Dorian Identity Provider Account Administration
Overview
The GAARDS Administrative UI provides a mechanism for viewing and updating Dorian IdP user accounts. To manage an individual grid user account, perform a user search and select the account you wish to manage. This brings up the User Management Window for the user you selected. The User Management Window is titled with the user's user id and has five tabs: (1) User Information, (2) Account Information, (3) Change Password, (4) Password Security, and (5) Auditing. The remainder of this page documents each of the tabs.
User Information
The User Information tab contains attributes describing the identity of the user. These attributes are listed in the table below:

| Attribute | Description |
| --- | --- |
| Username | The unique identifier for the account within the Dorian IdP. |
| First Name | The first name of the user who owns the account. |
| Last Name | The last name of the user who owns the account. |
| Organization | The organization that the user belongs to. |
| Address | The street address of the user. |
| Address2 | Second line of the user's street address. |
| City | The city the user resides in. |
| State | The state the user resides in. |
| Zip Code | The zip code of the area the user resides in. |
| Country | The country the user resides in. |
| Email | The user's email address. |
| Phone Number | The user's phone number. |

With the exception of Username, any of the attributes listed in the above table can be updated by Dorian IdP administrators (Dorian IdP users with a role of administrator). These attributes can be updated using the GAARDS UI by making the desired changes and then clicking the Update button.
[Figure: User Information]
Account Information
The Account Information tab contains the user's Status and Role attributes. The account status specifies the status of the user's account. The table below lists the possible account statuses:

| Status | Description |
| --- | --- |
| Active | The user's account is active and they may authenticate. |
| Pending | The user has requested an account but the account needs to be approved by an administrator. |
| Rejected | The user has requested an account; however, the account was rejected by an administrator. |
| Suspended | The user account has been de-activated; the user cannot authenticate until an administrator has re-activated the user's account. |

The account role specifies whether or not the user is a Dorian Identity Provider administrator. Users that are Dorian IdP administrators may administrate accounts on the Dorian IdP; they may not administrate Grid user accounts. The table below lists all the possible values for the account role attribute:

| Role | Description |
| --- | --- |
| Administrator | The user is an administrator of the Dorian Identity Provider. |
| Non_Administrator | The user is NOT an administrator of the Dorian Identity Provider. |

Both the Role and Status attributes can be updated using the GAARDS UI by selecting the desired values and clicking the Update button.
[Figure: Account Information]
Change Password
The Change Password tab allows Dorian IdP administrators to reset or change a user's password. This is useful when a user forgets their password or when their account becomes locked because they have exceeded the number of total invalid logins allowed by the system.
To change a user's password, enter the new password into the Password text box, then enter the new password again into the Verify Password text box to confirm that the password you entered is the one you intended, and finally click the Update button. This will immediately change the user's password.
(NOTE: Using the default configuration for Dorian, the password must contain at least 10 and at most 20 characters, as well as contain at least one capital letter, one number, one non-alphanumeric symbol, and not contain any dictionary words. The default password security configuration was chosen in order to meet the federal e-authentication guidelines for Level of Assurance 1 and Level of Assurance 2.)
[Figure: Change Password]
Password Security
By default Dorian is configured with a password security policy that meets the federal e-authentication guidelines for Level of Assurance 1 and Level of Assurance 2. Specifically, the password must contain at least 10 and at most 20 characters, as well as contain at least one capital letter, one number, one non-alphanumeric symbol, and not contain any dictionary words. In addition, when a user fails to authenticate five consecutive times, their account is locked for four hours. Over the lifetime of a password, if a user fails to authenticate more than 500 times, the account is locked until a Dorian Identity Provider administrator resets their password.
The Password Security tab contains information that gives Dorian IdP administrators insight into the security of a user's password. This information is described in the table below:

| Property | Description |
| --- | --- |
| Digest Algorithm | Algorithm used for encrypting and storing the password. |
| Password Status | Whether or not the password is valid, that is, whether or not the total number of invalid logins has been exceeded. |
| Consecutive Invalid Logins | The number of times the user has consecutively failed to log in. |
| Total Invalid Logins | The number of times the user has failed to log in over the lifetime of the password. |
| Lockout Expiration | The expiration of a temporary lockout due to exceeding the allowed number of consecutive invalid logins. |

(The information in the table below is read-only and cannot be updated!!!)
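
The lockout rules described above, modelled as a small state machine whose fields mirror the Password Security tab. This is an added example, not Dorian's code; the class and method names, the "Valid"/"Invalid" status strings, and the behaviour marked as assumptions in the comments are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_CONSECUTIVE = 5            # consecutive failures that trigger a temporary lock
LOCKOUT = timedelta(hours=4)   # duration of the temporary lock
MAX_TOTAL = 500                # failures tolerated over the lifetime of a password


@dataclass
class PasswordSecurity:
    """Hypothetical model of the counters shown on the Password Security tab."""
    consecutive_invalid: int = 0
    total_invalid: int = 0
    lockout_expiration: Optional[datetime] = None

    @property
    def password_status(self) -> str:
        # More than 500 lifetime failures invalidates the password.
        return "Invalid" if self.total_invalid > MAX_TOTAL else "Valid"

    def locked(self, now: datetime) -> bool:
        if self.password_status == "Invalid":
            return True  # stays locked until an administrator resets the password
        return self.lockout_expiration is not None and now < self.lockout_expiration

    def attempt(self, password_ok: bool, now: datetime) -> bool:
        """Record one login attempt; return True only if the login succeeds."""
        if self.locked(now):
            return False  # assumption: attempts during a lock are refused, not counted
        if password_ok:
            self.consecutive_invalid = 0
            self.lockout_expiration = None
            return True
        self.consecutive_invalid += 1
        self.total_invalid += 1
        if self.consecutive_invalid >= MAX_CONSECUTIVE:
            self.lockout_expiration = now + LOCKOUT
            self.consecutive_invalid = 0  # assumption: count restarts after a lock
        return False

    def admin_reset(self) -> None:
        """Administrator sets a new password, so lifetime counters start over."""
        self.consecutive_invalid = 0
        self.total_invalid = 0
        self.lockout_expiration = None
```

In this model a correct password is still refused while Lockout Expiration lies in the future, and once Total Invalid Logins passes 500 only `admin_reset()` restores access.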
[Figure: Password Security]
Auditing
For security purposes and to give administrators insight on a user's account, Dorian maintains a list of auditing information for each user account. The following is a list of auditing information maintained for each user account:

| Audit Information | Description |
| --- | --- |
| Registration | Documents when the user registered for the account. |
| LocalAccountUpdated | Documents when the account was updated. |
| LocalAccountRemoved | Documents when the account was removed. |
| LocalAccountLocked | Documents when the account was locked because of invalid logins. |
| PasswordChanged | Documents when the password for an account is changed. |
| SuccessfulLogin | Documents when the user successfully logs in. |
| InvalidLogin | Documents when a user fails to log in. |
| LocalAccessDenied | Documents when a user attempts to access functions of the Dorian IdP that they don't have permission to access. |

The Audit tab allows Dorian IdP administrators to search the auditing information for a given user based on the following search criteria:

| Criteria | Description |
| --- | --- |
| Reporting Party | The identity of the party that performed or reported the action. |
| Audit Type | The type of auditing information; consult the table above for the different types. |
| Start Date | The start of a date/time range of when the event occurred. |
| End Date | The end of a date/time range of when the event occurred. |
| Message | Search the content of the Audit Message. |

Using the GAARDS Administrative UI, administrators can search the auditing information by completing the following steps:
- Select the "Audit" tab.
- Enter your search criteria; consult the table above. If no search criteria are specified, all audit records for the user will be returned.
- Click the "Search" button.
When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button. To view the complete details of a specific audit record, select that record in the table and click the "View" button. This will launch a window containing the complete details of the audit record you selected.
[Figure: Auditing]
[Figure: Audit Record]