If 10 users are logged in at a time and I change my database, adjusting a setting to the following:
"Number of Administrative Sessions Allowed: 5"
how will Maximo identify which 5 users remain logged in?
If any of the MAXADMIN users are logged in, they will not be logged out. If there are 10 users who are all MAXADMINs and only 5 are authorized users in Admin Mode, the people who have been inactive for a longer time will be logged out.
It is based on the MAXADMIN security role. Any user on the application who is not part of MAXADMIN will be kicked out and not allowed to log in until you take the Maximo application out of Admin Mode. Admin Mode allows you to perform many application configuration and database configuration tasks without having to stop MXServer (maximo.ear).
Some systems may have customized MAXADMIN security groups, and the MAXADMIN user will be a part of all these 'custom' groups. In this case, only those users who are present in at least the same groups as the MAXADMIN user will not be logged out of Maximo during Admin Mode.
For example, the MAXADMIN user is present in these security groups: MAXADMIN, MAXADMIN_CUST1, MAXADMIN_CUST2.
Now, if user USER1 does not want to be kicked off during Admin Mode, he will have to be in at least these groups: MAXADMIN, MAXADMIN_CUST1, MAXADMIN_CUST2.
Using AzureAD, users can log in through https://portal.office.com/myapps to their assigned apps. Some of them use the password-based sso with the option "User manages credentials".
This works fine: the user gets a prompt for his password and this password is used for SSO. Except when this password changes or is mistyped the first time; then the user can't change his own saved credentials unless two-factor authentication is activated for this user.
What is the best way to let the initial password prompt reappear for a user, or give another way to reset the password without activating 2FA?
To answer my own question, there are two portals, the Office 365 version at https://portal.office.com/myapps and the Azure version at https://myapps.microsoft.com. At the second portal, you can click on the three dots and select "update credentials". This can only be done by the users themselves.
Another way is via the Azure admin portal. There you can assign permissions to an app. We normally do this based on groups. If you assign the permission individually, you can set or change the password, but also empty the fields. This way the user will be re-prompted for their password. After this, you can delete the individual permission, so it's again only group-assigned. This can only be done by an admin.
I have a requirement to deactivate a user for a particular organization. In Liferay we deactivate the user directly from the Control Panel under the Users tool. If I deactivate the user, the user is deactivated at the portal level, so it applies to all organizations, not to a particular organization. So can I write manual code for this, or is there any alternative by default?
User Management in Liferay is global - to the whole portal. You authenticate to the portal, thus a deactivated user can't be authenticated to the portal.
You can make users members of Organizations or sites, and this membership (or other organization- or site-level roles) can be used to provide them with permissions.
If you want them to be able to sign in, don't deactivate them. If you don't want them to access a certain organization, make the content of that organization available to members only - and exclude the user from the members of that organization.
OK, you could do this at the code level:
User singleUser = UserLocalServiceUtil.getUser(userId);
singleUser.setStatus(WorkflowConstants.STATUS_DENIED);
UserLocalServiceUtil.updateUser(singleUser);
So basically, setting the User status to either WorkflowConstants.STATUS_DENIED, WorkflowConstants.STATUS_EXPIRED or WorkflowConstants.STATUS_INACTIVE will do the work of deactivating a particular User.
But you need to research the after-effects of these status fields.
Please, can you give me your opinion about this issue?
I've written an Autologin which authenticates the username and password against my legacy system.
Once I've verified the user, I have two choices:
Add the user (if it does not exist) to Liferay (and assign groups)
or
Map the verified user against 3 or 4 Liferay users.
If my database is about 10.000 users, but I only have 3 or 4 roles, I thought the second choice would be better, but what happens then with the welcome message once the user is logged in with the Liferay user credentials?
Ivan,
You need to create all the users in Liferay, because at login we use either the screenName or the emailAddress (which must be unique and exist in the DB). Also, before login we can't check what role is assigned to the user, and we can't fetch a user of the same role from Liferay (it would probably affect the security measures of Liferay). As for the welcome message, it's managed by the theme (Velocity template), which uses the name of the currently logged-in user. It can't be managed, so we can't show a different name with the same user login on the basis of role.
Thanks
Suppose a user is accessing his account and at the same time the admin deletes his account. What should happen at the front end? Can the user access his account, or is he redirected to the login page?
Likewise, if the admin deactivates the user, what should happen there?
This is for a website.
Depends entirely on how you set it up. If you want it to automatically log him out, you'd have to manually delete the session after you delete the user from the database.
Solution
If the user is deleted:
Log out and redirect the user to a page that informs him that the account is deleted. Tell him to contact the administrator.
If the user is inactive:
Log out and redirect the user to the login page or to some other page of the system and inform him/her that the account is inactive. Tell him/her to contact the administrator.
You should be checking the user session before any action performed by the user (I simply use the information in the session to log them in 'again' and return relevant information back to the session, which also makes it easy to keep track of any account changes the user may have made). Thus, after the admin deletes the account, once the user attempts to do anything with his account, the login function/method, or whatever mechanism you use, should return false and set the session accordingly.
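The per-request check described in the answers above, as an added example that is not part of the original thread. The in-memory USERS and SESSIONS stores, the function names and the redirect paths are assumptions made for illustration; a real site would back them with its database and session store.

```python
import secrets
from enum import Enum

class Status(Enum):
    ACTIVE = "active"
    INACTIVE = "inactive"

# Constructed sample data: account store and server-side session store.
USERS = {"alice": Status.ACTIVE, "bob": Status.ACTIVE, "carol": Status.ACTIVE}
SESSIONS = {}  # session id -> username

def login(username):
    """Create a server-side session for an active account; return its id or None."""
    if USERS.get(username) is not Status.ACTIVE:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def check_session(sid):
    """Run before every user action. Returns (allowed, redirect, message)."""
    username = SESSIONS.get(sid)
    if username is None:
        return (False, "/login", "Please log in.")
    # Re-read the account on each request; never trust status cached in the session.
    status = USERS.get(username)
    if status is Status.ACTIVE:
        return (True, None, None)
    # Account changed under the user: end the session on this request.
    SESSIONS.pop(sid, None)
    if status is None:
        return (False, "/account-deleted",
                "Account deleted. Contact the administrator.")
    return (False, "/login", "Account inactive. Contact the administrator.")

def admin_delete(username, purge_sessions=True):
    """Delete the account; by default also delete its sessions immediately."""
    USERS.pop(username, None)
    if purge_sessions:
        for sid in [s for s, u in SESSIONS.items() if u == username]:
            del SESSIONS[sid]

def admin_deactivate(username):
    """Mark the account inactive; check_session() ends the session on next use."""
    if username in USERS:
        USERS[username] = Status.INACTIVE
```

Purging sessions at deletion time closes the window immediately, while leaving them for check_session() lets the site show the "account deleted" page on the user's next request; either way no action is served after the change.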
I need to create a process with high integrity level, so that it can do all the administrative tasks. But the created process should run in the currently logged-in desktop, i.e. it should not run in session 0. By default only administrators will log on to the console.
The service should launch the process, as the service is running in session 0 under the system account. Can it somehow get the non-restricted token and use it in CreateProcessAsUser, so that the process created has an integrity level of high or system? Is it possible? One more thing: I should get the non-restricted token without prompting for the user name or password of the logged-in user.
Thanks
Yes, it is possible; we need to query for the linked token.
http://www.eggheadcafe.com/software/aspnet/28532422/-starting-administrato.aspx
http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2008-05/msg00356.html
Thanks