| Home Prev |  InCenter 2.2.5 On-Premises Administration Guide
|
Next |
|---|
The InCenter server maintains a database of InCenter users. That is, the users that are allowed to login and make use of InCenter. When the InCenter server is started for the first time, there is a single predefined user account already set up with the following credentials:
Username: admin
Password: admin
Any number of new InCenter user accounts can be created for administration and/or auditing purposes. Having a number of different users can be useful for logging purposes, where the username responsible for an action is included in that action's log message and history entry.
![[Note]](images/note.png) |
Note: User changes are not part of the history |
|---|---|
|
It should be noted that modifications to the user database and are not themselves kept in InCenter's revision history and therefore user changes cannot be reverted in the same way that other changes can. |
Authentication Methods
The following user authentication methods are available:Authentication with Username/Password Credentials
This default type of authentication involves the user entering credentials consisting of a username and password combination.
SSH Public Key Authentication
It is possible for a user to have CLI access to InCenter using SSH with public key authentication instead of using username/password credentials. Setting up public key authentication for a user is described in Section 3.1, SSH Access to the CLI.
Multi Factor Authentication in the WebUI
InCenter can be configured to use Multi Factor Authentication (MFA) where WebUI authentication is done using an external Clavister EasyAccess authentication server. This is discussed further in Section 9.4, Setting Up MFA.
User Access Levels
Every InCenter user has one of the following two values for its AccessLevel property:Administrator
The user has full system access and can read or change any part of the configuration. InCenter will not allow the number of this type of user to fall below one.
Auditor
The user has no ability to change the configuration or affect the operation of InCenter but has read-only access to the complete configuration. The user also has the ability to execute informational CLI commands such as the techsupport and statistics commands.
Also note that an auditor cannot read or download files in the InCenter system using SFTP or SCP. However, they can read or download such files using the REST API.
The access level does not have a default value so it must be specified for every user that is added to the system. Users that already existed prior to upgrading to a version with the access level feature will automatically get the Administrator level.
Conforming to the User Password Policy
When the InCenter PasswordPolicy object is enabled (it is by default) then the password which is set for a new user must conform to the length and content specified by the policy. By default, the password length must be not less than 8 characters and must contain at least one upper case, one lower case, one numeric plus one non-alphabetic/non-numeric character. This is explained further in Section 9.3, User Password Policy.Simultaneous Access by Multiple Users
It is possible for more than one InCenter user to be logged in at the same time to the same InCenter server instance. It is also possible for the same user to be logged in at the same time from multiple client computers.In the case of such multiple login sessions by an administrator user, all sessions will see and update the same configuration set. In other words, the changes made in one session will affect all other concurrent sessions.
In the case of an auditor user, they can see the changes being made by an administrator user but cannot activate or otherwise affect such changes.
Disabling Users
By default, a user is enabled. However, it is possible to disable a user account. This means that the user remains in the user database but their credentials will not be recognized at login.In the CLI, all InCenter user account management is performed exclusively using the user command. For example, adding a new user account to InCenter using the CLI is done with the following command:
admin@InCenter:/> user -add
-username=user2
-password=mypassword
-role=AdministratorUnlike other configuration changes, modifying the user database does not require that a activate and commit command sequence is entered to apply changes. User changes are applied immediately. In addition, user changes are not part of the InCenter configuration history.
Modifying an Existing User
The -update option is used when modifying an existing user. For example, to change a password:admin@InCenter:/> user -update -id=user2 -password=mypassword2Note that once a user exists in the user database, it is identified in the user command with the id=<username> parameter.
Displaying All Users
The CLI command for displaying all users is the following:admin@InCenter:/> user -show
Username Role Comments
-- -------- ------------- ----------
admin Administrator
user1 Auditor
user2 AdministratorHere, the output shows three user accounts: admin which is the default user account plus two others called user1 (an auditor) and user2 (a second administrator).
Deleting a User
The CLI command for deleting a user, say the user called user3, is the following:admin@InCenter:/> user -delete -id=user3Disabling a User
The following command can be used to disable a user:admin@InCenter:/> user -disable -id=user1When a user is disabled, a small "o" symbol will appear next to them when all users are listed:
admin@InCenter:/> user -show
Username AccessLevel Comments
-- -------- ------------- ----------
admin Administrator
o user1 AuditorTo re-enable the same user, the command would be:
admin@InCenter:/> user -enable -id=user1