Management Products




Web-based User Account and Identity Management - Making it Work

  1. What's Required
    2.
  2. How to Administer eControl
    3.
  3. Configure the Help Desk Module
    4.
  4. Configure the Account Create Module
    5.
  5. Configure the Self-Service Module
    6.
  6. View Sample Audit Log
    7.
  7. More Information
    8.

What's Required


eControl 2.5 must be installed on a Windows 2000 Professional, Windows XP Professional, Windows 2000 Server, or Windows 2003 Server operating system. Windows is required because of a dependency for the GroupWise Win32 APIs and for access to Active Directory and Exchange.



eControl can access multiple and mixed operating systems and email systems at the same time because it acts as an authenticated intermediary (proxy) service to the target systems. eControl is a non-intrusive installation. eControl uses native Operating System APIs and LDAP calls to communicate with the target servers. This means that no agents need to be installed on the target servers or operating systems.

Since each network environment is unique, eControl is installed by an Omni engineer to ensure that it will match the needs of each network. For more information on the installation, please refer to Full System Requirements and Remote Installation Requirements.

eControl acts as a proxy service and uses an eControl account which must have full supervisor rights to the systems that it is going to manage. When the Omni engineer installs and configures the eControl server, the following is performed:

  • The eControl account login and password is configured.

  • The LDAP server property mappings are confirmed.

  • The target systems are identified (eDirectory, Active Directory, Exchange and GroupWise).

How to Administer eControl


eControl Administrator is the utility used to configure the eControl server to deliver a secure web-based, "ZERO Rights", user account and identity management and provisioning solution. With eControl Administrator, the network administrator can define who can perform which tasks on which user accounts.



Using eControl Administrator, the network administrator defines global parameters, creates task collections (sets of tasks that can be assigned), and assigns those task collections to eDirectory or Active Directory groups.

Configure the Help Desk Module


For the Help Desk Module:
  1. Task collections are created and configured. This defines what tasks can be carried out.

  2. Task collections are assigned to eDirectory or Active Directory Groups. This defines who has authority to carry out the assigned task(s).

  3. Search paths are assigned to each task to determine which user objects are able to be managed by the task. This determines where (in which containers and therefore against which users) the assigned tasks can be carried out. The “where” part also involves deciding which post offices and domain objects are going to be managed. eControl provides a measure of granularity and control that native applications are not able to deliver.
The following tasks can be assigned to be managed by eControl users based on their eDirectory or Active Directory group memberships.

  eDirectory & GroupWise
1.  Manage Account Password and Strong Password
2.  Manage GroupWise Password and Strong Password
3.  Enable / Disable User Accounts
4.  Manage Group Memberships
5.  Manage Organizational Roles
6.  Set Password Restrictions
7.  Release Intruder Lockout
8.  Create User Identification Information
9.  Manage Login Information (Login Script and Profile)
10.  Manage Login Restrictions
11.  Manage GroupWise Distribution Lists
12.  Manage GroupWise Options (Visiblity, Expiration Date)
13.  Manage NetMail Account Status
 Active Directory & Exchange
1.  Manage Account Password and Strong Password
2.  Enable / Disable User Accounts
3.  Manage Group Memberships
4.  Manage Exchange Mail Groups
5.  Release Intruder Lockout
6.  Create User Identification Information
7.  Manage Account Expiration Date


The illustration below shows how an eControl user can manage eDirectory and Active Directory accounts at the same time from the same browser session:



Configure the Account Create Module


For the Account Create Module, eControl “Create Profiles” are added. An eControl "Create Profile" links the user creation “business logic” to either an eDirectory template or an Active Directory base account. The profile determines which attributes will be required for the account and takes care of all of the “magic” behind the scenes, including ensuring a unique account name across the multiple systems, strong password requirements, etc.

Based on assigned user create tasks, non-technical and clerical staff are able to create users by selecting the create profile wizard to be used to create the account.




Sample Audit Log


The audit log can be configured to track all view and change actions carried out in eControl. It contains the login ID and IP address of the help desk operator and the name of the account on which the action was carried out.

Date and Time; Action ID; Action Description; Status; Source IP; Account; Destination Object; Parameter(s);; Module Name

2/2/2006 9:50:19 AM;10;Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin5,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:42 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:52:50 AM;1011; Group Membership Viewed;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;
    LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:00 AM;1051; Directory Password Changed;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;
     LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:01 AM;1052; Email Password Changed;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin1,ou=HDO,ou=Berlin,o=ACME;
    LDAP://10.10.2.16:389/cn=AaJacob,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 9:53:24 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin2,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:53:35 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 9:56:24 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 10:19:54 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk
2/2/2006 10:20:01 AM;1021; GW Distribution List Membership Viewed;True;10.10.2.21;
   LDAP://10.10.2.16:389/cn=Stephane,o=DEV;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:11 AM;1022; GW Distribution List Membership Added;True;10.10.2.21;
   LDAP://10.10.2.16:389/cn=Stephane,o=DEV;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;29D3B710-04E6-0000-9040-1F00DA008A00 2DB3B060-04E6-0000-9040-1F00DA008A00 30187B60-04E6-0000-9040-1F00DA008A00 328B9E40-04E6-0000-9040-1F00DA008A00 349A8110-04E6-0000-9040-1F00DA008A00;HelpDesk
2/2/2006 10:20:12 AM;1021; GW Distribution List Membership Viewed;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=Stephane,o=DEV;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;HelpDesk
2/2/2006 10:20:31 AM;10; Authentication Attempt;True;10.10.2.21;
    LDAP://10.10.2.16:389/cn=HDOBerlin3,ou=HDO,ou=Berlin,o=ACME;;;HelpDesk
2/2/2006 1:06:28 PM;10; Authentication Attempt;False;10.10.2.7;
    LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;Global
2/2/2006 1:06:35 PM;10; Authentication Attempt;True;10.10.2.7;
    LDAP://10.10.2.16:389/cn=Stephane,o=DEV;;;HelpDesk

Configure the Self-Service Module


For the Self-service Module:

  • The administrator determines which groups are going to be allowed to access the Self-service Module. This includes configuring demographic values an authorised user is able to read and/or write to.
  • The administrator defines the distribution lists and groups that users, based on their group membership task assignments, will be able to subscribe to and unsubscribe from.
  • The administrator defines the Challenge/Response templates and configures the required and or minimum number of questions to be answered for web-based password changes. 
With eControl Self-service, users are able to login to eControl and securely manage their personal information and change their own passwords without requiring administrator or help desk intervention.




More Information
© 2007 Omni Technology Solutions, Inc. All Rights Reserved. All trademarks are property of their respective owners.
Omni Technology Solutions Inc.   •   #1200, Bell Tower  •  10104 - 103 Avenue  •  Edmonton  •  Alberta  •  Canada  •  T5J 0H8
Tel +1 780.423.4200  •  Fax +1 780.423.4711  •  Send an Email