Login Accounts
The Administration > Login Accounts page is used to manage the various login accounts which are permitted access to the system.
- The first login account available in every system is the account which was configured in the Setup Wizard during the installation process. This account is given the "Administrator" role.
- Credentials can be stored in a local database for each login account, or a login can be linked to an external Microsoft Active Directory domain user account if an external Login Provider has been configured.
- If a login is linked to an external domain account, it will be listed in the Linked Domain Account column and any credentials previously stored in the local database will be treated as invalid.
- Login Accounts can be configured for Multi-Factor Authentication (MFA) using a time-based one-time password authenticator app. If enabled, you can reset the MFA for logins from the list on this page.
Password Policy
The following password policy applies to UIP login accounts that are not linked to an external domain account.
- Passwords must be at least 9 characters long
- Passwords must contain at least one upper case letter, one lower case letter, one digit, and one special character
- Passwords for newly created login accounts must be changed the first time they sign in
- A new password cannot match any of the login account's previous 5 passwords
- Passwords expire every 90 days; starting 15 days before your password is due to expire, a warning message is displayed when you select your account name in the upper-right corner of the page
- Password expiration can be disabled for specific accounts
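The policy above as an added, constructed Python model (not UIP's own code): it checks the complexity rules, keeps a salted-hash history of the 5 most recent passwords, tracks the first-sign-in change requirement, and reports expiry with the 15-day warning and the per-account expiry opt-out. Time is modelled as a plain day number, and treating the current password as one of the "previous 5" is an assumption.

```python
import hashlib, os, re

MIN_LENGTH, HISTORY_DEPTH, EXPIRY_DAYS, WARN_DAYS = 9, 5, 90, 15

def _hash(password, salt):
    # Salted PBKDF2 so the password history never holds clear-text values
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def complexity_problems(password):
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password), "no upper case letter"),
        (re.search(r"[a-z]", password), "no lower case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

class LocalAccount:
    """Hypothetical model of a local (non-domain) login; time is a plain day number."""
    def __init__(self, initial_password, today, expiry_enabled=True):
        self.expiry_enabled = expiry_enabled  # per-account expiry opt-out
        self.history = []                     # (salt, hash) pairs, most recent first
        self.must_change = True               # new accounts change password at first sign-in
        self._store(initial_password, today)

    def _store(self, password, today):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH:]     # assumed: the 5 most recent, current one included
        self.changed_on = today

    def change_password(self, new_password, today):
        """Apply a change; returns the violations, empty when the change was accepted."""
        problems = complexity_problems(new_password)
        if any(_hash(new_password, s) == h for s, h in self.history):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
        if not problems:
            self._store(new_password, today)
            self.must_change = False
        return problems

    def expiry_status(self, today):
        """'ok', 'warning' (15 days or fewer left) or 'expired'; 'ok' when expiry is disabled."""
        if not self.expiry_enabled:
            return "ok"
        days_left = EXPIRY_DAYS - (today - self.changed_on)
        return "expired" if days_left <= 0 else "warning" if days_left <= WARN_DAYS else "ok"
```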
Add or Edit Login
Login accounts can be created and modified using the Administration > Login Accounts page.
- Each login must have a unique Username.
- To access UIP, a login must be assigned a UIP Role.
  - A selection of None means that the login will not have access to UIP services.
- To access applications defined in Administration > Client Applications, select a role of that application for the login.
  - A selection of None means that the login will not have access to that client application.
- Each login may optionally Enable MFA.
Configure External Login Provider
To reduce the number of logins that must be maintained by system administrators, it is possible to link each login to an account within a Microsoft Active Directory server.
To configure an external login provider, browse to the Administration > Login Provider page and then choose to Enable Sign In with Domain Account.
- Enable Sign In with Domain Account cannot be disabled when there are login accounts configured to use domain authentication.
- When enabled, an additional option will be available for every login account to Sign In with Domain Account.
- Only secure (LDAPS) connections are supported to prevent transmitting unencrypted credentials over the network. Ensure that the port assigned has TLS configured.
- The Administration > Login Accounts page cannot be used to modify information stored in the external directory.
- Deleting a login in UIP has no effect on the Linked Domain Account in its external login provider.
UIP Roles
Every Login Account may have one of three UIP roles: Administrator, Manager, or User. This role determines which pages and features of UIP a Login Account has access to. If a Login Account is assigned a role of None, it will have no access to UIP.
The following table summarizes the pages and functionality each UIP Role has access to:
Page / Functionality | Administrator | Manager | User |
---|---|---|---|
Workflows | Yes | Yes | Yes |
Workflow History | Yes | Yes | Yes |
Triggers | Yes | Yes | Yes |
Adapters | Yes | Yes | Yes |
Adapter Hubs & Hub Services | Yes | Yes | Yes |
Adapter Types | Yes | Yes | Yes |
Export Configuration | Yes | Yes | Yes |
Import Configuration | Yes | Yes | Yes |
Administration > About | Yes | Yes | Yes |
Administration > About > Upgrade | Yes | No | No |
Administration > About > Configure Registries | Yes | Yes | No |
Administration > Backup and Restore | Yes | Yes | No |
Administration > Login Accounts | Yes | No | No |
Administration > Login Provider | Yes | No | No |
Administration > Logging Events | Yes | Yes | Yes |
Administration > Logging Packages | Yes | Yes | Yes |
Administration > Client Applications | Yes | No | No |
Administration > Client Access | Yes | No | No |
Administration > Trusted CA | Yes | Yes | Yes |
Administration > Workflow Admin | Yes | Yes | Yes |
Administration > License | Yes | Yes | Yes |
Administration > License > Import | Yes | No | No |
Administration > Services | Yes | Yes | Yes |
Reset Lost UIP Login Account Password or Disable MFA
If for any reason the password(s) or MFA of all UIP Administrator login accounts are lost, there are password reset and disable MFA utilities which can be used to regain access to UIP. To access these utilities you must have root/sudo access to the UIP host machine.
The password reset utility can only reset passwords that are stored in the UIP Identity Server. It cannot reset the password of a login which is linked to an external domain account. After a reset, a password change is required the next time the account signs in.
The disable MFA utility can be used to reset the multi-factor authentication key for login accounts or linked domain accounts that are stored in the UIP Identity Server.
- Connect a terminal to the UIP host machine and log in using an account with root or sudo access.
- Execute the following command to open a command shell into the NEC Identity Server container:
  sudo docker exec -it $(sudo docker ps --filter name=nap-apps_identity_server -q) ash
- Execute the NEC Identity Server container's List-Users command to list Login Accounts or Linked Domain Accounts:
  dotnet Host.dll list-users
- Execute the NEC Identity Server container's Reset-Password command to reset the password of a local login account:
  dotnet Host.dll reset-password <username> <password>
- Execute the NEC Identity Server container's Disable-MFA command to disable MFA for a user:
  dotnet Host.dll disable-mfa <username>