Neoview User Management and Security Administration Guide (R2.5)

making it quickly evident to users and administrative personnel why a given user is unable to
log on or to change his or her own password.
It may be that corporate policy prohibits user names that in any way indicate the user's privileges
or status, and an LDAP server environment, if configured, might impose its own conventions.
Retaining Predefined Users
You are prohibited from deleting any of the predefined users SUPERUSER, HPSUPPORT,
USERMGR, or SECURITYMGR, because doing so would create a potential security weakness.
These users are automatically recreated, if not present, during every system upgrade. In addition,
to address problems during system upgrade, HP Support has a facility for recreating the users.
Likewise, the predefined roles ROLE.MGR, ROLE.SECMGR, and ROLE.DBA cannot be deleted.
Protecting the SUPER.SUPER and ROLE.SECMGR Passwords
It is a common practice to create SUPER.SUPER and ROLE.SECMGR accounts for use in
emergencies but to withhold the SUPER.SUPER or ROLE.SECMGR password from the appointed
users until an emergency actually arises. The effect of this approach is to prevent such a user
from logging on in the interim, even to change his or her own password.
This protocol requires that you use HPDM to implement a security policy that requires these
users to provide both a personal password and a role password in order to log on. For information
about setting the security policy, see “Managing Security Policies” (page 39).
Managing Security Policies
Various crucial behaviors related to user management and security depend on policies that the
Security Administrator can configure. These policies fall into four categories:
• Password encryption policies apply to all users connecting to the Neoview platform through
  ODBC or JDBC. They include controls over whether encryption is required at all, whether
  certificates can be downloaded automatically to a workstation, and whether certificates can
  expire. For more information, see “Viewing and Updating the Password Encryption Policies”
  (page 41).
• Password quality and control policies apply only to platform users and locally authenticated
  database users. (LDAP user passwords are managed on the external directory server.)
  Password quality policies include limits on password length, rules pertaining to the kinds of
  characters passwords may or must contain, password expiration defaults, and a variety of
  other parameters. For more information, see “Viewing and Updating the Password Quality
  and Control Policies” (page 44).
• User management and authentication logging policies determine which user management actions
  are logged, whether platform or database user login attempts are logged, and how long
  logfile content is maintained. For more information, see “Viewing and Updating the User
  Management and Authentication Logging Policies” (page 46).
• Power role management policies can be used to impose an extra level of security on the use and
  management of power roles. For more information, see “Viewing and Updating the Power
  Role Management Policies” (page 48).
You can use either HPDM or NCI to view and set policies.
Restarting NDCS Services After Policy Changes
In order for certain policy changes to take effect, you must stop and restart all NDCS services.
These services are usually named $MXOAS and $MXAS2, but you can use either HPDM or NCI
to display the names of services configured on your Neoview platform.
When you stop a service, be sure to specify options that result in a graceful stop, so as not to
interrupt connectivity services for running applications. This action does not affect the data
source required to maintain the HPDM or NCI connection.