Areas sections control what the user can do, and what message areas they can see in the Gateway, respectively. Ensure that you have set this up correctly, as otherwise they might not be able to see what they need to access or perform the action to which they do have access. Within Message Areas, you can control what a user can view for any given message area, for example 'confidential' or 'spam'.

• Login failures

  Local users are permitted three failed login attempts. After the third failed attempt, they are locked out of the system for 10 minutes and cannot try again during this time. If they cannot remember their details and require you to change their password, modify their user details and click on Change the password in the "What would you like to do?" panel.

  Local AD users are never locked out of the Gateway, but a count of their login failures is maintained. If configured in AD, it is possible that local AD users may be locked in AD, but the Gateway will not be aware of this.

  Refer to the User Interface Service Access Log for details of failed login attempts and related information. Choose System > Monitoring & Control > Logs & Alarms from the main menu and select the System Logs tab to see a full list of logs.

• Modifying users

  If your own user is assigned a role that has the required permissions, or you are using the admin super-user, you can modify the details of other users, including passwords and access controls. You can also change the details of your own user.

© 1995–2018 Clearswift Ltd.