Managing users


This topic describes the different types of users in TrueSight Network Automation and how users are locked and unlocked.

Users in TrueSight Network Automation

During installation, TrueSight Network Automation creates one Administrator account. If you choose to authenticate users externally, you supply the user name for the Administrator during installation. This account must be present and enabled in the external authentication server. If you choose to authenticate users locally, the default Administrator is sysadmin, with the password sysadmin.

If you have installed the BMC Remedy ITSM integrations, Network Automation creates one ao_adapter account. This account is required by the embedded TrueSight Orchestration to use the Network Automation web services. Do not delete or edit this account.

Each user is assigned to one or more roles that define the user's access rights. Essential user activity is logged in the Event log, including login and logout, database management, and device configuration management. Additional system-wide user account security parameters are defined under Admin > System Parameters.

Locking and unlocking of users

A user gets locked automatically if the user tries to log in too many times (default is 5 times) with an incorrect password. If a user gets locked, either the system can unlock the user automatically after a configurable amount of time elapses, or an administrator or a user with the Unlock Users system right can unlock that user. The following events are logged in the event log whenever a user is locked or unlocked:

  • System event with warning level whenever a user is locked
  • System event with info level whenever a user is auto unlocked
  • User event with info level whenever a user is unlocked by another user

Note

  • If you are using RADIUS or TACACS/TACACS+ authentication, invalid users are also locked after the failed login attempts.
  • If an administrator gets locked, a user with the Unlock Users right can unlock the administrator. If no other user has this right, either the administrator gets unlocked automatically after a specific time period, or you need to restart the Network Automation services. If these services are restarted, other users also get unlocked.

You can configure the number of allowed failed login attempts and the time after which a user gets unlocked automatically by using the following properties in the catalina.properties file. This file is located in the BCAN_HOME\tomcat\conf directory.

  • bna.lockOutRealm.failureCount: Indicates the maximum number of failed login attempts after which a user gets locked. Default value is 5.
  • bna.lockOutRealm.lockOutTime: Indicates the time (in seconds) after which a user gets unlocked automatically. Default value is 86400 (24 hours).

You can also configure the following cache settings in the catalina.properties file:

  • bna.lockOutRealm.cacheSize: Indicates the number of users locked due to failed login attempts that are kept in the cache. Default value is 1000.
  • bna.lockOutRealm.cacheRemovalWarningTime: Indicates a time period (in seconds). If a locked user is removed from the cache because the cache is too big, and that user has been in the cache for less than this period, a warning message is logged. Default value is 3600 (1 hour).
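
The following is an added example, not BMC code: a small audit of catalina.properties content that resolves the four bna.lockOutRealm.* properties described above, applies the documented defaults when a key is absent, and reports values that are malformed or differ from those defaults. The function names, the review thresholds MAX_FAILURES and MIN_LOCKOUT_SECONDS, and the sample content are assumptions made for illustration; only simple single-line key=value or key:value entries are handled.

```python
import re

# Defaults as documented on this page.
DEFAULTS = {
    "bna.lockOutRealm.failureCount": 5,
    "bna.lockOutRealm.lockOutTime": 86400,
    "bna.lockOutRealm.cacheSize": 1000,
    "bna.lockOutRealm.cacheRemovalWarningTime": 3600,
}
# Assumed review thresholds (site policy, not product limits).
MAX_FAILURES, MIN_LOCKOUT_SECONDS = 10, 900

def parse_properties(text):
    """Parse key=value / key:value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_lockout(text):
    """Return (effective settings, findings) for the lockout properties."""
    props = parse_properties(text)
    effective, findings = {}, []
    for key, default in DEFAULTS.items():
        raw = props.get(key, str(default))  # absent key -> documented default
        if not re.fullmatch(r"[0-9]+", raw):
            findings.append(f"{key}: '{raw}' is not a non-negative integer")
            effective[key] = None
            continue
        effective[key] = int(raw)
        if effective[key] != default:
            findings.append(f"{key}: {raw} differs from default {default}")
    count = effective["bna.lockOutRealm.failureCount"]
    if count is not None and count > MAX_FAILURES:
        findings.append(f"failureCount {count} exceeds policy maximum {MAX_FAILURES}")
    lock = effective["bna.lockOutRealm.lockOutTime"]
    if lock is not None and lock < MIN_LOCKOUT_SECONDS:
        findings.append(f"lockOutTime {lock}s is below policy minimum {MIN_LOCKOUT_SECONDS}s")
    return effective, findings

# Constructed sample input, not taken from a real installation.
SAMPLE = ("# lockout settings\nbna.lockOutRealm.failureCount=50\n"
          "bna.lockOutRealm.lockOutTime = 60\nbna.lockOutRealm.cacheSize=abc\n")
if __name__ == "__main__": print(audit_lockout(SAMPLE))
```

To check a real installation, pass the contents of the catalina.properties file from the BCAN_HOME\tomcat\conf directory to audit_lockout instead of SAMPLE.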

Where to go from here

To add, edit, view, unlock users, or change a user password, see the following topics:

 
