Neoview User Management and Security Administration Guide (R2.5)
password and keep it under break-glass control for emergency use in troubleshooting LDAP
server configuration problems.
If you create additional users with the role ROLE.SECMGR, you need not apply such stringent
restrictions to those users.
Because only a user in the role ROLE.SECMGR can assign this role to database users, the initial
assignment of this role to another user must be performed by a person logged on as
SECURITYMGR.
When setting the password for the ROLE.SECMGR role (as distinct from the password assigned
to any ROLE.SECMGR user), specify that the password never expires, and keep that password
under break-glass control.
ROLE.MGR and Its Individual Accounts
USERMGR is the predefined platform-level user name for ROLE.MGR. You can create additional
accounts to allow multiple users to perform initial role definition and user management tasks.
However, some such tasks require the LDAP server to be available: for example, you cannot
register a remotely authenticated database user on Neoview unless the LDAP server confirms
that the user exists there.
USERMGR and other locally authenticated users with the role ROLE.MGR can log on even when
a remote LDAP server is unavailable. By contrast, remotely authenticated database users in the
ROLE.MGR role cannot log on unless the remote LDAP server is available.
Because only a user in the role ROLE.MGR can assign this role to database users, the initial
assignment of this role to another user must be performed by a person logged on as USERMGR.
When setting the password for the ROLE.MGR role (as distinct from the password assigned to
any ROLE.MGR user), specify that the password never expires, and keep the password under
break-glass control.
Conventions for User Names
The Neoview user management tools, HPDM and NCI, enforce the uniqueness of user names
across the Neoview platform. Furthermore, because user names are case-insensitive on all generally
available Neoview interfaces, two user names that differ only in case are treated as the same
name. For example, if you have defined a user with the name "PhilipPerkins" and then attempt
to define a user named "PHILIPperkins", the request will fail.
Some customers find it convenient to define user names that indicate the user's privileges. For
example, the following conventions could be used:
• Personal accounts on the SUPER.SERVICES role are created using the HP support person's
email address without the '.com' on the end. Also note that the '@' character is not a valid
character in Neoview system account names, so replace this character with a dash. An
example of a name following this convention is 'maggie.cannon-hp'.
• Personal accounts on the HP.SDI role include the suffix '-hpserv'.
• Personal accounts on the SUPER.SUPER role include '-su' at the end of the account name
and also distinguish between HP support users and customer employees who are assigned
such accounts. Thus a SUPER.SUPER account for an HP support person could be named
'sharon.riley-hp-su'. A SUPER.SUPER account for a customer employee called 'Vaughn
Chong' could be named 'vaughn.chong-su'.
• For personal accounts on the ROLE.SECMGR role, it is recommended that you add '-neosec' to
the end of the account name. An example of a name following this convention is
'vaughn.chong-neosec'. Note that the use of suffixes allows the same individual to have
accounts as both SUPER.SUPER and ROLE.SECMGR.
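The naming conventions above, and the case-insensitive uniqueness rule, can be checked before a user is created. The following is an added example and not part of the guide or the Neoview tools; it assumes HP support names are derived from the e-mail address (local part, then the domain without '.com', joined by a dash) and that customer names are supplied as 'first.last'. The HP.SDI rule is taken as the base name plus '-hpserv'.

```python
# Added example: derive Neoview account names following the suffix conventions
# and detect case-insensitive collisions. Assumptions are noted in comments.

# Suffix appended per role (SUPER.SERVICES uses the e-mail-derived name alone).
ROLE_SUFFIX = {
    "SUPER.SERVICES": "",
    "HP.SDI": "-hpserv",        # assumption: base name + '-hpserv'
    "SUPER.SUPER": "-su",
    "ROLE.SECMGR": "-neosec",
}


def hp_base_name(email: str) -> str:
    """'maggie.cannon@hp.com' -> 'maggie.cannon-hp': drop '.com', '@' becomes '-'."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    if domain.endswith(".com"):
        domain = domain[: -len(".com")]
    return f"{local}-{domain}"


def conventional_name(person: str, role: str, hp_support: bool) -> str:
    """Build the account name for a person in a role; HP support staff are e-mail based."""
    if role not in ROLE_SUFFIX:
        raise ValueError(f"no naming convention defined for role {role!r}")
    if role == "SUPER.SERVICES" and not hp_support:
        raise ValueError("SUPER.SERVICES personal accounts are for HP support staff")
    base = hp_base_name(person) if hp_support else person
    name = base + ROLE_SUFFIX[role]
    if "@" in name:
        raise ValueError("'@' is not a valid character in a Neoview account name")
    return name


def find_conflict(existing: list[str], candidate: str):
    """Return the existing name that the candidate would collide with, or None.

    Neoview compares user names case-insensitively, so names differing only in
    case are the same name and the second definition fails.
    """
    wanted = candidate.casefold()
    for name in existing:
        if name.casefold() == wanted:
            return name
    return None
```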
Other customers might find it useful to include, in a database user's name, some indication of
whether the database user is locally or remotely authenticated. This practice has the benefit of
38 Post-installation Security Setup Tasks