
Local Directory Users Management

The software features a built-in Local User Directory for managing users, groups, and group memberships to define permissions and roles for objects.

In addition to the default local user directory, named "local", the software supports the creation of additional local user directories. This functionality enables the delegation of security management to regional or departmental divisions.

Create new Local User Accounts

Local User Accounts allow for user authentication from the built-in local directory. To create new Local User accounts:

  1. Log in with an Administrator or Directory Manager account.
  2. Navigate to Management > Users and click the Add button.
  3. Populate the fields for the new local user account as required:
    • Login: Enter a unique login name for the account.
    • First Name: Enter the first name for the account.
    • Last Name: Enter the last name for the account.
    • Mail: Enter a valid and unique email address for this account.
    • Password: Enter a password for the account.
    • Locked: By default, the account is unlocked, but you may select this option to create the account in a locked state.
  4. Click the Save button to complete the user creation operation.

Manage Local User Accounts

Administrator or Directory Manager accounts can also manage Local User accounts. To manage a local user account:

  1. Log in with an Administrator or Directory Manager account.
  2. Navigate to Management > Users, locate the user account to manage and use the Actions menu on the right side:
    • Edit: Use the Edit option to update this local user account, including Name, Email and Password attributes.
    • Delete: Use the Delete option to delete this local user account. This is a permanent operation that cannot be undone. We recommend using the Lock option to disable login while preserving the account.
  3. After your edit is complete, click the Save button to save the update.

Local User accounts can be locked or unlocked in bulk:

  1. Select the checkbox of each account to be updated.
  2. Open the Mass Actions menu and choose:
    • Unlock Selected: This action will unlock all the selected accounts.
    • Lock Selected: This action will lock all the selected accounts.

Tip

Locked accounts are shown with a check-mark in their Locked column while unlocked accounts are shown with a cross-mark.

Local Users Locked Column Status

Password Requirements

The Password Requirements option allows Space Role: Administrator or Space Role: Directory Manager users to define a custom password complexity policy ensuring that Local User accounts can only have strong passwords.

This policy includes the option to:

  • define a minimum and maximum Length,
  • include a minimum and maximum number of Upper Case Characters,
  • include a minimum and maximum number of Numeric Characters,
  • include a minimum and maximum number of Special Characters,
  • define the list of these Special characters (overwriting the default list),
  • and view an example password based on the presently configured password requirements.

Local User Accounts Password Requirements

Tip

  • When a maximum parameter is set to zero, the password must not use any of these characters.
  • When a parameter is not set to a value (left empty), the password may use any of these characters, but they are not required.
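The following added example (not the product's own code) models the policy fields described above, including the zero-maximum and empty-field rules from the Tip, and also flags settings that no password could satisfy. The class and field names and the `DEFAULT_SPECIALS` list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_SPECIALS = "!@#$%&*"  # constructed list; the product's default is not shown on the page

@dataclass
class Bounds:
    minimum: Optional[int] = None  # None models a field left empty
    maximum: Optional[int] = None

    def violation(self, label: str, count: int) -> Optional[str]:
        if self.minimum is not None and count < self.minimum:
            return f"{label}: {count} is below minimum {self.minimum}"
        # A maximum of 0 forbids the character class entirely.
        if self.maximum is not None and count > self.maximum:
            return f"{label}: {count} is above maximum {self.maximum}"
        return None

@dataclass
class PasswordPolicy:
    length: Bounds = field(default_factory=Bounds)
    upper: Bounds = field(default_factory=Bounds)
    numeric: Bounds = field(default_factory=Bounds)
    special: Bounds = field(default_factory=Bounds)
    specials: str = DEFAULT_SPECIALS

    def config_errors(self) -> List[str]:
        """Flag settings that no password could ever satisfy."""
        errors = []
        for label in ("length", "upper", "numeric", "special"):
            b = getattr(self, label)
            if None not in (b.minimum, b.maximum) and b.minimum > b.maximum:
                errors.append(f"{label}: minimum exceeds maximum")
        required = sum(b.minimum or 0 for b in (self.upper, self.numeric, self.special))
        if self.length.maximum is not None and required > self.length.maximum:
            errors.append("required characters exceed maximum length")
        return errors

    def check(self, password: str) -> List[str]:
        counts = {
            "length": len(password),
            "upper": sum(c.isupper() for c in password),
            "numeric": sum(c.isdigit() for c in password),
            "special": sum(c in self.specials for c in password),
        }
        found = (getattr(self, k).violation(k, n) for k, n in counts.items())
        return [v for v in found if v]
```

Running `config_errors()` before saving a policy catches combinations such as a minimum above its maximum, which would otherwise block every password change in the Space.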

Note

There is also an option to change the password Type from a random string to XKCD. XKCD passwords are based on the popular XKCD comic advocating passwords that are easy for people to remember and hard for machines to break (https://xkcd.com/936/). The strategy is based on creating a password using several dictionary words connected by known separators.

Password Requirements policies are inherited from parent Spaces to child Spaces. An individual child Space can break this inheritance with the Make Unique option and define its own requirements.

Local Directory User Usage

The Local User Directory is utilized across various components of the system.

  • Authentication - When the Login button is pressed on the software's authentication screen, the software tries to authenticate the user account using the provided account and password information across each enabled Local User Directory marked with the "Direct Login" flag. This process occurs sequentially, following alphabetical order.
    Users have the option to specify a particular Local User Directory for authentication by entering its name before the account name in the user field, separated by a backslash. For instance, in the format "dir-name\account", or "local\account" for accounts in the default embedded local user directory.

  • Authorization - The software utilizes account and group membership data obtained from the configured Local User Directory to verify permissions set for objects and roles. Groups in the Local User Directory may encompass users and group members sourced from other directories such as LDAP Servers, Entra ID tenants, and additional local user directories.

  • Permissions - System owners can search for user accounts and groups in the configured Local User Directory to use in object and role permissions.

  • Metadata - The software might use account metadata obtained from the configured Local User Directory to improve the visual presentation for different system functionalities. Examples of LDAP metadata include an account's Thumbnail or Display Name.
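The directory selection described under Authentication can be modelled as follows. This is an added example, not the product's implementation: it shows which directories an unqualified login is tried against and why the accepting directory belongs in the audit log when the same login name exists in several directories. `LocalDirectory`, `SALT`, the sample accounts and the handling of an explicitly named directory are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SALT = b"constructed-demo-salt"  # sample value; use a random per-account salt in practice

def verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

@dataclass
class LocalDirectory:  # hypothetical model, not the product's schema
    name: str
    enabled: bool = True
    direct_login: bool = False
    accounts: Dict[str, bytes] = field(default_factory=dict)  # login -> verifier

def split_login(user_field: str) -> Tuple[Optional[str], str]:
    """'dir-name\\account' -> (dir-name, account); unqualified -> (None, account)."""
    directory, sep, account = user_field.partition("\\")
    return (directory, account) if sep else (None, user_field)

def candidates(user_field: str, directories: List[LocalDirectory]) -> List[str]:
    """Directory names in the order they would be tried for this login."""
    directory, _ = split_login(user_field)
    live = [d for d in directories if d.enabled]
    if directory is not None:
        # Assumption: an explicitly named directory only has to be enabled.
        return [d.name for d in live if d.name == directory]
    return sorted(d.name for d in live if d.direct_login)

def authenticate(user_field, password, directories) -> Optional[str]:
    """Return the directory that accepted the login (log this), else None."""
    _, account = split_login(user_field)
    by_name = {d.name: d for d in directories}
    for name in candidates(user_field, directories):
        stored = by_name[name].accounts.get(account)
        if stored is not None and hmac.compare_digest(stored, verifier(password)):
            return name
    return None

DIRECTORIES = [  # constructed sample data
    LocalDirectory("local", direct_login=True, accounts={"jdoe": verifier("pw-local")}),
    LocalDirectory("emea", direct_login=True, accounts={"jdoe": verifier("pw-emea")}),
    LocalDirectory("lab", direct_login=False, accounts={"jdoe": verifier("pw-lab")}),
]
```

With this sample data an unqualified `jdoe` login is checked against `emea` and then `local`, so a single sign-in can register a failed attempt in one directory before succeeding in another.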

Note

Allowing users and groups from other directories to be members of local user directory groups presents an opportunity to define system object permissions and roles using the generic terms of local groups. This architecture separates the maintenance of local groups from the security architecture.