Managing users

Release 9.3.1 E-mail This Topic Printable Version Give Us Feedback

The Security tab in Manager contains a Users link where you can view a list of your users. The appearance of this panel varies depending on where you're storing your user information. If you're using SQL Server as your user store, you have the option to add, modify, and delete users within Manager. If you are using a custom provider for users, you may be able to add and modify users if the provider supports it. If your users are Windows users, the view on this panel is read-only. When the view is read-only, you need to use the tools inherent to Windows or your custom provider to add, modify, and delete users.

Note: if your role store is Windows groups, any changes to group membership require logging off and back on to take effect. For example, if you add user SallyB to Managers, then you must log off and log back on before you can use SallyB's credentials to access services permitted for the Managers group.

When your user store has many users, you can filter them to show just a portion of the total user list. Use the options near the top of the panel to limit the display to the users you want to view.

If users have been assigned to roles, you can click the plus (+) button to the left of the user name to view the roles the user is a member of. When the role store is in a SQL Server database, you can change these role assignments by editing the user properties (see below). When Windows or a custom provider stores role members, this view is read-only.

The following sections explain the Manager tools for adding, modifying, and deleting users that you've stored in a SQL Server database.

Note: On Windows Server 2000, if you configured your users to be in SQL Server, and you encounter an error when attempting to view or add users, you may need to add the ASPNET account to the database. Follow steps 1 through 9 in the Alternate instructions for manual setup of SQL Server for users.

Adding users

When SQL Server stores your users, you can add a new user by clicking Add User on the Users panel. This displays a dialog box to add the user. Some custom providers also support adding users through this dialog box. In this dialog box you can set:

Do not use a comma (,) or semicolon (;) in the user name. Other special characters may not be allowed by the membership provider. If you see an error when attempting to add the user, try again without the special character.

Password strength requirement. By default, when adding a user, a strong password is required. With these settings, passwords must be at least seven characters and must contain at least one nonalphanumeric character (such as #, %, or ^). These requirements are based on the membership provider in ASP.NET, which is used when users are added or edited in Manager. These password settings can be modified to require a different length of password or a different number of nonalphanumeric characters. You modify these settings by editing the <providers> tag inside the web.config file of the <ArcGIS Instance>\Security Web application. For example, to not require a non-alphanumeric character, set the attribute for minRequiredNonalphanumericCharacters to 0 (you can add the attribute if it is not present). Any changes to password policy will only affect accounts created or changed after you save the web.config file. For details on user account settings, see this Microsoft page: http://msdn2.microsoft.com/En-US/library/whae3t94.aspx.

Once you have set the user's properties, click Add User to save the new user to the database and return to the main Users panel. Click Cancel to abandon creation of the new user.

Modifying users

To update an existing user, click the corresponding Edit (pencil) icon in the users list. The Edit dialog box resembles the Add User dialog box, except that you cannot change the user name. You also cannot change passwords for users with this dialog box. See the next section for information on changing and recovering passwords.

An account may become locked if multiple failed attempts are made to log in with the user's account within a short period of time. This is a built-in feature in ASP.NET. If an account becomes locked, the Locked status in the user properties will indicate that the account has been locked. To unlock the accounts in SQL Server, use SQL Server Management Studio (Express) to open the user database, Membership table, and change the IsLockedOut column for the user). For users in a custom provider, you must use tools specific to your custom provider to unlock the account.

Once you have made your changes, click the Apply button to save the changes and make additional changes, or click OK to save the changes and return to the Users panel. Click Cancel to abandon any changes made and return to the Users panel.

Changing and recovering lost passwords

Manager cannot be used to change or view passwords once an account is created. Some security storage types do support password management. For example, SQL Server supports changing and recovering passwords, whereas for Windows users, native operating system tools must be used to manage passwords. If the security store supports them, the following tools are available to change passwords and to recover lost passwords:

Several issues may affect the recovery of passwords:

Deleting users

To delete a user, click the Delete icon (red circle with an X) next to the user's name. You'll be prompted to confirm that you want to delete the user.