Login accounts

At Administration > Security, you can manage access to the functionality in the Console. Because any set of changes to the IT environment of your organization can be delivered from the Console, it is important to prevent unauthorized access, in order to prevent that these changes lead to unexpected and undesired results. Login accounts are used to authenticate users as legitimate Console user. Login accounts can be configured on the Logins tab.

Configuration

  • The Global Password Security Policy area reflects the password security policy as configured in the global settings. This makes it possible to get an immediate overview which global settings are enabled, and if so, what their value is. These settings only apply to login accounts using Ivanti Automation Authentication.
  • The columns give an overview of the settings of all individual logins accounts, including settings related to password security. The password security columns only apply to login accounts that use Ivanti Automation Authentication.
  • To apply an account action to multiple login accounts, select the login accounts and right-click to display the context menu. In the context menu you can delete, enable or disable the selected login accounts at once. In addition, you can change the password security policy for login accounts using Ivanti Automation Authentication. If your selection includes Microsoft Windows Authentication logins and you want to change the password security policy, the login accounts using Microsoft Windows Authentication will be skipped.

When configuring a login account:

  • Use the Properties tab to specify general properties of the login account, such as authentication settings and account actions.
    • The maximum length of the name of the Login account is 255 characters.
    • Select Ivanti Automation Authentication at Account type to configure custom authentication credentials. The user will be prompted for these credentials when he starts the Console. Ivanti Automation Authentication is an efficient way to provide access to a group of people with the same level of access: simply create a single login account, assign a relevant administrative role to it and provide all legitimate Console users with the relevant login information.
      • Use the Account action area to specify the password settings of the login account. The configured values will be shown in the corresponding columns on the Logins tab.
        • Do not apply global Password Security Policy: Select this option to not apply the configured global Password Security Policy for this login account.
        • Account is locked out: Use this option to unlock a locked out login account. When a user enters the wrong password and the number of attempts has exceeded, the account is locked out and this option is enabled and checked. After clearing (and saving) the option, the password is unlocked. It is not possible to lock accounts using this option: disable the account instead.
        • User must change password at next login: Use this option to prompt the user to change the password at next login. The Change my password window appears.
      • When the password is changed by the administrator, the password change date will also be reset. Except if the password is changed to the previous password.
    • Select Microsoft Windows authentication at Account type to use existing Microsoft Windows user accounts and local and global groups to authenticate access to the Console. This allows users to access the Console with their Microsoft Windows account and does not require additional authentication. If users also need access to the Console when not logged on with their Microsoft Windows account, use Ivanti Automation Authentication instead.
      • If a Microsoft Windows user account cannot be authenticated, the user will be prompted for the credentials of a login account using Ivanti Automation Authentication. It is not possible to provide Microsoft Windows credentials at that point.
      • By selecting the Check type of an account that applies to the login account, you can handle authentication in scenarios in which machines have the same name as a Windows domain, but are not a member of any domain:
        • Domain: Select this option to grant access to users who are logged on to a machine with a domain account.
        • Local: Select this option to grant access to users who are logged on to a machine that is not a member of a Windows domain.
        • Both: Select this option to grant access to users irrespective of the type of account used. This is the default option.
    • You can use login accounts using Ivanti Automation Authentication and Microsoft Windows Authentication alongside each other in the same Ivanti Automation environment.
      • The authentication method of existing login accounts cannot be changed from one method to the other.
  • Use the Administrative Roles tab to assign administrative roles to the login account.
    • The Console is password-protected if at least one login account exists.
    • To avoid accidental lockout of the Console, the first login account that you create is automatically assigned to the Full Access administrative role.
    • You can assign a login account to multiple administrative roles.
    • Login accounts that are not assigned to an administrative role do not have access to the Console.
  • Use the Permissions tab to view the permissions of the login account.

Deleting the last login account with administrative role Full Access restores Full Access for all users of the Console.

Active Directory nested groups are not supported.