User permission levels are assigned manually to the user accounts created on the library. Controlling access to the library, and the operations performed on it, preserves the integrity of the library and its data.
Once a user account has been created, an administrator can modify account settings such as the password and role. The user name cannot be modified; instead, delete the user account and create a new one.
The library defines three types of roles:
Admin: Has access to all library configuration and operational features and can set up user and administrator accounts. The library ships with a default administrator account.
The user name for the default administrator account is admin and the password is password. You cannot modify or delete the user name for the default administrator account, but you can modify the password.
User: Has access to one or more assigned partitions and can perform operations within a partition. A user cannot make configuration changes and is restricted to operations only.
Service: Has access to the same features as an administrator, except user access configuration. Each library has only one service account.
A 15-minute lockout occurs after a user fails to log in 5 times within a 5-minute period.
Note: The library does not track the failed login count or the lockout time across a library power cycle or reboot.
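The lockout rule above, modelled as an added example (not Quantum's code): five failures inside a sliding 5-minute window lock the account for 15 minutes, and, as the note says, the state is purely in-memory, so a reboot discards it. Time is passed in as a Unix timestamp so the behaviour can be checked without waiting.

```python
# Added example (not Quantum's code): models the library's documented lockout
# rule. Counters live only in memory, mirroring the note that a power cycle or
# reboot does not preserve the failed-login count or the lockout time.
from collections import defaultdict, deque

FAIL_LIMIT = 5          # failed logins that trigger a lockout
FAIL_WINDOW = 5 * 60    # seconds over which failures are counted
LOCKOUT = 15 * 60       # seconds the account stays locked


class LockoutTracker:
    """Per-user failure window and lockout expiry, keyed by user name."""

    def __init__(self):
        self._failures = defaultdict(deque)   # user -> timestamps of failures
        self._locked_until = {}               # user -> time the lockout ends

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the next attempt starts fresh.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed login; return True if this failure locks the account."""
        window = self._failures[user]
        window.append(now)
        # Forget failures older than the 5-minute window.
        while window and now - window[0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= FAIL_LIMIT:
            self._locked_until[user] = now + LOCKOUT
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)

    def reboot(self):
        """A library power cycle or reboot discards every counter and lockout."""
        self._failures.clear()
        self._locked_until.clear()
```

A caller checks `is_locked()` before validating credentials and calls `record_failure()` or `record_success()` afterwards.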
Displays a list of all users created for the library.
Detail | Description |
---|---|
Name | User name. |
Role | Role assigned to the user (Admin, User, Service). |
Sessions | Number of library sessions the user is currently logged into. |
LDAP Login | LDAP user (yes or no). |
Lists the details of the user highlighted in the north panel.
Information | |
---|---|
Detail | Description |
Name | User name. |
Role | Role assigned to the user (Admin, User, Service). |
Sessions | Number of library sessions the user is currently logged into. |
LDAP Login | LDAP user (yes or no). |
Shows configuration details for the user, admin, and service user roles.
Access Configuration - User/Admin | |
---|---|
Detail | Description |
LUI Access | Login status of the Local User Interface (LUI): open access, password required, or PIN required. |
LDAP Support | LDAP enabled or disabled. |
Session Timeout | Amount of time a user must be inactive before the session is ended. |
Multi Factor Authentication | MFA enabled or disabled. |
Access Configuration - Service | |
---|---|
Detail | Description |
License | Service license active or inactive. |
Remote Access | Service remote login access is enabled or disabled. |
Remote Access - Access Window | Time period a service user has to log in remotely before access is disabled. |
Remote Access - Access Grant | Timestamp when the service remote login access window began. |
Local Access | Local service port login access is enabled or disabled. |
Local Access - Access Window | Time period a service user has to log in to the local service port before access is disabled. |
Local Access - Access Grant | Timestamp when the local service port access window began. |
Provides options for user configuration and operations.
Operations | |
---|---|
Configuration | |
Add | Allows you to set up a user. |
Modify | Allows you to modify a user. System-configured users are not available for modification. |
Delete | Allows you to delete a user. System-configured users are not available for deletion. |
LDAP | Allows you to set up Lightweight Directory Access Protocol (LDAP). LDAP can be used to authenticate user credentials and assign access levels to the system. |
Rights | Allows you to set up which partitions a user can access. |
Settings | Allows you to configure system-wide user details. This includes the session timeout, service access, and user access to the library's LUI. |
MFA | Allows you to set up multi-factor authentication (MFA). MFA requires a user to enter a password and an authentication code to access the system. |
Actions | |
End Session | Allows you to manually end a user session. |
You can add two types of users: user and administrator. Administrators have access to all features and functions, while users have some restrictions on what they can configure.
In the Operations panel, click Modify.
Item | Description | Action |
---|---|---|
User Name | Users assigned the admin role can change the user name. Users assigned the user role cannot edit it. If you want to change this field, you must delete the user profile and create a new one. | If the user role is admin, modify the user name. |
Role | Allows an admin to select the type of role. | Select the desired role from the drop-down menu. |
Password | Allows a user or admin to change a password. Passwords must be at least 8 characters and cannot use special characters. | Enter text. |
Confirm Password | | Re-enter text. |
Click Apply to save your settings.
Click Close to exit the window.
Lightweight Directory Access Protocol (LDAP) is an industry-standard Internet protocol that provides centralized user account management. The library supports LDAP directory servers based on Microsoft Active Directory and Novell eDirectory. You can configure LDAP settings at any time after the initial library configuration. Once LDAP is enabled and configured, you can use the LDAP menu to view the current LDAP settings.
Note: Active Directory no longer requires Windows Services for UNIX 2.5.
LDAP and AD Terms
Common Name (CN)
An attribute commonly used to identify the name of an Organizational Unit (OU).
Example
The SysAdmin group would have cn=sysadmin.
Domain Component (DC)
The domain of the directory, which often identifies the organization or company.
Example
Mycompany.com would have a domain of dc=mycompany,dc=com.
Distinguished Name (DN)
A pathway that tells LDAP where information is stored in its directory. LDAP reads the pathway from right to left, with the rightmost components providing the domain of the directory and the leftmost component providing the information LDAP is looking for.
Organizational Unit (OU)
A component used to organize information into a hierarchical structure. OUs can be used at multiple levels within the LDAP or AD directory, for example to act as a larger group bucket that then holds individual group OUs.
Enabling LDAP allows existing user accounts residing on an LDAP server to be integrated into the library's current user account management subsystem. User account information is centralized and shared by different applications, simplifying user account management tasks.
The remote client and operator panel do not allow you to create, modify, or delete user account information on an LDAP server. This must be done through the directory service provider.
For LDAP accounts with user privileges:
Note: User names and group objects must be in LDAP Distinguished Name format.
For OpenLDAP 2.4:
In the Operations panel, click LDAP.
Item | Description | Action |
---|---|---|
Enable LDAP | Activates the LDAP setting fields. Note: Disabling LDAP will not cause you to lose any entered and saved settings. If you need to change any settings prior to re-enabling LDAP, you will need to enter the necessary changes in each field. | Select the check box to enable LDAP. Deselect the check box to disable LDAP. |
Primary Server | Allows you to enter the address of the server that is accessed first for user LDAP information. | Enter text. |
Alternate Server | Allows you to enter the address of the server that is accessed for user LDAP information if the primary server is unavailable. | Enter text. |
LDAP Port | Basic connection type. Default port is 389. | Select the radio button. |
LDAPS Port | Secure connection type. Default port is 636. | Select the radio button. |
StartTLS Port | Default port is 389. | Select the radio button. |
Principal | The user name of a user with permission to search for users attempting to log in with LDAP. | Enter text. |
Password | The principal's password. | Enter text. |
Confirm Password | | Re-enter text. |
User DN | A fully qualified LDAP DN (distinguished name) used as the base for searching user login credentials. Users are searched for in the specified context and all contexts below it. | Click the + to enter the user DN. |
Group DN | Use this field to search for and discover which groups a user is a member of. Only groups in the group context are considered for library access. | Enter text. |
User Group | The group associated with library users. Users belonging to the library user access group are granted user-level permissions to access the library. For user-managed partitions, the user must also be a member of a user group whose name is the same as the library partition in question. | Enter text. Note: You can provide only the Common Name (CN) value for this search value. |
Admin Group | The group associated with the library administrator, equivalent to the local administrative user privilege level. Any member of this group has administrative privileges. | Enter text. Note: You can provide only the Common Name (CN) value for this search value. |
Note: Non-admin library users also need to be members of the groups that match the partition names for which they are granted access. These group names do not need to be specifically listed anywhere in the LDAP setup on the library. When user logins are validated during login, their group memberships for partition access are validated automatically.
Click Apply to save your settings.
Click Close to exit the window.
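The DN conventions from the glossary above and the group rules from the LDAP table (admin group grants administrative privileges, user group grants user-level access, and a user must also belong to a group named after each partition they may reach) combined into one added example; this is not Quantum's code. It assumes the library compares groups by CN only, as the table notes, and that an administrative account is not partition-restricted; the group and partition names are constructed sample values.

```python
# Added example (not Quantum's code): DN parsing as the glossary describes
# (read right to left; DC components give the domain; the leftmost RDN names
# the object) and the library's documented group-to-role rules.
# Simplification: RDN values containing escaped commas are not handled.

def parse_dn(dn):
    """'cn=sysadmin,ou=groups,dc=mycompany,dc=com' -> [(attr, value), ...]"""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def domain_of(dn):
    """Rightmost DC components, joined in order, give the directory's domain."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")

def common_name(dn):
    """Leftmost RDN is the object LDAP is looking for; return its CN, if any."""
    attr, value = parse_dn(dn)[0]
    return value if attr == "cn" else None

def resolve_access(member_of, admin_group_cn, user_group_cn, partitions):
    """Return (role, accessible partitions) for a user's group DNs.

    Only the CN of the admin and user groups is configured on the library,
    so membership is compared by CN, case-insensitively.
    """
    cns = {common_name(dn).lower() for dn in member_of if common_name(dn)}
    if admin_group_cn.lower() in cns:
        # Assumption: administrative privilege is not partition-restricted.
        return "Admin", set(partitions)
    if user_group_cn.lower() in cns:
        # User-level access, but only to partitions that share a group name.
        return "User", {p for p in partitions if p.lower() in cns}
    return None, set()    # partition groups alone grant no library access
```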
Because LDAP communications are not encrypted by default, you may want to use LDAPS for greater security. You can do this by using an SSL certificate to secure all LDAP data transfers.
Select the Certificate tab.
Item | Description | Action |
---|---|---|
Certificate Name | Displays the LDAPS certificate name. | Click Browse to navigate to where the LDAPS certificate is located. |
Click Apply to save your settings.
The Certificate Install Summary contains the following information about the loaded LDAP certificate:
Item | Description |
---|---|
Type | Specifies the certificate type. Types include server, root, and client. |
Validity | Time period the certificate is valid for. |
Status | Valid or invalid. |
Details | Contains information about the certificate issuer, such as organization name, location, and contact information. |
Click Close to exit the window.
When setting up LDAP you may want to test your settings to ensure they work properly. On the Test tab, you can test a specific user or the configuration settings.
Note: The Test tab is only available when Enable LDAP is selected.
This window allows an administrator to configure partition-specific access restrictions for each user.
In the Operations panel, click Rights.
Item | Description | Action |
---|---|---|
Partition Access | Displays a list of available partitions. | Select the check box next to a partition to enable media access. Clear the check box next to a partition to disable media access. |
Media Restrictions | Lists the five (5) types of access to media for the partition. Note: User restrictions on partition access are not currently active. | Select the check box for each type of media access you want the user to have. |
Click Apply to save your settings.
Click Close to exit the window.
This window allows you to set up specific access properties for the three user roles that can access your library: user, administrator, and service.
In the Operations panel, click Settings.
Item | Description | Action |
---|---|---|
Local User Interface Access | Allows you to decide how you want users to access the library: open access, password required, or PIN required. | Select the desired radio button. If PIN Required is selected, enter the number you want to use. |
Session Timeout | Allows you to set the amount of time a user must be inactive before the session is ended. This timeout applies to both admin and user accounts. | Select the desired value from the drop-down menu. |
Service Access - Enable Remote and Service Port Login | Service users have different capabilities that allow them to troubleshoot and repair library functions. This area allows you to set how you want Quantum service technicians to access the library. Enable Remote Login - allows a service user to access your library remotely. You can set the access window from Indefinite to 72 hours. A service user will automatically be logged out after 4 hours of inactivity. Note: Enable Remote Login is disabled by default in library firmware 250 and above. Enable Local Service Port Login - allows a service user to access the library only if they are on site and plugged into the library service port. You can set the access window from Indefinite to 72 hours. A service user will automatically be logged out after 4 hours of inactivity. | |
Service Access - Access Window | The access window determines the time period a service user has to successfully use an enabled remote login or service port before access is disabled again. The time period begins once the service enablement is applied. | Select the desired service access time from the drop-down menu. |
Click Apply to save your settings.
Click Close to exit the window.
Multi-factor authentication (MFA) is an authentication method that requires the successful entry of a password and an authentication code before access to the library is allowed.
The authentication code is a temporary password generated by a Time-based One-Time Password (TOTP) algorithm. A user generates authentication codes using an authenticator application on a client device.
Authentication Client Device
MFA requires an authenticator application to be downloaded onto a client device, such as your mobile phone. Once installed, the authenticator application is validated with a shared secret code generated by the library. The authenticator application then generates the authentication codes that allow a user to log into the library and administrators to enable and disable MFA.
Authentication codes are single-use and time-limited to 90 seconds.
Additional Information
Quantum strongly advises turning off remote service login. A service user is never required to use MFA. Leaving the remote service login enabled is a security risk. To disable remote service login, see User Access Settings.
If a new user needs access to the library, the library administrator creates a new user (see Add a User). The new user then logs into the library using the User Name and default Password created by the administrator.
After the new user logs on, a dialog box appears containing a shared secret code in numerical and QR code format:
The new user must do the following:
Using the authenticator application, the new user enters an Authentication Code and clicks Apply. The Password Change Request dialog box appears, prompting the new user to change the default password.
After a current user logs on, a dialog box appears containing the shared secret code in numerical and QR code format.
The current user must do the following:
Using the authenticator application, the current user enters an Authentication Code and clicks Apply to complete the login.
If a user loses the client device (such as a mobile phone) with the authenticator application installed, the administrator will need to delete the user and create a new user profile.
If an administrator loses the client device (such as a mobile phone) with the authenticator application installed, the administrator can use the Local User Interface (LUI) to disable MFA and regain access to the library. The Disable MFA function is located at Admin > Maintenance > Library > Disable MFA on the LUI.
A service user does not require authentication. If MFA is enabled, there are two options for the service user to access the library:
In the Operations panel, click MFA.
Select the Enable Multi-Factor Authentication check box. The Time-based One-Time Password (TOTP) option is selected and a shared secret code is generated by the library. The shared secret appears in the Shared Secret box in numerical and QR code format.
If you have not already done so, download an authenticator application to a client device.
Open the authenticator application on the client device. Scan the QR code or enter the shared secret code generated by the library in step 3. The authenticator application now generates a 6-digit authentication code that changes every 30 seconds.
Enter the 6-digit authentication code generated by the authenticator application in the Authentication Code field.
Note: The authentication code must be entered and applied within 90 seconds of being generated by the authenticator application. If more than 90 seconds have passed, you must generate a new authentication code to successfully enable MFA.
Click Apply. MFA is now enabled on the library. All subsequent login requests will be required to configure MFA and provide the additional authentication code during system login attempts.
To access the library, users now have to enter an authentication code in addition to their user name and password.
In the Operations panel, click MFA.
Disabling MFA requires an authentication code generated by the authenticator application. Enter the 6-digit authentication code generated by the authenticator application in the Authentication Code field.
Note: The authentication code must be entered and applied within 90 seconds of being generated by the authenticator application. If more than 90 seconds have passed, you must generate a new authentication code to successfully disable MFA.
An administrator can use this window to end a user session.
6-68528-01 | Initial publication date: Wednesday, November 15, 2016 | Last updated on Thursday, September 10, 2020.