Managing Delphix users
This section describes how to manage users. Here, you can learn how to:
Adding users
Prerequisites
If you intend to validate user logins using LDAP authentication, make sure a system administrator has configured LDAP.
Procedure
Launch the Delphix Management application.
Click Manage.
Select Users.
Click the plus icon to Add User.
Enter the mandatory fields Username, Email Address, and New Password for the new user.
Rules for creating a username:
Must be between 1 and 256 characters.
Can be just letters, just numbers, or just any of the following special characters (_, -, ., @) or a combination of all of these. For example, a username could be just "@".
Can start with any of the above-listed characters and is case-sensitive.
Your password has no restrictions.
Select the User Type.
Click Next.
In the Privileges tab, enter the privileges for the user.
Click Next and review the summary.
Click Submit.
Assigning owner and provisioner privileges
Assigning owner privileges at the group level conveys ownership privileges over all objects in that group. Click the expand icon next to each group name to see all objects in that group.
You can also assign ownership privileges only for specific objects in a group. You do not have to assign owner or auditor privileges for all Delphix objects, only those for which you want to grant the user specific access.
Editing, deleting, and suspending users
The delphix_admin user
The user named delphix_admin cannot be deleted since this is a user created by the Delphix Engine. However, you can suspend it.
When engines created before 5.3.1 are upgraded to 5.3.1 or later, they will retain their old username 'delphix_admin'. To avoid complications, Delphix recommends creating users with an admin role and then disabling delphix_admin.
Launch the Delphix Management application.
Select Manage > Users.
Click the user's name to open the user's profile panel.
Click the disable icon to disable the user.
Click the trash can icon to delete the user.
Deleting a user cannot be undone.
Managing individual profile information
After logging in, click your name in the menu bar.
Click Profile.
Edit profile information as necessary.
Select options for the event level that will trigger a notification email.
Select a time period for Session Timeout.
Click Password to edit your password.
Click OK when finished.
Click Privileges to see your privileges (Auditor or Owner) for Delphix objects.
Delphix user account lockouts
User account lockouts
This feature applies to all kinds of users – Delphix and LDAP. It also applies to usernames that do not correspond to any user in the system. A user who enters a wrong password three times in a row is "locked out" (i.e., unable to continue attempting to log in) for an initial period of 30 seconds. After three more bad login attempts, the user must wait 60 seconds, then 90 seconds, and so on.
Troubleshooting a user account lockout
The initial wait time for any future lockouts is reset to 30 seconds when the user successfully logs in or when an administrator resets the user's password. When an administrator resets a locked-out user's password, the user can immediately attempt to log in.
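The lockout schedule and its reset conditions described above, modeled as an added example (this is not Delphix code). It assumes that attempts made during a lockout are refused without being counted and that state is keyed by the submitted username string; the class and method names are hypothetical.

```python
from dataclasses import dataclass

FAILS_PER_LOCKOUT = 3       # page: three wrong passwords in a row
LOCKOUT_STEP_SECONDS = 30   # page: 30 s, then 60 s, then 90 s, and so on


@dataclass
class _State:
    failures: int = 0         # consecutive wrong passwords since last lockout
    lockouts: int = 0         # lockouts since last success or admin reset
    locked_until: float = 0.0


class LockoutTracker:
    """Hypothetical model. State is keyed by the submitted username string,
    so names that match no account are throttled like real ones."""

    def __init__(self):
        self._states = {}

    def seconds_remaining(self, username, now):
        st = self._states.get(username)
        return max(0.0, st.locked_until - now) if st else 0.0

    def attempt(self, username, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        st = self._states.setdefault(username, _State())
        if now < st.locked_until:
            return "locked"             # assumption: refused, not counted
        if password_ok:
            del self._states[username]  # success resets the wait to 30 s
            return "ok"
        st.failures += 1
        if st.failures >= FAILS_PER_LOCKOUT:
            st.failures = 0
            st.lockouts += 1
            st.locked_until = now + LOCKOUT_STEP_SECONDS * st.lockouts
        return "failed"

    def admin_password_reset(self, username):
        # Page: the user can log in immediately and the wait resets to 30 s.
        self._states.pop(username, None)
```

Because the key is the submitted name rather than an account record, the response to a locked name is the same whether or not the account exists.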
Self-service password reset
This feature allows users to independently reset their forgotten passwords to reduce the need for administrator intervention.
The password reset functionality is integrated into the login interface. Users will find a Forgot Password? link on the login page, which initiates the password reset process. The feature's availability can be controlled through a feature flag, and the validity period for password reset tokens is configurable.
Additional notes
Non-admin users can reset their passwords without needing administrator assistance.
Users are required to validate their email identity for password resets, linking each user account with an email address.
Security considerations
Self-service password reset should record source network addresses for complete audit records.
Requests from unsecured clients (HTTP) are automatically blocked, ensuring password reset is only accessible through secure connections (HTTPS).
Rate-limiting and monitoring are implemented to prevent abuse and to ensure secure handling of password reset requests.
User interface
Login page: A Forgot Password? link directs to the password reset request page.
Password reset request page: Users enter their username or associated email address. Upon submission, an automated response indicates that password reset instructions will be sent to the registered email if the provided information matches an account.
New password setting page: Users will be prompted to enter and confirm a new password, adhering to the engine’s password policy requirements.
Additional notes
Password Reset Validity: Administrators can configure the validity period for password reset tokens.
Password Reset Emails: These emails include a unique token for resetting the password, an explanation of the token's validity period, and guidance for users who did not initiate the reset request.
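A sketch of a reset flow with the properties listed in this section (HTTPS only, source address recorded, rate limiting, a uniform reply, and a token with a configurable validity period), as an added example that is not Delphix code. The default limits, storing only a hash of the token, single-use redemption, and all names are assumptions; the account data is constructed.

```python
import hashlib
import secrets

GENERIC_REPLY = "If the information matches an account, instructions will be emailed."


class ResetService:
    """Hypothetical model of a self-service password reset back end."""

    def __init__(self, accounts, validity_seconds=900, max_requests=3, window=3600):
        self.accounts = accounts          # username -> email (constructed data)
        self.validity = validity_seconds  # configurable token validity period
        self.max_requests, self.window = max_requests, window
        self.tokens = {}   # sha256(token) -> (username, expires_at)
        self.recent = {}   # source address -> timestamps of recent requests
        self.audit = []    # (time, source address, event)
        self.outbox = []   # (email, token); stands in for the mail system

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, identifier, source_addr, scheme, now):
        if scheme != "https":                     # plain HTTP is blocked
            self.audit.append((now, source_addr, "blocked-insecure"))
            return None
        hits = [t for t in self.recent.get(source_addr, []) if now - t < self.window]
        self.recent[source_addr] = hits + [now]
        if len(hits) >= self.max_requests:        # per-source rate limit
            self.audit.append((now, source_addr, "rate-limited"))
            return GENERIC_REPLY
        self.audit.append((now, source_addr, "requested"))
        user = next((u for u, e in self.accounts.items() if identifier in (u, e)), None)
        if user is not None:
            token = secrets.token_urlsafe(32)     # unique, unguessable token
            self.tokens[self._digest(token)] = (user, now + self.validity)
            self.outbox.append((self.accounts[user], token))
        return GENERIC_REPLY                      # same reply, match or not

    def redeem(self, token, now):
        """Return the username for a valid token, else None. Single use."""
        user, expires = self.tokens.pop(self._digest(token), (None, 0))
        return user if user is not None and now < expires else None
```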