Orchestrator Users

Use the Orchestrator Users dialog box to:

  • Manage who has Read-Write or Read-Only access to Orchestrator.

  • Select whether to enforce enhanced password criteria for all users.

    You can enforce enhanced password criteria for all users and select the password properties you want to enforce. New password criteria were added, and existing criteria were enhanced to comply with enterprise security standards. The following graphic highlights new features including the link to enforce enhanced password requirements and the Last Login Time and Password Expire Time columns.

img

Enforce Password Criteria and Set Password Requirements

To enforce the enhanced password criteria and set password requirements, you must modify the Orchestrator Advanced Properties. The ability to modify Orchestrator Advanced Properties depends on your Orchestrator deployment.

  • Self-hosted/on-prem Orchestrator users can edit the Orchestrator Advanced Properties using the following instructions. You must restart Orchestrator to activate certain Orchestrator Advanced Properties changes.

  • Orchestrator-as-a-Service (OaaS) users must open a TAC case to request changes to the Orchestrator Advanced Properties. TAC must also restart OaaS to activate Orchestrator Advanced Properties changes.

To enforce enhanced password criteria for all users and set password requirements:

  1. Click the Click Here link (to enforce password security) at the top of the Orchestrator Users dialog box.

    The Orchestrator Advanced Properties dialog box opens.

    WARNING: Use caution when modifying Orchestrator Advanced Properties. Verify your changes before applying them.

  2. Set the following password property values as necessary:

    TIP: Enter “password” in the search field and press Enter to display the password properties.

    Each password property is listed with its description and whether enforcePasswordCriteria must be set to true for the property to take effect.

    user.passwordMinLen
      Minimum number of characters for the password. Allowable range: 8-64. The default setting is 8.
      enforcePasswordCriteria required: No

    useLowercaseLetterInPassword
      Indicates whether a lowercase letter is required in the password. Enter true or false. The default setting is true.
      enforcePasswordCriteria required: Yes*

    enforcePasswordCriteria
      Indicates whether to enforce password criteria for Orchestrator users. Enter true or false. The default setting is false for both upgraded and new Orchestrators.
      IMPORTANT: If enforcePasswordCriteria is set to true, you cannot revert to false.
      enforcePasswordCriteria required: NA**

    useSpecialSymbolInPassword
      Indicates whether a special character is required in the password. Enter true or false. The default setting is true.
      enforcePasswordCriteria required: Yes*

    user.passwordFailedThreshold
      Number of failed login attempts allowed from a given source IP address. The default is 4 attempts. When this threshold is exceeded, Orchestrator locks out the source IP address from further login attempts for the lockout duration, which is 5 minutes by default.
      You can modify the lockout duration by changing the resetTimerForFailedLoginAttempts(mins) login property in step 4 below.
      enforcePasswordCriteria required: No

    passwordHistoryCount
      Number of previous passwords to store for the user to ensure passwords are not repeated. Allowable range: 4-8. The default setting is 8.
      enforcePasswordCriteria required: Yes

    passwordExpireDays
      Number of days before the password expires. Allowable range: 30-360. The default setting is 90.
      If enforcePasswordCriteria is set to true, the user’s password expires based on the value configured for passwordExpireDays; otherwise the password does not expire.
      enforcePasswordCriteria required: Yes

    notifyPasswordExpiryDays
      Number of days before a password expires to notify the user of the upcoming expiration. Allowable range: 5-30. The default setting is 7.
      Orchestrator displays a popup when the user logs in within the configured number of days.
      enforcePasswordCriteria required: Yes

    useUppercaseLetterInPassword
      Indicates whether an uppercase letter is required in the password. Enter true or false. The default setting is true.
      enforcePasswordCriteria required: Yes*

    useDigitInPassword
      Indicates whether a number is required in the password. Enter true or false. The default setting is true.
      enforcePasswordCriteria required: Yes*

    userInactiveDays
      Indicates whether to delete the user after a specified number of inactive days. Enter a value of 0 or a number in the range of 30-360. A value of 0 indicates that the user deletion setting is not activated. The default value is 0.
      enforcePasswordCriteria required: Yes

    * If enforcePasswordCriteria is set to false, passwords require at least one uppercase letter, one lowercase letter, a number, and a special character.

    ** Enforcement of the Password Settings template is dependent on the enforcePasswordCriteria property. If the enforcePasswordCriteria field on the Orchestrator Advanced Properties is set to false, the Password Settings template will not be applied. See Password Settings Template for more information.

  3. Click Apply.

  4. Set the following login property values as necessary.

    TIP: Enter “login” in the search field and press Enter to display the login properties.

    Each login property is listed with its description and whether enforcePasswordCriteria must be set to true for the property to take effect.

    failedLoginAttemptThreshold
      Orchestrator issues an alarm when the number of unsuccessful login attempts from any IP address reaches this threshold within the number of minutes set by the resetTimerForFailedLoginAttempts(mins) login property.
      The threshold counter resets when a successful login occurs or when no login attempts occur within the lockout duration, which is set using resetTimerForFailedLoginAttempts(mins).
      enforcePasswordCriteria required: No

    resetTimerForFailedLoginAttempts(mins)
      Lockout duration in minutes for a given source IP address. The default is 5 minutes.
      enforcePasswordCriteria required: No

  5. Click Apply.

  6. Click Close.

  7. If you are using on-prem Orchestrator, activate the Orchestrator Advanced Properties changes yourself: open an SSH session and restart Orchestrator with the following CLI command:

    systemctl restart gms
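The password properties from step 2, modelled as an added Python example (not Orchestrator code) so that the interactions are visible: the property names and defaults are the ones in the table above; the assumption that the four character classes are mandatory while enforcePasswordCriteria is false, and follow their own properties once it is true, is my reading of footnote (*).

```python
import string

# Defaults copied from the property table above; override any of them per call.
DEFAULTS = {
    "enforcePasswordCriteria": False,
    "user.passwordMinLen": 8,
    "useUppercaseLetterInPassword": True,
    "useLowercaseLetterInPassword": True,
    "useDigitInPassword": True,
    "useSpecialSymbolInPassword": True,
    "passwordHistoryCount": 8,
    "passwordExpireDays": 90,
    "notifyPasswordExpiryDays": 7,
}

# property -> (single-character predicate, wording used in the error message)
CLASS_CHECKS = {
    "useUppercaseLetterInPassword": (str.isupper, "an uppercase letter"),
    "useLowercaseLetterInPassword": (str.islower, "a lowercase letter"),
    "useDigitInPassword": (str.isdigit, "a digit"),
    "useSpecialSymbolInPassword": (lambda c: c in string.punctuation, "a special character"),
}

def check_password(candidate, history, props=None):
    """Return the violated rules for a new password (empty list means accepted).
    history: the user's previous passwords, newest first.
    Assumed reading of the table: the minimum length always applies ("No"); the
    character classes are mandatory while enforcePasswordCriteria is false
    (footnote *) and follow their properties once true; history applies only
    when enforcePasswordCriteria is true ("Yes")."""
    p = {**DEFAULTS, **(props or {})}
    enforced = p["enforcePasswordCriteria"]
    errors = []
    if len(candidate) < p["user.passwordMinLen"]:
        errors.append(f"needs at least {p['user.passwordMinLen']} characters")
    for prop, (pred, what) in CLASS_CHECKS.items():
        if (not enforced or p[prop]) and not any(pred(c) for c in candidate):
            errors.append(f"needs {what}")
    if enforced and candidate in history[: p["passwordHistoryCount"]]:
        errors.append(f"matches one of the last {p['passwordHistoryCount']} passwords")
    return errors

def expiry_state(days_since_set, props=None):
    """'never' while enforcePasswordCriteria is false (passwords do not expire);
    otherwise 'expired', 'notify' (within notifyPasswordExpiryDays of expiry,
    when the login popup appears) or 'ok'."""
    p = {**DEFAULTS, **(props or {})}
    if not p["enforcePasswordCriteria"]:
        return "never"
    remaining = p["passwordExpireDays"] - days_since_set
    if remaining <= 0:
        return "expired"
    return "notify" if remaining <= p["notifyPasswordExpiryDays"] else "ok"
```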

Add a User

  • Users can have either Read-Write or Read-Only privileges.

  • Multi-Factor Authentication (MFA) is mandatory for OaaS Orchestrator users. For on-premises Orchestrator users, MFA is optional but strongly recommended.

  • A username cannot be more than 512 characters long.

    NOTE: You cannot modify a Username. You must delete it and create a new user.

  1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > Orchestrator Users.

  2. Click Add.

    The Add User dialog box opens.

  3. Complete the fields and click Add.

  4. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > Role Based Access Control and grant the user the proper authorization. See Role Based Access Control.

Multi-Factor Authentication

Orchestrators support Multi-Factor Authentication (MFA) on all platforms, including cloud and on-premises versions. For cloud versions of Orchestrator, MFA is required. For on-premises deployments, MFA is available but not required.

The first step in authentication is always username/password. For added security, users can choose between application- or email-based authentication, as described below.

NOTE: Only users whose role is assigned Read-Write privilege for Orchestrator Users can enable or disable MFA for any user.

Configuring Multi-Factor Authentication Through an Application

Orchestrator supports applications that provide time-based keys for two-factor authentication and are compliant with RFC 4226 / RFC 6238. Google Authenticator is one such app. The example below uses Google Authenticator on a mobile phone. You can also use a desktop version.

To enable MFA through an application:

  1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > Orchestrator Users, and then click your username.

  2. In the Two Factor field, select Application. Orchestrator generates a time-limited QR code.

    img

  3. In the Google Authenticator app, use the Scan barcode function to read the QR code. You will be prompted to enter your Orchestrator username and password.

    Here you can see Google Authenticator with the new account added for the Orchestrator.

    img

Configuring Multi-Factor Authentication Through Email

To enable MFA through email:

  1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > Orchestrator Users, and then click your username.

  2. In the Two Factor field, select Email, and then enter your email address.

    If an invalid email address is entered, the account could be locked out and would require password reset procedures.

  3. Click Add. Orchestrator sends a time-limited authentication code to your email address. To verify your email address, click the link in that email.

    Orchestrator then opens a browser window telling you that your email address has been verified.

Using Multi-Factor Authentication

After MFA is configured, every login requires two steps: entering the username/password and entering the current token.

Based on the authentication method you choose, do one of the following:

  • Use the current token from the Google Authenticator (or other) app.

  • Use the code you receive in email.

In both cases, the codes have a specific expiration time.

img

Modify a User

  1. Navigate to Orchestrator > Orchestrator Server > Users & Authentication > Orchestrator Users.

  2. Click the edit icon for the user you want to modify.

    The Modify User dialog box opens.

    img

  3. You can modify the following user fields:

    • User Name is the identifier the user uses to log in, and it cannot be more than 512 characters long.

    • First Name, Last Name, and Phone Number are optional information.

    • Email is required if two-factor authentication is enabled.

    • Two-Factor Authentication is a second step in the login process that requires an authentication code. The code can be obtained in two ways:

      • Using an authentication application that generates time-based authentication codes. If this is activated, Orchestrator generates a barcode that can be scanned to set up an authentication app like Google Authenticator for your mobile device.

      • Using your email to receive authentication codes every time you log in. This requires access to your email every time you log in.

    • Password is used at login.

    • Status determines whether the user can log in.

    • Role determines the user’s permissions.