Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Getting Started with Trento / User management

6 User management

 

Trento provides a local permission-based user management feature with optional multi-factor authentication. This feature enables segregation of duties in the Trento interface and ensures that only authorized users with the right permissions can access it.

User management actions are performed in the Users view in the left-hand side panel of the Trento Web.

By default, a newly created user is granted display access rights except for the Users view. Where available, a user with default access can configure filters and pagination settings matching their preferences.

To perform protected actions, the user must have additional permissions added to their user profile. Below is the list of currently available permissions:

  • all:users: grants full access to user management actions under the Users view

  • all:checks_selection: grants check selection capabilities for any target in the registered environment for which checks are available

  • all:checks_execution: grants check execution capabilities for any target in the registered environment for which checks are available and have been previously selected

  • all:tags: allows creation and deletion of the available tags

  • cleanup:all: allows triggering housekeeping actions on hosts where agents heartbeat is lost and SAP or HANA instances that are no longer found

  • all:settings: grants changing capabilities on any system settings under the Settings view

  • all:all: grants all the permissions above

Using the described permissions, it is possible to create the following types of users:

  • User managers: users with all:users permissions

  • SAP Basis administrator with Trento display-only access: users with default permissions

  • SAP Basis administrator with Trento configuration access: users with all:checks_selection, all:tags and all:settings permissions

  • SAP Basis administrator with Trento operation access: users with all:check_execution and cleanup:all permissions.

The default admin user created during the installation process is granted all:all permissions and cannot be modified or deleted. Use it only to create the first user manager (a user with all:users permissions who creates all the other required users). Once a user with all:users permissions is created, the default admin user must be treated as a fallback user in case all other access to the console is lost. If the password of the default admin user is lost, it can be reset by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User passwords, including the default admin user password, must follow the rules below:

  • Password must contain at least 8 characters

  • The same number or letter must not be repeated three or more times in a row (for example: 111 or aaa)

  • Password must not contain four consecutive numbers or letters (for example: 1234, abcd or ABCD)

The Create User and Edit User views provide a built-in password generation button that allows user managers to easily generate secure and compliant passwords. The user manager must provide the user with their password through an authorized secure channel.

A user can reset their password in the Profile view. In this view, they can also update their name and email address as well as activate multi-factor authentication using an authenticator app. Multi-factor authentication increases the security of a user account by requesting a temporary second password or code when logging in the console. User managers can disable multi-factor authentication for any given user that has it enabled. However, user managers cannot enable multi-factor authentication on their behalf. The default admin user cannot enable its own multi-factor authentication.

Note
Note: Security Tip for Multi-Factor Authentication

Since multi-factor authentication cannot be enabled for the default admin user, keeping its password safe is imperative. If the default admin user’s password is compromised, reset it immediately by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User managers can enable and disable users. When a user logged in the console is disabled by a user admin, their session is terminated immediately.