We are creating users on UMP (Portal) to allow access to the Dashboards, and also creating users on IM (Infrastructure Manager). We had some trouble understanding how users could access the Admin Console/IM and the portlets (on UMP).
We were following the guidelines given by these articles:
However this does not seem to be quite right...
If we create a user at the IM interface (Infrastructure Manager), we usually aren't able to log in to UMP with it.
However, if we create a profile and assign it to the username, we are able to log in to UMP using that username.
Why does this happen? Is it supposed to?
This is what we expected:
However, even this way, we cannot log in to UMP with a user created on IM (unless it is an LDAP user).
Only by adding a "profile" are we able to do it.
What is the purpose of the profile?
Note: We're using UIM 8.5
Is this what you are talking about?
> Every time I create a user via IM, the user is unable to log on to UMP until the user logs on to IM at least one time.
Your understanding is not quite right. Let me explain...
> Users created on IM (or Admin Console) are not seen on UMP (Configuration->Accounts)
This is correct.
> Users created on IM (or Admin Console) shouldn't be able to login to UMP (only to Admin Console), unless a checkbox is selected on the "manage ACL" (IM) to "Make ACL Permissions available for Account/Contacts".
This is NOT correct. IM users will be able to log in to UMP (in the same way as the Administrator user can).
> Users created on IM could be linked to Accounts (defined on UMP), by using the "Set Account Link" button
This is not correct. IM users cannot be linked to accounts, but they can share ACLs used by accounts (for testing). The Set Account Link is for the LDAP integration:
The Account Link field associates an LDAP group with a specific account. If the Account Link field is left blank, members of the LDAP group can view data according to their permissions for all accounts. If an account is specified in the Account Link field, LDAP group members will only have permissions to view data for their specific account.
If you have configured the LDAP configuration, maybe your LDAP users are of the format "firstname.lastname@example.org" and you may have changed the accepted format. In that case your IM users will need to be in the same format to log in to UMP, i.e. with an "@" sign in the username.
Hope this helps.
As Rowan said, any bus user, if the ACL assigned to it has enough permissions, should be able to log in to UMP without any additional action, regardless of the "Make ACL Permissions available for Account/Contacts" option.
If a newly created bus user cannot log in to UMP, you have something going on.
Apart from checking whether you have changed the login format, as Rowan suggests, check this: once you have created a bus user, are you closing the User Administration IM window before testing the login? If you don't close it, the security.cfg (where the user is stored) is not updated until then, and UMP does not find your user when you try to log in.
We are currently not using LDAP users - we plan to use them in the near future.
After doing some tests we were able to log in to UMP with users created on IM. We had to close the User Administration window (IM) before attempting. However, it only worked for users with lower-case letters.
Users with uppercase letters (username) failed to authenticate on UMP (but not on IM).
Is this standard behaviour as well?
By the way, Rowan said that Account Link could only be used for LDAP users. Does this mean that local IM users have no restrictions when logging in to the UMP, since they are not linked to a UMP Account?
Thank you all for your help
Hope it helps. UMP doc says that uppercase does not work.
Troubleshooting UMP - CA Unified Infrastructure Management - 8.5.1 - CA Technologies Documentation: https://docops.ca.com/ca-unified-infrastructure-management/8-5-1/en/troubleshooting/troubleshooting-ump
Note - IM users have all account (origin) access.
In the CA UIM world, an account is created based on origin, which is a term for a tag on data that can be used for data visibility partitioning. This is used to prevent a user in tenant A from seeing data in tenant B.