User authentication and permissions




The MainView Middleware Monitor (MVMM) product supports the following authentication modes:

  • Internal Security – local authentication that uses the distributed directory information service
  • Active Directory Delegate Mode – combines Active Directory Authentication (user identification and password checking) and Internal LDAP authorization

The MVMM product uses LDAP as the underlying security protocol for all user authentication. All references to LDAP in the documentation refer to the underlying security method and not an external LDAP directory service, otherwise known as a Directory System Agent. Connecting to a Directory System Agent is not supported.

The following sections provide guidelines on user authentication and permissions:

Users, user groups, and permissions

Regardless of your user authentication mode, user permission is handled using the concept of user groups. A user is a member of at least one user group. Permissions are granted to the groups and, by extension, to the members of the group.
All users in a group have identical permissions. Changes applied to one user in a group are applied to all users in the group. Users can be added to and removed from groups as required.

A user can belong to more than one group. When a user belongs to groups with different permissions, the user is granted the union of all permissions.

Warning

After you choose the type of security, either Internal (default) or Active Directory, do not switch from one to the other even if you run the Security Configuration Tool again. If you have chosen Active Directory and it is working, do not switch to another Active Directory unless it has the same groups.

If you need to change the type of security or switch to a different Active Directory with a different directory of groups, contact BMC support for advice on how to do this. Changing the directory of groups affects both MainView Middleware Monitor and MainView Middleware Administrator, regardless of its edition.

Internal Security mode

User authentication is handled by an internal Apache Directory Server.

Active Directory Delegate Mode

Active Directory Delegate Mode Security allows for configuring MainView Middleware Monitor security to authenticate a user via their Active Directory credentials and group memberships while allowing for MainView Middleware Monitor user and group authorization and configuration information to be stored in its internal database.

This mode alleviates the need to modify the Active Directory schema. It might require the Active Directory administrator to set up Groups and User associations that are used to dictate a user's level of authority. Internal users (such as TopicService, and so on) are maintained in the internal MainView Middleware Monitor database, and are not required in the Active Directory domain.

You can configure Active Directory Delegate Mode security either automatically with the securityconfig tool (the recommended method), or manually by modifying the services.cfg file.

In MainView Middleware Monitor, access permission is granted at a group level. Members of the group inherit all permissions granted to the group. Changes to a group's permissions are applied to all users in the group. Users in more than one group inherit the union of permissions from all the groups in which they are members.

Notes

  • Users have no access rights until they are members of at least one group.
  • If you use Active Directory security, contact your Active Directory administrator for assistance. Note that the "ADS" mode of integration with Microsoft Active Directory is not supported. See also, Configuring-Active-Directory-security.

Important

BMC recommends that you change the default password for the SA user as soon as possible. For more information, see Duplicating-editing-and-deleting-users-and-groups.

MainView Middleware Monitor security enables you to create user accounts and security groups to manage user access to MainView Middleware Monitor functionality. For a full review of the security options, see the Administering section.

 

 

Automatic logout on user inactivity

The MainView Middleware Monitor Console automatically logs out users after a period of inactivity. Unsaved changes are lost after the user is logged out. The user can configure the timeout duration of user inactivity before they are logged out.

In the services.cfg file, assign a numerical value as the timeout value (in minutes) to the user_inactivity_session_timeout_minutes parameter under the [Management_Console] section. For more information, see [Management_Console].

For example: user_inactivity_session_timeout_minutes=30

Users can assign '0' as a value of the user_inactivity_session_timeout_minutes parameter to disable the automatic logout on user inactivity feature. This enables the user to stay logged in even if they are inactive.

For example: user_inactivity_session_timeout_minutes=0

The user can also configure the timeout duration of the pop-up notification before it closes automatically. In the services.cfg file, assign a numerical value as the timeout value (in minutes) to the user_inactivity_dialog_timeout_minutes parameter. Users receive a pop-up notification on session timeout with an option to stay logged in. If the user does not choose an option, the pop-up closes after a short duration and they are logged out automatically.

For example: user_inactivity_dialog_timeout_minutes=1

Note

After modifying the timeout configurations, restart the application service for the new setting to take effect.
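
The following check is an added example, not BMC code: it reads services.cfg text and reports when automatic logout is disabled or the idle window is longer than a site policy allows. It assumes the file parses as INI, that both parameters sit in [Management_Console], and a 30-minute policy ceiling; the sample input is constructed.

```python
import configparser

SECTION = "Management_Console"  # assumption: both keys live in this section
SESSION_KEY = "user_inactivity_session_timeout_minutes"
DIALOG_KEY = "user_inactivity_dialog_timeout_minutes"
MAX_IDLE_MINUTES = 30  # assumed site policy ceiling, not a BMC value

# Constructed sample, not a real services.cfg.
SAMPLE_CFG = """\
[Management_Console]
user_inactivity_session_timeout_minutes=0
user_inactivity_dialog_timeout_minutes=1
"""


def _minutes(section, key, findings):
    """Return the key as a non-negative int, or None after recording why not."""
    raw = section.get(key)
    if raw is None:
        findings.append(f"{key}: not set, product default applies")
        return None
    if not raw.strip().isdecimal():
        findings.append(f"{key}: '{raw}' is not a whole number of minutes")
        return None
    return int(raw)


def audit_timeouts(cfg_text, max_idle=MAX_IDLE_MINUTES):
    """Return findings about the inactivity-logout settings in cfg_text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(cfg_text)
    except configparser.Error as exc:
        return [f"cannot parse configuration: {exc.__class__.__name__}"]
    if not parser.has_section(SECTION):
        return [f"[{SECTION}] section not found"]
    findings = []
    session = _minutes(parser[SECTION], SESSION_KEY, findings)
    dialog = _minutes(parser[SECTION], DIALOG_KEY, findings)
    if session == 0:
        findings.append(f"{SESSION_KEY}: 0 disables automatic logout")
    elif session is not None:
        # The pop-up opens at session timeout and logout follows when it
        # closes, so the idle window is read here as the sum of both values.
        idle = session + (dialog or 0)
        if idle > max_idle:
            findings.append(f"idle window {idle} min exceeds policy {max_idle} min")
    return findings
```

An empty list means the settings are within the assumed policy.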


 
