Understanding user accounts
A user account provides an individual with a user name and password to connect to assets managed by OMS.
All users who want to access an asset managed by OMS must have a user account in OMS that is either verified locally with an internally-stored password or through a third-party authentication server. To use an asset or asset element:
A user account must be verified. As an OMS administrator, you can choose to use a combination of locally and remotely authenticated user accounts in your environment.
A user account must be a member of a user group to connect to any assets.
A user group's permission policy determines the level of access to each asset, including no access.
The asset or asset element must be in a user group of which the user account is also a member.
A user account may be a member of zero, one, or more user groups.
Permissions are verified and constantly reverified whenever a user attempts an action (such as logging in, redirecting a probe, starting a packet capture, viewing a report, and so on). If the account has been disabled or deleted, the user is denied access.
There are three types of users:
Local user: User name and password are entered into and authenticated by OMS. Local users are easier to configure and manage for small teams who are not using third-party authentication servers or for groups in a lab or testing environment who want to remain separate from the wider enterprise for their testing.
Remote user: User name and password are from and authenticated by a third-party authentication server. If you are adding more than a handful of users, we recommend these accounts be imported into OMS rather than manually added. If your organization has a large number of users to manage, you may want to choose to authenticate users remotely since it reduces your burden as an OMS administrator. It is also one less password each user must remember and maintain.
admin: A special type of local user. It cannot be deleted or disabled nor does it need to be a member of any user groups. It has full access at all times. The default password is admin—this password is case-sensitive—and should be changed for your environment.
How to add new users
New users can either be manually added to an internal list or imported from third-party authentication systems.
Before adding a user, consider how you want the users to authenticate: locally using a user list maintained by OMS or remotely using a third-party authentication server. See Configuring how user accounts should authenticate.
There are two ways to get user accounts into OMS: you can add them using the process below or you can import them. See How to import users from third-party authentication servers. Choose the one that is best for you.
1. Starting in the dashboard, click Auth > Users.
2. Click and complete the fields using the information in User settings if necessary.
3. Click User Groups. Listed are the available user groups. Adding a user to a user group is an easy drag-and-drop operation from the Available list to the Members of list.
Note: If the user is not added to at least one user group that user will not be able to log in or use any asset.
4. Click the accept icon.
The user account is created and now has access to any assets allowed by the user group.
User settings
The User settings control how and whether a user may log in and use an asset.
If you imported users from a remote authentication server, this is automatically inserted.
The case-sensitive user name for this user.
Valid Input: Any character may be used, except for these five: " ' & > <. The length may be 2-71 characters.
Descriptions are optional and displayed in the Users table.
Consider a real name, or a department name if the user name is shared.
Email addresses are optional and displayed in the Users table.
Login enabled
As an alternative to deletion, a user can be disabled.
Only enabled users may log in. The 'admin' user cannot be disabled.
Management type
Specifies whether the user name and password of this user are maintained by a third-party authentication tool ('Authenticates Remotely') or by OMS ('Local User').
Local is selected by default unless explicitly changed.
Set password
Password to be used with the user name.
If you import users and change Management type to 'Local User,' this field appears to contain a password. In fact, it is blank and a password must be set manually either by you, as the OMS administrator, or by the user while in a session where you are logged on. As OMS administrator, you can provide users a password or have them type one themselves. To have users use their password from the remote authentication server, set Auth > Users > [User] > Management type to 'Authenticates Remotely.'
Valid Input: Any character may be used, except for these five: " ' & > <. The length may be 1-71 characters.
How to disable a user
Disabling a user account prevents that user from accessing any assets while keeping the account, which may be necessary for auditing or logging purposes.
1. Starting in the dashboard, click Auth > Users.
2. Select the user account to disable.
3. Clear Login enabled.
4. Click the accept icon.
The user may no longer access any assets.
How to enable a user
If a user is locked out of their OMS account or cannot access assets they normally can, the user account may have been disabled. With the correct permissions, you can re-enable a user account that was disabled.
To enable a user:
1. Starting in the dashboard, click Auth > Users.
2. Select the user account to enable.
All disabled user accounts will show (disabled) near the name.
3. Select Login enabled.
4. Click the accept icon.
The user can now log in and access assets they have permission to access.
How to delete a user
You can delete a user account from the OMS internal list or remove access for a user if authentication is through LDAP, Active Directory, RADIUS, or TACACS+.
If the user account is from the OMS internal list, the user is deleted from OMS. If you get the user from LDAP, Active Directory, RADIUS, or TACACS+, the user is removed from OMS but remains active on those third-party authentication servers.
Tip! Instead of deleting the user, consider whether disabling the user is more appropriate for you. Some organizations require inactive accounts be maintained for auditing purposes. See How to disable a user.
1. Starting in the dashboard, click Auth > Users.
2. Select the user account to delete.
3. Click the garbage can icon.
4. Click Yes to confirm the deletion.
The user is deleted when the Deleted the user: pop-up appears on the screen. The user no longer has access to any assets managed by OMS.
How to change a user's password
Only users listed as 'Local User' may have their password changed. Users who authenticate remotely must change their password through the normal mechanism for the authentication server.
You must be a member of a user group that has an authorization policy that allows you Admin or Level One Edit rights to OMS > AAA > Users.
If a password has not been set or has been forgotten by either you or the user, it can be changed at any time without needing to know the original password.
To change the password:
1. Starting in the dashboard, click Auth > Users.
2. Select the user account to change.
3. Choose one:
Have the user change their password. This would be done with both of you at the same system. If you are logged on at the user's system, be sure to log off before leaving.
This choice prevents you as administrator from having knowledge of their password.
Change the user's password and inform them of the new password.
This choice is less secure since you will know what the password is and the user cannot change the password.
4. Click the accept icon.
The user password is changed when the Saved user: pop-up appears on the screen.
5. If necessary, have the user log off and log on.
This ensures the user has access to the features to which they have rights.
The password is changed.
Invalid login credentials or access denied
The message Invalid login credentials or access denied generally means exactly what it says; however, it can also mean that the user account is not a member of any group, which will prevent the user from being able to log in. Adding a user to a group or re-enabling the user may resolve the error.
A user can become “locked out” of accessing OMS and assets after five unsuccessful login attempts. The account is disabled for 10 minutes and a warning message is recorded in the OMS log.
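The single message Invalid login credentials or access denied can hide several different causes. The following added example (a model written for this page, not OMS code) separates them using the rules stated above: enabled state, user group membership, the admin exceptions, and the five-attempt, 10-minute lockout. The Account record, the policy level names, the order of the checks, and the assumption that failures are counted consecutively and reset on success are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                  # page: five unsuccessful login attempts
LOCKOUT = timedelta(minutes=10)   # page: account disabled for 10 minutes

@dataclass
class Account:                    # hypothetical record, not an OMS schema
    name: str
    login_enabled: bool = True
    groups: set = field(default_factory=set)
    failures: int = 0             # assumption: consecutive failures are counted
    locked_until: Optional[datetime] = None

def login(acct, credentials_ok, now):
    """Model one login attempt and return (allowed, underlying_reason)."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return False, "locked out"
        acct.locked_until, acct.failures = None, 0   # lockout expired
    if not credentials_ok:
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT        # page: a warning is logged
            return False, "locked out"
        return False, "invalid credentials"
    acct.failures = 0             # assumption: a success resets the counter
    if acct.name == "admin":      # page: never disabled, needs no user group
        return True, "ok"
    if not acct.login_enabled:
        return False, "login disabled"
    if not acct.groups:
        return False, "not a member of any user group"
    return True, "ok"

def can_use_asset(acct, asset_groups, policy):
    """True if a group shared by user and asset grants more than no access."""
    if acct.name == "admin":      # page: full access at all times
        return True
    if not acct.login_enabled:    # page: rechecked on every action
        return False
    shared = acct.groups & set(asset_groups)
    return any(policy.get(g, "none") != "none" for g in shared)
```

Every reason string other than "ok" corresponds to the same user-facing message, which is why the group membership and Login enabled settings are worth checking before resetting a password.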