Creating or modifying users

You must be the installation owner, or have system administrator or superuser privileges to create users. Superusers and system administrators cannot modify their own extended privileges.

Before you create users, determine what type of authentication the server uses. If the server authenticates users against the operating system, each user must have an account on the server host. If the server uses an LDAP directory server for user authentication, the users do not need to have operating system accounts.

If the repository is the governing member of a federation, a new user can be a global user. Global users are managed through the governing repository in a federation, and have the same attribute values in each member repository within the federation. If you add a global user to the governing repository, that user is added to all the member repositories by a federation job that synchronizes the repositories.

If a user is authenticated by an LDAP server, only a superuser can modify the user’s LDAP-mapped attributes.

To create or modify user accounts:

  1. Connect to the repository where you want to create new users.

  2. Navigate to Administration > User Management > Users.

  3. Do one of the following:

    • To create a user, select File > New > User.

      The New User page displays.

    • To modify an existing user, select the user, then select View > Properties > Info.

      The User Properties page displays.

  4. Enter or modify the user information, as described in Table 4.3, User properties.

  5. Click OK.

Table 4.3. User properties

Field label | Value

State

Indicates the user account state in the repository. Valid values are:

  • Active: The user is a currently active repository user. Active users are able to connect to the repository.

  • Inactive: The user is not currently active in the repository. Inactive users are unable to connect to the repository.

  • Locked: The user is unable to connect to the repository.

  • Locked and inactive: The user is inactive and unable to connect to the repository.

If the user is a superuser, only another superuser can reset the state.

Name

The user name for the new user. The user name cannot be modified, but can be reassigned to another user. For more information, refer to Reassigning objects to another user.

User Login Name

The login name used for authenticating a user in repositories.

If the user is an operating system user, the user login name must match the operating system name of the user. If the user is an LDAP user, the user login name must match the LDAP authentication name of the user.

User Login Domain

Identifies the domain in which the user is authenticated. This is typically a Windows domain or the name of the LDAP server used for authentication.

If you are using Kerberos authentication with LDAP synchronization, the user login domain must be set to the short domain name, as described in Configuring LDAP synchronization for Kerberos users.

User Source

Specifies how to authenticate a given repository user’s user name and password. Valid values depend on whether the repository runs on a UNIX or Windows server.

  • None: The user is authenticated in a Windows domain.

  • UNIX only: The user is authenticated using the default UNIX mechanism, dm_check_password, or another external password-checking program.

  • Domain only: The user is authenticated against a Windows domain.

  • UNIX first: This is used for UNIX repositories where Windows domain authentication is in use. The user is authenticated first by the default UNIX mechanism; if that fails, the user is authenticated against a Windows domain.

  • Domain first: This is used for UNIX repositories where Windows domain authentication is in use. The user is authenticated first against a Windows domain; if that fails, the user is authenticated by the default UNIX mechanism.

  • LDAP: The user is authenticated through an LDAP directory server.

  • Inline Password: The user is authenticated based on a password stored in the repository. This option is available only when Documentum Administrator is used to create users. It is not available in other applications in which it is possible to create users.

  • dm_krb: The user is authenticated using Kerberos Single-Sign-On (SSO).

Password

The password for the user.

This field is displayed if Inline Password is selected as the User Source. Type the password, which is then encrypted and stored in the repository.

This must be provided manually for users added using an imported LDIF file.

Confirm Password

The password for the user.

This field is displayed if Inline Password is selected as the User Source. Enter the same password you entered in the Password field.

Description

A description of the user account.

E-Mail Address

The e-mail address of the user. This is the address to which notifications are sent for workflow tasks and registered events.

User OS Name

The operating system user name of the user.

Windows Domain

The Windows domain associated with the user account or the domain on which the user is authenticated. The latter applies if Content Server is installed on a UNIX host and Windows domain authentication is used.

Home Repository

The repository where the user receives notifications and tasks.

User is global

If the user is created in the governing repository of a federation, select this option to propagate the user account to all members of the federation.

Restrict Folder Access To

Specifies which folders the user can access. Click Select to specify a cabinet or folder. Only the selected cabinets and folders are displayed for the user. The other folders are not displayed, but the user can still access them using the search or advanced search options.

If no folders or cabinets are specified, the user has access to all folders and cabinets in the repository, depending on the permissions on those cabinets and folders, and depending on folder security.

Default Folder

The default storage place for any object the user creates. This option only displays when you are creating a user. Valid values are:

  • Choose existing folder: Select this option to assign a folder you already created as the default folder for that user.

  • Choose/Create folder with the user name: Select this option to automatically create a folder with the name of the user as the object name.

Default Group

The group that is associated with the default permission set of the user. Click Select to specify a default group.

When the user creates an object in the repository, it automatically belongs to this group.

Default Permission Set

The permission set that assigns the default permissions to objects the user creates. Click Select to specify a default permission set.

Db Name

The user name of the user in the underlying RDBMS. The DB Name is only required if the user is a repository owner or a user who registers RDBMS tables.

Privileges

The privileges that are assigned to the user.

User privileges authorize certain users to perform activities in the repository. Select one of the privileges from the drop-down list, as follows:

  • None

  • Create Type

  • Create Cabinet

  • Create Cabinet and Type

  • Create Group

  • Create Group and Type

  • Create Group and Cabinet

  • Create Group, Cabinet, and Type

  • System administrator

  • Superuser: If you grant superuser privileges to a user, add that user manually to the group called admingroup. If you revoke a user’s superuser privileges, remove the user from the admingroup.

Extended Privileges

Specifies the auditing privileges for the user. Superusers and system administrators cannot modify their own extended privileges.

  • None: The user cannot configure auditing, view audit trails, or purge audit trails.

  • Config audit: The user can configure auditing.

  • Purge audit: The user can purge existing audit trails.

  • Config and Purge Audit: The user can configure auditing and purge existing audit trails.

  • View Audit: The user can view audit trails.

  • Config and View Audit: The user can configure auditing and view existing audit trails.

  • View and Purge Audit: The user can view existing audit trails and purge them.

  • Config, View, and Purge Audit: The user can configure auditing and view and purge existing audit trails.

Client Capability

Describes the expertise level of the user.

The client capability setting is used by Documentum client products, such as Webtop, to determine which functionality to deliver to the user. Content Server does not recognize or use the client capability setting. For information about the client features available with each setting, refer to the Documentum client documentation.

Choose a user type from the list:

  • Consumer

  • Contributor

  • Coordinator

  • System Administrator

Alias Set

The default alias set for the user. Click Select to specify an alias set.

Disable Workflow

Indicates whether a user can receive workflow tasks.

Disable Authentication Failure Checking

If selected, the user can exceed the number of failed logins specified in the Maximum Authentication Attempts field of the repository configuration object.
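
The following is an added example, not part of the product documentation: a Python review of user records against three rules from the table above (superuser and admingroup membership kept in step, extended privileges that allow purging audit trails, and accounts exempt from authentication failure checking). The records and the admingroup membership are constructed sample data keyed by the table's field labels, and the function names are hypothetical.

```python
# Constructed sample records keyed by the field labels in the table above;
# this is not a real export format.
USERS = [
    {"Name": "alice", "State": "Active", "Privileges": "Superuser",
     "Extended Privileges": "None",
     "Disable Authentication Failure Checking": False},
    {"Name": "bob", "State": "Active", "Privileges": "System administrator",
     "Extended Privileges": "Config and Purge Audit",
     "Disable Authentication Failure Checking": True},
    {"Name": "carol", "State": "Active", "Privileges": "Create Type",
     "Extended Privileges": "View Audit",
     "Disable Authentication Failure Checking": False},
    {"Name": "dave", "State": "Locked and inactive", "Privileges": "None",
     "Extended Privileges": "None",
     "Disable Authentication Failure Checking": False},
]
ADMINGROUP = {"bob", "dave"}  # constructed membership of the admingroup group
ELEVATED = {"system administrator", "superuser"}


def review_user(user, admingroup):
    """Return review findings for one user record."""
    findings = []
    privilege = user["Privileges"].casefold()
    in_group = user["Name"] in admingroup
    # Superusers are added to admingroup by hand and removed when revoked,
    # so the two can drift apart in either direction.
    if privilege == "superuser" and not in_group:
        findings.append("superuser missing from admingroup")
    if privilege != "superuser" and in_group:
        findings.append("in admingroup but not a superuser")
    # Every Extended Privileges value naming "Purge" allows purging audit trails.
    if "purge" in user["Extended Privileges"].casefold():
        findings.append("can purge audit trails")
    # This flag exempts the account from Maximum Authentication Attempts.
    if user["Disable Authentication Failure Checking"]:
        scope = "elevated" if privilege in ELEVATED else "standard"
        findings.append(f"failure checking disabled on {scope} account")
    return findings


def audit(users, admingroup):
    """Map user name to findings, omitting users with nothing to review."""
    report = {u["Name"]: review_user(u, admingroup) for u in users}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(USERS, ADMINGROUP).items():
        print(f"{name}: {'; '.join(found)}")
```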