Set up and organize Noetix users.
Overview
In most businesses, access to data is granted to groups of individuals because of their department or job. For instance, the entire sales department may have access to some pieces of data, but only the sales managers can access other pieces of data. Generally, the number of individuals who need special access to data is limited.
Noetix QueryServer (NQS) provides additional security objects beyond simple user accounts, called organizations and roles. Providing an easy way to grant permissions to large numbers of users greatly simplifies security administration.
Unless otherwise specified, the tasks in this chapter are performed using NQS Administrator.
Supporting Concepts
The supporting concepts associated with users and organizations of NQS Administrator are defined in the following sections:
Users
Users of Noetix Platform are set up with a user name and password in NQS Administrator. User accounts can be quickly imported from existing database or directory sources, like an email server, or new accounts can be created manually. The user name (what the user types into the logon window) must be unique within all of NQS; the full name (first and last name) must be unique within a particular organization.
When an end user attempts to log on to NQS, or to access NQS data through Noetix WebQuery (NWQ) or a reporting tool, he or she must know a user name and password combination that is valid for that particular NQS. Once logged on, the end user can access virtual tables (VTables) on that NQS based on the permissions that have been explicitly or implicitly granted to this user.
For more information about creating user accounts, see Manage User Accounts.
Create a user to:
Create logons for end users who will access data through NQS or NWQ.
Set up additional user accounts for specific administrative tasks.
External Authentication
The “External Authentication” feature can be enabled to help manage the passwords associated with NQS users. When this feature is enabled for a user, NQS does not store the password for the user account. Instead, it stores the path back to the authority from which the user account was imported. Then, when the user logs on to NQS, the password he or she enters is passed on to the directory or database for authentication. Based on the return from the authority, NQS either accepts or denies the user’s logon.
Organizations
An organization is a group of users, usually arranged by department or job functions (Sales, Development, Finance, and so on). Since individuals in a specific department or function usually have similar data access needs, organizations can make it easy to grant permissions to groups of users at a time.
Each user account must belong to one and only one organization, either the default Users root or a custom organization you create.
An organization is hierarchical, and there is no limit to the number of levels you can create in your hierarchy. A user account always belongs to one and only one organization. This, again, reflects back to the model of a business organization chart: Typically, an employee does not belong to multiple organizations in a business.
For more information about creating organizations, see Group Users into Organizations.
Create an organization to:
Organize your users into a logical, manageable structure (for example, departments or job duties).
Be able to grant permissions to a group of users instead of manually to each individual user.
Reduce the administrative tasks involved in tracking users’ access to data.
The SysAdmin User
The SysAdmin user is created automatically during the NQS installation and has full permission to all objects in NQS. This user is the all-powerful user within NQS, equivalent to the Administrator user in Microsoft Windows or the Root user in UNIX. This user account cannot be deleted.
The SysAdmin user account should not be used to log on to NWQ or other query tools because some user options (such as sharing queries) will not be available. Magnitude recommends that you create new users for both administrative purposes and end-user tasks.
After installing NQS, Magnitude recommends that you change the SysAdmin’s password to something very difficult to decipher, then keep this information safe and secure. For information about changing SysAdmin’s password, see Group Users into Organizations.
For more information about roles and role types, see Manage Roles in “Security.”
Administrative Users and Roles
Users within NQS can be given administrative privileges by granting them administrative roles and permissions. If you have more than one person who will be functioning as an administrator, Magnitude Software, Inc. recommends that you create unique user accounts for each individual and then grant each the appropriate administrative roles, instead of performing all administrative tasks by logging on as SysAdmin. This will provide an accurate paper trail in your tracking logs and ensure everyone’s activities will not show up as being performed by a single user.
You may grant other administrative users the same permissions as the default SysAdmin user by granting them the N$SysAdmin role. You may also want to grant NQS administrators the N$BackupOperators and/or N$QueryAnalyzers roles, and NWQ administrators the N$WebQueryAdmin and N$WebQueryProfileAdmin roles. These administrative roles are found under the N$System folder in NQS Administrator.
The administrative roles below are created automatically during installation.
N$SysAdmin: Most of the SysAdmin user’s power comes from the fact that it has been granted the N$SysAdmin role. This role has been granted full permission to all objects in the system, excluding those within the N$System server group and folder. A user must be granted the N$SysAdmin role to run the Setup Wizards.
N$BackupOperators: A user must be granted this role to back up or restore the repository.
N$QueryAnalyzers: A user must be granted this role to select from the VTables in the N$System.Monitor subfolder. Without this, a user cannot effectively use the NQS Monitor application (that is, they will not see any data). In addition, a user with this role has been granted all NQS Monitor permissions and can further grant these permissions as well.
To grant these permissions, on the Tools menu, click Monitor Permissions. The NQS Monitor permissions are:
Flush cache/Change monitor settings: Users with this permission can flush the NQS Monitor cache from the Monitor Control dialog box. Also, they can change the NQS Monitor settings through the Monitor Settings dialog box.
Start/Stop the monitor: Users with this permission can start or stop NQS Monitor from the Monitor Control dialog box. When NQS Monitor is stopped, all query monitoring is stopped, but any changes to the NQS metadata using NQS Administrator or DDL will be logged.
Purge the monitor log: Users with this permission can purge the NQS Monitor log using the Purge Log dialog box. Once the log has been purged, the data cannot be retrieved.
Query monitor status: Users with this permission can use the Monitor Control dialog box to view the current status of NQS Monitor.
N$AgentOperators: Users with this role can schedule back-end jobs using the Noetix agent tools and manage these jobs and operators.
N$WebQueryAdmin: Users with this role can fully administer the Public folder structure in NWQ. Users must have this role to create new folders in the Public folder area of NWQ.
N$WebQueryProfileAdmin: Users with this role can create NWQ profiles through the NWQ Administrator application and then grant them to users through NQS Administrator.
N$CategoryAdmin: A user must be granted this role to create a category or add, modify, or delete a category in a VTable. The SysAdmin user is initially granted this role; however, the N$SysAdmin role does not automatically grant a user this role.
To add, modify, or delete a category from a VTable, a user must also be granted Alter permission on the category and all of the objects that currently have the selected category.
Process of Setting Up Noetix Users
This section provides information about how to set up users and organizations in NQS Administrator. Employees within your enterprise will access NQS and NWQ using accounts you set up and permissions you grant them.
Before You Begin
Gather user information: Decide which users should have access to NQS. In NQS Administrator, users can be set up individually or they can be imported in bulk from an external directory or from a database (for example, Microsoft SQL Server or Oracle Database). If required, users can be placed into an organizational hierarchy.
Most businesses have many directories already in their enterprise, found in their email system, network operating system (NOS), website, databases, and so on. Most of the time, the NOS has the most comprehensive directory and is the best candidate to be used with the Users and Roles Wizard. Importing from an NOS has an added advantage in that it is generic and not tied to any specific resource. You can configure NQS so that the same logon that gives users access to the network gives them access to their data.
Steps for Setting Up Noetix Users
Follow these steps to set up users and organizations.
Create and/or import organizations/groups.
Create and/or import user accounts.
Place your users into meaningful organizations based on your organization chart.
Create roles that map closely to job functions.
Grant these roles permission to the necessary servers, connections, VTables, and mappings.
Assign organizations and/or users to these roles.
Grant or revoke permissions at a user level (if any exceptions to inherited permissions are needed). To minimize maintenance tasks, limit the number of exceptions whenever possible.
Import Users
Users can be imported from databases, email servers, or other data sources in your enterprise. By importing users from existing sources, you can allow them to use the same user names and passwords they are accustomed to.
You can import users using the Users and Roles Wizard as described in the following procedure.
In NQS Administrator, click on the toolbar.
The Administrator Wizards dialog box appears.
On the Basic Setup tab, double-click Setup Users and Roles.
The Users and Roles Wizard begins, and the welcome page appears. Click Next.
The Definitions page appears with definitions of NQS users, organizations, roles, and role types. Click Next to continue.
You have two import options:
If importing from a directory, select a Directory Type. If required, select a Host Name. Click Next.
If you select a generic LDAP provider, Microsoft Exchange Server, or Active Directory as the directory type, you must specify a host name.
-OR-
If importing from a database, select a server and connection. The connection you select needs to be based on a database user with administrative rights. (You can create this server and/or connection now if you haven't already.) Click Next.
Select the NQS password options for these users. The Use External Authentication option will allow users to log on with the passwords used in this source, and NQS will pass the logon credentials entered to this source for authentication. Click Next.
NQS will load the users it has found in the selected source. Select which user accounts to import by checking the boxes next to each account or group. Click Next.
Select an organization in which to put the users you import. You may selectively move users or groups from the left-hand pane into organizations you select in the right-hand pane. The default option is to put the users in the Users root organization. To select a different organization or create a new one, click the ellipses button [...]. Browse to an existing organization or click the New button to add an organization.
Click the Preview button to see an overview of your organization structure, then click Next.
For more information about organizations, see Group Users into Organizations.
Select any default subfolders you want to grant these users. Click Next to continue.
For more information about default subfolders, see Granting a Default Subfolder in “VTables and Mappings.”
Since granting default subfolders to organizations or roles is more efficient than granting them directly to users, you may want to accept the defaults on this page and grant default subfolders later.
Select how NQS should handle any duplicate role names that may be found when importing new users, if you have existing roles. Click Next.
Select how NQS should handle any duplicate user names that may be found when importing new users, if you have existing users. Click Next.
Select a log file for errors to be written to. Click Next.
The last page shows you an overview of what you are importing. Click Finish to import the user accounts.
Create Users
User accounts can also be set up manually in NQS. These user accounts can be externally authenticated just like imported user accounts, if required.
To create new users
Right-click on the organization to which you will add this user (or the Users root item if required) and click New > User. The User property sheet will display.
On the General tab, enter the new user’s full name (for example, “Jack Jones”) and user name (for example “jjones”). Select one of the following authentication types:
Password: If you choose this option, the password for the user will be stored in NQS. In the Password box, enter the password the user should use when logging on, then type it again in the Confirm box.
If the password complexity feature is enabled, make sure that the password meets the complexity requirements. For information about the complexity requirements, see Enabling Password Complexity.
Select one of the following options:
Password never expires: The password will stay in effect until an administrator or the user changes it.
User must change password at first logon: When this is checked, the user is prompted to change their password the next time they log on to NQS or NWQ.
Password expires on: This allows you to select the date and time that the password will expire. The user will be prompted to change their password the first time they log on to NQS or NWQ after this date and time. You can type in the new date and/or time, or use the arrows next to each box.
External Directory: If you choose this option, you must map this NQS user to a user in a directory. When the user logs on, NQS will use external authentication to validate the user’s credentials.
In the Auth Path field, enter the path to the authority or click the ellipses [ ... ] to browse to the authority. Select a Directory Type. If required, select a Host Name.
If you select a generic LDAP provider, Microsoft Exchange Server, or Active Directory as the directory type, you must specify a host name.
External Database: If you choose this option, you must map this NQS user to a database user account. When the user logs on, NQS will use external authentication to validate the user’s credentials.
In the Ext. User field, type the name of the database user you will authenticate against. Select the button in front of RDBMS to authenticate against a database or Oracle Apps to authenticate against Oracle E-Business Suite.
Click the ellipses [ ... ] on the connection field to browse to the authority you will use. The database must already be set up as a server in NQS, with the connection you want to use.
You may also limit the number of rows this user can retrieve in a single query to prevent runaway queries (long-running queries that tax the database).
On the Default Subfolders tab, select which subfolders this user needs to access through NWQ. This should only be done on a user-level if not inheriting these from a granted role or parent organization.
For more information about default subfolders, see Granting a Default Subfolder in “VTables and Mappings.”
On the Roles tab, specify any roles you want to assign this user, unless they will be inherited from the parent organization. You may also do this later when setting up your roles.
On the Permissions tab, if necessary, specify any permissions this user should or should not have. Click Save to finish.
It is more manageable to grant permissions through roles than directly through the Permissions tab. However, if you want to bar this user from accessing certain objects they may otherwise inherit from a role or organization, you may want to revoke their permissions to those items.
When configuring NQS, you will also need to decide whether you need a different set of users in NQS than in NoetixViews. If the same set of users will be using each product, you will want to set up users within Magnitude NoetixViews (NoetixViews) and then run Noetix Generator for Noetix Platform—Oracle E-Business Suite Edition (Noetix Generator) to generate the users into NQS.
Users set up or modified directly in NQS will not be exported back to the original source. Magnitude Software, Inc. recommends that you use the source of these users as the “master,” and make any key changes there, then synchronize or regenerate the users into NQS.
Determine security needs: Security issues can be dealt with either during or after importing users. For example, permissions on various objects within NQS can be granted to organizations and/or users explicitly or through the creation and assignment of roles. Permissions flow down an organizational hierarchy.
For an overview of Noetix Platform security, see Noetix Platform Administrator Guide.
Manage User Accounts
This section explains the various features that you can use to manage your NQS account.
Enabling Account Lockout
The account lockout feature allows you to secure NQS authenticated users. You can enable the feature to limit the number of invalid logon attempts on the NQS Administrator, NQS Monitor, NQS Query, NWQ, NWQ Administrator, and NWQ Printer Utility and then lock the NQS user account for a period of time. After you enable the feature, if the user exceeds three invalid logon attempts within a minute, the account will be locked for 30 minutes and the user cannot log on to these Noetix Platform applications. By default, this feature is not enabled.
To enable the feature, in the Windows Registry, locate HKEY_LOCAL_MACHINE > SOFTWARE > Noetix > Query Server > CurrentVersion > AccountLockout. For Enabled, modify Value data from 0 to 1. Then, restart the Noetix QueryServer service.
IMPORTANT: The Noetix QueryServer service must not be restarted when a report is running. Magnitude recommends that you do not modify other registry settings of the feature. If you need to modify a setting, contact Magnitude Support.
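The lockout rule described above can be replayed over logon records to see which accounts it would lock. The following is an added example, not Noetix code: the event tuples, the user "asmith" and the sample data are constructed, and it assumes that the fourth invalid attempt inside one minute triggers the lock, that attempts made while locked are not counted, and that a successful logon resets the count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values stated on the page; the feature's other registry settings are not modelled.
MAX_INVALID = 3                     # lock once invalid attempts exceed this ...
WINDOW = timedelta(minutes=1)       # ... within this window
LOCK_FOR = timedelta(minutes=30)    # how long the account stays locked


def replay_lockouts(events):
    """Replay (timestamp, user, ok) logon events in time order.

    Returns one (user, locked_at, locked_until) tuple per lockout that the
    stated rule would have produced.
    """
    recent_failures = defaultdict(deque)    # user -> timestamps of recent failures
    locked_until = {}
    lockouts = []
    for ts, user, ok in sorted(events):
        if ts < locked_until.get(user, datetime.min):
            continue    # assumption: attempts while locked are rejected, not counted
        if ok:
            recent_failures[user].clear()   # assumption: success resets the count
            continue
        window = recent_failures[user]
        window.append(ts)
        while ts - window[0] >= WINDOW:     # drop failures older than one minute
            window.popleft()
        if len(window) > MAX_INVALID:
            locked_until[user] = ts + LOCK_FOR
            lockouts.append((user, ts, ts + LOCK_FOR))
            window.clear()
    return lockouts


def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample events, not taken from a real NQS log.
SAMPLE_EVENTS = [
    (_t("2024-01-01 09:00:00"), "jjones", False),
    (_t("2024-01-01 09:00:10"), "jjones", False),
    (_t("2024-01-01 09:00:20"), "jjones", False),
    (_t("2024-01-01 09:00:30"), "jjones", False),  # 4th failure in a minute: lock
    (_t("2024-01-01 09:05:00"), "jjones", True),   # still locked, so not counted
    (_t("2024-01-01 10:00:00"), "asmith", False),
    (_t("2024-01-01 10:00:50"), "asmith", False),
    (_t("2024-01-01 10:01:40"), "asmith", False),
    (_t("2024-01-01 10:02:30"), "asmith", False),  # never more than 3 in any minute
]

if __name__ == "__main__":
    for user, start, end in replay_lockouts(SAMPLE_EVENTS):
        print(f"{user} locked from {start} until {end}")
```

Failures spread wider than the one-minute window, as in the second account, do not lock the account, so repeated invalid logons of that kind need to be reviewed separately in the tracking logs.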
Enabling Password Complexity
The password complexity feature allows you to apply complexity rules to the password for NQS authenticated users, who log on to the NQS Administrator, NQS Monitor, NQS Query, NWQ, NWQ Administrator, and NWQ Printer Utility. By default, the feature is not enabled. When you enable the feature, the user will be prompted to change the password if the password does not meet the following complexity requirements:
The password must contain a minimum of 8 characters and can contain a maximum of 32 characters.
The password must be a combination of three or more of the following characters: lower case letters (a-z), upper case letters (A-Z), numbers (0-9), and special characters (including white spaces).
If the feature is enabled, make sure that these requirements are met when you create or change the password. For information about setting the password for new users, see Create Users, and for information about changing passwords, see Changing Passwords.
To enable the feature, in the Windows Registry, locate HKEY_LOCAL_MACHINE > SOFTWARE > Noetix > Query Server > CurrentVersion > PasswordComplexity. For Enabled, modify Value data from 0 to 1. Then, restart the Noetix QueryServer service.
IMPORTANT: The Noetix QueryServer service must not be restarted when a report is running. Magnitude recommends that you do not modify other registry settings of the feature. If you need to modify a setting, contact Magnitude Support.
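The complexity requirements listed above can be checked before a password is entered for a new or changed account. This is an added example, not Noetix code; it assumes that every character outside a-z, A-Z and 0-9 counts as a special character, and the sample passwords used with it are constructed.

```python
import string

MIN_LEN, MAX_LEN, MIN_CLASSES = 8, 32, 3    # values stated on the page


def complexity_problems(password):
    """Return the reasons a password fails the stated rules (empty list = passes)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    alnum = string.ascii_letters + string.digits
    classes = {
        "lower case": any(c in string.ascii_lowercase for c in password),
        "upper case": any(c in string.ascii_uppercase for c in password),
        "number": any(c in string.digits for c in password),
        # Assumption: every character outside a-z, A-Z and 0-9 is "special",
        # which includes white space as the page states.
        "special": any(c not in alnum for c in password),
    }
    present = [name for name, found in classes.items() if found]
    if len(present) < MIN_CLASSES:
        problems.append(
            f"{len(present)} character classes ({', '.join(present) or 'none'}); "
            f"need at least {MIN_CLASSES}")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the second passes only because the space is "special".
    for candidate in ("correct horse", "Correct horse", "Ab1!"):
        print(repr(candidate), complexity_problems(candidate) or "meets the rules")
```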
Changing Passwords
Users and administrators can change their passwords in either NQS Administrator or in NWQ.
The SysAdmin user in NQS and the NQS administrative users in Microsoft SQL Server require special steps to change their passwords.
To change the SysAdmin user’s password
Log on to the NQS Administrator as SysAdmin.
Change the SysAdmin user’s password:
Select the Users node in the tree, then select the SysAdmin user in the list in the upper right.
Select the General tab.
Type the new password twice in the provided boxes.
Click the Save button.
If the LoopBack Server connection’s user is SysAdmin, you will want to change the password there as well. To update the LoopBack Server Connection:
Expand the Servers object in the tree and select the LoopBackServer.
Select the LoopBackServer_conn1 connection in the list to the right.
Select the Type tab.
Re-type the SysAdmin’s new password in the Password text box.
Click the Save button. The connection should still be in a validated state. (If the connection is not valid, it will have a red “X” through it in the left-hand navigator pane. If this happens, try re-typing the password and saving again.)
Update the Agent connection.
Select the Agent object in the tree.
Re-type the SysAdmin's new password in the Password text box.
Click the Recreate Agent Connection button.
To change passwords for the NQS administrative users in SQL Server:
If you want to change the passwords of the NQS administrative users in Microsoft SQL Server, you must use Noetix Platform Change Repository Password Wizard. For information about changing the NQS administrative users, see “Changing Database Users’ Passwords” in the section “Working with Users” in the NQS Help.
If the password complexity feature is enabled, make sure that the password meets the complexity requirements. For information about the complexity requirements, see Enabling Password Complexity.
Group Users into Organizations
An organization is a group of users, usually arranged by department or job functions (Sales, Development, Finance, and so on). Since individuals in a specific department or function usually have similar data access needs, organizations can make it easy to grant roles and permissions to groups of users at a time.
Each user must be in one and only one organization, either the default Users root or a custom organization you create.
TIP: To avoid confusing organizations and roles, think of an organization as the office an employee works in and roles as keys to the building. Each employee works in one and only one building at a time (since you can’t be in two places at once). But employees may have a number of different keys to use within that building—the front door, their office, the supply closet, and so on—depending on the permissions the employee has been given.
Right-click on the Users root item and click New > Organization. The Organization property sheet will display.
On the General tab, enter the new organization name and a description. You may also limit the number of rows users in this organization can retrieve in a single query to prevent runaway queries (long-running queries that tax the database).
Click the Default Subfolders tab. Add any default subfolders you want to grant to all members of this organization. You may grant these later if required.
For more information about default subfolders, see Granting a Default Subfolder in “VTables and Mappings.”
On the Roles tab, assign any roles you want members of this organization to inherit. You may also do this later when setting up your roles.
(Optional) Use the Notes tab to add notes about this organization, if required. (You will need to click Save before adding a note.)
On the Permissions tab, if necessary, grant any permissions members of this organization should or should not have. Click Save to finish.
It is more manageable to grant permissions through roles than directly through the Permissions tab. However, if you want to bar this organization from accessing certain items members may otherwise inherit, you may want to revoke their permissions to those items here. For more information about permissions, see Manage Permissions in Noetix Platform Security Set Up.
To move users into an organization
When you create a new user, the user is added to the organization you specified in the Users and Roles Wizard, or to the organization you right-clicked when clicking New > User. You may move users from one organization to another by selecting the user and dragging and dropping it into the required organization.
Note that the user will now implicitly inherit all permissions granted to the new organization and will lose any permissions inherited implicitly from the old organization. After this move, you should inspect the user’s effective permissions to ensure they are correct. To do this, browse to the user and double-click the user’s name. Then, on the Permissions tab of the property sheet, click the Show Effective button and examine the user's effective permission to servers, VTables, and other objects.
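The setup steps earlier in this chapter (organizations, roles granted to organizations, user-level exceptions) and the move described above can be reasoned about with a small model. This is an added example, not Noetix code and not the way NQS itself resolves permissions: the organization chart, role names and VTable names are constructed, and it assumes that a revoke always overrides a grant and that user-level grants stay with the user after a move.

```python
from dataclasses import dataclass, field


@dataclass
class Org:
    name: str
    parent: "Org | None" = None
    roles: set = field(default_factory=set)     # role names assigned to this organization
    grants: set = field(default_factory=set)    # (permission, object) granted directly
    revokes: set = field(default_factory=set)   # (permission, object) revoked directly


@dataclass
class User:
    name: str
    org: Org                                    # exactly one organization per user
    roles: set = field(default_factory=set)
    grants: set = field(default_factory=set)
    revokes: set = field(default_factory=set)


def effective_permissions(user, role_defs):
    """Everything granted through the user, the organization chain and their
    roles, minus every revoke. Assumption: a revoke always wins."""
    granted, revoked, role_names = set(user.grants), set(user.revokes), set(user.roles)
    org = user.org
    while org is not None:                      # permissions flow down the hierarchy
        granted |= org.grants
        revoked |= org.revokes
        role_names |= org.roles
        org = org.parent
    for name in role_names:
        granted |= role_defs[name]
    return granted - revoked


def move_user(user, new_org, role_defs):
    """Move the user and report how the effective permissions changed."""
    before = effective_permissions(user, role_defs)
    user.org = new_org
    after = effective_permissions(user, role_defs)
    return {"lost": before - after, "gained": after - before, "kept": before & after}


def build_sample():
    """Constructed organization chart, roles and user (not from a real repository)."""
    role_defs = {
        "SalesReader": {("Select", "Sales.Orders")},
        "SalesManager": {("Select", "Sales.Forecast")},
        "FinanceReader": {("Select", "Finance.Ledger")},
    }
    root = Org("Users")
    sales = Org("Sales", parent=root, roles={"SalesReader"})
    managers = Org("Sales Managers", parent=sales, roles={"SalesManager"})
    finance = Org("Finance", parent=root, roles={"FinanceReader"})
    # User-level exception: a grant made directly on the user, not inherited.
    user = User("jjones", org=managers, grants={("Select", "Sales.Pipeline")})
    return user, finance, role_defs


if __name__ == "__main__":
    user, finance, role_defs = build_sample()
    for label, perms in move_user(user, finance, role_defs).items():
        print(label, sorted(perms))
```

In this model the "kept" set is the user-level grant that followed the user into the new organization, which is the kind of leftover access the Show Effective check is meant to surface.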