
Dorian Identity Provider Account Administration



Overview

The GAARDS Administrative UI provides a mechanism for viewing and updating Dorian IdP user accounts. To manage an individual grid user account, perform a user search and select the account you wish to manage. This should bring up the User Management Window for the user you selected. The window is titled with the user's user ID and has five tabs: (1) User Information, (2) Account Information, (3) Change Password, (4) Password Security, and (5) Auditing. The remainder of this page documents each of the tabs.

User Information

The User Information tab contains attributes describing the identity of the user.  These attributes are listed in the table below:

| Attribute | Description |
|---|---|
| Username | The unique identifier for the account within the Dorian IdP. |
| First Name | The first name of the user who owns the account. |
| Last Name | The last name of the user who owns the account. |
| Organization | The organization that the user belongs to. |
| Address | The street address of the user. |
| Address2 | Second line of the user's street address. |
| City | The city the user resides in. |
| State | The state the user resides in. |
| Zip Code | The zip code of the area the user resides in. |
| Country | The country the user resides in. |
| Email | The user's email address. |
| Phone Number | The user's phone number. |

With the exception of Username, any of the attributes listed in the above table can be updated by Dorian IdP administrators (Dorian IdP users with a role of administrator).  These attributes can be updated using the GAARDS UI by making the desired changes and then clicking the Update button.

Account Information

The Account Information tab contains the user's Status and Role attributes. The account status specifies the status of the user's account; the table below lists the possible account statuses:

| Status | Description |
|---|---|
| Active | The user's account is active and they may authenticate. |
| Pending | The user has requested an account but the account needs to be approved by an administrator. |
| Rejected | The user has requested an account, however the account was rejected by an administrator. |
| Suspended | The user account has been de-activated; the user cannot authenticate until an administrator has re-activated the user's account. |

The account role specifies whether or not the user is a Dorian Identity Provider administrator. Users that are Dorian IdP administrators may administer accounts on the Dorian IdP; they may not administer Grid user accounts. The table below lists all the possible values for the account role attribute:

| Role | Description |
|---|---|
| Administrator | The user is an administrator of the Dorian Identity Provider. |
| Non_Administrator | The user is NOT an administrator of the Dorian Identity Provider. |

Both the Role and Status attributes can be updated using the GAARDS UI by selecting the desired values and clicking the Update button.

Change Password

The Change Password tab allows Dorian IdP administrators to reset or change a user's password. This is useful when a user forgets their password or if their account becomes locked because they have exceeded the number of total invalid logins allowed by the system.

To change a user's password, enter the new password into the Password text box, then enter it again into the Verify Password text box to confirm that the password you entered is the one you intended. Finally, click the Update button. This will immediately change the user's password.

(NOTE: Using the default configuration for Dorian, the password must contain at least 10 and at most 20 characters, as well as contain at least one capital letter, one number, one non-alphanumeric symbol, and not contain any dictionary words. The default password security configuration was chosen in order to meet the federal e-authentication guidelines for Level of Assurance 1 and Level of Assurance 2)

Password Security

By default Dorian is configured with a password security policy that meets the federal e-authentication guidelines for Level of Assurance 1 and Level of Assurance 2.   Specifically the password must contain at least 10 and at most 20 characters, as well as contain at least one capital letter, one number, one non-alphanumeric symbol, and not contain any dictionary words.  In addition when a user fails to authenticate five consecutive times, their account is locked for four hours.  Over the lifetime of a password, if a user fails to authenticate more than 500 times, the account is locked until a Dorian Identity Provider administrator resets their password.

The Password Security tab contains information that gives Dorian IdP administrators insight into the security of a user's password. This information is described in the table below:

| Property | Description |
|---|---|
| Digest Algorithm | Algorithm used for encrypting and storing the password. |
| Password Status | Whether or not the password is valid, that is whether or not the total number of invalid logins has been exceeded. |
| Consecutive Invalid Logins | The number of times the user has consecutively failed to log in. |
| Total Invalid Logins | The number of times the user has failed to log in over the lifetime of the password. |
| Lockout Expiration | The expiration of a temporary lockout due to exceeding the allowed number of consecutive invalid logins. |

(The information in the table above is read-only and cannot be updated!!!)
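The default policy and the counters shown on this tab can be modelled as follows. This is an added example, not Dorian's own code: the class, function and constant names are hypothetical, the word list is a constructed sample, and the handling of attempts made during a lockout is an assumption the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults stated on this page; all names here are hypothetical, not Dorian's.
MIN_LEN, MAX_LEN = 10, 20
MAX_CONSECUTIVE, LOCKOUT = 5, timedelta(hours=4)
MAX_TOTAL = 500
DICTIONARY = {"password", "welcome", "dorian"}  # constructed sample word list


def password_meets_policy(pw: str) -> bool:
    """Length 10-20, a capital, a digit, a symbol, and no dictionary word."""
    lowered = pw.lower()
    return (MIN_LEN <= len(pw) <= MAX_LEN
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw)
            and not any(word in lowered for word in DICTIONARY))


@dataclass
class PasswordSecurity:
    """Counters corresponding to the Password Security tab properties."""
    consecutive_invalid: int = 0
    total_invalid: int = 0
    lockout_expiration: Optional[datetime] = None

    @property
    def password_valid(self) -> bool:  # "Password Status"
        return self.total_invalid <= MAX_TOTAL

    def login(self, correct: bool, now: datetime) -> bool:
        """Return True only if the attempt is allowed and the password is correct."""
        locked = self.lockout_expiration is not None and now < self.lockout_expiration
        if locked or not self.password_valid:
            return False  # assumption: refused attempts are not counted
        if correct:
            self.consecutive_invalid = 0
            return True
        self.consecutive_invalid += 1
        self.total_invalid += 1
        if self.consecutive_invalid >= MAX_CONSECUTIVE:
            self.lockout_expiration = now + LOCKOUT  # temporary four-hour lock
            self.consecutive_invalid = 0  # assumption: streak restarts after lock
        return False

    def admin_reset_password(self) -> None:
        """New password, new lifetime: clear counters and any lockout."""
        self.consecutive_invalid = self.total_invalid = 0
        self.lockout_expiration = None
```

The model makes the two lock types distinct: the consecutive-failure lock expires on its own, while exceeding the lifetime total leaves the password invalid until an administrator resets it.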

Auditing

For security purposes and to give administrators insight on a user's account, Dorian maintains a list of auditing information for each user account.   The following is a list of auditing information maintained for each user account:

| Audit Information | Description |
|---|---|
| Registration | Documents when the user registered for the account. |
| LocalAccountUpdated | Documents when the account was updated. |
| LocalAccountRemoved | Documents when the account was removed. |
| LocalAccountLocked | Documents when the account was locked because of invalid logins. |
| PasswordChanged | Documents when the password for an account is changed. |
| SuccessfulLogin | Documents when the user successfully logs in. |
| InvalidLogin | Documents when a user fails to log in. |
| LocalAccessDenied | Documents when a user attempts to access functions of the Dorian IdP that they don't have permission to access. |

The Audit tab allows Dorian IdP administrators to search the auditing information for a given user based on the following search criteria:

| Criteria | Description |
|---|---|
| Reporting Party | The identity of the party that performed or reported the action. |
| Audit Type | The type of auditing information; please consult the table above for the different types. |
| Start Date | The start of a date/time range of when the event occurred. |
| End Date | The end of a date/time range of when the event occurred. |
| Message | Search the content of the Audit Message. |

Using the GAARDS Administrative UI, administrators can search the auditing information by completing the following steps:

  1. Select the "Audit" tab.
  2. Enter your search criteria; please consult the table above. If no search criteria are specified, all audit records for the user will be returned.
  3. Click the "Search" button.

When the search has completed, the audit records meeting your search criteria will be displayed in the table below the Search button. To view the complete details of a specific audit record, select that record in the table and click the "View" button. This will launch a window containing the complete details of the audit record you selected.

Last edited by
Sarah Honacki (609 days ago) , ...