Non-Administrative User Accounts
Top
Overview
Non-Admin User Comparison
LeasePak Supervisor
Regular User
Restricted User
Proxy User
WorkSheet
How to Create
Non-Administrative Account Holders have LeasePak Security Records
This section discusses the LeasePak non-administrative accounts, which include:
-
LeasePak Supervisor – the supervisor can be likened to the "super-user" of LeasePak; this user has application host access, is empowered to perform all updates and perform all functions allowed by LeasePak, and to configure the following classes of users:
-
Regular Users – these are the primary back-office users; they use the LeasePak client, performing a mix of updates and reports as determined by the LeasePak Supervisor to match their roles. These users generally do not require application host access.
-
Restricted Users – there are two groups of Restricted Users: Report Users and Partial Update Users; they differ only slightly.
-
Report Users – this group of users is restricted to running only report functions in the LeasePak client. They also do not require application host access.
-
Partial Update Users – these users only have access to , , and to the menu. They do not require application host access, and may enter LeasePak through the LeasePak Client or through a separate origination tool.
-
The LeasePak Supervisor may further restrict the reports that these users have access to by using .
-
Proxy User – there needs to be only one proxy user per server. One proxy user can host for multiple LeasePak users, in multiple environments and multiple instances and multiple releases. The proxy user requires a Unix account (password should be blocked), and a DBMS account, with a password of the Administrator's choosing. This password will be needed to activate the shared port. See Shared User Overview.
-
Hosted User – a sub-class of users with LeasePak credentials but no dedicated Linux or DBMS accounts. Hosted users count against the LeasePak license file's user limits. Every Hosted User is a member of one of the license classes: Regular, Report, or Partial. See Shared User Overview. These are the users who access LeasePak on the server via the proxy user.
Non-Administrative User Types Compared
Table of User Features
User Type | OS Acct? | DBMS Acct? | Shell Access? | Has RSC? | Security Record Created By | Range of available options | License Class
LeasePak Supervisor | yes | yes | yes | yes | Util 108 | All Client and Server Functions | User
Regular User | yes | yes | no | yes | | Updates and reports determined by Supervisor | User
Report User | yes | yes | no | yes | | Restricted: Reports only | Report
Partial Update User | yes | yes | no | yes | | Restricted: Reports and a few Updates only | Partial
Proxy User | yes | yes | yes | no | None | None | None
-
User Type – one of the four types of non-administrative users described in this section.
-
OS Acct? – does this type of user require an OS user account?
-
DBMS Acct? – does this type of user require an account under a database server?
-
Shell Access? – does this type of user require direct access to a command shell running on the application host?
-
Has RSC? – does this type of user have an RSC (Security) record? All users who will use the LeasePak Client must have RSC records.
-
Security Record Created By – which utility is used to create the security record for this type of user? Util 108 or .
-
Range of Available Options – which LeasePak menu options are available to this type of user?
-
License Class – The LeasePak license authorizes certain numbers of security records to be created. There are three classes of users involved in this authorization; this column specifies which class each of the user types is authorized by: User, Report or Partial.
LeasePak Supervisor
About the LeasePak Supervisor or LpAdmin
-
For each environment created within a LeasePak installation, NetSol recommends that the system administrator create a separate LeasePak supervisor. At least one user of this type is required, even if it is shared among environments.
-
This is a user who can log on the LeasePak client, the application host, and the database server to perform advanced LeasePak operational tasks such as End of Period administration, submission of LeasePak batch jobs, tasks within the LeasePak /util menu, and user security through . The LeasePak supervisor counts as a regular user for license purposes.
-
NetSol refers to this user as the LeasePak supervisor or LPAdmin, and recommends the name lpsup76a or env-name76a, where env-name is the name of the environment. Some systems restrict the length of a user name to 8 characters, so the System Administrator may have to be clever in the construction of useful names.
-
If the Shared User module is active, the LeasePak Supervisor can switch between the dedicated port and the shared port. However, the Supervisor must be aware that the update behaves differently according to which port the client is running on. If the Supervisor is running on the dedicated port, then U0706 works with RSC records belonging only to dedicated users. If the Supervisor is running on the shared port, then U0706 works with RSC records belonging only to hosted users.
-
The basic steps for setting up this kind of user can be found below with the Non-Administrative User Worksheet.
Regular LeasePak Users
About Regular LeasePak Users
-
Each dedicated user assigned to work with the LeasePak client updates should have his or her own regular accounts, that is, an OS user account on the application host, and an account under the database server on the database host.
-
The System Administrator or LeasePak Supervisor should ensure that the user names for the regular users conform to site policies, and are in accordance with the appropriate OS and database system guidelines.
-
The System Administrator will assign initial passwords to the dedicated regular users; the system administrator and the LeasePak Supervisor have the ability to change the user's password at a later time. Site policies regarding password formulation and changes should be established and followed. See for information on how to use LeasePak to help implement site password policies.
-
The LeasePak Supervisor can handle the passwords for the hosted users without System Admin assistance.
-
The basic steps for setting up this kind of user can be found below after the Non-Administrative User Worksheet.
Restricted Users
LeasePak Report Users and Partial Update Users
-
There are two types of restricted users: Report users and Partial Update users. The feature they have in common is that they both have access to the entire menu. Where they differ is that the Partial Update user also has access to a handful of .
-
These are specialized users that log on the LeasePak client, do not have direct application host logon privileges, and have restricted menu access as described above. The LeasePak Supervisor can further restrict which reports these users have access to by using .
-
The administrator or Supervisor should ensure that the user names for these users conform to site policies, and are in accordance with the appropriate OS and database system guidelines.
-
The administrator or the Supervisor will assign the initial password to these users; the System Administrator and the LeasePak Supervisor have the ability to change their passwords at a later time. Site policies regarding password formulation and changes should be established and followed. See for information on how to use LeasePak to help implement site password policies.
-
The basic steps for setting up these users can be found below with the Non-Administrative User Worksheet.
Note that users can be barred from accessing the application host via the OS shell by simply not providing them with the translated OS passwords.
A more certain and secure way of disabling the shell account of a dedicated user is by using /usr/bin/false (HP-UX and Solaris) or /sbin/nologin (Linux) as the user's shell (set by the administrator in /etc/passwd). The LeasePak internet services, leasepakd and mpowerd, can still access the stored passwords for proper authentication for the LeasePak client for dedicated users. Passwords stored on the RSC table are validated during hosted access to the server. Because these users cannot log onto the application host, they cannot each maintain their respective home directories; the administrator should make arrangements for this maintenance.
Proxy User
LeasePak Proxy User provides a channel for Hosted Users
Typically there will be only one Proxy User per server. The Proxy User's purpose is to provide a UID for client connections made from users who are unknown on the server. A secondary leasepakd or mpowerd internet service accepts connections from clients who know the protocol of leasepakd, and spawns drivers that authenticate the connections using the RSC string password.
The Proxy User caches the proxy database user's password, which may be, but is not required to be, the product of . It is cached in an encrypted file in the proxy user's home directory, written by .
Besides keeping the key to the database for the hosted users and providing a UID for the processes created by the hosted users, it also provides them each with a home directory where various reports and other LeasePak files are written. This home directory is a subdirectory of the proxy user's home directory, created by the administrator or by the LeasePak Supervisor when running .
Even though the proxy user is not a real person, and even though it is not directly involved with the connections that are made in its name, it must remain in the /etc/passwd file so that its UID is kept reserved and in use.
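The two account checks described above (a no-login shell for users without shell access, and a proxy user that stays in /etc/passwd with a blocked password), as an added example that is not LeasePak or NetSol code. The account names jsmith, rptuser1 and lpproxy, GID 500 and all file contents are constructed, and the locked-password test assumes the Linux shadow convention.

```sh
#!/bin/sh
# Added example, not LeasePak code. All account data below is constructed.

# passwd(5) sample; GID 500 stands in for the $NSTGROUP (nst) group.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
lpsup76a:x:1001:500:LeasePak Supervisor:/home/lpsup76a:/bin/ksh
jsmith:x:1002:500:Regular user:/home/jsmith:/sbin/nologin
rptuser1:x:1003:500:Report user:/home/rptuser1:/bin/bash
lpproxy:x:1010:500:Proxy user:/home/lpproxy:/bin/ksh
EOF
}

# shadow(5) sample; a password field starting with ! or * is locked (Linux).
sample_shadow() {
cat <<'EOF'
lpsup76a:$6$constructed$notarealhash:19000:0:99999:7:::
lpproxy:!:19000:0:99999:7:::
EOF
}

# List accounts whose primary GID is $2 in passwd file $1 and whose shell is
# not one of the two no-login shells the page names. $3 is a space-separated
# allow-list of accounts that are meant to keep a shell. An empty shell field
# is reported too, because login then falls back to /bin/sh.
interactive_shell_users() {
  awk -F: -v gid="$2" -v allow=" $3 " '
    $4 == gid && index(allow, " " $1 " ") == 0 &&
    $7 != "/usr/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# Report the proxy account $3: "missing" if it is not in passwd file $1
# (its UID would no longer be reserved), otherwise "locked" or "unlocked"
# from shadow file $2, or "unknown" when there is no shadow entry.
proxy_status() {
  awk -F: -v u="$3" '$1 == u { f = 1 } END { exit !f }' "$1" ||
    { echo missing; return 0; }
  awk -F: -v u="$3" '
    $1 == u { f = 1; print (($2 ~ /^[!*]/) ? "locked" : "unlocked") }
    END { if (!f) print "unknown" }' "$2"
}

audit_demo() {
  d=$(mktemp -d) || return 1
  sample_passwd > "$d/passwd"; sample_shadow > "$d/shadow"
  echo "login shell: $(interactive_shell_users "$d/passwd" 500 'lpsup76a lpproxy')"
  echo "proxy: $(proxy_status "$d/passwd" "$d/shadow" lpproxy)"
  rm -rf "$d"
}
audit_demo
```

Only primary group membership is checked; accounts that belong to the group through /etc/group alone are not listed.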
Non-Administrative User Worksheet
Note the following values for setting up Dedicated Non-Administrative Users
Type | Name | OS Acct? | DBMS Acct? | UID | Password | Notes
$NSTGROUP | nst | no | no | GID | none | Every user has the same group name/GID
LeasePak Supervisor | env-name+"76a" or lpsup76a | yes | yes | UID | client string password; SQL Server string password; Unix string password | Add LeasePak Security Record in Utility 108
Regular User | | yes | yes | UID | client string password; SQL Server string password; Unix string password | Add LeasePak Security Record in ; Set Account Type to Regular User
Report User | | yes | yes | UID | client string password; SQL Server string password; Unix string password | Add LeasePak Security Record in ; Set Account Type to Report User
Partial Update User | | yes | yes | UID | client string password; SQL Server string password; Unix string password | Add LeasePak Security Record in ; Set Account Type to Partial Upd. User
Proxy User | | yes | yes | UID | Do not set the Proxy user's Unix Password. SQL Server string password | Do not assign the proxy user a LeasePak Security Record.
Note the following values for setting up Hosted Non-Administrative Users
Type | Name | OS Acct? | DBMS Acct? | UID | Password | Notes
Regular User | | no | no | none | RSC string password | Add LeasePak Security Record in ; Set Account Type to Regular User
Report User | | no | no | none | RSC string password | Add LeasePak Security Record in ; Set Account Type to Report User
Partial Update User | | no | no | none | RSC string password | Add LeasePak Security Record in ; Set Account Type to Partial Upd. User
Creating Non-Administrative Users
Overview of New Account Setup Process
Topics
- Environments
- production environment
- test environment
- visitor environment
- setup_new_env
- Hosts
- dbms host
- application host
- LLDB
- LLDB properties
- database type
- database owner
- database system
- database server
- LeasePak
- LeasePak instance
- SETUP
- Dedicated Port
- Shared Port
- General
- Users & Roles
- LeasePak administrative users
- LeasePak Supervisor
- $NSTADMIN
- LeasePak release administrator
- $NSTDBA
- LeasePak database administrator
- $SRVADM
- Database Server Administrator
- DBO
- LeasePak non-administrative users
- Regular user
- Restricted user
- Report user
- Partial update user
- Proxy User
- Hosted User
- Naming convention
- Loose convention
- Strict convention
Understanding and properly managing LeasePak's user accounts is an essential part of successfully implementing LeasePak.
The process for creating non-administrative users is straightforward, and very similar from one user-type to another. This section explains the common process, and also covers the places where the processes for the different user-types diverge.
Where the differences show up is between Dedicated Users and Hosted Users. The dedicated user has his or her own Unix UID, Unix password, DBMS account, and DBMS password, plus a security record in the LLDB. The hosted user has only a security record in the LLDB. The other features just listed are provided by the Proxy User and shared among all hosted users. This eliminates the need for several of the below commands in a shared user implementation.
The commands marked with a dagger (†) are not needed for hosted user administration.
The various commands cited below are explained in some detail in User Administration Commands.
The LeasePak user account user name is used in all LeasePak contexts without variation, therefore the name must be a legal user name in each of those contexts. The single client string password is used (sometimes in hashed, or "translated", form) in all of those contexts, which are:
-
Select a LeasePak user name and an initial client string password for the user. The string must be between 6 and 8 characters in length and conform to site password policies. The System Administrator or the LeasePak Supervisor can change this client string (and the translated passwords with it) later through the LeasePak client function.
-
Use to determine the translated passwords based on the client string password. For dedicated users, note the Unix string password for the application host and the DBMS host, and note the SQL server string password for the DBMS. For hosted users, note the RSC string password. (lease /util 112)
-
† Create an application host account for the dedicated user using a command like useradd. Use the selected user name and the $NSTGROUP, and set the password to the Unix string password obtained from Utility 112. (useradd, passwd)
-
† The Unix string password must be used on every OS user account for that user regardless of host.
-
† Create a DBMS user for the dedicated user under each installed database system. Use the selected user name, the DBMS group msi, and set the password to the SQL server string password obtained from Utility 112. (db_add_login)
-
† Add the dedicated user to the LeasePak Logical Database associated with the desired environment. (db_add_user)
-
† If the dedicated user is to have shell access, modify the user's .login and .profile files to read the .lplogin and .lpprofile, or use the sample.login and sample.profile files copied over from the $live/lib directory. (LeasePak startup files)
-
† Copy the .lplogin and .lpprofile files from the appropriate environment's $top/env/env-name/etc directory to the dedicated user's home directory. (change_env)
-
† Find out relevant LeasePak information about the current shell session. (whatami)
-
Add a LeasePak security record to the LLDB:
IMPORTANT NOTE
LeasePak Security Records vs. lease /util 108
It is very important to understand the difference between the "mainstream" user security record maintenance update, and the non-graphical lease /util 108 utility. The utility option creates a user security record with all LeasePak options that are available under the site's license enabled for that user. The user then is essentially omnipotent, which is usually undesirable. offers much finer control over user capabilities.
The user security record created by has typically no menu options enabled, default values everywhere else, and is not a user who can actually perform any business functions until the LeasePak supervisor sets up his or her privileges.
Over the history of LeasePak, many sites have used lease /util 108 improperly to set up regular users, and found themselves with over-enabled users in possession of too much access, leading to errors and audit issues.
It is for this reason that access to lease /util 108 requires an additional Password of the Day that can be obtained by contacting the NetSol Help Desk. The user is advised to use lease /util 108 only once to set up a template LeasePak Supervisor. The supervisor can then clone his or her own record and use it as a means of producing additional templates of users to be themselves cloned to provide security records for staff. This results in a major improvement in uniformity of user capabilities and IT accountability for the LeasePak-enabled enterprise.