Neoview User Management and Security Administration Guide (R2.5)
Note that you can define ROLE.SECMGR, ROLE.MGR, and ROLE.DBA users as either locally
authenticated or remotely authenticated database users, as described in “User and Role
Management” (page 95). A remotely authenticated user in any of these roles has most of the
same capabilities as the corresponding locally authenticated user but can log on to the Neoview
platform only when a remote LDAP server is available. Thus it is usual to create at least some
such users as locally authenticated—especially ROLE.SECMGR users who might need to
troubleshoot LDAP server connection problems.
Best Practices for Platform and Power User Management
HP recommends the following guidelines as best practices for managing platform and power
users.
SUPER.SUPER and Its Individual Accounts
The super ID (SUPER.SUPER) has unrestricted access to system resources. It is completely
controlled by you, the customer, and must be carefully managed. Any use of the super ID should
be under very tight control.
HP recommends that you keep the passwords associated with the SUPER.SUPER platform role
and the SUPERUSER account under break-glass control.
When setting the password for the SUPER.SUPER role or SUPERUSER account (as distinct from
the password assigned to any other SUPER.SUPER account that you define), specify that the
password never expires.
SUPER.SERVICES and Its Individual Accounts
The SUPER.SERVICES password is controlled and maintained by HP. However, you can create
individual SUPER.SERVICES accounts and assign passwords to them. A user who has an account
with the role SUPER.SERVICES can change the password associated with that account. In addition,
a user who has ROLE.SECMGR privileges can change the password of a SUPER.SERVICES
account without knowing the existing password.
The password for the SUPER.SERVICES role is configured so that it never expires. Only HP
Support can change the SUPER.SERVICES password.
HP.SDI and Its Individual Accounts
The HP.SDI password is controlled and maintained by HP. However, you can create individual
HP.SDI accounts and assign passwords to them. A user who has an account with the role HP.SDI
can change the password associated with that account. In addition, a user who has ROLE.SECMGR
privileges can change the password for an HP.SDI account without knowing the current password.
HP.VTS and Its Individual Accounts
The passwords for HP.VTS and its predefined account, “VTS”, are controlled and maintained
by HP. You have no responsibilities with respect to these accounts.
ROLE.SECMGR and Its Individual Accounts
SECURITYMGR is the predefined user name for ROLE.SECMGR. You can define additional
accounts to allow multiple users to perform initial security configuration tasks. SECURITYMGR
and other locally authenticated database users with the ROLE.SECMGR role can log on even
when a remote LDAP server is unavailable. By contrast, remotely authenticated database users
to whom you grant the ROLE.SECMGR role cannot log on unless the remote LDAP server is
available.
HP recommends that, after using SECURITYMGR to define the initial LDAP configuration, you
assign the role ROLE.SECMGR to at least one other user, then change the SECURITYMGR