Neoview User Management and Security Administration Guide (R2.5)

5 User and Role Management
This chapter describes the tasks involved in defining and managing users and roles on the
Neoview platform, including the registration of users who log on to the database using corporate
names and passwords authenticated on an external LDAP server.
Before performing the tasks described in this chapter, you or some other user must already have
completed the post-installation setup and, if the configuration includes a remote directory server,
the LDAP server integration tasks indicated in the “Security Administration Task Map” (page 29).
Database and Platform Users and Roles
This section reviews the types of users and roles available on Neoview. For more background,
consult the “Introduction to Security on the Neoview Platform” (page 17).
The great majority of Neoview users are database users. A database user is a person or an
application that uses a Neoview client such as ODBC, NCI, or HPDM to log on to the Neoview
database and operate on database objects. A database user can have one or more database roles
(each having a name of the form ROLE.name), which determine the objects to which the user
has access and the privileges the user has in relation to those objects.
A locally authenticated database user is a database user whose credentials (name and password) are
maintained and validated on the Neoview platform. Such a user can log on even if no external
directory server is running.
A remotely authenticated database user is a database user whose credentials (name and password)
are maintained and validated on an external LDAP or Active Directory server. Such a user can
log on only if the external directory server is running. Remotely authenticated database users
must be registered on the Neoview platform and assigned Neoview database roles.
A platform user is a person or program that has access to special tools used primarily for Neoview
maintenance and troubleshooting. A platform user has exactly one platform role (with a name of
the form HP.name or SUPER.name), which determines the privileges that pertain to the user.
Platform users can also log on to database interfaces but have little or no access to data. For
example, users in the role SUPER.SERVICES have no access to customer data, and HP.VTS can
be used only by the Virtual Tape Subsystem.
Notice that there can be no ambiguity in the user's mind as to whether he or she is a database
user or a platform user: all database users have roles beginning with the prefix ROLE, and all
platform users have roles beginning with prefixes other than ROLE. By contrast, it is not
necessarily clear to the user whether he or she is locally or remotely authenticated, and for the
most part the user doesn’t have to know. There are only a few differences that could become
apparent to the user:
• If the external LDAP server is unavailable, locally authenticated database users will still be
able to log on, whereas remotely authenticated database users will not. This difference makes
it wise to define at least certain power database users (that is, users with the role ROLE.MGR,
ROLE.SECMGR, or ROLE.DBA) as locally authenticated database users, whether or not the
configuration includes an LDAP server.
• Locally authenticated users can change their passwords by using tools on the Neoview
platform, whereas remotely authenticated users cannot.
• Locally authenticated database users can have passwords of at most 64 bytes, whereas
remotely authenticated database users can have passwords of up to 128 bytes. Given that
passwords are generally typed in by users, however, it is difficult to imagine that any actual
user will ever encounter this difference.
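The distinctions above, as an added Python example that is not part of the Neoview guide: it classifies a role by its prefix, models which users can still log on while the LDAP server is down, and audits a constructed user registry for power roles that lack the locally authenticated fallback recommended above. The registry format and the function names are assumptions for illustration, not a Neoview interface.

```python
# Added example (not Neoview code): audit a user registry against the guidance
# that each power database role keeps at least one locally authenticated member,
# so the role stays usable when the external LDAP server is unavailable.

POWER_ROLES = {"ROLE.MGR", "ROLE.SECMGR", "ROLE.DBA"}
MAX_PASSWORD_BYTES = {"local": 64, "remote": 128}


def user_class(role):
    """ROLE.* names are database roles; HP.* / SUPER.* names are platform roles."""
    return "database" if role.upper().startswith("ROLE.") else "platform"


def can_log_on(user, ldap_available):
    """Locally authenticated users never depend on the directory server."""
    return user["auth"] == "local" or ldap_available


def password_length_ok(user, password):
    """Local passwords are limited to 64 bytes, remote ones to 128 bytes."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES[user["auth"]]


def roles_without_local_fallback(users, power_roles=POWER_ROLES):
    """Return power roles that no locally authenticated user holds.

    users: iterable of dicts with keys 'name', 'auth' ('local'|'remote'), 'roles'.
    The registry shape is an assumption for this example.
    """
    covered = set()
    for user in users:
        if user["auth"] == "local":
            covered.update(role.upper() for role in user["roles"])
    return sorted(set(power_roles) - covered)


# Constructed sample registry (not real Neoview output).
SAMPLE_USERS = [
    {"name": "alice", "auth": "local", "roles": ["ROLE.DBA"]},
    {"name": "bob", "auth": "remote", "roles": ["ROLE.MGR", "ROLE.SECMGR"]},
    {"name": "carol", "auth": "remote", "roles": ["ROLE.USER"]},
    {"name": "svc", "auth": "local", "roles": ["SUPER.SERVICES"]},
]

if __name__ == "__main__":
    for role in roles_without_local_fallback(SAMPLE_USERS):
        print(f"{role}: no locally authenticated member; unusable if LDAP is down")
    for user in SAMPLE_USERS:
        kinds = {user_class(r) for r in user["roles"]}
        print(f"{user['name']}: {user['auth']}, {sorted(kinds)}, "
              f"can log on without LDAP: {can_log_on(user, False)}")
```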
Database and Platform Users and Roles 95