Describes the various types of LeasePak and mPower users and how to set up their accounts and passwords.
mPower Users
Default oracle or sybase. Performs installation and configuration functions for the database server software. You must create a separate Unix/Linux group to go with this user. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Default srvadm. Performs the functions of either sysdba (for Oracle) or sa (for Sybase) to administrate the database server, individual databases/schemas, and users. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Although you can assign this role to the LeasePak release administrator (msiadmin), msiadmin can no longer change its own environment (or the environment of msidba) by using change_env, so NetSol recommends creating a separate user, such as lpsuper. This user performs software administration tasks such as adding new LeasePak users into the Security [U0706] update, submitting batch files, running End of Period, and using programs from $uexe/lpautil.exe. Set up the lpsuper user as part of the initial installation and configuration of LeasePak. You can also create a separate LeasePak administrative user for each environment, thereby avoiding the need for change_env. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Default msidba. Performs tasks and runs scripts related to the configuration and administration of LeasePak databases, including db_create, db_add_login, and db_add_user. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Default msiadmin. Performs tasks and runs scripts related to the configuration and administration of the LeasePak server software, including LeasePak queue manager configuration and setup_new_env. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Also known as LeasePak client users. These are LeasePak users with client string passwords allowing them to log on the LeasePak client, but, in most cases, no access to the server or DBMS. They may have access to both LeasePak updates and reports, or LeasePak reports only. Level and type of privileges will depend on the individual user's assigned tasks and responsibilities. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
Like general users, these have client string passwords for logging on the LeasePak client without having direct access to the server or DBMS. Unlike general users, their update capabilities are confined to Application Tracking and a few other related updates by marking the LeasePak Account Status as 'Partial Upd. User' on the Portfolio Security Tab of the Security [U0706] update. Refer to the remainder of this document for instructions on creating accounts for LeasePak users.
All mPower applications--ChannelIT, DocIT, LinkIT, and ServIT--require you to first set up the Web Services API (LinkIT) user.
This is the account the Web Services API uses to log on LeasePak. Set up one API account, separate from any other users you set up for ChannelIT or ServIT, for use with all your mPower applications. You can also use the LeasePak Supervisor User (lpsuper) for this purpose if you add access to Application Tracking to the lpsuper account (see step 2 below).
A LinkIT user cannot also be a ChannelIT or ServIT user.
To set up a LinkIT user:
You cannot use the LinkIT user for a ChannelIT or ServIT user.
Typically a member of the lessor's dealer network authorized to begin the origination of new business in LeasePak. To set up a ChannelIT dealer user:
You cannot use the LinkIT user for a ChannelIT or ServIT user.
These are Application Tracking users who may be logging on remotely or using ChannelIT as their interface to LeasePak. To set up a ChannelIT salesperson user:
DocIT users are actually ChannelIT users, since DocIT is always used in conjunction with ChannelIT. Follow the instructions above for setting up ChannelIT users.
ServIT Users
You cannot use the LinkIT user for a ChannelIT or ServIT user.
These are customer end-users with authorization to view limited account and payment information in LeasePak and possibly make updates to address or other personal information. To set up a ServIT user:
The following table illustrates which accounts you will need to set up for the various types of users.
User | Default | Default Group | Unix/Linux Account | DBMS Account | LeasePak Account |
database software administrator | (oracle or sybase) | (oracle or sybase) | yes | ||
DBMS server administrator | srvadm | N/A | (see below) | ||
LeasePak administrative user | lpadmin | msi | yes | yes | yes |
LeasePak client user(s) | (various) | msi | yes | yes | yes |
MSI database administrator | msidba | msi | yes | ||
MSI release administrator | msiadmin | msi | yes |
Do not create a Unix/Linux or DBMS account for this user. The LeasePak server setup program prompts for a new user name (default is srvadm) and password, then uses these to create either a login in Sybase and grant it sa privileges, or create an Oracle schema (using a default tablespace) and grant it sysdba privileges. Normally only the msiadmin and msidba users know the srvadm password.
The LeasePak environment files .lplogin and .lpprofile only need to be incorporated into the startup files of users who perform LeasePak-related tasks requiring direct access to the LeasePak server. These users typically include msiadmin and msidba, whose startup files should always point them to the administrative environment (adm_*), and lpsuper, but can also include other users as needed.
When LeasePak administrative, updates, or reports users log on the LeasePak client, the password (called the client string) they use is passed through and translated into the actual three passwords required to connect to the LeasePak server--a network password, a server OS password, and a password for the DBMS. The algorithm translating the client string always produces the same output--that is, "string" always translates to "yihnx8" and "tjgui3." NetSol does not recommend using the word "string" for an actual client string.
Users logging on the LeasePak Client only know their client string unless they are explicitly given the server or DBMS password separately. Normally, only LeasePak supervisor users (such as lpsuper) know their passwords for logging on the LeasePak server and DBMS server.
This password system depends on setting up the users' LeasePak server and DBMS accounts using passwords that match the translations of the client string. The following is an overview of the steps for adding a new LeasePak client user:
Do not use $uexe/lpautil.exe 108 to add any user to the LeasePak security table other than the LeasePak administrative user. The $uexe/lpautil.exe 108 function provides no control in how the user is added to LeasePak security, and the LeasePak administrative user must still log on the LeasePak client in order to correctly configure a user's security.
Create user names in compliance with your company's security guidelines. Use the same user name when setting up the server and DBMS accounts.
Create client strings in compliance with your company's security guidelines. Client strings must be 6 to 8 characters in length.
Use $uexe/lpautil.exe 112 to translate the client string
1. Log on the LeasePak server as msiadmin or lpsuper
Terminal emulation: you must use one of the supported terminal types. Refer to System Requirements for more information.
2. Type $uexe/lpautil.exe 112 and press Enter. The terminal will prompt:
This Utility option may be used to translate a Client password
into the equivalent Unix and SQL Server passwords.
Do you wish to continue (Y/N)?
Type y and press Enter.
3. The utility will prompt for the client string
Unix and SQL Server password translation utility
Instructions: Enter the Client password. The equivalent Unix and SQL Server passwords will be displayed.
Enter the Client string, <RETURN> to exit:
Type the selected client string and press Enter. If you type password as the client string, the terminal will display:
Client string: password
SQL Server string: rkqcguh4
Unix string: rrchglt1
NetSol does not recommend using the word "password" as an actual client string.
4. The utility will prompt for another client string
Enter the Client string, <RETURN> to exit:
Press Enter to exit the utility.
You can create a text file to translate several client strings at once
1. Log on the LeasePak server as msiadmin or lpsuper.
2. In your home directory, use cat, vi, or other means to create a text file password.in
y
passwd1
passwd2
passwd3
passwd4
The last line of the file must be a blank line (newline character).
3. Run $uexe/lpautil.exe 112 with input and output files
$uexe/lpautil.exe 112 < password.in > password.out
4. Use cat, vi, or other means to view the file
This Utility option may be used to translate a Client password
into the equivalent Unix and SQL Server passwords.
Do you wish to continue (Y/N)? y
Unix and SQL Server password translation utility
Instructions: Enter the Client password. The equivalent Unix and SQL Server passwords will be displayed.
Enter the Client string, <RETURN> to exit:
Client string: passwd1
SQL Server string: kudejz2
Unix string: stpjvq0
Enter the Client string, <RETURN> to exit:
Client string: passwd2
SQL Server string: aodmbd9
Unix string: drczoy0
Enter the Client string, <RETURN> to exit:
Client string: passwd3
SQL Server string: qiduth2
Unix string: cjpvty4
Enter the Client string, <RETURN> to exit:
Client string: passwd4
SQL Server string: kedahf9
Unix string: bfcfsq2
(etc.)
NetSol does not recommend using any of the above client string examples as actual client strings.
Follow the appropriate instructions for your OS platform to add a LeasePak user account with the translated password. Make the LeasePak group msi the primary group for the user, and ensure that the user can write to the $HOME directory. If you assign a user's UID number manually, do not use a number greater than 32757. Contact your NetSol representative for more information.
Adding LeasePak users: make msi the group for all LeasePak users, but do not add users to the msi line of the /etc/group file. Having all LeasePak users listed on this line will cause fatal errors during the LeasePak installation.
Multiple concurrent versions: if you are running more than one version of LeasePak on the same server, be sure to use the appropriate startup files (such as .lplogin and .lpprofile) with the LeasePak release administrator for the version you are working in. NetSol strongly recommends that you set up separate, version-specific LeasePak release administrator users for this situation.
Use the LeasePak script db_add_login to create an account on your DBMS server
1. Log on the server as msidba
Terminal emulation: you must use one of the supported terminal types. Refer to System Requirements for more information.
2. Run the db_add_login script
db_add_login dbms-type new-login-name [new-login-password [srvadm-password]]
where dbms-type is either ora for Oracle or syb for Sybase, new-login-name is the same user name as the server account, new-login-password is the corresponding translated password, and srvadm-password is the password for the srvadm user.
You can create a script to add several DBMS users at once
1. Log on the LeasePak server as msiadmin or lpsuper.
2. In your home directory, use cat, vi, or other means to create the file my_add_login
db_add_login dbms-type msitest1 kudejz2 srvadm-password
db_add_login dbms-type msitest2 aodmbd9 srvadm-password
db_add_login dbms-type msitest3 qiduth2 srvadm-password
db_add_login dbms-type msitest4 kedahf9 srvadm-password
3. Run the script
1. for Korn/Bourne/HP-UX Posix shell (sh) users, type sh my_add_login and press Enter
2. for C shell (csh) users, type csh -c my_add_login and press Enter
NetSol does not recommend using any of the above user names or passwords as actual user names and passwords.
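The two batch procedures above (translating client strings with $uexe/lpautil.exe 112, then writing my_add_login) can be joined so the translated passwords are not copied by hand. This is an added example, not NetSol's code: it assumes password.out has the layout shown earlier, and the names users.map and SRVADM_PW are hypothetical.

```shell
#!/bin/sh
# Added example: build the db_add_login batch file from lpautil 112 output.
# Assumed names (not from the page): users.map holds "user-name client-string"
# pairs; SRVADM_PW is an environment variable the operator sets at run time,
# so the srvadm password is never written into my_add_login.

umask 077   # files created from here on hold credentials: owner-only access

# gen_add_login DBMS-TYPE PASSWORD.OUT USERS.MAP
# Prints one db_add_login line per user; non-zero status on any problem.
gen_add_login() {
    [ -s "$2" ] && [ -r "$3" ] || return 1
    awk -v dbms="$1" '
        # Return the word that follows LABEL on the current line, or "".
        function after(label,   i, rest) {
            i = index($0, label)
            if (i == 0) return ""
            rest = substr($0, i + length(label))
            sub(/[ \t\r].*$/, "", rest)
            return rest
        }
        # First file (password.out): map each client string to its
        # SQL Server string. The prompt line has a comma, not a colon,
        # after "Client string", so it never matches.
        NR == FNR {
            if ((v = after("Client string: ")) != "") client = v
            if ((v = after("SQL Server string: ")) != "") sql[client] = v
            next
        }
        NF < 2 { next }            # skip blank lines in users.map
        length($2) < 6 || length($2) > 8 {
            print $1 ": client string must be 6 to 8 characters" > "/dev/stderr"
            bad = 1; next
        }
        !($2 in sql) {
            print $1 ": no translation in lpautil output" > "/dev/stderr"
            bad = 1; next
        }
        { printf "db_add_login %s %s %s \"$SRVADM_PW\"\n", dbms, $1, sql[$2] }
        END { exit bad + 0 }
    ' "$2" "$3"
}

# Run as a command when given the three arguments.
if [ "$#" -eq 3 ]; then gen_add_login "$@"; fi
```

Redirect the output to my_add_login, export SRVADM_PW in the shell that runs it, and delete password.in, password.out and users.map once the accounts exist.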
Use the LeasePak script db_add_user to grant permissions to a specific LeasePak environment and database
1. Log on the server as msidba
Terminal emulation: you must use one of the supported terminal types. Refer to System Requirements for more information.
2. Run the db_add_user script
db_add_user environment-name legal-DBMS-user msi-access-group dbo-password
where environment-name is the specific LeasePak environment, legal-DBMS-user is the user's DBMS account user name, msi-access-group is either msi for normal read/write permissions or msir for read-only permissions, and dbo-password is the password for the dbo of the specific database (as specified during db_create).
You can create a script to add several DBMS users at once
1. Log on the LeasePak server as msiadmin or lpsuper.
2. In your home directory, use cat, vi, or other means to create the file my_add_user
db_add_user environment-name msitest1 msi dbo-password
db_add_user environment-name msitest2 msi dbo-password
db_add_user environment-name msitest3 msir dbo-password
db_add_user environment-name msitest4 msi dbo-password
The user msitest3 is a reports user and will have read-only permissions for this database.
3. Run the script
1. for Korn/Bourne/HP-UX Posix shell (sh) users, type sh my_add_user and press Enter
2. for C shell (csh) users, type csh -c my_add_user and press Enter
NetSol does not recommend using any of the above user names as actual user names.
Do not use $uexe/lpautil.exe 108 to add any user to the LeasePak security table other than the LeasePak administrative user. The $uexe/lpautil.exe 108 function provides no control in how the user is added to LeasePak security, and the LeasePak administrative user must still log on the LeasePak client in order to correctly configure a user's security.
On the LeasePak server, the root user controls security by determining
* which users have server (OS) accounts
* which users are members of the LeasePak user group (msi).
The users msiadmin and msidba control security by determining
* which users have DBMS accounts
* which environments/databases users have permissions for
* what type of database permissions users have (read/write msi or read-only msir)
* which LeasePak client users have explicit access to their server and DBMS account passwords, as well as the various dbo passwords and the password for srvadm (root may also control this).
The following table illustrates typical password access for the various types of users:
Explicit Password Access by Account or Type | |||||
Client String | Server | DBMS | srvadm | dbo | |
msiadmin | yes | ||||
msidba | yes | yes | yes | yes | |
lpsuper | yes | yes | yes | yes | |
LP client user | yes |
On the LeasePak client, the lpsuper user or other supervisor controls the privileges of other users through the Security [U0706] update. This update configures the security records for users within a specific LeasePak environment/database--that is, each database in LeasePak contains its own distinct security table and set of records. An administrative user for one LeasePak environment/database will not have access to any other unless msiadmin gives them access to the environment and msidba grants them access to the database.
Once lpsuper sets a LeasePak client user up with an initial client string password, the user can change the client string (and the corresponding translated passwords) by using Change Password in the LeasePak Options menu. Using Change Password does not reveal the server or DBMS password to the LeasePak client user.
For more information about changing passwords on the LeasePak client, refer to the document LeasePak Basics in the LeasePak Reference Guide. For more information about LeasePak client security, refer to the document Security [U0706] in the LeasePak Reference Guide.