6.3. Administrators

Access to the UGMC web console is controlled by creating additional administrator accounts, assigning them access profiles, defining an administrator password management policy, and configuring web console access with the correct permissions for the service in the network zone properties.

Note

A local superuser named Admin/system is created during the initial setup of UGMC.

To create additional device administrator accounts, follow these steps:

Task

Description

Step 1. Create an administrator access profile.

In the Administrators --> Administrator profiles section, click Add and enter the desired settings.

Step 2. Create an administrator account and assign it one of the administrator profiles created earlier.

In the Administrators section, click Add and select the desired option.

  • Add local administrator: create a local user, set a password for the user, and assign them one of the access profiles created earlier.

  • Add LDAP user: add a user from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the user name must be specified in the user@domain/system or domain\user/system format. Assign this group a profile created earlier.

  • Add LDAP group: add a user group from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the user name must be specified in the user@domain/system or domain\user/system format. Assign this group a profile created earlier.

  • Add administrator with auth profile: create a user and assign them an administrator profile created earlier and an auth profile (this requires correctly configured auth servers).

Important! In this section of the management console service settings, only a local administrator can be assigned as a realm administrator. This is because different LDAP servers can be used for authenticating UGMC service administrators and realm administrators. If you need to use LDAP users as realm administrators, they need to be create in the same realm. For more details on realm administrators, see the section Realm Administrators.

When creating an administrator access profile, specify the following parameters:

Name

Description

Name

Profile name.

Description

Profile description.

Administrator's type

To grant the rights to manage UGMC services, select the type UserGate Management Center administrator. The Realm administrator option should be selected when creating a root administrator for the managed realm.

Managed realm

If you selected the Realm administrator option as the Administrator's type, you must specify the managed realm for which the root administrator is being created. The realm must exist at that point.

Permissions

The list of web console tree objects available for delegation. The following access options are available:

  • No access.

  • Read only.

  • Read and write.

A UGMC administrator can configure additional administrator account protection settings, such as password complexity and temporary account blocking on exceeding the max authentication failures time.

To configure the above settings, follow these steps:

Task

Description

Step 1. Configure the password policy.

In the Administrators --> Administrators section, click Configure.

Step 2. Fill in the relevant fields.

Provide values for these fields:

  • Strong password: enables the additional password complexity settings presented below, such as Minimum length, Minimum uppercase letters, Minimum lowercase letters, Minimum number of digits, Minimum number of special characters, and Maximum characters repetition block.

  • Number of invalid auth attempts: the number of failed attempts to authenticate as an administrator after which the account is blocked for Block time.

  • Block time (sec): the time for which the account is blocked.

The Administrators --> Administrator sessions section displays all administrators who are logged in to the UGMC administrative web console. Any of the administrator sessions can be reset (closed) if necessary.

The administrator can define the zones from which access to the web console service will be allowed (TCP port 8010).

Note

Web console access should not be allowed for zones connected to uncontrolled networks (e.g. the Internet).

To allow the web console service for a specific zone, go to the zone properties and allow access to the Administrative console service in the Access control tab. For more details on configuring zone access control, see the section Zone Configuration.