BPC RiskManager - Create the Root Administrator


Introduction

This tab has only one purpose: to create a single account that will be used to create the first application / risk administrator account. You only need to use this account if you have NOT loaded account(s) during database setup.


Note: If you are restoring an already ‘in use’ database, or upgrading from an earlier version, your access accounts will already exist and you do not have to do any of this and can skip this step entirely.


Only one rootadmin can exist in each database. It is linked to the network logon id you enter in the username field on this screen, so that user id cannot be used as a normal user id until another id (or a nonsense string) is entered into the username field on this screen. We recommend using the Administrator id, as this account should not normally access the system.


Configuration

Part A



To set up the rootadmin:


  1. For each database configured on the database connections tab, choose the database connection from the database tab. When you connect to the database the ‘not connected’ string will change to ‘connected’.
  2. Enter the domain (if using domain/username style authentication). This field will only be useable if you have enabled domain/username authentication in the security configuration above.
  3. Enter a real network user id in the username field and an email address for that account in the email field. The username must correspond to the user id that will be used to access the system in rootadmin mode, because the application will attempt to authenticate the rootadmin as that user id with the network security system. The user id chosen does not need any special rights, except that while it is associated with the rootadmin account it will not be able to be a normal BPC RiskManager user. So if ‘jackstraw’ is used as rootadmin, you will not be able to create a separate jackstraw user of the system, and his name will always appear as ‘rootadmin’, not Jack Straw. You can of course simply assign a different nonsense user id to the rootadmin later if you want, which will free up jackstraw for reuse as a real user id. We suggest using Administrator for this reason.
  4. Select the ‘Create’ button.
  5. Repeat for each database.


Part B

Once the rootadmin has been used to create another risk administrator account, the new risk administrator can remove the admin rights from the rootadmin account from within BPC RiskManager through the secure access screen. The rootadmin will then have no powers within the application, and this screen cannot be used to re-grant powers to the rootadmin account. In other words, it is a one-way exercise:


  1. Allocate the rootadmin account to a real user account – we will call that account ‘administrator’ for the purposes of this discussion.
  2. Attempt to login to the application using another real account – we will call that account ‘smith’ for the purposes of this discussion (so the access details are recorded) – this login will fail (which is correct).
  3. Login to the application as the rootadmin (automatically done by using the chosen network id as the login account), in this case administrator.
  4. Look for ‘smith’ in the resources section of the security screen and grant administration rights to that account (i.e. access all areas + auditor + user mode of ADMINISTRATOR). We have now created the real administrator.
  5. Logout of the application as rootadmin.
  6. Login as ‘smith’. This account now looks for rootadmin in the security screen, removes its ADMINISTRATOR access, restricts its access to only defined areas (and defines no areas of access) and removes its auditor rights. Rootadmin can now not do anything.
  7. The new real administrator (smith) may proceed with creation of accounts as required.


Rootadmin will never be required again, but if for some reason you want it back, just re-enable its ADMINISTRATOR rights and its access all areas right. Of course you would have to do this from another administrator ID.

