Implementation Guide › Configuring Basic Users and Access

Configuring Basic Users and Access

This section contains the following topics:

About Basic Users and Access

Configuring the User Store

Configure Password Policies

Preserving Predefined Access Policies

Create the First Administrator

About Basic Users and Access

Configuration begins with setting the user store, creating one or more users with the predefined Administrator role, and configuring password policies. Typically, this configuration is performed by the installer, who can log onto CA User Activity Reporting Module with the EiamAdmin credentials. After this configuration is complete, the users defined as Administrators configure CA User Activity Reporting Module.

If the default user store configuration is accepted, the minimum configuration that must be completed by the EiamAdmin user is the account for the first Administrator. The first Administrator can configure password policies before configuring the other CA User Activity Reporting Module components.

Note: For details on creating other users, or creating custom roles with and custom access policies, see the CA User Activity Reporting Module Administration Guide.

Configuring the User Store

The user store is the repository for global user information. You can configure the user store as soon as you install a CA User Activity Reporting Module server. Only the EiamAdmin user can configure the user store, this is usually done immediately after the first logon.

Configure the user store in one of the following ways:

• Accept the default, Store in internal datastore

  Note: The default option could be displayed as the CA Management Database if, during installation, you pointed to a standalone CA EEM.

• Select Reference from an external directory, which can be an LDAP directory such as Microsoft Active Directory, Sun One, or Novell CA Directory
• Select Reference from CA SiteMinder

If you configure the user store as an external directory, you cannot create new users. You can only add predefined and user defined application groups, or roles, to the read-only global user records. You must add new users in the external user store and then add the CA User Activity Reporting Module permissions to the global user records.

Accept the Default User Store

You do not have to configure the user store if you accept the default, which is the internal datastore. This applies if there is no external user store to reference.

To verify that the default repository is configured as the user store

1. Log into a CA User Activity Reporting Module server as a user with Administrator privileges or with the EiamAdmin user name and associated password.
2. Click the Administration tab.

   If you log in as the EiamAdmin user, this tab displays automatically.

3. Select the User and Access Management subtab, and then click the User Store button on the left pane.

   The EEM Server Configuration for Global Users/Global Groups appears.

4. Verify that the option, Store in internal datastore, is selected.
5. Click Save and then click Close.

Note: With the default user store set, you can create new users, set temporary passwords, and set password policies.

More information:

User Store Planning

Reference an LDAP Directory

Configure the user store as a reference to an LDAP directory when global user details are stored in Microsoft Active Directory, Sun One, or Novell Directory.

Note: Application details are stored in the default repository. Referencing an external user store does not update that user store.

To reference an LDAP directory as the user store

1. Log into a CA User Activity Reporting Module server as a user with administrator privileges or as the EiamAdmin user.
2. Click the Administration tab.

   If you log in as the EiamAdmin user, this tab displays automatically.

3. Select the User and Access Management subtab, and then click User Store on the left pane.

   The CA EEM Server configuration for User Store appears.

4. Select Reference from an external directory.

   Fields for the LDAP configuration appear.

5. Complete these fields as planned on the external directory worksheet.

   Consider the following example for binding to Active Directory objects, with the following binding string:

   Set objUser = Get Object ("LDAP://cn=Bob, cn=Users, ou=Sales, dc=MyDomain, dc=com"), where cn is the Common Name, ou is the Organizational Unit, and dc is composed of two Domain Components that make up the full DNS name. For User DN, you would enter:

   cn=Bob,cn=Users,ou=Sales,dc=MyDomain,dc=com
   

6. Click Save.

   Saving this reference loads user account information into CA EEM. This makes it possible for you to access these user records as global users and then add application-level details such as application user group, the name for user role.

7. Review the displayed status to verify that the external directory bind is successful and that data is loaded.

   If the status displays a warning, click Refresh status. If the status displays an error, correct the configuration, click Save, and repeat this step.

8. Click Close.

More information:

User Store Planning

External LDAP Directory Worksheet

Reference CA SiteMinder as the User Store

If your user accounts are already defined to CA SiteMinder, reference this external directory when you configure the user store.

To reference CA SiteMinder as the user store

1. Log into a CA User Activity Reporting Module server as a user with administrator privileges or as the EiamAdmin user.
2. Click the Administration tab.

   If you log in as the EiamAdmin user, this tab displays automatically.

3. Select the User and Access Management subtab, and then click the User Store button on the left pane.

   The CA EEM Server configuration for User Store appears.

4. Select the option, Reference from CA SiteMinder.

   CA SiteMinder-specific fields appear.

   1. Complete these fields as planned on the SiteMinder Worksheet.
   2. To view or change connections and ports used by CA SiteMinder, click the ellipsis to display the Connection Attributes panel.
5. Click Save.

   Saving this reference loads user account information into CA EEM. This makes it possible for you to access these user records as global users and then add application-level details such as application user group, the name for user role.

6. Review the displayed status to verify that the external directory bind is successful and that data is loaded.

   If the status displays a warning, click Refresh status. If the status displays an error, correct the configuration, click Save, and repeat this step.

7. Click Close.

More information:

User Store Planning

CA SiteMinder Worksheet

Configure Password Policies

You can set password policies to ensure that the passwords users create for themselves meet the standards you set and are changed with the frequency you set. Set password policies after configuring the internal user store. Only the EiamAdmin user or a user assigned the Administrator role can set or modify password policies.

Note: CA User Activity Reporting Module password policies do not apply to user accounts created in an external user store.

To configure password policies

1. Log into a CA User Activity Reporting Module server as a user with Administrator privileges or as the EiamAdmin user.
2. Click the Administration tab.

   If you log in as the EiamAdmin user, this tab displays automatically.

3. Select the User and Access Management subtab, and then click the Password Policies button on the left pane.

   The Password Policies panel appears.

4. Specify whether to allow passwords to be the same as the user name.
5. Specify whether to enforce length requirements.
6. Specify whether to enforce policies on maximum repeating characters or minimum number or numeric characters.
7. Specify age and reuse policies.
8. Verify your settings, then click Save.
9. Click Close.

   The configured password policies apply to all CA User Activity Reporting Module users.

More information:

Password Policy Planning

User Name as Password

Password Length and Format

Password Age and Reuse

Preserving Predefined Access Policies

If you plan to use only the predefined application user groups, or roles, with the associated predefined policies, there may be little risk that predefined policies would ever get deleted or corrupted. However, if your Administrators plan to create user-defined roles and associated access policies, the predefined policies will be accessed, edited, and vulnerable to undesired changes. It is good practice to keep a backup of the original predefined policies that you can restore if needed.

Create a backup file containing each type of predefined policy using the Export function. You can copy these files to an external media or leave them on the disk of the server on which the Export was initiated.

Note: For procedures on backing up predefined policies, see the CA User Activity Reporting Module Administration Guide.

More information:

Back Up All Access Policies

Create the First Administrator

The first user you create must be assigned the Administrator role. Only users who are assigned the Administrator role can perform configuration. You can assign an Administrator role to a new user account you create or to an existing user account retrieved into CA User Activity Reporting Module.

Use the following process:

1. Log into the CA User Activity Reporting Module server as the EiamAdmin default user.
2. Create the first administrator.

   The method you use to create the first CA User Activity Reporting Module Administrator depends on how you configure the user store.

   • If you configure CA User Activity Reporting Module to use the internal user store, you create a new user account with the Administrator role.
   • If you configure CA User Activity Reporting Module to use an external user store, you use an existing LDAP user to bind to the directory. Once you bind to an external directory, you retrieve from the external user store the account of the user to whom you want to assign a CA User Activity Reporting Module role. User accounts from external user stores are retrieved as global users. You cannot modify existing user account information, but you can add a new CAELM application user group, or role. For the first user, you assign the role, Administrator.

   Note: You cannot create new users from CA User Activity Reporting Module when you configure an external user store.

3. Log off the CA User Activity Reporting Module server
4. Log back on to the CA User Activity Reporting Module server with the new user account credentials.

   You are then ready to perform configuration tasks.

Create a New User Account

You can create a user account for each individual who is to use CA User Activity Reporting Module. You provide the credentials the user is to log on with for the first time and you specify their role. The three predefined roles include Administrator, Analyst, and Auditor. When a new user who is assigned the role of Analyst or Auditor logs on, CA User Activity Reporting Module authenticates the user with the saved credentials and authorizes usage to various functionality based on the role you assign.

To create a new user

1. Log into the CA User Activity Reporting Module server as the EiamAdmin default user.

   The Administration tab and User and Access Management subtab displays.

2. Click Users on the left pane.
3. Click New User to the left of the Users folder.

   The New User details screen appears on the right side of the window.

4. Type a user name in the Name field. User names are not case-sensitive.
5. Click Add Application User Details.
6. Select the role associated with tasks this user is to perform. Use the shuttle control to move it to the Selected User Groups list.
7. Provide values for the remaining fields in the screen as needed. You must provide a case-sensitive password with confirmation in the authentication group box.
8. Click Save, and then click Close.

More information:

Assign a Role to a Global User

Assign a Role to a Global User

You can search for an existing user account and assign the application user group for the role you want the individual to perform. If you reference an external user store, the search returns global records loaded from that user store. If your configured user store is the CA User Activity Reporting Module user store, the search returns records created for users in CA User Activity Reporting Module.

Only Administrators can edit user accounts.

To assign a role, or application user group, to an existing user

1. Click the Administration tab and the User and Access Management subtab.
2. Click Users on the left pane.

   The Search Users and Users panes appear.

3. Select Global Users, enter search criteria, and click Go.

   If the search is for loaded user accounts, the Users pane shows the path and the path labels reflect the referenced external directory.

   Important! Always enter criteria when searching to avoid displaying all entries in an external user store.

4. Select a Global User that has no membership in a CA User Activity Reporting Module application group.

   The User page displays with the folder name, global user details, and, if applicable, global group membership.

5. Click Add Application User Details.

   The "CAELM" User Details pane expands.

6. Select the desired group from Available User Groups and click the right arrow.

   The selected group appears in the Selected User Groups box.

7. Click Save.
8. Verify the addition.
   1. On the Search Users pane, click Application User Details and click Go.
   2. Verify that the name of the new application user appears in the displayed results.
9. Click Close.