Maintenance

You can manage all accounts that can log in to the imRAD management interface. It also provides audit logs, which record sequences of activities.

Accounts

Maintenance accounts are divided into two types: "Administrator" and "Operator". The Administrator is a super-user (privileged user); the Operator is a non-privileged user who has only the READ privilege.

You can create an account by clicking the "Create New Account" button at the top right of the list.

| Item | Required | Description |
|---|---|---|
| Accounts Type | Yes | Choose one type. |
| Login ID | Yes | Multibyte or non-ASCII characters (e.g., Korean, Japanese) are not allowed, and the maximum length is 64 characters. |
| Login authentication Type | Yes | imRAD supports three authentication types: Local (the credentials are validated against the local imRAD Database), RADIUS (the credentials are validated via a remote RADIUS server), and LDAP (the credentials are validated via an LDAP server). Note that you must define an Authentication Entity before creating an account that is validated via either RADIUS or LDAP. |
| Temporary Password | Yes | Temporary Password means that the password of an account is short random text. If a user logs in with an account whose password is Temporary, the user must change the password before login; otherwise, the user can't log in. You may create an account for a new user so that the user can change the password before login. |
| Email | No | Email address of a user. |
| Description | No | Description of a user. |

Temporary Password

As described in the table above, a Temporary Password makes it possible for a user to change the password before login. When a user tries to log in with an account that has a Temporary Password set, the system moves to a page on which the user can change the password.

Passwords saved in the local imRAD Database cannot be recovered as plaintext, because only the output of a secure cryptographic hash function (CHF), which is one-way, is stored.[1] Even if a user has forgotten the password and asks for it, you can't provide the password as plaintext. Instead, you can generate a Temporary Password for the account.

The Temporary Password is only available for accounts whose authentication type is "LOCAL". If you set a Temporary Password on an account, the user MUST change the password within 3 days. If not, the account will be locked.
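The Temporary Password flow described above, sketched as an added example (this is not imRAD's code). The account dictionary, the function names, PBKDF2-HMAC-SHA256 as the hash function and the 12-character length are assumptions; the LOCAL-only rule and the 3-day limit come from the text.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

TEMP_LIFETIME = timedelta(days=3)      # from the page: change within 3 days
PBKDF2_ROUNDS = 600_000                # assumption: the page names no algorithm
ALPHABET = string.ascii_letters + string.digits

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _store(account: dict, password: str, temporary: bool, now: datetime) -> None:
    # A fresh salt per password; setting a password also clears the lock (assumption).
    salt = secrets.token_bytes(16)
    account.update(salt=salt, pw_hash=hash_password(password, salt),
                   temporary=temporary, issued=now, locked=False)

def issue_temporary_password(account: dict, now: datetime, length: int = 12) -> str:
    if account["auth_type"] != "LOCAL":
        raise ValueError("Temporary Password is only available for LOCAL accounts")
    temp = "".join(secrets.choice(ALPHABET) for _ in range(length))
    _store(account, temp, temporary=True, now=now)
    return temp                        # handed over once, never written to storage

def login(account: dict, password: str, now: datetime) -> str:
    """Return 'locked', 'denied', 'change-password' or 'ok'."""
    if account["temporary"] and now - account["issued"] > TEMP_LIFETIME:
        account["locked"] = True       # not changed within 3 days
    if account["locked"]:
        return "locked"
    candidate = hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return "denied"
    return "change-password" if account["temporary"] else "ok"

def change_password(account: dict, old: str, new: str, now: datetime) -> bool:
    # The old (possibly temporary) password must still be valid and unexpired.
    if login(account, old, now) not in ("change-password", "ok"):
        return False
    _store(account, new, temporary=False, now=now)
    return True
```

Because only the salted digest is kept, an administrator has nothing to read back to a user who forgot the password; issuing a new Temporary Password is the only recovery path.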

Lock/Unlock

An account may change to a locked state, in which the user can't log in with the account. There are three types of "LOCK" state.

  • auto-lock: If the number of login failures exceeds the specified number, the system automatically locks the account for the specified number of minutes and sets the locked state to "auto-lock". The "auto-lock" is released after the specified minutes have elapsed. The number of login failures and the minutes are defined in "Maintenance > Settings > Security".
  • dormant-lock: Indicates that the account has not logged in for the specified number of days, which is defined in "Maintenance > Settings > Accounts".
  • lock: Indicates that an administrator has locked the account.

Note that an administrator can unlock any locked account from the details of the account, which open by clicking the icon in front of each row on the list.
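The three lock states above can be modelled as a small state check, shown here as an added example (not imRAD's code). The class and function names and the default thresholds are assumptions standing in for the values configured under "Maintenance > Settings".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LockPolicy:                 # defaults are assumptions, not product values
    max_failures: int = 5         # Settings > Security
    auto_lock_minutes: int = 10   # Settings > Security
    dormant_days: int = 90        # Settings > Accounts

@dataclass
class Account:
    last_login: datetime
    failures: int = 0
    auto_locked_at: Optional[datetime] = None
    admin_locked: bool = False

def lock_state(acct: Account, policy: LockPolicy, now: datetime) -> str:
    """Return 'lock', 'dormant-lock', 'auto-lock' or 'active'."""
    if acct.admin_locked:
        return "lock"
    if now - acct.last_login >= timedelta(days=policy.dormant_days):
        return "dormant-lock"
    if acct.auto_locked_at is not None and \
            now - acct.auto_locked_at < timedelta(minutes=policy.auto_lock_minutes):
        return "auto-lock"
    return "active"

def record_login(acct: Account, policy: LockPolicy, now: datetime, success: bool) -> str:
    """Apply one login attempt and return the account state afterwards."""
    state = lock_state(acct, policy, now)
    if state != "active":
        return state              # refused even when the password is correct
    if acct.auto_locked_at is not None:   # auto-lock window has elapsed
        acct.auto_locked_at, acct.failures = None, 0
    if success:
        acct.failures, acct.last_login = 0, now
        return "active"
    acct.failures += 1
    if acct.failures > policy.max_failures:   # "exceeds the specified number"
        acct.auto_locked_at = now
        return "auto-lock"
    return "active"
```

Only "auto-lock" clears on its own; "lock" and "dormant-lock" stay until an administrator unlocks the account.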

Audit Log

An audit log (also called an audit trail) is a record of events and changes, typically regarding a sequence of activities or a specific activity.[2]

Activities of all Maintenance users and internal events of the system are recorded as audit logs. All Maintenance users can search and view all audit logs, but cannot change or delete them.
You can see the details of each log by clicking the icon in front of each row on the list.

Settings

Accounts

This setting contains the values used to lock maintenance user accounts that have not logged in for a long time. If a maintenance user account does not log in within the specified number of days, the status of the account is changed to "dormant-lock".

Security

This setting defines the login and session options that let you access the management interface securely.

Password Settings of Maintenance account

You can define the minimum length and complexity of a password. Password Aging forces users to change their passwords periodically. Lockout is used to prevent a brute-force attack[3] by locking an account for a while when a user has failed to log in several times.

Maintenance account Session

If you want to allow multiple sessions of the same account from different hosts or browsers, switch on "Allow Multiple Sessions". Regardless of this setting, multiple sessions for the same account are allowed when users log in from one host through one kind of browser.
You can also configure the session timeout.

Note that the dashboard page is not affected by the Session Termination. In other words, even if the dashboard page is open for a long time without any interaction, the session never expires.

Authentication Entity

If you want to validate some maintenance accounts through other systems, you must define these entities before adding accounts. You can define a Remote Authentication Dial-In User Service (RADIUS) server, a Lightweight Directory Access Protocol (LDAP) server, or Windows Active Directory.

You can add a new entity by clicking the "Add" button at the bottom right below the list. You can change or delete an entity by clicking the icon in front of each row.

The interface for configuring an Authentication Entity has the following fields:

  • Auth Entity Name: A name that distinguishes the entity from others.
  • Authentication Type: RADIUS or LDAP (or Windows Active Directory).
  • Host: The IP address of the authentication server.
  • Port: The port number of the authentication service.
  • Secret or Bind DN: If you configure a RADIUS server, you must enter the "Shared secret" in the "Secret" field. If you configure an LDAP server, you must enter the Bind DN (e.g. CN=Users,CN=basein-adtest,DC=vsc).

If you click the "Connect" button at the end of the list, you can confirm the connection status with an entity and try to validate an account.

References