3.7 Managing Console Users

Managing console users is an important part of securing the console, because every console user account is a path into the Secure Configuration Manager database and the endpoints it manages. Successful management of console users includes the following activities:

  • Creating the appropriate number of console user accounts

  • Maintaining complex passwords

  • Assigning the appropriate roles and permissions

  • Deleting unused console user accounts

3.7.1 Creating a Console User

When you create a console user, you are creating an account in the Secure Configuration Manager database. For each console user, you can specify the following attributes:

  • General properties, such as user name and email address

  • Type of authentication you want Secure Configuration Manager to enforce when this user logs on to the console

  • Role assignments

By default, Secure Configuration Manager uses console authentication to validate this account, that is, it checks the credentials stored in the Secure Configuration Manager database. However, you can configure Secure Configuration Manager to use an external authentication source, such as Active Directory, to validate this account upon logon. When creating a console user account that requires external authentication, ensure that the specified user name exactly matches the logon name of the corresponding account in the external authentication source; a console user whose name does not match any external account can never log on. For more information, see Section 3.3.1, Implementing External Authentication.
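The following PowerShell script is an added example and is not part of the Secure Configuration Manager documentation or product. It checks, before you create console users that require Active Directory authentication, that each proposed console user name matches an existing, enabled Active Directory logon name (sAMAccountName). The list of proposed user names is constructed sample data; the script assumes the Active Directory PowerShell module (RSAT) is installed and that the operator has read access to the domain.

```powershell
# Added example: validate proposed console user names against Active Directory logon names.
# Not part of Secure Configuration Manager; assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Constructed sample: console user names about to be created with external (AD) authentication.
$ProposedConsoleUsers = @('jdoe', 'asmith', 'svc_scmaudit')

foreach ($Name in $ProposedConsoleUsers) {
    # Look up the account by its logon name (sAMAccountName), which is the value the
    # console user name must match. A display name or UPN would not satisfy the match.
    $AdUser = Get-ADUser -Filter "sAMAccountName -eq '$Name'" -Properties Enabled, LockedOut

    if ($null -eq $AdUser) {
        Write-Warning "No Active Directory account with logon name '$Name'; a console user with this name could never authenticate."
        continue
    }

    if (-not $AdUser.Enabled) {
        Write-Warning "'$Name' exists but is disabled in Active Directory; logon will fail until it is enabled."
    }

    if ($AdUser.LockedOut) {
        # An AD lockout is independent of any lock Secure Configuration Manager places on the console account.
        Write-Warning "'$Name' is currently locked out in Active Directory."
    }

    Write-Output ("OK: console user '{0}' matches AD account {1}" -f $Name, $AdUser.DistinguishedName)
}
```

Run the script on the console host or any domain-joined administration workstation before creating the accounts. Note that the Active Directory LockedOut flag it reports is unrelated to the console lock status described in Section 3.7.4; the two locks are maintained separately.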

3.7.2 Assigning Roles to a Console User

You can grant permissions to use a set of Secure Configuration Manager features by assigning roles to a console user. Each role contains the appropriate permissions for a particular task. You can create roles that fit your specific needs or assign one of the provided NetIQ roles. For more information about creating roles, see Section 3.5.2, Creating, Modifying, and Deleting Roles.

3.7.3 Assigning Permissions to a Console User

You can assign permissions based on the type of task you want the console user to perform. You can allow or deny platform-specific permissions for each endpoint or group in your asset map. For example, you can allow one set of permissions, such as User/Groups permissions, and deny another set of permissions, such as System permissions. For more information about assigning permissions, see Section 3.6, Managing Permissions.

NOTE: Unlike platform-specific permissions, console permissions apply to all endpoints at once. You cannot assign console permissions to specific endpoints.

3.7.4 Working with Console User Accounts

When working with console user accounts, you may need to unlock an account that is locked out of the Secure Configuration Manager console. Secure Configuration Manager provides a real-time status that indicates whether a console user account is locked. Check this status first when diagnosing logon issues, so that a console lockout is not mistaken for a credential or external authentication problem.

NOTE: A locked console user is not locked by the external authentication source. For example, if a console user account requires Active Directory authentication, Secure Configuration Manager can lock the user out of the Secure Configuration Manager console, but not out of Active Directory.

You can reset the password of a console user account only if that account uses console authentication, because only then does Secure Configuration Manager hold the credentials. If an account is configured for external authentication, reset the password in the external authentication source, using a solution such as NetIQ Secure Password Administrator.

You can also delete a console user account to prevent the console user from logging on to Secure Configuration Manager. Regularly delete inactive or obsolete accounts to reduce the number of credentials that can be abused and to keep stale accounts out of the Secure Configuration Manager database. When you delete a console user account, Secure Configuration Manager transfers ownership of the user's task suites, custom tasks, security checks, and policy templates to the default console administrator, which is the administrator you specified during installation. Review the objects a user owns before deleting the account so that unreviewed content does not accumulate under the default console administrator. To prevent a user from accessing specific Secure Configuration Manager features without deleting the account, remove permissions from the user account. For more information, see Section 3.6.2, Modifying Permission Assignments.