Difference between revisions of "Maintenance"

Latest revision as of 18:15, 9 August 2023

Maintenance

In this menu, You can manage accounts that can access the imRAD management interface. It also has audit logs that are a sequence of activities.

Accounts

The Maintenance Accounts are divided into two types. The first type is "Administrator" which is a privileged user. The second type is "Operator" which is a non-privileged user which means only having READ privilege.

You can create an account by clicking the "Create New Account" button at the top right of the list.

Item	Required	Description
Accounts Type	Yes	Choose one type.
Login ID	Yes	The multibyte or Non-ASCII characters(e.g, Korean, Japanese) are not allowed and the maximum length is 64 characters.
Login authentication Type	Yes	The imRAD supports three login authentication methods that are Local: The credentials are validated from the local imRAD Database. RADIUS: The credentials are validated via a remote RADIUS server. LDAP: The credentials are validated via an LDAP server. Note that you must define an Authentication Entity before creating an account that is validating via either the RADIUS or LDAP.
Temporary Password	Yes	Temporary Password means that the password of an account is short random text. If a user logs in with an account whose password is Temporary, The user must change its password before login. If not, he can't log in. You may create an account for a new user to enable to change its password before login.
Email	No	Email address of a user.
Description	No	Description of a user.

Temporary Password

As described in the above table, Temporary Password makes it possible to change its password before login. When a user tries to log in with an account that was set a Temporary Password, the system moves a page in which a user can change its password.

All saved passwords in the local imRAD Database are not decrypted as plaintext because all passwords are encrypted by secured cryptographic hash functions (CHF).^[1] Although a user wants to know his/her password because a user forgot it, you can't provide the password as plaintext. Instead, you can generate the Temporary Password for an account.

The Temporary Password is only available for accounts whose authentication type is "LOCAL". If you set The Temporary Password to an account, a user MUST change the password within 3 days. If not, the account will be locked.

Lock/Unlock

The account may change to a locked state and a user can't log in with the account. There are three types of "LOCK" states.

'auto-lock: If a login failure exceeds the specified number of login failures, we automatically lock the account for specified minutes. In this case, we change the locked state to "auto-lock". The "auto-lock" will be unlocked after elapsing the specified minutes. The specified number of login failures and minutes are defined in the "Managemnet> Settings > Security".
dormant-lock: It indicates that the account was not logged in for the specified number of days that are defined in the "Managemnet> Settings > Accounts".
lock: it indicates that an administrator locks the account.

Note that an administrator can unlock all locked accounts from the details of an account by clicking the icon() in front of each row on the list.

Audit Log

An audit log(also called audit trail) is a record of events and changes, typically regarding a sequence of activities or a specific activity^[2].

Activities of all the managers(administrator and operator) users and internal events of the system are recorded as audit logs. All users can search and see all audit logs but not change or delete them.
You can see the details of each log by clicking the icon() in front of each row on the list.

Settings

Accounts

This setting contains the values to lock the account that were not logged in for a long time. If a manager does not log in while the specified days, the status of the account is changed to "dormant-lock".

The locked accounts are not allowed to log in before unlocking them.

Security

This setting defines the authentication and session policies to have you securely access the management interface.

Password Policy

Minimum Length: The minimum length of a password.
Mix of Characters: If you want a strong password, select all items.
Password Aging: It makes possible to have users forcibly change his/her password periodically.

Maintenance account Session

If you want to allow multiple sessions of the same account from different hosts or browsers, switch on the "Allow Multiple Sessions".

Even if multiple sessions are not allowed, duplicate logins through multiple browsers on a single computer are permitted.

You can also configure the session timeout and the Lockout is used to prevent a brute-force attack^[3] by locking an account for a while when a user failed its login several times.

Note that the dashboard page is not affected by the Session Termination. In other words, Even if the dashboard page is open for a long time without any interaction, the session never expires.

References

↑ Cryptographic hash function
↑ https://en.wikipedia.org/wiki/Audit_trail
↑ https://en.wikipedia.org/wiki/Brute-force_attack

[1] Cryptographic hash function

[2] ttps://en.wikipedia.org/wiki/Audit_trail

[3] ttps://en.wikipedia.org/wiki/Brute-force_attack

[1]

[2]

[3]

@@ Line 1: / Line 1: @@
 __FORCETOC__
 === Maintenance ===
-You can manage all accounts that can log in to the imRAD management. It also has audit logs that are a sequence of activities.
+In this menu, You can manage accounts that can access the imRAD management interface. It also has audit logs that are a sequence of activities.
 ==== Accounts ====
-The Maintenance Accounts are divided into two types which are either "Administrator" or "Operator".
+The Maintenance Accounts are divided into two types.
-The Administrator is a super-user or privileged user and the Operator is a non-privileged user which means only have READ privilege.
+The first type is "Administrator" which is a privileged user. The second type is "Operator" which is a non-privileged user which means only having READ privilege.
-You can create an account by clicking the "Create New Account" button at the top right on the list.
+You can create an account by clicking the "Create New Account" button at the top right of the list.
 {| class="wikitable"
@@ Line 16: / Line 16: @@
 | Login ID || Yes || The multibyte or Non-ASCII characters(e.g, Korean, Japanese) are not allowed and the maximum length is 64 characters.
 |-
-| Login authentication Type || Yes || The imRAD supports three authentication types that are
+| Login authentication Type || Yes || The imRAD supports three login authentication methods that are
 * Local: The credentials are validated from the local imRAD Database.
 * RADIUS: The credentials are validated via a remote RADIUS server.
 * LDAP: The credentials are validated via an LDAP server.
-Note that you must define an Authentication Entity before creating an account that is validating via either the RADIUS or LDAP, The below explains how to create an Authentication Entity.
+{{note|Note that you must define an Authentication Entity before creating an account that is validating via either the RADIUS or LDAP.}}
 |-
 | Temporary Password || Yes|| Temporary Password means that the password of an account is short random text. If a user logs in with an account whose password is Temporary, The user must change its password before login. If not, he can't log in.<br>
@@ Line 41: / Line 41: @@
 ===== Lock/Unlock =====
-The account may change to a locked state and a user can't log in with the account. There are three types of "LOCK" state.
+The account may change to a locked state and a user can't log in with the account. There are three types of "LOCK" states.
-*  auto-lock: If a login failure exceeds the specified number of login failures, we automatically lock the account for specified minutes. In this case, we change the locked state to "auto-lock". The "auto-lock" will be unlocked after elapsing the specified minutes. The specified number of login failures and minutes are defined in the "Maintenance > Settings > Security".
+*  '''auto-lock'': If a login failure exceeds the specified number of login failures, we automatically lock the account for specified minutes. In this case, we change the locked state to "auto-lock". The "auto-lock" will be unlocked after elapsing the specified minutes. The specified number of login failures and minutes are defined in the "Managemnet> Settings > Security".
-* dormant-lock: It indicates that the account was not log in for the specified number of days that are defined in the "Maintenance > Settings >  Accounts".
+* '''dormant-lock''': It indicates that the account was not logged in for the specified number of days that are defined in the "Managemnet> Settings >  Accounts".
-* lock: it indicates that an administrator locks the account.
+* '''lock''': it indicates that an administrator locks the account.
-Note that an administrator can unlock all locked accounts from the details of an account by clicking the icon([[File:popup.png|23x]]) in front of each row on the list.
+{{note|Note that an administrator can unlock all locked accounts from the details of an account by clicking the icon([[File:popup.png|23x]]) in front of each row on the list.}}
 ==== Audit Log ====
 An audit log(also called audit trail) is a record of events and changes, typically regarding a sequence of activities or a specific activity<ref>https://en.wikipedia.org/wiki/Audit_trail</ref>.
-Activities of all the Maintenance users and internal events of the system are recorded as audit logs. All Maintenance users can search and see all audit logs but not change or them.<br>
+Activities of all the managers(administrator and operator) users and internal events of the system are recorded as audit logs. All users can search and see all audit logs but not change or delete them.<br>
-You can see the details by clicking the icon([[File:popup.png|23x]]) in front of each row on the list.
+You can see the details of each log by clicking the icon([[File:popup.png|23x]]) in front of each row on the list.
 ==== Settings ====
 ===== Accounts =====
-This setting contains the values to lock accounts that were not using for a long time. If an account does not log in while the specified days, the account changes to "dormant-lock".
+This setting contains the values to lock the account that were not logged in for a long time. If a manager does not log in while the specified days, the status of the account is changed to "dormant-lock".
+The locked accounts are not allowed to log in before unlocking them.
 ===== Security =====
-This setting defines the login and sessions to have you securely access the management interface.
+This setting defines the authentication and session policies to have you securely access the management interface.
-====== Password Settings of Maintenance account ======
+====== Password Policy ======
-You can define the minimum length and complexity of a password. Password Aging makes it possible to have users forcibly change his/her password periodically. Lockout is used to prevent a brute-force attack<ref>https://en.wikipedia.org/wiki/Brute-force_attack</ref> by locking an account for a while when a user failed its login several times.
+* Minimum Length: The minimum length of a password.
-====== Maintenance account Session ======
+* Mix of Characters: If you want a strong password, select all items.
-If you want to allow multiple sessions of the same account from different hosts or browsers, switch on the "Allow Multiple Sessions". Note that regardless of this setting, Multiple sessions for the same account are allowed when users log in from one host through one kind of browser.<br>
+* Password Aging: It makes possible to have users forcibly change his/her password periodically.
-You can also configure the session timeout. Note that the '''dashboard''' page is not affected by the Session Termination.
-In other words, Even if the dashboard page is open for a long time without any interaction, the session never expires.
-===== Authentication Entity =====
-You must define entities that can validate credentials through a remote server before login into the imRAD. You can define either the Remote Authentication Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP), or Windows Active Directory.
-You can add a new entity by clicking the "Add" button in the bottom right below the list. You can change or delete an entity by clicking the icon in front of each row.
+====== Maintenance account Session ======
+If you want to allow multiple sessions of the same account from different hosts or browsers, switch on the "Allow Multiple Sessions".
+{{note|Even if multiple sessions are not allowed, duplicate logins through multiple browsers on a single computer are permitted.}}
+You can also configure the '''session timeout''' and the '''Lockout''' is used to prevent a brute-force attack<ref>https://en.wikipedia.org/wiki/Brute-force_attack</ref> by locking an account for a while when a user failed its login several times.
-====== Configuring Authentication Entity ======
+{{note|Note that the '''dashboard''' page is not affected by the Session Termination.
-* Auth Entity Name: is a name to distinguish from others.
+In other words, Even if the dashboard page is open for a long time without any interaction, the session never expires.}}
-* Authentication Type: RADIUS or LDAP(or Windows Active Directory)
-* Host: It is the IP Address of an authentication server.
-* Port: It is the port number of an authentication service.
-* Secret or Bind DN: If you configure a RADIUS, you must input the "Shared secret" into the "Secret" field. If you configure an LDAP server, you must input the Bind DN(e.g. CN=Users,CN=basein-adtest,DC=vsc).
-If you click the "Connect" button on the rear of the list, you can confirm the connection status with an entity and can try to validate an account.
 === References ===