Administrators

Access to the UGMC web console is controlled by creating additional administrator accounts, assigning them access profiles, defining an administrator password management policy, and configuring web console access with the correct permissions for the service in the network zone properties.

NoteA local superuser named Admin/system is created during the initial setup of UGMC.

To create additional device administrator accounts, follow these steps:

Name

Description

Шаг 1. Создать профиль доступа администратора.

In the Administrators ➜ Administrator profiles section, click Add and enter the desired settings.

Шаг 2. Создать учетную запись администратора и назначить ей один из созданных ранее профилей администратора.

In the Administrators section, click Add and select the desired option.

  • Add local administrator: create a local user, set a password for the user, and assign them one of the access profiles created earlier.

  • Add LDAP user: add a user from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the username must be specified in the user@domain/system or domain\user/system format. Assign this user a profile created earlier.

  • Add LDAP group: add a user group from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the username must be specified in the user@domain/system or domain\user/system format. Assign this user a profile created earlier.

  • Add administrator with auth profile: create a user and assign them an administrator profile created earlier and an auth profile (this requires correctly configured auth servers).

Important! In this section of the management console service settings, only a local administrator can be assigned as a realm administrator. This is because different LDAP servers can be used for authenticating UGMC service administrators and realm administrators. If you need to use LDAP users as realm administrators, they need to be create in the same realm. Более подробно об администраторах области смотрите в разделе Администраторы области.

When creating an administrator access profile, specify the following parameters:

Name

Description

Name

Profile name.

Description

Profile description.

Administrator's type

To grant the rights to manage UGMC services, select the UGMC administrator type. The Realm administrator option should be selected when creating a root administrator for the managed realm.

Managed realm

If you selected the Realm administrator option as the Administrator's type, you must specify the managed realm for which the root administrator is being created. The realm must exist at that point.

Permissions

The list of web console tree objects available for delegation. The following access options are available:

  • No access

  • Read only

  • Read and write.

A UGMC administrator can configure additional administrator account protection settings, such as password complexity and temporary account blocking on exceeding the max authentication failures time.

To configure the above settings, follow these steps:

Name

Description

Шаг 1. Настроить политику паролей.

In the Administrators ➜ Administrators section, click Configure.

Шаг 2. Заполнить необходимые поля.

Provide values for these fields:

  • Strong password: enables the additional password complexity settings presented below, such as Minimum length, Minimum uppercase letters, Minimum lowercase letters, Minimum digit letters, Minimum special characters, and Maximum characters repetition block.

  • Number of invalid auth attempts: the number of failed attempts to authenticate as an administrator after which the account is blocked for Block time.

  • Block time: the time for which the account is blocked.

The Administrators ➜ Administrator sessions section displays all administrators who are logged in to the UGMC administrative web console. Any of the administrator sessions can be reset (closed) if necessary.

The administrator can define the zones from which access to the web console service will be allowed (TCP port 8010).

ПримечаниеНе рекомендуется разрешать доступ к веб-консоли для зон, подключенных к неконтролируемым сетям, например, к сети интернет.

To allow the web console service for a specific zone, go to the zone properties and allow access to the Administrative console service in the Access control tab. For more details on configuring zone access control, see the section Zone Configuration.