Neoview User Management and Security Administration Guide (R2.5)

Any user with ROLE.MGR privileges can define additional roles, up to a maximum of 255 roles.
A natural scheme for defining roles is to align them with groups in your LDAP directory. For
more information about LDAP groups, see “LDAP Integration Overview” (page 63).
The same user can have multiple roles, of which one is the primary (or default) role. When the
user logs on to Neoview, he or she optionally specifies the role that will apply to the session. If
no role is specified, that user's primary role is used. You can also assign the same role to any
number of users.
You can use either HPDM dialogs, described in the HPDM Online Help, or Neoview Command
Interface (NCI) commands, described in “Managing Database Users and Roles” (page 96), to
create additional roles and assign roles to users. The following characteristics apply to roles that
you define:
• The part of the role name that follows the prefix consists of up to 8 alphanumeric characters,
  the first of which may not be a number. Role names are case-insensitive.
• You cannot grant more privileges to a user than the user inherits from the role.
• A Neoview database USER function reports the user name, not the role name.
• ODBC uses aliases in tracing and logging, so an ODBC trace will indicate which user, not
  just which role, took the action. Thus, the following views in the Neoview Manageability
  Repository include the name of the user associated with a query or a session:
    ODBC_QUERY_STATS_V1
    ODBC_QUERY_STATS_V2
    QUERY_STATS_VW2
    QUERY_RUNTIME_STATS_V1
    ODBC_SESSION_STATS_V1
    ODBC_SESSION_STATS_V2
For detailed descriptions of these views, see the Neoview Repository User Guide. Note that the
USER_NAME field now accommodates a database user name of up to 128 characters.
The maximum number of roles is 255. Four roles—ROLE.MGR, ROLE.DBA, ROLE.SECMGR,
and ROLE.NULL—are reserved, so you can create a maximum of 251 roles. (ROLE.NULL
has no external significance but is reserved for system use.)
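The role-name and role-count rules above can be enforced before a role definition ever reaches the platform. The routine below is an added example, not code from the guide or from Neoview's own tools; it assumes the ROLE. prefix seen in the reserved names and models the role table as an in-memory set.

```python
import re
from typing import Optional, Set

# Assumption (not stated on this page): user-defined roles carry the same
# "ROLE." prefix as the four reserved roles.
ROLE_PREFIX = "ROLE."
RESERVED_ROLES = {"ROLE.MGR", "ROLE.DBA", "ROLE.SECMGR", "ROLE.NULL"}
MAX_ROLES = 255                                    # hard limit, reserved roles included
MAX_USER_ROLES = MAX_ROLES - len(RESERVED_ROLES)   # 251 roles you can create

# Part after the prefix: 1 to 8 alphanumerics, the first of which is not a digit.
_SUFFIX_RE = re.compile(r"^[A-Z][A-Z0-9]{0,7}$")


def normalize_role(name: str) -> str:
    """Role names are case-insensitive, so store and compare them upper-cased."""
    return name.strip().upper()


def validate_role_name(name: str) -> Optional[str]:
    """Return None if the name is a valid user-definable role, else the reason it is not."""
    norm = normalize_role(name)
    if not norm.startswith(ROLE_PREFIX):
        return "role name must start with " + ROLE_PREFIX
    suffix = norm[len(ROLE_PREFIX):]
    if not _SUFFIX_RE.match(suffix):
        return "suffix must be 1-8 alphanumerics and must not start with a digit"
    if norm in RESERVED_ROLES:
        return norm + " is reserved for system use"
    return None


def add_role(existing: Set[str], name: str) -> Set[str]:
    """Return a new role set with the role added, enforcing name, uniqueness and count rules."""
    reason = validate_role_name(name)
    if reason:
        raise ValueError(reason)
    norm = normalize_role(name)
    if norm in existing:
        raise ValueError(norm + " already exists")
    if len(existing - RESERVED_ROLES) >= MAX_USER_ROLES:
        raise ValueError("limit of %d user-defined roles reached" % MAX_USER_ROLES)
    return existing | {norm}
```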
NOTE: It is permissible to assign the role ROLE.SECMGR or ROLE.MGR to a remotely
authenticated database user, using either the HPDM user-management dialogs or the NCI
user-management commands described in “User and Role Management” (page 95). However,
to ensure that users with these important roles can log on even if an external LDAP server is
unavailable, HP recommends that you create at least certain ROLE.SECMGR and ROLE.MGR
users as locally authenticated database users, as discussed in “Best Practices for Platform and
Power User Management” (page 37).
Password Security
All Neoview clients require the user to present a password in order to log on. In fact, certain
users must present two passwords—one for the user and one for the role—in order to log on.
(The set of users who must present two passwords is configurable, as described in “Viewing and
Updating the Power Role Management Policies” (page 48).) Passwords are encrypted by the
Neoview ODBC and JDBC drivers, using industry standard asymmetric key cryptography.
Encryption features include:
• 1024-bit or 2048-bit RSA public key encryption of the login password
• Support for a self-signed certificate or a certificate signed by a Certificate Authority (CA)
To ensure that even the first contact from a workstation is secure, a self-signed server certificate
and associated private key are generated during software upgrade, and this server certificate is
automatically downloaded from the Neoview platform to the client workstation when a user
first connects to the platform from that workstation. (You might notice a delay of a few seconds
Password Security 23