Nevepoint Access Manager 1.2 BETA Documentation

Similar documents
OneLogin Integration User Guide

Active Directory Self-Service FAQ

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Dell KACE K1000 System Management Appliance Version 5.4. Service Desk Administrator Guide

UP L18 Enhanced MDM and Updated Protection Hands-On Lab

Table of Contents INTRODUCTION... 2 HOME PAGE Announcements... 7 Personalize & Change Password... 8 Reminders... 9 SERVICE CATALOG...

Plesk 11 Manual. Fasthosts Customer Support

NotifyMDM Device Application User Guide Installation and Configuration for Windows Mobile 6 Devices

NSi Mobile Installation Guide. Version 6.2

Advanced Configuration Steps

Installing and Configuring vcloud Connector

qliqdirect Active Directory Guide

User Guide. Version R91. English

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown

Delegated Administration Quick Start

ManageEngine ADSelfService Plus. Evaluator s Guide

PORTAL ADMINISTRATION

NovaBACKUP. Storage Server. NovaStor / May 2011

Configuration Guide. BES12 Cloud

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices

Administration Guide. . All right reserved. For more information about Specops Password Sync and other Specops products, visit

Employee Active Directory Self-Service Quick Setup Guide

Creating Home Directories for Windows and Macintosh Computers

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Discovery Guide. Secret Server. Table of Contents

AVG Business SSO Connecting to Active Directory

User's Guide. Product Version: Publication Date: 7/25/2011

Dell KACE K1000 Management Appliance. Service Desk Administrator Guide. Release 5.3. Revision Date: May 13, 2011

Android App User Guide

CHARTER BUSINESS custom hosting faqs 2010 INTERNET. Q. How do I access my ? Q. How do I change or reset a password for an account?

Password Manager. Version Password Manager Quick Guide

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

Integrating LANGuardian with Active Directory

VMware Identity Manager Administration

Introduction to Directory Services

Installing and Configuring vcloud Connector

HDAccess Administrators User Manual. Help Desk Authority 9.0

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

User Guide. Cloud Gateway Software Device

Certificate Management

Administration Guide BES12. Version 12.3

System Administration Training Guide. S100 Installation and Site Management

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

NS DISCOVER 4.0 ADMINISTRATOR S GUIDE. July, Version 4.0

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

MadCap Software. Upgrading Guide. Pulse

RoomWizard Synchronization Software Manual Installation Instructions

Kaseya 2. User Guide. Version 1.1

AXIGEN Mail Server. Quick Installation and Configuration Guide. Product version: 6.1 Document version: 1.0


Livezilla How to Install on Shared Hosting By: Jon Manning

Secure Messaging Server Console... 2

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

PowerShell Configuration Guide

VPS Hosting User Guide

Sage 200 Web Time & Expenses Guide

WHM Administrator s Guide

Fus - Exchange ControlPanel Admin Guide Feb V1.0. Exchange ControlPanel Administration Guide

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Configuring Avaya Aura Communication Manager and Avaya Call Management System Release 16.3 with Avaya Contact Center Control Manager Issue 1.

MailEnable Connector for Microsoft Outlook

Sophos Mobile Control Installation guide. Product version: 3

GO!Enterprise MDM Device Application User Guide Installation and Configuration for BlackBerry

Sophos Mobile Control Installation guide. Product version: 3.5

SOA Software API Gateway Appliance 7.1.x Administration Guide

Professional Mailbox Software Setup Guide

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Kaseya 2. Installation guide. Version 7.0. English

Using LDAP Authentication in a PowerCenter Domain

F-Secure Messaging Security Gateway. Deployment Guide

Configuring Sponsor Authentication

Integrating idrac7 With Microsoft Active Directory

Integrating idrac 7 with Microsoft Active Directory

Installing and Configuring Login PI

Fax User Guide 07/31/2014 USER GUIDE

Rev 7 06-OCT Site Manager Installation Guide

Citrix Systems, Inc.

Cox Business Premium Online Backup USER'S GUIDE. Cox Business VERSION 1.0

NETASQ ACTIVE DIRECTORY INTEGRATION

Active Directory 2008 Implementation. Version 6.410

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Using Virtual Machines

Evoko Room Manager. System Administrator s Guide and Manual

CYAN SECURE WEB HOWTO. NTLM Authentication

Virto Password Reset Web Part for SharePoint. Release Installation and User Guide

APNS Certificate generating and installation

Mobile Device Management Solution Hexnode MDM

vcloud Director User's Guide

Admin Guide Virtual Private Server (VPS) MailStreet Hosting Control Panel (CP)

Configuration Guide. Follow the simple steps given in this document when you are going to run Lepide Active Directory Cleaner for the first time.

Table of Contents INTRODUCTION...2 HOME PAGE...3. Announcements... 6 Personalize... 7 Reminders... 9 Recent Items SERVICE CATALOG...

Administration Guide for the System Center Cloud Services Process Pack

Upgrading User-ID. Tech Note PAN-OS , Palo Alto Networks, Inc.

Virtual Appliance Setup Guide

What s New in Propalms VPN 3.5?

Customer admin guide. UC Management Centre

Transcription:

Nevepoint Access Manager 1.2 BETA Documentation

Table of Contents Installation...3 Locating the Installation Wizard URL...3 Step 1: Configure the Administrator...4 Step 2: Connecting to Primary Connector...4 Step 3: Configure Primary Connector...5 Step 4: Testing AD Settings...6 Step 5: Self Service Questions...6 Step 6: Mail Server and Enrolment Email Configuration...7 Step 7: Setting a Self Signed Certificate...8 Complete Installation...8 Account Provisioning...10 Create Additional Connectors: SSH Connector...11 Locate Connector...11 Configure Connector...12 Finish Installation...13 Configure Account Provisioning...15 Creating a Department...15 Configuring Attributes...16 Attribute Types...16 Visibility...16 Default Values...17 Read-only by Approving Manager...17 Read-only Expression...17 End User Editing...17 Creating a new Account...19 Setting Password...20 Approving a New Account Request...21 Completing Registration...21 Approval/Rejection...21 Managing Identities...23 Configuring Connector for Self Service Linking...24 Configure Self Service Linking...24 Create a new Connector...24 Self Service Account Linking...26 Multiple Account Password Changes...27 Multiple Password Resets...27 Multiple Account Unlocks...27 Configuring Admin Account Linking...28 Disable self service linking...28 Link the Primary Account...28 Find the Secondary Account...28 End User Contact Details...29 Themes...30

Installation Nervepoint Access Manager uses a wizard process to guide you quickly and easily through the installation process, these steps are covered in this article. Locating the Installation Wizard URL The first thing you notice when installing 1.2 Beta is the addition of a root password this allows you to lockdown your underlying operating system completely and uniquely and only and you alone can actually go in and access the root account. After hitting OK the main VM console will be visible. So the first thing to do is set a memorable but sufficiently complex password you will rarely need this but we do now provide the ability for you to easily access the underlying VM. VM console provides all the required functions for managing the VM itself details of which can be found here, VM Console UI.

The installation wizard is accessible on https:<server-ip> which is shown in the VM console when the VM is started in the above example it is shown by the line: To access the Nervepoint application, use a browser to connect to http://192.168.0.20 Simply go to the URL to step through the Installation Wizard. Step 1: Configure the Administrator The next step requires a secure password for the administrator account. This is the sole identity that will be allowed access to the Nervepoint Access Manager administration console to manage and configure the server from setting up authentication factors, settings security options, updating email notifications and keeping an eye on the system through the Dashboard and Idetntities as well as setting up and updating the backend connectors such as Active Directory. The required security rules are visible to the right and any password must conform to this. The password can be changed later from within the admin console. Step 2: Connecting to Primary Connector Nervepoint Access Manager requires that at least one primary connector is available to connect to in the 1.2 release Access Manager now supports AD and any SSH based connector: Linux, Ubuntu, Solaris and other Linux variants. In 1.2 Access Manager now supports multiple primary and secondary accounts. A basic description of these is as follows: Primary: users can login to Access Manager with an account on this directory but cannot link accounts in a primary directory to an account in another primary connector. Secondary: users can not login to Access Manager with an account in this directory but a primary connector can be linked with accounts in secondary directories allowing you to manage multiple accounts with just a primary account. Nervepoint Access Manager will try to auto-discover any SSH or AD servers but if

you wish to configure it manually simply select the Configure Manually option. NOTE: Active Directory must be configured for SSL communication Step 3: Configure Primary Connector Once discovered Nervepoint Access Manager will pre-populate the settings for your Active Directory these should be reviewed and any remaining un-configured items set. Settings: Name a name for the directory this will also be used as part of the logon process if more than one connector is configured using the syntax username@name or name\username Allow service-service Linking enable this to allow end users to link their account in secondary directories to this account. Disable this so its only admin can link an account. Domain controller - name of AD domain controller Backup Controller list of any replica Active Directories that can take the place of the main domain controller if there are communication problems Domain - domain of AD Service Account Name - name of service account. Account must have administrator permissions on the AD. Nervepoint Access Manager will use this account to communicate and run any required commands against your AD. Service Account Password - password associated with Service Account Name. Additional items can be configured for your AD a basic overview is below but for more details refer to the administration article, Directory Settings and Reconciliation: Advanced: add or remove OUs Global Catalog: settings required for using AD forests Synchronization: settings for reconciliation

Step 4: Testing AD Settings Nervepoint Access Manager tests the settings you configured to verify permissions and account details are correct. If this step fails you can re-enter the settings. Step 5: Self Service Questions Nervepoint Access Manager requires an initial set of Questions for Q&A authentication configuring. A number of defaults are provided and can be changed. These questions can be amended later and additional questions added from the administration portal after installation, refer to this article for more information, Authentication Basics.

Step 6: Mail Server and Enrolment Email Configuration Nervepoint Access Manager can email all your users automatically right after installation informing them to configure their QA authentication profile. Since QA authentication is the default authentication factor this means your end users can start using the system right away. Selecting the Send mail at end of installation will send these emails. Enabling this checkbox opens up the email template editor allowing you to configure the email that gets sent. For more information on email templates refer to this article, Email Configuration. Nervepoint Access Manager uses simple mode during the installation process which configures a basic postfix email server. Another email server can be configured once installation is complete from the administration console, refer to this article for more on configuring an email server, Email Configuration.

Step 7: Setting a Self Signed Certificate The final step allows you to configure a self signed certificate as halfway point to setting up a secure SSL connection using certificates. Once installed and running in 1.2 beta you can now install a secure SSL certificate from within Access Manager itself. Complete Installation The final step is verifying the details you have configured hitting Back allows you to re-configure any step. Hitting Finish will result in the server being install as per your configuration. Nervepoint Access Manager provides a progress report as below.

Once complete hitting Close results in being redirected to the main Nervepoint Access Manager portal. You are now ready to start using Nervepoint Access Manager.

Account Provisioning The current 1.2 BETA release introduces the core concept of account provisioning in this initial release this covers the provisioning of a new account in a chosen user directory whether this is the main AD, another AD or even a Linux or Solaris user directory. Before we delve into this a little more the below diagram shows the basic flow of interaction between each type of user in an organization and what each is responsible for in regards to account provisioning. Flow of Interaction Responsibility Administrator End User Approving Manager Create additional primary connector Select Create New Account Review new account request and alter any attributes Create department for primary connector Select department Approve or reject new account Select approving manager for department Complete required attributes Configure attributes for department System Create new account

Create Additional Connectors: SSH Connector Directories page is where you can add any additional primary or secondary connectors. From the main page select Add new Connector. In this section we'r going to show how to install a Linux directory server. To add any SSH based connector you must have SSH running on the server and root account must be able to SSH just as with Active Directory Access Manager requires admin/root access to the directory server. Locate Connector From the discovery wizard Access Manager should be able to locate your server if not simply select Configure Manually then select the SSH Scripts Connector from the Connector Type dropdown and press Next.

Configure Connector Settings: Name: a reference name for the new connector this will be used as part of the username when a user is logging in with the format username@name / Name\username so make sure this is something your end users are comfortable with Usage: whether this is a primary or secondary connector. Primary connector can be used to login with but cannot be linked to whereas secondary connectors can be linked with accounts in a primary connector allowing for central Identity management. By default this will be secondary. NOTE: This value cannot be changed later Hostname: hostname of server Port: this is defaulted to port 22 as the SSH port if yours differs then set it here Password or private key: authentication is required for the root user either via a password or private key Proxy server: if you have a proxy server in between then OS: this defines which operating system your end directory server is running currently supported versions are: Generic: Linux suitable for most Linux distributions Solaris: for Solaris server SoalrisNIS: for Solaris running NIS SolarosKerberosNIS: for Solaris running Kerberos and NIS to manage user account administration Custom Script: if your version is not supported you can create your own custom script for it

SolarisKerberosNIS The ideal setup for this connector is that your host Solaris machine has both the NIS master and Kerberos master/slave on, you will get the full feature set this way. If that is not possible you can run a NIS slave and Kerberos master/slave but account creation is not supported in this setup. An additional tab becomes available as shown below allowing you to setup Kerberos: Kerberos realm: this is only needed if the kerberos realm is not the same as the NIS domain in upper case Kerberos admin: this is required for setting passwords and retrieving account details. The account can be one of the following: if from a normal ssh client upon logging to ssh as root you can run "kadmin" without providing any password, then you do not need to provide anything here. if it does ask for a password and the principal it chooses exists then you can enter that principal name and password in the NAM configuration if there is no admin kerberos principal set up then you can set one up specifically for NAM. call this something like nam/admin@your.domain.com and configure the connector to use this. The admin principal can be restricted to a user in the kerberos ACL list. Finish Installation Once the connector has been setup Access Manager will attempt to connect to the server if everything went ok you will get a successful message and your directory will be visible from the Directories page again as shown below.

A primary connector is denoted by the * icon against it. The connector settings can be changed as before by expanding the Configuration section.

Configure Account Provisioning In this initial release of 1.2 BETA provisioning covers the idea of creating a user within a primary directory. Everything is managed through the concept of Departments. A department is a logical division that groups users together and is lead or managed by a single manager. In Access Manager every user belongs to a department either a newly defined department or the default department associated with each primary connector. When upgrading from a 1.1 build all users will fall into the default department. The basic steps to provision a user are as follows: 1. create a department 2. define connector attribute visibility Creating a Department From the Provisioning page the first tab Departments is where a department is created and configured. The top half of this page shows all the currently active departments by default each new primary connector has a 'Default' department associated with it. To create a department select the New Department button. A new department editor pane is shown. The following information is required: Directory: the primary connector an account will be created in Name: the name of the department this will be visible when a user goes through the account creation request wizard Notifications: how the end user creating the account will be notified of the creation request and any status updates Manager: user responsible for approving or rejecting account creation request if omitted this will be the admin only. Adding a user will open an Approval tab in the end user's My Account page. Once done hit Save to save the department.

Configuring Attributes Depending on which connector type has been associated with the department a set of attributes will be listed running down the left of the attribute editor screen. With the new department selected you can now begin configuring attributes for the department: 1. Select an attribute from the attribute list 2. The properties of the selected attribute will be shown in the adjacent attribute editor 3. Simply configure the attribute settings to suit your business requirements details on attribute settings are detailed below. Attribute Types There are two types of attributes in Access Manager: 1. Global Attributes: these are attributes defined under the category Global Attributes and are required by Access Manager to administer a user. These cannot be altered other than label and tooltips. 2. Connector specific attributes: these are attributes can be edited and are saved on the actual directory when creating the user account Visibility As can be seen below each configurable attribute has a number of visibility settings these affect how the attribute is seen by different class of users. 1. Provisioning/Creation: this controls how an attribute is shown or not during the account provisioning/creation process 2. Approval: this controls how an attribute is shown or not during the approving manager during the approval or rejection process 3. Self service editing: this controls how an attribute is shown or not by the end user themselves from their My Account page after there account has been created.

Default Values The image in the previous section showed 3 visibility settings in addition there is a source setting which is used to define the default value for an attribute this can either be generated by combining other attributes by referencing an attributes Id or a hardcoded value set. For example under the AD connector the OU attribute has an Expression for its default value which is, ' "CN=Users," + dcfromdn(configurationparameters.getbasedn())' and with the attribute visibility set to Hidden when an account is created the OU field for a user will be set to cn=<user-name>,cn=users,dc=exampledomain,dc=com By default Access Manager will set common defaults for each Attribute. The best way to understand attribute settings is by example: Read-only by Approving Manager Category Attribute Provision Visibility Approval Visibility SelfService Visibility Default Value Account Firstname Hidden Read only Hidden creategivenname In the above table the Account->Firstname attribute will be hidden during account creation, only read only to the approving manager and will be hidden from the end user's My Account page. So this is set automatically with a default value that is an expression that happens to be an attributeid of 'User name' located under the Global Attribute category. So whatever is set on the global attribute 'User name' will be copied into this field and eventually into AD as the Firstname. Read-only Expression Category Attribute Provision Visibility Approval Visibility SelfService Visibility Default Value Account User logon name Hidden Read only Hidden givenname + initials + sn The user logon name that will be set within AD will be made up of several attributes, the attribute with the Id's of givenname + initials + sn. These happen to be the Account 'firstname', 'initials' and 'surname' attributes. This attribute will not be visible during creation, nor to the approving manager and nor will it be editable by the end user later from their My Account page. End User Editing Below several General attributes have been set to optional for end user editing. Category Attribute Provision Visibility Approval Visibility SelfService Visibility General Office Hidden Hidden Optional General Description Hidden Hidden Optional General Telephone Hidden Hidden Optional General Email Hidden Hidden Optional Default Value

You can see on the My Account page these properties are available for editing by any user in that department.

Creating a new Account New accounts can be ordered by the end user through the account creation wizard which is initiated by pressing the Account Creation button from the main portal page as shown below. This allows an end user to make the request, providing their own data and then allowing a manager to review before approving and creating the requested account. Approving an account can be found in the Approval section. This will open the account creation wizard. Settings: Department: choose the department you are requesting an account in Email: provide a contact email address so you can be informed of approval status Global Attributes (Basic Requirements): attributes under this tab are required on all connectors further details on attributes can be found under the Provisioning section The remaining tabs hold further attributes as defined by the admin during creation of the Department. In the below image you can see an additional General tab which has been configured under the provisioning page to be shown. More info can be found in the section titled, Provisioning.

Setting Password The final step in the request is setting an initial password that will be assigned to the account. The password rules are shown to the right and are based on the connector this department is linked to. Once done you will receive a notification informing you of the status of your request. The request will be sent to the appropriate manager for approval. Once approved or rejected the end user will again be informed via email.

Approving a New Account Request Account creation requests appear in the Approvals tab under Provisioning as shown below. If a manager has been assigned as an approver of a department then he will have an additional tab as shown below. Completing Registration If the administrator has configured the Department to allow editing of user attributes then the attributes will be editable. If the admin has set the Provision Visibility on an attribute to Required then these attributes will need populating before the account can be created. As you can see in the image the Telephone number is a required field but not setting this the account cannot be provisioned. Approval/Rejection To approve the account or reject simply press the appropriate button. When rejecting an account you will be requested to provide rejection details which will be sent to the end user.

If Delete approval is not selected as part of the notification to the awaiting end user a unique URL is provided where they can edit and resubmit their request.

Managing Identities Access Manager now supports Identity management through the use of account linking. Since 1.2 is capable of supporting multiple user databases accounts between Primary and Secondary directories can be joined together. With an account linked an end user can manage passwords for multiple accounts from a single identity. The diagram below shows the basic steps needed to set up self service Identity management in Access Manager by each type of user. Flow of Interaction Responsibility Administrator End User System Create additional secondary connector Login to primary account Link primary account to secondary accounts Enable account linking on connector Select secondary connector Enable self service of all linked accounts Select username and validate ownership

Configuring Connector for Self Service Linking Accounts can only be linked from a primary account to a secondary. To configure an account as secondary follow the steps below. Configure Self Service Linking On the primary connector enable self service account linking Create a new Connector 1. Select Add New Connector from the Directories page 2. Locate the new directory and configure its settings 3. Set usage to secondary

With a secondary connector created it's now up to the end user to link their account.

Self Service Account Linking Accounts can be linked together by either the Admin user or the users themselves. To link accounts from the My Account page first go to Account > Other Accounts, from the dropdown list select the secondary directory that the user you will link belongs to. You will need to enter the username and password of the user on the secondary directory. If the details are entered correctly and the connection to the secondary directory is clear then the two accounts will now be linked you can see all linked accounts from the Other Accounts page as you can see below this account has another linked account. Linking accounts allows the user to manage the password for all linked accounts by using only the account details of the primary user.

Multiple Account Password Changes With a linked account you can reset passwords for any one of your accounts. Multiple Password Resets With linked accounts you can also perform password resets for one or all accounts only having authenticated with the primary user. Multiple Account Unlocks With linked accounts Access Manager will attempt to unlock all accounts at the same time.

Configuring Admin Account Linking If you do not want to allow end users to link their own account then the admin can perform the link instead by following the steps below. Disable self service linking Select the primary connector from the Directories page and disable the self service account linking checkbox. Link the Primary Account Select the user's primary account to link too from the Identities page. Select the secondary connector to link to and press the Link button Find the Secondary Account From the popup that appears enter the username to link. The account is now linked and the end user can manage passwords for both accounts.

End User Contact Details The redesigned Contact Details page allows the user to set multiple email address and contact numbers to be used for different purposes. After adding an email address or phone number it is shown in the list, next to each entry is a dropdown list with four options: None, Account Only, OTP Only, All Notifications These options will determine the type of messages that are sent to each address or number, for example you have 2 email addresses set, one is for All notifications, the other is for OTP messages only Any message that Nervepoint sends which is not an OTP message will be an Account Notification of some kind, the most common of these would be messages regarding the Account status and the amount of time until the account password expires.

Themes Nervepoint Access Manager 1.2 adds some new features to the appearance options that allow you to customise the look and feel the user interface. One of these features is the ability to create and upload your own themes to change the appearance of the Nervepoint user interface. The Themes section provides links to JQuery ThemeRoller. Using ThemeRoller it is possible to create themes that can be imported to Nervepoint Access Manager. Once a theme has been imported it can be set as the default for its type through the Theme table (either Site or Mobile) and can be selected from the theme changer in the page footer.

When a theme is uploaded or set as the new default you only need to change or refresh the page in order for the new theme to take effect.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information