Overview

A user account allows a single person, organization or device to authenticate to MOVEit DMZ. Admins, SysAdmins and some GroupAdmins may add, delete and edit users.

Every account is guarded with a username and a password of a certain minimum strength. Frequently accounts are also guarded with IP/hostname restrictions, interface/protocol restrictions, or an SSH key or SSL certificate.

By default, a username needs to be unique only within its own organization, so the same username can exist in more than one organization. The SysAdmin user, who has the ability to administer all organizations, can change this setting so that an individual username can be used by only one organization.

The main list of users has several columns:

An "add" link allows Admins to create new user accounts. (See "Adding a User" section below.)

Because there may be many users on the system, the list of users will be limited to a configurable number per page. Page navigation links will be provided if the number of users exceeds this limit. The value is configurable in the Account Options page.

User Filter

To make finding specific users easier, a filter section is provided to narrow down the list of users presented.

Adding a User

The Add a New User page is divided into four different sections.

The first section is the general information section. Here is where the username, full name, email address, notification setting, permission code, and language are entered. The notification setting determines if the user will receive email notifications from the system. Setting a blank email address will automatically set the notifications setting to "Off". Setting the notification setting to "On + Admin" will allow administrators and GroupAdmins to receive special admin notifications when certain events happen to users under their control, such as password and account expirations and user lockouts.

Each user must have a unique username and a unique full name, both of which may contain any character in the ISO-Latin-1 (ISO/IEC 8859-1) character set, with one exception: the username cannot contain the backslash ("\") character, as it is a special character used to add an organization identifier to the username. Email addresses do not need to be unique across users, and can even be left blank.

Note: These values may not begin with the characters "@!", for internal reasons.

The next section is the authentication section. This is where the password is set; the suggested password may be used, or a custom password can be entered. The clickable keyboard is available here for entering new passwords, to help thwart keystroke loggers.

Note: Maximum password length is 32 characters. Any new password that exceeds the 32-character limit will be truncated to its first 32 characters.
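The naming rules and the truncation note above can be checked before a batch of accounts is provisioned. The following is an added example, not MOVEit code: the function names and sample rows are hypothetical, it models only the rules stated on this page, and it assumes uniqueness is an exact-match comparison.

```python
MAX_PASSWORD_LEN = 32      # page: longer passwords are cut to the first 32 characters
RESERVED_PREFIX = "@!"     # page: these values may not begin with "@!"


def name_problems(value, is_username):
    """Violations of the stated naming rules for a username or full name."""
    problems = []
    try:
        value.encode("iso-8859-1")          # ISO-Latin-1 characters only
    except UnicodeEncodeError:
        problems.append("character outside ISO-8859-1")
    if value.startswith(RESERVED_PREFIX):
        problems.append('begins with "@!"')
    if is_username and "\\" in value:       # reserved as the organization separator
        problems.append("backslash in username")
    return problems


def effective_password(password):
    """The portion of a new password that is kept after truncation."""
    return password[:MAX_PASSWORD_LEN]


def check_batch(rows):
    """rows: (username, full_name, password) tuples -> {username: [problems]}."""
    report, usernames, full_names = {}, set(), set()
    for username, full_name, password in rows:
        problems = name_problems(username, True)
        problems += ["full name: " + p for p in name_problems(full_name, False)]
        if username in usernames:           # exact match is an assumption
            problems.append("duplicate username")
        if full_name in full_names:
            problems.append("duplicate full name")
        if len(password) > MAX_PASSWORD_LEN:
            problems.append("password truncated: only first 32 characters count")
        usernames.add(username)
        full_names.add(full_name)
        report.setdefault(username, []).extend(problems)
    return report


# Constructed sample rows, not taken from any real system.
SAMPLE_ROWS = [
    ("jsmith", "John Smith", "correct-horse-battery-staple-2024-A"),
    ("acme\\bob", "Bob Jones", "Xk9#mQ2$"),
    ("@!svc", "Service Account", "Tr0ub4dor&3"),
    ("zo\u00eb", "Zo\u00eb \u0141uk", "pw-Example-1"),   # U+0141 is outside Latin-1
    ("jsmith2", "John Smith", "pw-Example-2"),
]
```

Because of truncation, two passwords that share their first 32 characters are the same password to the system, which is why the batch check reports over-length passwords instead of silently accepting them.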

Also available in this section are the "Force user to change password on first login" and "Email new password to user" options. The latter will only appear if the organization allows sending new passwords by email. The "Force user to change password on first login" option will require the user to change their password when they first sign on with their account (a similar option is available when changing a user's password). The "Email new password to user" option will cause a plain-text email containing the user's new account information, including the new password, to be sent to the user, provided that a valid email address has been supplied and the notifications setting is enabled. (If an email address has not been set, or the notifications setting is off, a warning message will be displayed prompting for confirmation, and no email notification will be sent.)

When the current organization is operating in a "mixed" authentication mode (RADIUS then MOVEit or LDAP then MOVEit), another option will appear in the authentication section, called Authentication Method. This allows the administrator to select the authentication method for the user. The authentication method can be "MOVEit Only", "External Only", or "Both". When set to "External Only", MOVEit DMZ will not allow users who fail to authenticate against an external server to be signed onto the system. When set to "MOVEit Only", MOVEit DMZ will not attempt to authenticate a user using the external server; it will use its own user database to authenticate the user. When set to "Both", MOVEit DMZ will first try to authenticate the user using the external server, and if that fails, then attempt to authenticate the user using its own user database.
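The order in which the two back ends are consulted decides which credentials can still admit a user, so it helps to see it as code. This is an added example that models the behaviour described above, not MOVEit code; `sign_in`, `local_password_still_works` and the sample user list are hypothetical.

```python
def sign_in(method, external_ok, local_ok):
    """Model of the per-user Authentication Method in mixed mode.

    external_ok / local_ok are zero-argument callables that return True when
    that back end accepts the credentials.
    Returns (admitted, back_ends_consulted).
    """
    consulted = []
    if method in ("External Only", "Both"):
        consulted.append("external")
        if external_ok():
            return True, consulted
        if method == "External Only":
            return False, consulted       # no fallback to the local database
    if method in ("MOVEit Only", "Both"):
        consulted.append("local")
        return local_ok(), consulted
    raise ValueError("unknown authentication method: %r" % method)


def local_password_still_works(users):
    """Usernames that are admitted on the local password alone after the
    external server has rejected the sign-on."""
    reject, accept = (lambda: False), (lambda: True)
    return [u["username"] for u in users
            if sign_in(u["auth_method"], reject, accept)[0]]


# Constructed user list, not exported from any real system.
SAMPLE_USERS = [
    {"username": "alice", "auth_method": "External Only"},
    {"username": "bob", "auth_method": "Both"},
    {"username": "svc-backup", "auth_method": "MOVEit Only"},
]

if __name__ == "__main__":
    print(local_password_still_works(SAMPLE_USERS))
```

Accounts returned by `local_password_still_works` are the ones whose MOVEit password needs to be managed in its own right, since a rejection by the RADIUS or LDAP server does not block them.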

In the next section, you can specify a default folder to be the user's home folder. The default entry, "/Home/[FULLNAME]", creates a folder with the user's Full Name, which was entered at the top of this form. You can also set the folder name to use the USERNAME, again entered on this form, or the USER ID, which is an internal ID automatically generated when the user is created. This USER ID cannot be changed and will always remain the same for the life of the account.

A second option here is to specify a different folder in place of the /Home folder. For example, you could enter "/Users/[FULLNAME]". If the Users folder does not exist (in the Root folder), it will be created.

Other options for the user's home folder include: setting the user's home folder to any folder, provided it is not a restricted type, in the MOVEit DMZ organization; setting up a shared home folder for multiple users; or not setting a home folder for the user. An Administrator can change the home folder setting for an individual user, at any time, by selecting a user and going to the User Profile - User Settings options.

Note: If an expired user account is deleted, the user's home folder will also be automatically deleted, unless someone else has explicit permissions to that user home folder. For more information, see the Feature Focus - Expiration Policies topic.

The final section is the miscellaneous section, which contains an optional notes field, and a list of groups to choose from to add the user to. Multiple groups may be selected by holding down the Ctrl key while clicking.