Managing Users

You can create, edit, and delete users in the native security domain. You cannot delete or modify the properties of user accounts in the LDAP security domains. You cannot modify the user assignments to LDAP groups.
You can assign roles, permissions, and privileges to a user account in the native security domain or an LDAP security domain. The roles, permissions, and privileges assigned to the user determine the tasks the user can perform within the Informatica domain.
You can also unlock a user account.

Creating Native Users

Add, edit, or delete native users on the Security tab.
    1. In the Administrator tool, click the Security tab.
    2. On the Security Actions menu, click Create User.
    3. Enter the following details for the user:
    Login Name
        Login name for the user account. The login name for a user account must be unique within the security domain to which it belongs.
        The name is not case sensitive and cannot exceed 128 characters. It cannot include a tab, newline character, or the following special characters:
        , + " \ < > ; / * % ? &
        The name can include an ASCII space character except for the first and last character. All other space characters are not allowed.
    Password
        Password for the user account. The password can be from 1 through 80 characters long.
    Confirm Password
        Enter the password again to confirm. You must retype the password. Do not copy and paste the password.
    Full Name
        Full name for the user account. The full name cannot include the following special characters:
        < > "
    Description
        Description of the user account. The description cannot exceed 765 characters or include the following special characters:
        < > "
    Email
        Email address for the user. The email address cannot include the following special characters:
        < > "
        Enter the email address in the format UserName@Domain.
    Phone
        Telephone number for the user. The telephone number cannot include the following special characters:
        < > "
    4. Click OK to save the user account.
    After you create a user account, the details panel displays the properties of the user account and the groups that the user is assigned to.
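The following validator is an added example, not Informatica code: it checks the values for a new native user against the limits listed in the property table above before they are entered in the Administrator tool. It assumes that the caller supplies the login names that already exist in the target security domain (so uniqueness can be checked case-insensitively, as the names are not case sensitive) and it treats the documented email format "UserName@Domain" as exactly one "@" with text on both sides; how strictly the tool itself checks the email format is not stated on this page.

```python
# Added example (not Informatica's code): validates native-user properties
# against the rules in the property table. Assumed: existing_names holds the
# login names already present in the security domain; the email check is a
# minimal reading of "UserName@Domain".

MAX_LOGIN_LEN = 128
MAX_DESCRIPTION_LEN = 765
MAX_PASSWORD_LEN = 80
LOGIN_FORBIDDEN = set(',+"\\<>;/*%?&')   # characters a login name may not contain
MARKUP_FORBIDDEN = set('<>"')            # forbidden in full name, description, email, phone


def login_name_errors(name, existing_names=()):
    """Return a list of rule violations for a login name (empty list means valid)."""
    errors = []
    if not name:
        return ["login name is empty"]
    if len(name) > MAX_LOGIN_LEN:
        errors.append("exceeds %d characters" % MAX_LOGIN_LEN)
    bad = sorted(c for c in set(name) if c in LOGIN_FORBIDDEN)
    if bad:
        errors.append("contains forbidden characters: " + " ".join(bad))
    # Tab, newline and every non-ASCII space are rejected; only U+0020 is allowed.
    if any(c.isspace() and c != " " for c in name):
        errors.append("contains a tab, newline, or non-ASCII space character")
    if name[0] == " " or name[-1] == " ":
        errors.append("starts or ends with a space")
    # Login names are not case sensitive, so uniqueness is checked case-insensitively.
    if name.casefold() in {n.casefold() for n in existing_names}:
        errors.append("already exists in this security domain")
    return errors


def password_errors(password):
    """The password must be 1 through 80 characters long."""
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return ["password must be 1 through %d characters long" % MAX_PASSWORD_LEN]
    return []


def _markup_errors(field, value):
    bad = sorted(c for c in set(value) if c in MARKUP_FORBIDDEN)
    return ["%s contains forbidden characters: %s" % (field, " ".join(bad))] if bad else []


def native_user_errors(props, existing_names=()):
    """Validate a dict with the keys login_name, password, confirm_password,
    full_name, description, email and phone; returns all violations found."""
    errors = ["login name: " + e
              for e in login_name_errors(props.get("login_name", ""), existing_names)]
    errors += password_errors(props.get("password", ""))
    if props.get("password") != props.get("confirm_password"):
        errors.append("password and confirm password do not match")
    for field in ("full_name", "description", "email", "phone"):
        errors += _markup_errors(field, props.get(field, ""))
    if len(props.get("description", "")) > MAX_DESCRIPTION_LEN:
        errors.append("description exceeds %d characters" % MAX_DESCRIPTION_LEN)
    email = props.get("email", "")
    if email and (email.count("@") != 1 or not all(email.split("@"))):
        errors.append("email is not in the form UserName@Domain")
    return errors


if __name__ == "__main__":
    # Constructed sample input: one valid account and one that breaks several rules.
    print(native_user_errors({"login_name": "jane doe", "password": "s3cret",
                              "confirm_password": "s3cret", "email": "jane@example.com"}))
    print(native_user_errors({"login_name": " jane*", "password": "", "confirm_password": "x",
                              "full_name": "<Jane>", "email": "jane"},
                             existing_names=["Jane*"]))
```

Running the validator before the account is submitted gives the administrator the full list of violations at once, rather than the one-at-a-time rejection the tool would produce.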

Editing General Properties of Native Users

You cannot change the login name of a native user. You can change the password and other details for a native user account.
    1. In the Administrator tool, click the Security tab.
    2. In the Users section of the Navigator, select a native user account and click Edit.
    3. To change the password, select Change Password.
    The Security tab clears the Password and Confirm Password fields.
    4. Enter a new password and confirm.
    5. Modify the full name, description, email, and phone as necessary.
    6. Click OK to save the changes.

Assigning Native Users to Native Groups

Assign native users to native groups on the Security tab.
    1. In the Administrator tool, click the Security tab.
    2. In the Users section of the Navigator, select a native user account and click Edit.
    3. Click the Groups tab.
    4. To assign a native user to a group, select a group name in the All Groups column and click Add.
    If nested groups do not display in the All Groups column, expand each group to show all nested groups.
    You can assign a native user to more than one group. Use the Ctrl or Shift keys to select multiple groups at the same time.
    5. To remove a native user from a group, select a group in the Assigned Groups column and click Remove.
    6. Click OK to save the group assignments.

Assigning LDAP Users to Native Groups

You can assign LDAP user accounts to native groups. You cannot change the assignment of LDAP user accounts to LDAP groups.
    1. In the Administrator tool, click the Security tab.
    2. In the Groups section of the Navigator, select a native group, and then click Edit.
    3. Click the Users tab.
    4. To assign an LDAP user to a group, select an LDAP user in the All Users column, and then click Add.
    5. To remove an LDAP user from a group, select an LDAP user in the Assigned Users column, and then click Remove.
    6. Click OK to save the user assignments.

Enabling and Disabling User Accounts

Users with active accounts can log in to application clients and perform tasks based on their permissions and privileges. If you want to temporarily prevent users from accessing application clients, you can disable their accounts. You can enable or disable user accounts in the native or an LDAP security domain. When you disable a user account, the user cannot log in to the application clients.
To disable a user account, select a user account in the Users section of the Navigator and click Disable. When you select a disabled user account, the Security tab displays a message that the user account is disabled. When a user account is disabled, the Enable button is available. To enable the user account, click Enable.
You cannot disable the default administrator account.
Note: When the Service Manager imports a user account from the LDAP directory service, it does not import the LDAP attribute that indicates that a user account is enabled or disabled. The Service Manager imports all user accounts as enabled user accounts. You must disable an LDAP user account in the Administrator tool if you do not want the user to access application clients. During subsequent synchronization with the LDAP server, the user account retains the enabled or disabled status set in the Administrator tool.

Deleting Native Users

To delete a native user account, right-click the user account name in the Users section of the Navigator and select Delete User. Confirm that you want to delete the user account.
You cannot delete the default administrator account. When you log in to the Administrator tool, you cannot delete your user account.

Deleting Users of PowerCenter

When you delete a user who owns objects in the PowerCenter repository, you remove any ownership that the user has over folders, connection objects, deployment groups, labels, or queries. After you delete a user, the default administrator becomes the owner of all objects owned by the deleted user.
When you view the history of a versioned object previously owned by a deleted user, the name of the deleted user appears prefixed by the word "deleted."

Deleting Users of Metadata Manager

When you delete a user who owns shortcuts and folders, Metadata Manager moves the user's personal folder to a folder named Deleted Users owned by the default administrator. The deleted user's personal folder contains all shortcuts and folders created by the user. Any shared folders remain shared after you delete the user.
If the Deleted Users folder contains a folder with the same user name, Metadata Manager names the additional folder "Copy (n) of <username>."

LDAP Users

You cannot add, edit, or delete LDAP users in the Administrator tool. You must manage the LDAP user accounts in the LDAP directory service.

Unlocking a User Account

The domain administrator can unlock a user account that is locked out of the domain. If the user is a native user, the administrator can request that the user reset their password before logging back into the domain.
The user must have a valid email address configured in the domain to receive notifications when their account password has been reset.
If the user is locked out of the LDAP authentication server, the LDAP administrator must unlock the user account in the LDAP server.
    1. In the Administrator tool, click the Security tab.
    2. Click Account Management.
    The Account Management page displays the following lists of locked-out users:
    Locked Out Native Users
    Includes user accounts in the Native security domain that are locked out.
    Locked Out LDAP Users
    Includes user accounts in LDAP security domains that are locked out.
    3. Select the users that you want to unlock.
    4. Select Unlock user and reset password to generate a new password for the user after you unlock the account.
    The user receives the new password in an email.
    5. Click the Unlock selected users button.

Increasing System Memory for Many Users

Processing time for an Informatica domain restart, LDAP user synchronization, and some infacmd and infasetup commands increases proportionally with the number of users in the Informatica domain.
The number of users affects the processing time of the following commands:
You may need to increase the system memory used by Informatica Services, infasetup, and infacmd when you have a large number of users in the domain. To increase the maximum heap size, configure the following environment variables and specify the value in megabytes:
For example, to configure 2048 MB of system memory on UNIX for the INFA_JAVA_OPTS environment variable, use the following command:
setenv INFA_JAVA_OPTS "-Xmx2048m"
On Windows, configure the variables as system variables.
The following table lists the minimum requirement for the maximum heap size settings, based on the number of users and services in the domain:
Number of Domain Users    Maximum Heap Size (1-5 Services)    Maximum Heap Size (6-10 Services)
1,000 or less             512 MB (default)                    1024 MB
5,000                     2048 MB                             3072 MB
10,000                    3072 MB                             5120 MB
20,000                    5120 MB                             6144 MB
30,000                    5120 MB                             6144 MB
Note: The maximum heap size settings in the table are based on the number of application services in the domain.
After you configure these environment variables, restart the node for the changes to take effect.

Viewing User Activity

Use the Logs tab of the Administrator tool to view user activity logs. View user activity logs to review login attempts from Informatica client applications. You can also view the logs to determine when a user created, updated, or removed services, nodes, users, groups, or roles.
See the Informatica Administrator Guide for more information about user activity logs and the Logs tab of the Administrator tool.
You can also use the infacmd isp getUserActivityLog command to view user activity log data. The infacmd isp getUserActivityLog command uses the following syntax:
infacmd isp getUserActivityLog -dn domain_name -un user_name -pd password
The infacmd isp getUserActivityLog command requires the Administrator role or membership in the Administrator group. For more information about the isp getUserActivityLog command, see the Informatica Command Reference.
The user activity log data includes successful and unsuccessful user login attempts from Informatica clients. If the client sets custom properties on login requests, the log data includes the custom properties.
Note: The user activity logs do not include user login attempts in a domain configured to use Kerberos authentication.
The user activity data includes the following properties for each login attempt from an Informatica client:
You can view log events based on the following optional filters:
You can display the log events at the command prompt or write the events to a file in one of the following formats:
If you print a log in binary format, you can use the infacmd isp convertUserActivityLogFile command to convert it to text or XML format. See the Informatica Command Reference for more information on using the infacmd isp convertUserActivityLogFile command.

User Activity Codes

User activity logs include codes that indicate the success or failure of each activity.
Valid activity codes include the following:

User Activity Log Filters

Use one or more filters to retrieve log events for specific users, dates, or events.
Use one or more of the following parameters for the infacmd isp getUserActivityLog command to filter log events:
Users and security domains
Optional. The list of users that you want to get log events for. Separate multiple users with a space. Use the wildcard symbol (*) to view logs for multiple users on a single security domain or all security domains. For example, the following strings are valid values for the option:
user:Native
"user:*"
"user*"
"*_users_*"
"*:Native"
Add the following parameter to the getUserActivityLog command to filter log events based on user or security domain:
-usrs <UserName>:<SecurityDomain>
For example, add the following parameter to retrieve user activity for a user named User1 on all security domains:
-usrs "User1:*"
Date and time
Optional. The range of dates you want to view log events for.
If you enter an end date that is before the start date, the command returns no log events.
Enter the date and time in one of the following formats:
Add the following parameter to the getUserActivityLog command to filter the log by start date or end date:
-sd <start_date> -ed <end_date>
For example, add the following parameter to retrieve user activity between January 1, 2014 and February 3, 2014:
-sd 01/01/2014 -ed 02/03/2014
Activity code
Optional. Returns log events based on the activity code.
Use the wildcard symbol (*) to retrieve log events for multiple activity codes. Valid activity codes include:
Add the following parameter to the getUserActivityLog command to filter by activity code:
-ac <activity_code>
For example, add the following parameter to retrieve log events that succeeded:
-ac CCM_10437
If you use the wildcard symbol, enclose the argument in quotation marks.
Activity text
Optional. Returns log events based on a string found in the activity text.
Add the following parameter to the getUserActivityLog command to filter by activity text:
-atxt <activity_text>
Use the wildcard symbol (*) to retrieve logs for multiple events. For example, the following parameter returns all log events that contain the phrase "Enabling service" in their description:
-atxt "*Enabling service*"
If you use the wildcard symbol, enclose the argument in quotation marks.
Chronological order
Optional. Prints log events in reverse chronological order. If you do not specify this parameter, the command displays log events in chronological order.
Add the following parameter to the getUserActivityLog command to print the most recent event first:
-ro true

Writing and Viewing User Activity Log Events

You can write user activity log events to a file or display them on the command line when you use the infacmd isp getUserActivityLog command. Choose the output format based on how you plan to use the exported log file.

Writing and Viewing Log Files

To write the user activity log events to a file, run the command with the output file parameter -lo:
-lo output_file_name
If you do not specify an output format, the command writes the log events to a text file. For example, run the following command to write log events to a file named log.txt:
infacmd isp getUserActivityLog -dn TestDomain -un Administrator -pd Administrator -lo log.txt
To specify an output format, run the command with the format parameter -fm:
-fm output_format_BIN_TEXT_XML
Valid formats include:
If you specify text or XML as the output format, but you do not specify an output file, the command displays the text or XML log on the command line.
If you specify binary as the output format, you must provide an output file name.
For example, run the following command to print log events to a file named log.xml:
infacmd isp getUserActivityLog -dn TestDomain -un Administrator -pd Administrator -fm xml -lo log.xml

Converting Log Files

If you use the getUserActivityLog command to write log events to a binary file, you can convert the file to text or XML format.
Run the following command to convert a binary log you retrieved to text or XML format:
infacmd isp convertUserActivityLogFile -in BIN_input_file_name -fm output_format_TEXT_XML -lo output_file_name
For example, run the following command to convert a binary input file named log.bin to XML format and output it to a file named convertedLog.xml:
infacmd isp convertUserActivityLogFile -in log.bin -fm XML -lo convertedLog.xml
To display the log on the command line, omit the output file name.
If you omit the format, the command uses the text format.
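The script below is an added example, not Informatica code, that ties together the filter parameters from "User Activity Log Filters" and the output and conversion options from this section. It assembles the argv for infacmd isp getUserActivityLog and infacmd isp convertUserActivityLogFile and rejects the combinations the text describes as returning nothing (an end date before the start date) or as invalid (binary output without an output file). Its assumptions: dates are given in the MM/DD/YYYY form used in the examples above (the other accepted date formats are not reproduced), and a multi-value option such as -usrs takes its values as separate argv tokens. Quoting each token with shlex.quote shows why a wildcard argument such as "User1:*" must be enclosed in quotation marks when the command is typed into a shell; passing the argv list straight to subprocess avoids the shell entirely.

```python
# Added example (not Informatica's code): builds argv lists for the two
# infacmd isp commands described in this section. Assumed: MM/DD/YYYY dates,
# and multi-value options given as separate tokens.
import shlex
from datetime import datetime

DATE_FORMAT = "%m/%d/%Y"


def _date(text):
    return datetime.strptime(text, DATE_FORMAT)


def get_user_activity_log_argv(domain, user, password=None, users=(), start=None, end=None,
                               activity_code=None, activity_text=None, newest_first=False,
                               fmt=None, output=None):
    """Return the argv for getUserActivityLog; raise ValueError for option
    combinations the text says return no events or are not allowed."""
    if start and end and _date(end) < _date(start):
        raise ValueError("end date %s is before start date %s: no events would be returned"
                         % (end, start))
    if fmt is not None and fmt.lower() not in ("bin", "text", "xml"):
        raise ValueError("format must be bin, text, or xml")
    if fmt is not None and fmt.lower() == "bin" and not output:
        raise ValueError("binary output requires an output file (-lo)")
    argv = ["infacmd", "isp", "getUserActivityLog", "-dn", domain, "-un", user]
    if password is not None:
        # -pd is shown in the examples above; a password given this way is
        # visible to other local users in the process list.
        argv += ["-pd", password]
    if users:
        argv += ["-usrs", *users]        # assumed: one token per user pattern
    if start:
        argv += ["-sd", start]
    if end:
        argv += ["-ed", end]
    if activity_code:
        argv += ["-ac", activity_code]
    if activity_text:
        argv += ["-atxt", activity_text]
    if newest_first:
        argv += ["-ro", "true"]
    if fmt:
        argv += ["-fm", fmt]
    if output:
        argv += ["-lo", output]
    return argv


def convert_user_activity_log_argv(bin_input, fmt=None, output=None):
    """Return the argv for converting a binary log file to text or XML."""
    if fmt is not None and fmt.lower() not in ("text", "xml"):
        raise ValueError("converted format must be text or xml")
    argv = ["infacmd", "isp", "convertUserActivityLogFile", "-in", bin_input]
    if fmt:
        argv += ["-fm", fmt]
    if output:
        argv += ["-lo", output]
    return argv


def as_shell_line(argv):
    """Quote each token for a POSIX shell so wildcard arguments reach infacmd unexpanded."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    argv = get_user_activity_log_argv("TestDomain", "Administrator", users=["User1:*"],
                                      start="01/01/2014", end="02/03/2014",
                                      activity_text="*Enabling service*", fmt="xml",
                                      output="log.xml")
    print(as_shell_line(argv))
    print(as_shell_line(convert_user_activity_log_argv("log.bin", fmt="XML",
                                                       output="convertedLog.xml")))
    # subprocess.run(argv) would execute the command without any shell quoting concerns.
```

The ValueError on a reversed date range is deliberate: the command itself silently returns an empty result in that case, which is easy to misread as "no activity" when reviewing login attempts.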