From the CommCell Browser, click the Security icon, right-click the CommCell Users icon, and then
click New User.
From the General tab of the User Properties dialog box, type the User Name and Password. Then confirm the Password.
Optionally, you can enter a full Name, description, and e-mail or pager address.
If you want to enable the user account immediately, select the Enabled
check box. If you want to create the account but leave it inactive until some
later time, then clear the Enabled option (this option is selected by default).
If you want the user's password to expire on a periodic basis, select the
Age Password check box and then select the number of days for
which the password is to remain valid.
To assign the new user to a user group, from the User Groups tab select a user group from the Available Groups pane and then move the group to the Member Groups pane. Note that unless you assign the user account to a user group, the user will not have any capabilities after logging on.
Click Create New User Group to create a user group to which this
user can be associated. For more information, see
Create a User Group.
You cannot delete the user that you defined as the CommCell administrator
user during the installation of software. This user remains enabled at all times.
Deletions are effective immediately: once a user is deleted, the user can
no longer perform functions within the CommCell Console.
From the CommCell Browser, click the Security icon and then the
CommCell Users icon.
From the right pane of the CommCell Browser, right-click the user you want
to delete, and then click Delete from the short-cut menu.
Click Yes at the confirmation prompt that appears to delete
the user.
If this user account was used to create a schedule policy or schedule a
report, upon deletion of the account, you will be prompted to transfer
ownership of the schedule policy or report schedule to another user.
If you disable an existing user account, this user will immediately be unable
to create or receive scheduled reports or alerts. However, this disabled
user will retain all assigned rights within the CommCell until the user has
logged off. Once this disabled user has logged off, the user cannot log on to
the CommCell.
From the CommCell Browser, click the Security icon, right-click the CommCell User Groups icon, and
then click New User Group.
From the General tab of the User Group Properties dialog box, type the name you want to assign to the user group (up to 32 characters; do not include trailing spaces) and some descriptive information that characterizes the user group.
If you want this user group to be disabled, de-select the Enabled
check box (this option is selected by default).
If you want the user group to possess all capabilities, select All Capabilities. If you want this user to possess only certain capabilities, click the Capabilities tab, and then perform the following:
Assign capabilities to a user group by moving capabilities from the
Available Capabilities pane to the Assigned Capabilities pane.
Do not select the All Capabilities and All
Associations check boxes if you do not want to risk exposing all
CommCell features and resources to users that may not have adequate
training or knowledge. For this reason, these options are cleared by
default.
To assign users to a user group, click the Users tab, and then assign users to the group, as necessary.
Click Create New User to create a user to be associated with this
user group. For more information, see
Create a User Account.
From the CommCell Browser, click the Security icon and then the
CommCell User Groups icon.
From the right-hand pane of the CommCell Browser, right-click the user group
whose capabilities you want to re-assign, then click Properties
from the short-cut menu.
From the Capabilities tab of the User Group Properties dialog box, re-assign the capabilities to the user group, as necessary.
To associate or disassociate a user group to a CommCell entity:
From the CommCell Browser, click the CommServe, client computer group, client computer, agent, MediaAgent, Library, Storage Policy, backup set, subclient, or Shelf media, and then select Properties.
From the Security tab, select the user groups that you want to associate
with the CommCell object from the Available Groups
pane, and then move the user group to the Associated Groups pane.
Enabling this feature will prevent any unauthorized users from
installing agents on the CommCell. Authorized users include those with
Installation or Administrative Management capabilities.
Make sure that Web Access is enabled for the Domino Server and the users
have an Internet Password set from the Domino Server.
When adding domain controllers, note that no two domain controllers can have
the same domain name. In other words, you cannot register duplicate domain
controllers with the CommServe.
Whenever you register a new domain controller with the CommServe, make sure
to restart the IIS services on the Web Search Server in order to enable logging
to the Search Console using the new domain.
To add a new domain controller for Domino Directory Services:
From the CommCell Browser, expand the Security icon, and right-click on
the Name Servers icon. From the popup menu, select Add New Domain.
Enable the secure Lightweight Directory Access Protocol (LDAP) for additional network security with the external domain. Remember that this can only be enabled when the external domain has been configured to use the secure LDAP (with the proper SSL certificate). If this protocol is enabled from the Add New Domain Controller dialog box but not configured from the external domain, the feature is not enabled. To verify whether the external domain client has been configured for LDAP, see Verify LDAP configuration on External Domain.
Note that setting up the secure LDAP environment is required for the feature to work properly. It involves the following steps:
setting up certificate servers
importing the same SSL certificates on both the CommServe and the external domain
setting up the proper DNS (very important, especially when the external domain client and the CommServe computer are in two different domains, etc.).
After completing these steps, you can verify if your environment is set up correctly by checking if the external domain is accessible. This ensures the DNS is set up properly. Then follow the steps in Verify LDAP configuration on External Domain to see if the certificates are set up properly for secure communication to take place.
From the Add a New Domain Controller dialog, enter the following
information:
Domino Organization - Specifies the top most level in the
domino server hierarchy.
Domino Server Host Name - Client name in which the Domino
Server resides.
Domino LDAP Port - port used by Lightweight Directory Access
Protocol (LDAP) to communicate to the Domino Server. The default value
is 389.
User Account - Domino administrator user account used to
connect to the Domino Server. Click Edit to enter the user
account information.
When adding domain controllers, note that no two domain controllers can have
the same domain name. In other words, you cannot register duplicate domain
controllers with the CommServe.
Whenever you register a new domain controller with the CommServe, make sure
to restart the IIS services on the Web Search Server in order to enable logging
to the Search Console using the new domain.
To add a new domain controller:
From the CommCell Browser, click the Security icon, and
right-click on the Name Servers icon. From the popup menu, select
Add New Domain.
Enable the secure Lightweight Directory Access Protocol (LDAP) for additional network security with the external domain. Remember that this can only be enabled when the external domain has been configured to use the secure LDAP (with the proper SSL certificate). If this protocol is enabled from the Add New Domain Controller dialog box but not configured from the external domain, the feature is not enabled. To verify whether the external domain client has been configured for LDAP, see Verify LDAP configuration on External Domain.
Note that setting up the secure LDAP environment is required for the feature to work properly. It involves the following steps:
setting up certificate servers
importing the same SSL certificates on both the CommServe and the external domain
setting up the proper DNS (very important, especially when the external domain client and the CommServe computer are in two different domains, etc.).
After completing these steps, you can verify if your environment is set up correctly by checking if the external domain is accessible. This ensures the DNS is set up properly. Then follow the steps in Verify LDAP configuration on External Domain to see if the certificates are set up properly for secure communication to take place.
Enter the appropriate information in the Add New Domain Controller dialog box. You will need to enter the following information:
NetBIOS Name: Enter the NetBIOS name (IP address) of the external domain.
Note that different domains
have different NetBIOS names. If you do not know the NetBIOS name of your
domain, you can retrieve it using the LDP utility and searching the sub-tree of
configuration naming context for the NetBIOS name attribute using the following filter:
From the CommCell Browser, click the Security icon and expand all
the nodes.
Click on the external domain for which you want to add an external user
group, and right click on the External Group icon.
From the Add New External Group dialog box, select the external user group with which you want to associate the CommCell user groups. Note that the external user group that you select must have its Group Scope defined as Global. This can be verified in the external domain’s interface; check the external user group’s properties. This will prevent any conflicts that may arise during Single Sign On login for an external domain user when this user and corresponding external domain user groups reside in child and parent domains.
Select the CommCell user groups to associate with the specified external
user group.
Right-click on the application icon, and select Properties.
From the Console Properties dialog box, select the Shortcut
tab.
In the Target field, add the following command -sso=disabled, and click OK. When launching the application from this application icon, the Single Sign On feature will be disabled, and users can enter alternate login information.
This method disables the Single Sign On feature for this application shortcut. To re-enable the feature, simply remove the -sso=disabled command.
To temporarily disable Single Sign On:
Launch the application using the application icon.
When prompted with the Connect to CommCell login box, click
Cancel. This will allow users to enter different login credentials.
This method allows the user to enter alternate login information once. The
next time a user launches the application using the same application shortcut, it will once
again use the single sign on feature.
To add another target CommCell for Single Sign On:
Create another application shortcut.
Right-click on current application icon.
Select Create Shortcut.
Right-click on the new application shortcut, and select Properties.
From the Console Properties dialog box, select the Shortcut
tab.
In the Target field, change the name of the CommServe, and click OK.
This method adds another application shortcut with a different target
CommCell. When this new application shortcut is used to launch the application, it
will automatically access the new CommCell.
To change the target CommCell for Single Sign On:
Right-click on the application shortcut, and select Properties.
From the Console Properties dialog box, select the Shortcut
tab.
In the Target field, change the name of the CommServe, and click
OK.
This method changes the target CommCell for the Single Sign On feature. When
this application shortcut is used to launch the application, it will automatically
access the new CommCell.
The following sections describe the steps to manage users from
the command line.
Before running command line operations, you must first log in to the
CommServe. From the command prompt, navigate to <Software_Installation_Directory>/Base
and run the following command:
Download the create_user_template.xml file and save it on the computer from which the command will be executed.
Execute the following command from the <Software_Installation_Directory>/Base folder after substituting the parameter values below using the Available Command Parameters table for reference.
Download the modify_user_template.xml file and save it on the computer from which the command will be executed.
Execute the following command from the <Software_Installation_Directory>/Base folder after substituting the parameter values below using the Available Command Parameters table for reference.
The following table displays all the parameters you can use with the commands mentioned in the sections above.
Parameter - Description and Parameter Values
agePassword - Number of days to keep the password active
associatedUserGroupsOperationType - Modification type. Valid values are:
    ADD, to associate new user groups.
    OVERWRITE, to overwrite the existing user groups with new user groups.
    DELETE, to delete one or more user groups.
description - A general description of the user account
email - Email of the user
enableUser - Option to enable/disable the user. Valid values are True/False.
fullName - Full name of the user
password - A plain text password to access the user account
userGroupName - Name of the user group to be associated. If you plan to associate more than one user group, add the following line in the XML file to specify each user group:
The following sections describe the steps to manage user groups from
the command line.
Before running command line operations, you must first log in to the
CommServe. From the command prompt, navigate to <Software_Installation_Directory>/Base
and run the following command:
Download the modify_usergroup.xml file and save it on the computer from which the command will be executed.
Open the .xml file and update the XML parameters using the Available Command Parameters table for reference. You can remove XML parameters such as users, capabilities or associations from the .xml file if you do not plan to modify them.
Execute the following command from the
<Software_Installation_Directory>/Base folder after updating the XML
parameters.
If you want to adjust the amount of property information being displayed, use the 'level' parameter to specify the property level (see Available Command Parameters table for reference). For example, if you want to list only basic properties, execute the following command:
If you also want to list the user group properties, use the 'level' parameter to specify the property level (see Available Command Parameters table for reference). For example, if you want to list all properties, execute the following command:
Open the .xml file and specify the capabilities that you want to
add. Refer to the Available
Command Parameters table for a list of valid capability values.
Execute the following command from the
<Software_Installation_Directory>/Base folder after updating the XML
parameters.
Open the .xml file and specify the user that you want to associate. Refer to the Available
Command Parameters table for information on adding multiple users.
Execute the following command from the
<Software_Installation_Directory>/Base folder after updating the XML
parameters.
Open the .xml file and specify the CommCell entity that you want to associate. Refer to the Available
Command Parameters table for information on the entities that you can
add.
Execute the following command from the
<Software_Installation_Directory>/Base folder after updating the XML
parameters.
The following table displays all the
parameters you can use with the commands mentioned in the sections above.
Parameter - Description
allCapabilities - Option to assign all capabilities to the user group. Valid values are True/False.
allAssociations - Option to associate all CommCell objects (such as clients, libraries, storage policies, etc.) to the user group. Valid values are True/False.
associations/<entity> - Name of the CommCell entity to be associated with the user group. The XML files in the above sections define the client computer association. If you want to associate a different entity, add the following lines for the entity you want to associate:
    For MediaAgents: <associations mediaAgentName="name" />
    For Libraries: <associations libraryName="name" />
    For Storage Policies: <associations storagePolicyName="name" />
    For Client Groups: <associations clientGroupName="name" />
associationsOperationType - Modification type. Valid values are:
    ADD, to associate new CommCell entities.
    OVERWRITE, to overwrite the existing CommCell entities with the new CommCell entities.
    DELETE, to delete one or more CommCell entities.
capability - Name of the function which the users will be performing within the CommCell. To add more than one capability, add the following line in the XML file to specify each capability:
    OVERWRITE, to overwrite the existing capabilities with the new capabilities.
    DELETE, to delete one or more capabilities.
description - A general description of the user group
enabled - Option to enable/disable the user group. Valid values are True/False.
level - The property level information that you want to display when listing user groups. Valid values are:
    ListOnly, to list the user group name without its property information.
    BasicProperties, to list the user group name along with its basic properties.
    ExtendedProperties, to list the user group name along with its basic and extended properties.
    AllProperties, to list the user group name along with all its properties.
userGroupName - Name of the user group
userName - Name of the user to be associated with the user group. If you plan to associate more than one user, add the following line in the XML file to specify each user:
    <users userName="user x"></users>
usersOperationType - Modification type. Valid values are:
    ADD, to associate new users.
    OVERWRITE, to overwrite the existing users with the new users.
    DELETE, to delete one or more users.
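An added example, not part of the original documentation or the vendor's tooling: a review pass over a user or user group XML file before it is executed, flagging the settings the parameter tables make risky (allCapabilities, allAssociations, OVERWRITE operation types, and the plain text password parameter). The parameter names come from the tables on this page; the XML layout of the two samples is constructed, because the templates themselves are not shown here, so the check matches parameters by name wherever they occur.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the layout of the real templates is not shown on this
# page, so only the parameter names below are taken from its tables.
SAMPLE_GROUP = """<usergroup userGroupName="Backup Operators" enabled="True">
  <allCapabilities>True</allCapabilities>
  <allAssociations>False</allAssociations>
  <usersOperationType>OVERWRITE</usersOperationType>
  <users userName="user x"></users>
  <associationsOperationType>ADD</associationsOperationType>
  <associations storagePolicyName="name" />
</usergroup>"""

SAMPLE_USER = """<user enableUser="True" password="example-only">
  <associatedUserGroupsOperationType>ADD</associatedUserGroupsOperationType>
  <userGroupName>Backup Operators</userGroupName>
</user>"""

GRANT_ALL = {"allCapabilities": "every capability",
             "allAssociations": "every CommCell object"}

def parameters(root):
    """Yield (name, value) for each attribute and each leaf element's text, so
    the review does not depend on where a parameter sits in the file."""
    for elem in root.iter():
        for name, value in elem.attrib.items():
            yield name, value.strip()
        if len(elem) == 0 and elem.text and elem.text.strip():
            yield elem.tag, elem.text.strip()

def review(xml_text):
    """Return sorted findings for settings an approver should look at."""
    findings = set()
    for name, value in parameters(ET.fromstring(xml_text)):
        if name in GRANT_ALL and value.lower() == "true":
            findings.add(f"{name}=True grants {GRANT_ALL[name]}")
        elif name.endswith("OperationType") and value.upper() == "OVERWRITE":
            findings.add(f"{name}=OVERWRITE replaces existing assignments")
        elif name == "password" and value:
            findings.add("password is present in plain text")
    return sorted(findings)

if __name__ == "__main__":
    for label, text in (("group", SAMPLE_GROUP), ("user", SAMPLE_USER)):
        for finding in review(text):
            print(f"{label}: {finding}")
```

A file that carries the password parameter should be readable only by the account that runs the command and removed once the command has completed.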
Examples
Delete a Specific Capability
To delete a specific capability for a user group, execute the following
command after substituting the parameter below with the correct values.
To add a storage policy to a user group, open the .xml file and remove
the client association line. Then, execute the following command
after substituting the parameters below with the correct values.