Access to the Legacy Orchestrator web user interface and web services is controlled by means of user accounts and user roles. System administrators manage user accounts and must assign a user role to each account. Each role has a predefined set of permissions.

Legacy Orchestrator users can be authenticated by a RADIUS system. To learn how RADIUS authentication can be used with Legacy Orchestrator, see "Configuring User Authentication".

Viewing User Accounts

Administrators can view and manage web user accounts in the Admin ▶ Users page. This page displays a list of all users with access to the Legacy Orchestrator web interface.

Figure: Users page (screenshot)

Note: Legacy Orchestrator includes a default user (called admin) with ADMIN permissions. For more information about the default admin user, see "About the Default Admin User".

The following table explains the information displayed for each account in the Users page.

User Account Information (Admin ▶ Users)

Name: User name associated with the account.
Type: User roles assigned to the user account. Each user role has a predefined set of permissions. These roles are called "Local roles" because they are defined in Legacy Orchestrator. A Legacy Orchestrator user can have multiple roles; for example, a user that will use the REST API needs ROLE_WS in addition to a role such as ROLE_ADMIN, which does not by itself include Web Services access. These are the user roles available for local Legacy Orchestrator accounts:
  • ROLE_ADMIN: Has all permissions except for access to the Web Services interface (which requires the ROLE_WS).
  • ROLE_OPERATOR: Has the same permissions as ROLE_ADMIN except for the functions in the Administration page, the Configuration Flow Profiles page, and the Network Partition page.
  • ROLE_VIEWER: Can only view configuration information. Cannot configure anything. Cannot view the Administration page or the Configuration Flow Profiles page.
  • ROLE_FW_MGMT: Can only access the Backup & Restore and Firmware pages.
  • ROLE_WS: Required to use the REST API or the XML Export Interface. Can only connect to Legacy Orchestrator via its Web Services (WS) interface. Allows another system, such as an Operations Support System (OSS), to connect directly to Legacy Orchestrator. Does not have access to the Legacy Orchestrator web user interface.

    Note: Legacy Orchestrator allows users to be authenticated by a RADIUS system. To learn more about how user roles are handled when RADIUS authentication is used, see "Configuring RADIUS to Send User Roles".

Lock state: Indicates whether or not the user is currently locked out of Legacy Orchestrator. Possible values:
  • false: The user is not locked out.
  • true: The user is locked out.

You can unlock a user by double-clicking the user in the list and checking the Unlock user box in the User configuration dialog. For more information about password policy and user lockout, see "Editing Security Settings Related to User Accounts".

User Type: Indicates the authentication system in which the user account is defined. Possible values:
  • LOCAL: A user account that is defined locally in Legacy Orchestrator.
  • RADIUS: A user account that is defined in a RADIUS system.

    Note: The local roles of a RADIUS user are always blank. These users obtain their roles from RADIUS.

Last login: Indicates the authentication method, role and IP address that were used the last time the user logged in successfully.
Last login time: Timestamp of the user's last successful login.

Adding and Editing User Accounts

System administrators (user accounts with ROLE_ADMIN) can add and edit user accounts for Legacy Orchestrator.

To set up a user account

  1. Select Admin ▶ Users to view the list of all user accounts for Legacy Orchestrator.

  2. Click the Add button (above the list) to add an account, or double-click an existing account to edit it.
    The User configuration dialog is displayed.

  3. Complete or update the user settings as required.

  4. Click Apply.

For more information on specific parameters, see the following table.

User Configuration dialog (Admin ▶ Users)

Username: Name of the user account.
New password: The user password. Passwords can be up to 64 characters long. For information about password policies, see "Editing Security Settings Related to User Accounts" and "About Password Policies".
Confirm password: Confirmation of the user password.
Change password at next login: Check this box to force the user to change their password the next time they log in to Legacy Orchestrator.
Unlock user: Check this box to unlock the user if they were locked out because of a password policy issue. For more information about password policy, see "Editing Security Settings Related to User Accounts".
Role: The role assigned to this user. The following user roles are available:
  • ROLE_ADMIN: Has all permissions except for access to the Web Services interface (which requires the ROLE_WS).
  • ROLE_OPERATOR: Has the same permissions as ROLE_ADMIN except for the functions in the Administration page, the Configuration Flow Profiles page, and the Network Partition page.
  • ROLE_VIEWER: Can only view configuration information. Cannot configure anything. Cannot view the Administration page or the Configuration Flow Profiles page.
  • ROLE_FW_MGMT: Can only access the Backup & Restore and Firmware pages.
  • ROLE_WS: Required to use the REST API or the XML Export Interface. Can only connect to Legacy Orchestrator via its Web Services (WS) interface. Allows another system, such as an Operations Support System (OSS), to connect directly to Legacy Orchestrator. Does not have access to the Legacy Orchestrator web user interface.
Manager Role: Not supported in this release.
User type: Indicates the type of authentication used to verify a user's credentials when they attempt to log in to the Legacy Orchestrator web interface. The possible values are:
  • LOCAL: Authentication is performed against user accounts defined and stored locally in Legacy Orchestrator.
  • RADIUS: Authentication is based on the RADIUS protocol and is performed against user accounts stored on one or two remote RADIUS servers. These accounts are created automatically by Legacy Orchestrator when it is configured to use RADIUS authentication. You can create a local user account with the same name by changing the type to LOCAL; that account is then authenticated against its locally stored password and local roles rather than against RADIUS. For more information, see "Configuring User Authentication".

Resetting a User Password

System administrators (user accounts with ROLE_ADMIN) can reset the password for a user account.

To reset a user password

  1. Select Admin ▶ Users to view the list of all user accounts defined on Legacy Orchestrator.
  2. Double-click the account whose password you want to reset.
    The User configuration dialog for the selected user is displayed.
  3. Enter the new password in the New password and Confirm password fields.
  4. To force the user to enter a new password the next time they log in, check the Change password at next login checkbox.
  5. Click Apply. The new password is effective immediately.

Deleting a User Account

System administrators (user accounts with ROLE_ADMIN) can delete user accounts for the Legacy Orchestrator web interface.

To delete a user account

  1. Select Admin ▶ Users to view the list of all user accounts defined on Legacy Orchestrator.
  2. Select the user account that you want to delete.
  3. Click the Remove button (above the list) to remove the account.
  4. Click Ok in the confirmation dialog to delete the account permanently.

Editing Security Settings Related to User Accounts

System administrators (user accounts with ROLE_ADMIN) can configure these security features related to user accounts:

  • Password policy
  • User session timeout
  • User lockout after failed login attempts.

To edit the security settings

  1. Select Admin ▶ Users to view the list of all user accounts defined on Legacy Orchestrator.

  2. Click the gear (Settings) icon above the list to open the Security settings dialog.

  3. Change the settings as required. For more information about the settings, see the table below this procedure.

  4. Click Apply to confirm your settings, then click Close.

Users - Security settings dialog (Admin ▶ Users)
Password policy settings

Maximum changes per day: The number of times a user can change their password in one 24-hour period. Possible values: 1, 2, 3.

Password minimum length: The password must contain this number of characters or more. Possible values: 4, 5, 6, 7, 8. Note that 8 is the strongest minimum this dialog allows, so combine it with the character-type policies below.

Upper and lower case: The password must include at least one upper case character and one lower case character.
Digit required: The password must contain at least one character that is a digit.
Leading digit: The first character in the password must be a digit.
Special characters: The password must contain at least one of the following special characters:

! " # $ % & ' ( ) * + , - . / {

Require 3 out of 4 types: If you check this checkbox, the password that the user enters must pass three of the four character policies in order to be accepted:
  • At least one upper case character and one lower case character.
  • First character must be a digit.
  • At least one character is a digit.
  • At least one character must be a special character (listed above in this table).

If you check this box, the checkboxes for the four character policies become unavailable and any that are checked are ignored.

Uncheck this box if you want to choose among the four character policies individually by checking and unchecking their checkboxes.

Password expiration interval: The number of days after which a password expires. When a password expires, the user is required to enter a new one the next time they attempt to log in.
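
The password-policy rules above, as an added example in Python (not Legacy Orchestrator code): a checker that evaluates a candidate password against the dialog settings, including the "Require 3 out of 4 types" interaction, where the individual character-type checkboxes are ignored and at least three of the four tests must pass. The class and function names are this example's own; the special-character set is the one listed in the dialog and the 64-character maximum comes from the User configuration dialog. The stateful settings ("Maximum changes per day" and "Password expiration interval") are not modelled.

```python
"""Checker for the password-policy rules in the Users - Security settings dialog.

Added example, not Legacy Orchestrator code. Rule names mirror the dialog
checkboxes; the special-character set is the one listed in the dialog, and the
64-character maximum comes from the User configuration dialog.
"""
from dataclasses import dataclass

# Special characters as listed under "Special characters" in the dialog.
SPECIAL_CHARS = frozenset("!\"#$%&'()*+,-./{")
MAX_PASSWORD_LENGTH = 64


@dataclass
class PasswordPolicy:
    """One attribute per dialog field or checkbox, with the dialog's value range."""
    minimum_length: int = 8          # dialog allows 4 to 8
    upper_and_lower: bool = False
    digit_required: bool = False
    leading_digit: bool = False
    special_characters: bool = False
    require_3_of_4: bool = False     # when set, the four checkboxes above are ignored

    def __post_init__(self):
        if not 4 <= self.minimum_length <= 8:
            raise ValueError("Password minimum length must be between 4 and 8")


def character_type_results(password: str) -> dict:
    """Evaluate the four character-type policies regardless of which are enabled."""
    return {
        "upper_and_lower": any(c.isupper() for c in password)
        and any(c.islower() for c in password),
        "leading_digit": password[:1].isdigit(),
        "digit_required": any(c.isdigit() for c in password),
        "special_characters": any(c in SPECIAL_CHARS for c in password),
    }


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the names of the violated rules; an empty list means the password is accepted."""
    failures = []
    if len(password) > MAX_PASSWORD_LENGTH:
        failures.append("max_length")
    if len(password) < policy.minimum_length:
        failures.append("minimum_length")

    results = character_type_results(password)
    if policy.require_3_of_4:
        # "Require 3 out of 4 types": the individual checkboxes are ignored and
        # at least three of the four character-type tests must pass.
        if sum(results.values()) < 3:
            failures.append("require_3_of_4")
    else:
        # Otherwise only the checked policies are enforced.
        for rule, passed in results.items():
            if getattr(policy, rule) and not passed:
                failures.append(rule)
    return failures


if __name__ == "__main__":
    policy = PasswordPolicy(minimum_length=8, require_3_of_4=True)
    # Constructed sample candidates, not data from the product.
    for candidate in ("summer2024", "Summer2024", "Summer2024!", "2Summer"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'accepted'}")
```

With "Require 3 out of 4 types" set, "Summer2024" is rejected (mixed case and a digit, but no leading digit and no special character, so only two of four tests pass), while "Summer2024!" is accepted.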

Session settings

Session timeout interval (min): The timeout for a user logged in to the Legacy Orchestrator web interface. If the user does not interact with the system via the web interface for this amount of time, the user is automatically logged out and prompted to log in again.

The new timeout interval only affects sessions that start after the change is applied. Sessions that started before the change will time out after the old interval.

Webservice session timeout interval (min): The timeout for a client logged in to the Legacy Orchestrator REST API. If the web services client does not interact with the system via the API for this amount of time, it is automatically logged out.

The new timeout interval only affects sessions that start after the change is applied. Sessions that started before the change will time out after the old interval.

User lockout

Enable user lockout: Check this box to lock a user out of the system after a number of failed attempts to log in.

Here are some points to note about user lockout:

  • Administrators (user accounts with ROLE_ADMIN) cannot be locked out. As a result, lockout does not limit password guessing against ROLE_ADMIN accounts; those accounts are protected by the password policy alone.
  • Administrators can unlock other non-admin users (ROLE_OPERATOR, ROLE_VIEWER, ROLE_FW_MGMT, ROLE_WS).

    Note: Lockout only applies to local authentication (it is not supported for RADIUS authentication). For the procedure to unlock a user account, see "Unlocking a User Account".

Lock after (*) attempts: Set the number of failed attempts after which a user will be locked out. The default is 3 attempts.

Permanent: Check this box to lock out the user permanently (indefinitely). Even if a user is locked out permanently, an administrator can unlock their account, as explained in "Unlocking a User Account". To lock the user out temporarily, leave this box unchecked and enter the lockout time in the Lock for field.

Lock for: The number of hours that the user will be locked out.

The default is 1 hour.
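
The lockout behaviour described in this table, as an added example in Python (not Legacy Orchestrator code): a model that counts failed logins per LOCAL user, locks the account after the "Lock after" number of attempts either permanently or for the "Lock for" number of hours, never locks ROLE_ADMIN accounts or RADIUS users, and allows only a ROLE_ADMIN account to apply the "Unlock user" action. The data model, function names and the use of seconds for timestamps are this example's own assumptions.

```python
"""Model of the User lockout settings in the Users - Security settings dialog.

Added example, not Legacy Orchestrator code. Reproduces the behaviour the dialog
describes: ROLE_ADMIN is never locked out, lockout applies to LOCAL users only,
a temporary lock expires after "Lock for" hours, and only an administrator can
unlock a user. Field names, function names and second-based timestamps are
assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_HOUR = 3600


@dataclass
class LockoutSettings:
    enabled: bool = True
    lock_after_attempts: int = 3    # dialog default
    permanent: bool = False
    lock_for_hours: float = 1.0     # dialog default, used only when permanent is False


@dataclass
class User:
    name: str
    roles: frozenset
    user_type: str = "LOCAL"        # "LOCAL" or "RADIUS", as in the User type column
    failed_attempts: int = 0
    lock_state: bool = False        # the Lock state column (true/false)
    locked_until: Optional[float] = None   # None for a permanent lock or when unlocked

    def is_admin(self) -> bool:
        return "ROLE_ADMIN" in self.roles


def lockout_applies(user: User, settings: LockoutSettings) -> bool:
    """Lockout is skipped when disabled, for ROLE_ADMIN accounts, and for RADIUS users."""
    return settings.enabled and not user.is_admin() and user.user_type == "LOCAL"


def unlock(user: User) -> None:
    """Clear the lock and the failed-attempt counter."""
    user.lock_state = False
    user.failed_attempts = 0
    user.locked_until = None


def is_locked(user: User, now: float) -> bool:
    """Check the lock, clearing a temporary lock whose 'Lock for' period has elapsed."""
    if not user.lock_state:
        return False
    if user.locked_until is not None and now >= user.locked_until:
        unlock(user)
        return False
    return True


def record_failed_login(user: User, settings: LockoutSettings, now: float) -> bool:
    """Count a failed attempt; return True if this attempt triggered a lockout."""
    if not lockout_applies(user, settings):
        return False
    user.failed_attempts += 1
    if user.failed_attempts < settings.lock_after_attempts:
        return False
    user.lock_state = True
    user.locked_until = (
        None if settings.permanent else now + settings.lock_for_hours * SECONDS_PER_HOUR
    )
    return True


def admin_unlock(actor: User, target: User) -> None:
    """The 'Unlock user' checkbox: only a ROLE_ADMIN account may apply it."""
    if not actor.is_admin():
        raise PermissionError(f"{actor.name} lacks ROLE_ADMIN and cannot unlock {target.name}")
    unlock(target)


def attempt_login(user: User, settings: LockoutSettings, password_ok: bool, now: float) -> str:
    """Combine the checks for one login attempt; returns 'locked', 'ok' or 'failed'."""
    if is_locked(user, now):
        return "locked"          # even a correct password is refused while locked
    if password_ok:
        user.failed_attempts = 0  # a successful login resets the counter
        return "ok"
    record_failed_login(user, settings, now)
    return "failed"


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords lock an operator for one hour.
    settings = LockoutSettings()
    operator = User("op1", frozenset({"ROLE_OPERATOR"}))
    for t in (0.0, 1.0, 2.0, 1800.0, 3700.0):
        print(t, attempt_login(operator, settings, password_ok=(t >= 1800.0), now=t),
              "lock_state =", operator.lock_state)
```

Note that the temporary lock in the walk-through is still in force at 1800 seconds even with the correct password, and has expired by 3700 seconds (one hour after the third failure).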

Unlocking a User Account

An administrator can unlock other non-admin users who have been locked out.

To unlock a user account

  1. Select Admin ▶ Users to view the list of all user accounts defined on Legacy Orchestrator.
  2. Double-click the user in the list.
    The User configuration dialog for the selected user is displayed.
  3. Check the Unlock user checkbox.
  4. Click the Apply button.
    The user can try logging in again immediately.
  5. Click the Close button to close the dialog.

