Scalar i3 User Access

Displays a list of all users created for your library.

Lists details for a user highlighted in the North Panel.

Shows configuration details on the user, admin, and service user roles.

Provides options for user configuration and actions.

You can add two types of users: user and administrator. Administrators have access to all features and functions, while users have some restrictions on what they can configure.

1. From the Navigation panel, select User Access.

2. In the Operations panel, click Add.

   

   Item	Description	Action
   User Name	Allows you to create a user name. User names must be 8-64 characters long and may contain any printable characters except back tick (`), tilde (~), and a leading or trailing space character ( ). User names are not case sensitive.	Enter text.
   Role	Allows you to select the type of user you want to create: user administrator	Select the desired role from the drop-down menu.
   Password	Allows you create a password. Current password creation rules can be reviewed and configured under Login Rules.	Enter text.
   Confirm Password	Validate password created in the Password field.	Re-enter text.

3. Click Apply to save your settings.

4. Click Close to exit the window.

1. From the Navigation panel, select User Access.
2. In the North Panel, click the checkbox next to the user you want to modify.

3. In the Operations panel, click Modify.

   

   Item	Description	Action
   User Name	Users assigned the Admin role can have the User Name changed. Users assigned the User role cannot be edited. If you want to change this field, you must delete the user profile and create a new one.	If the user role is Admin, modify the User Name.
   Role	Allows an administrator to select the type of role: user administrator	Select the desired role from the drop-down menu.
   Password	Allows a user or admin to change a password. Current password rules can be reviewed and configured under Login Rules. Note: After the initial installation of the library, the initial Admin user password cannot be changed to the default password of "password". Admin users created after the initial installation have no password restrictions.	Enter text.
   Confirm Password		Re-enter text.

4. Click Apply to save your settings.

5. Click Close to exit the window.

1. From the Navigation panel, select User Access.
2. In the North Panel, click the checkbox next to the user you want to delete.

3. In the Operations panel, click Delete.

   

4. Click Apply to save your settings. The user is removed from the list in the North Panel.

5. Click Close to exit the window.

Lightweight Directory Access Protocol (LDAP) is the industry standard Internet protocol that provides centralized user account management. The library supports LDAP Directory servers based on Microsoft Active Directory and Novell eDirectory. You can configure the Lightweight Directory Access Protocol (LDAP) settings any time after the initial library configuration. Once you enable and configure LDAP, you can view your current LDAP settings using the LDAP menu.

Note: Active Directory no longer requires Windows Services for Unix 2.5.

OpenLDAP Server Guidelines

Enabling LDAP allows existing user accounts residing on an LDAP server to be integrated into the library’s current user account management subsystem. User account information is centralized and shared by different applications, simplifying user account management tasks.

The remote client and operator panel do not allow you to create, modify, or delete user account information on an LDAP server. This must be done by the directory service provider.

The following groups must be created on the LDAP server to enable remote login on the library:

Group	Description
Library User Group	Assign users to this group who need user privilege access to the library
Partition Groups	For LDAP users with user privileges, access to library partitions is determined by group assignment on the LDAP server. Groups must be created on the LDAP server with names that match the library partition names (names must match but are not case sensitive). Users with user privileges must be assigned to these groups on the LDAP server to have access to the corresponding partitions on the library.
Library Admin Group	Assign users to this group who need administrator-privilege access to the library. LDAP users with administrator privileges have access to all partitions and administrator functions and do not need to be assigned to partition related groups on the LDAP server.

Additional Information

• Groups must be created on the LDAP server with names that correspond to the library partition names.
• User and library groups must reside in or below the group context.
• User names and group objects must be in LDAP Distinguished Names formats.

OpenLDAP 2.4

For OpenLDAP 2.4:

• You must install and run OpenLDAP 2.4 or later.
• The supported Objects in OpenLDAP 2.4 and later are of type “Person” or derived objects, and the group Objects must be of type “GroupOfNames.”
• OpenLDAP must be compiled with Overlay Support and requires the installation of “memberOf” overlay. More information can be found in the man pages of OpenLDAP with the “man slapo-member of” command.

Configure LDAP

1. From the Navigation panel, select User Access.

2. In the Operations panel, click LDAP.

   

   Item	Description	Action
   Enable LDAP	Activates LDAP setting fields. Note: Disabling LDAP will not cause you to lose any entered and saved settings. If you need to change any settings prior to re-enabling LDAP, you will need to enter the necessary changes to each field.	Select the check box to enable LDAP. Deselect the check box to disable LDAP.
   Primary Server	Allows you to enter the address to the server that is first accessed for user LDAP information.	Enter text.
   Alternate Server	Allows you to enter the address to a server to access user LDAP information if the primary server is unavailable.	Enter text.
   LDAP Port	Basic connection type. Default port is 389.	Select the radio button.
   LDAPS Port	Secure connection type. Default port is 636.	Select the radio button.
   StartTLS Port	Default port is 389.	Select the radio button.
   Principal	The user name of the user with permissions to search for the user trying to use LDAP to login.	Enter text.
   Password	The password of the principal.	Enter text.
   Confirm Password		Re-enter text.
   User DN	This is a fully qualified LDAP DN (distinguished name) and is used as the base to search for a user's login credentials. You can search for a user in the context specified and all contexts below it.	Click the + to enter the user DN.
   Group DN	Use this field to search and discover what groups a user is a member of. Only groups which are in the group context are considered for library access.	Enter text.
   User Group	The group associated with the library. A user that belongs to the library user access group is granted user level permission to access the library. For a user to manage a partition, that user must also be a member of a user group with the same name as the library partition in question. If a CN with users in it is not available, use a name of a group the users are members of. An OU will not work.	Enter text. Note: You can provide the Common Name (CN) value only for this search value.
   Admin Group	The group associated with the library administrator, equivalent to the local administrative user privilege level. Any member of this group has administrative privileges. If a CN with users in it is not available, use a name of a group the users are members of. An OU will not work.	Enter text. Note: You can provide the Common Name (CN) value only for this search value.
   User ID Attribute	The user ID that is associated with the user object in the LDAP or AD hierarchy. For LDAP, this attribute is commonly uid. For AD, this attribute is commonly SAMAccountName. Use this field to search and discover a user ID object. Note: If a user ID attribute is not provided (empty string), the default search is used.	Enter text. Note: The attribute cannot contain the following characters: ,+”\<>;= Note: The attribute cannot contain a space at the beginning or end, and cannot contain a line feed or carriage return.

Note: Non-admin library users also need to be members of the groups that match the partition names for which they are granted access. These group names do not need to be specifically listed anywhere in the LDAP setup on the library. When user logins are validated during login, their group memberships for partition access are validated automatically.

3. Click Apply to save your settings.

4. Select the Test tab and run a test on your settings to ensure they are configured properly.

5. Click Close to exit the window.

Kerberos Settings

Kerberos is a secure method for authenticating a request for a service in a computer network. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Note: The Kerberos tab is only available when the Enable LDAP check box is selected.

1. From the Navigation panel, select User Access.
2. In the Operations panel, click LDAP.

3. Select the Kerberos tab.

   Item	Description	Action
   Enable Kerberos	Activates the Kerberos security protocol.	Select the check box.
   Realm	Name of instance. Typically the realm is the same as your domain name, only in all upper case letters.	Enter text.
   KDC	The Kerberos Key Distribution Center (KDC). This is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain. The KDC runs on each domain controller as part of Active Directory Domain Services (AD DS).	Enter text.
   Domain Mapping	The fully qualified DNS name of the machine that provides the Kerberos service.	Enter text.
   Keytab File	A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password. However, when you change your Kerberos password, you will need to recreate all your keytabs. Keytab files are commonly used to allow scripts to automatically authenticate using Kerberos, without requiring human interaction or access to passwords stored in a plain-text file. The script can use the acquired credentials to access files stored on a remote system.	Click Browse to navigate to where the keytab file is located.

4. Click Apply to save your settings.

5. Click Close to exit the window.

Load LDAP Certificate

LDAP communications are not encrypted by default and you may want to use LDAPS for greater security. You can do this by using an SSL certificate to provide security for any LDAP data transfers.

1. From the Navigation panel, select User Access.
2. In the Operations panel, click LDAP.

3. Select the Certificates tab.

   

   Item	Description	Action
   Certificate Name	Displays the LDAPS certificate name.	Click Browse to navigate to where the LDAPS certificate is located.

4. Click Apply to save your settings.

5. The Certificate Installation Summary contains the following information regarding the loaded LDAP certificate:

   Item	Description
   Type	Specifies the certificate type. Types include server, root, and client.
   Validity	Time period the certificate is valid for.
   Status	Valid or invalid.
   Details	Contains information regarding the certificate issuer, such as organization name, location, and contact information.

6. Click Close to exit the window.

Test LDAP Settings

When setting up LDAP you may want to test your settings to ensure they work properly. On the Test tab, you can test a specific user or your configuration settings.

Note: The Test tab is only available when the Enable LDAP radio button is selected.

1. From the Navigation panel, select User Access.
2. In the Operations panel, click LDAP.

3. Select the Test tab.

   

   Item	Description	Action
   Test User	Allows you to test a specific user's logon credentials.	Select the radio button.
   User Name	Allows you to enter a user name.	Enter text.
   Password	Allows you to enter the user's password.	Enter text.
   Test Configuration	Allows you to test the configuration settings you entered on the LDAP tab.	Select the radio button.

4. Click Apply to save your settings.

5. Click Close to exit the window.

This window allows an administrator to configure partition-specific access restrictions for each user.

1. From the Navigation panel, select User Access.
2. Select a user from the North Panel

3. In the Operations panel, click Entitlement.

   

   Item	Description	Action
   Partition Access	Displays a list of available partitions.	Select the check box next to the partition(s) you want to enable media access. Deselect the check box next to the partition(s) you want to disable media access.
   Media Restrictions	Lists the five (5) types of access to media for the partition: Move - ability to move media from/to the selected partition Import - ability to import media into the selected partition Export - ability to export media from the selected partition Unload - ability to remove media from drives associated with the selected partition	User the Partition Access check box to disable/enable media access.

4. Click Apply to save your settings.

5. Click Close to exit the window.

This window allows you to set up specific access properties for the three different user roles that can access your library: user, administrator and service.

1. From the Navigation panel, select User Access.

2. In the Operations panel, click Settings.

   

   Item	Description	Action
   Local User Interface Access	Allows you to decide how you want users to access the library: Open Access- no login or PIN required Login Required - must use a login ID and password PIN Required - must use a PIN number. A PIN can use any combination of numbers 0-9.	Select the desired radio button. If PIN Required is selected, enter the number you want to use.
   Admin/User Access	Session Timeout - Allows you to set the amount of time a user must be inactive before the session is ended. This timeout applies to both admin and user accounts. The default session timeout is 15 minutes.	Select the desired value from the drop-down menu.
   Service Access - Enable Remote Login	Allows a service user to access your library remotely. You can set the access window from Indefinite to 72 hours. A service user will automatically be logged out after 4 hours of inactivity. Note: Enable remote login is disabled by default for 250 library firmware and above.
   Service Access - Local Service Port Login	Allows a service user to only access your library if they are onsite and plugged in via the library service port. You can set the access window from Indefinite to 72 hours. A service user will automatically be logged out after 4 hours of inactivity.	Select the check box to enable local service port login. Deselect the check box to disable local service port login.
   Service Access - Access Window	The access window determines time period a service user has to successfully utilize an enabled remote login or service port before access is once again disabled. The time period begins once the service enablement is applied.	Select the desired service access time from the drop-down menu.
   Service Access - Enable Reverse Tunnel	Reverse tunneling allows a Quantum Service access to the library through a secured connection. To enable the reverse tunnel, the following process occurs: Library administrator sets an access window time period for a reverse tunnel and enables the tunnel in the WebGUI. A reverse service tunnel request is made to Quantum Service through the CBA portal (see Cloud-Based Analytics). The library or CBA administrator approves the request in the CBA portal. Once approved, Quantum Service makes a secured connection to the library using CBA infrastructure. Quantum Service can connect and disconnect to the library during the specified access window. When the specified access window expires, all connections from Quantum Service to the library are closed. A new reverse tunnel request must be made.	Select the check box to enable the service tunnel. Deselect the check box to disable the service tunnel.
   Reverse Tunnel - Access Window	The access window determines the time period that Quantum Service can access the library through the reverse tunnel. The time period begins once the service tunnel enablement is applied. Once a reverse tunnel access window expires, a new request and approval must be made to establish a reverse tunnel.	Select the desired reverse tunnel access time from the drop-down menu.

3. Click Apply to save your settings.

4. Click Close to exit the window.

Multi-Factor Authentication (MFA) is an authentication method that requires a user to successfully enter both a password and an authentication code before access to the library is allowed.

The authentication code is a temporary passcode that is generated by a Time-based One-time Password (TOTP) algorithm. A user generates authentication codes using an authenticator application on a client device.

Enable MFA

1. From the Navigation panel, select User Access.

2. In the Operations panel, click MFA.

   

3. Select the Enable Multi Factor Authentication check box. The Time-based One-time Password (TOTP) is selected and a shared secret code is generated by the library. The shared secret appears in the Shared Secret box in a numerical and QR code format.

   

4. If you have not already done so, download an authenticator application to a client device.

   • An example of an authenticator application would be Microsoft Authenticator or Google Authenticator.
   • An example of a client device would be a mobile phone or tablet.

5. Open the authenticator application on your client device. Scan the QR code or enter the shared secret code generated by the library in step 3. The authenticator application will now generate a 6 digit authentication code that changes every 30 seconds.

   

6. Enter the 6 digit authentication code generated by the authenticator application in the Authentication Code field. If the code is accepted, MFA will be enabled. If the code is not accepted, MFA will not be enabled.

   Note: The authentication code must be entered and applied within 90 seconds after being generated by the authenticator application. If more than 90 seconds have passed, you must generate a new authentication code to successfully enable MFA.

   

7. Click Apply. MFA is now enabled on the library. All subsequent login requests will be required to configure MFA and provide the additional authentication code during system login attempts.

   

   To access the library, users will now have to enter an authentication code in addition to username and password

   

   

Disable MFA

Note: Only a library administrator can disable MFA.

1. From the Navigation panel, select User Access.

2. In the Operations panel, click MFA.

   

3. Deselect the Enable Multi Factor Authentication check box.

4. Disabling MFA requires an authentication code generated from the authentication application. Enter the 6 digit authentication code generated by the authenticator application in the Authentication Code field.

   Note: The authentication code must be entered and applied 90 seconds after being generated by the authenticator application. If more than 90 seconds has passed, you must generate a new authentication code to successfully disable MFA.

5. Click Apply. MFA is now disabled on the library.

Multi-Factor Authentication Guidelines

User Access When MFA is Enabled

1. Current Users

   A current user will log into the library using the current assigned User Name and Password.

   New Users

   If a new user needs access to the library the library administrator creates a new user (see Add a User). The new user will then log into the library using the User Name and default Password created by the administrator.

2. After the new user logs on, a dialog box will appear containing a shared secret code in numerical and QR code format:

   

3. To complete the login process, the user must do the following:

   • Install an authenticator application on a client device.
   • Scan the QR code or enter the shared secret code into the authenticator application. The authenticator application will now generate a 6 digit authentication code that changes every 90 seconds.

4. Current Users

   Using the authenticator application, the user enters an Authentication Code and clicks Apply to complete the login.

   New Users

   Using the authenticator application, a new user enters an Authentication Code and clicks Apply. The Password Change Request dialog then appears, prompting the new user to change the default password created by the library administrator.

   

Lost Client Devices

Users

If a user loses the client device (such as a mobile phone) with the authentication application installed, a library administrator will need to delete the user and create a new user profile.

Default Administrator

If the default administrator (the original admin account created when the system was installed) loses the client device with the authentication application installed, the default administrator can use the Local User Interface (LUI) to disable MFA and gain access to the library. The disable MFA feature is located at Admin > Maintenance > Library > Disable MFA in the LUI.

Service User Access

A service user does not require MFA authentication. If MFA is enabled, there are two options for the service user to access the library:

• Service user can access the library through the Local User Interface (LUI).
• For remote access to the library, the administrator can enable remote service login for a specified time period for the service user (see User Access Settings).

Allows you to restrict remote login library access for user and administrator accounts on defined IP addresses.

Note: This feature is not available for service users.

1. From the Navigation panel, select User Access.

2. In the Operations panel, click Restrictions.

   Note: For IP restrictions to be enabled, no users can be selected in the North panel.

   

   Item	Description	Action
   Current IP Source IP Address	Indicates your current IP Address. When enabling IP restrictions, your IP address must be in the IP Address Permissions list.	To copy your current IP Address to the IP Address Permissions List, click on the IP address. In IP Address Permissions, click + to open an IP Address field. Right-click your mouse over the field and select Paste.
   Enable Login Restrictions	Allows you to enable or disable IP login restrictions. When enabled, only users and administrators with IP addresses in the IP Address Permissions List will have remote login access to the library.	Select the check box to enable IP Address login restrictions. Deselect the check box to disable IP Address login restrictions.
   IP Address Permissions	Allows you to add or delete IPv4 and IPv6 addresses from the permission list. A maximum of 25 IP addresses can be added to the permission list. Note: The host IP address must be in the permission list.	Click + to add an IP address to the list. Click the trash icon to delete an IP address from the list.

3. Click Apply to save your settings. The Apply button will be disabled if login restrictions are enabled and your IP address is not in the IP permissions list.

Administrators can configure the login rules for library user passwords.

1. From the Navigation panel, select User Access.

2. In the Operations panel, click Login Rules.

   

   Item	Description	Default Setting	Setting Range
   Minimum Characters	Minimum password length.	8	Minimum Setting: 8 Maximum Setting: 64
   Maximum Characters	Maximum password length.	64	Minimum Setting: 8 Maximum Setting: 64
   Minimum Uppercase	Password requires a specific number of upper case characters (A-Z).	0	Minimum Setting: 0 Maximum Setting: 64 Note: The number of minimum uppercase characters cannot exceed the defined maximum password length.
   Minimum Lowercase	Password requires a specific number of lower case characters (a-z).	0	Minimum Setting: 0 Maximum Setting: 64 Note: The number of minimum lowercase characters cannot exceed the defined maximum password length.
   Minimum Digits	Minimum number of number digits (0-9) required in password:	0	Minimum Setting: 0 Maximum Setting: 64 Note: The number of minimum digits cannot exceed the defined maximum password length.
   Minimum Special Characters	Minimum number of special characters in password (!@#$%^&*()_+-={}|[]\;':"<>?,./). Note: By default, back tick (`), tilde (~), and a leading or trailing space character ( ) are not allowed in a password.	0	Minimum Setting: 0 Maximum Setting: 64 Note: The number of minimum special characters cannot exceed the defined maximum password length.
   Exclude Characters	Enter characters to exclude from password. Note: By default, back tick (`), tilde (~), and a leading or trailing space character ( ) are not allowed in a password.	back tick (`), tilde (~), and a leading or trailing space character ( )	N/A
   Maximum Repeat Characters	Maximum number of repeated, sequential characters allowed in password.	63	Minimum Setting: 0 Maximum Setting: 63 Note: The number of maximum repeat characters cannot exceed the defined maximum password length.
   Min Days Until Password Change	Sets the minimum days before a password can be changed.	0	Minimum Setting: 0 Maximum Setting: 364
   Max Days Until Password Change	Sets the maximum days before a password must be changed.	0	Minimum Setting: 0 days Maximum Setting: 364 days
   Max Username Sequence Characters	Allowed character sequence from login name allowed in the password. For example, a login user name is sampleuser and the password rules are set to allow a maximum of a 3 character sequence from the login name to be used in the password. A password of passworduse123 would be allowed because it meets the criteria for a maximum of a 3 character sequence (use) from the login name in the password. A password of passworduser123 would not be allow because it contains a 4 character sequence (user) from the login name.	64	Minimum Setting: 3 Maximum Setting: 64
   Exclude Previous Passwords	Number of new passwords that must be used before a previously used password can be used again.	1	Minimum Setting: 1 Maximum Setting: 5
   Failed Login Attempts	Number of invalid login attempts until the library locks the user account for the defined number of lockout minutes.	5	Minimum Setting: 5 invalid attempts Maximum Setting: 32 invalid attempts
   Lockout Minutes	Number of minutes before a locked out user can attempt to log into the library.	5	Minimum Setting: 5 minutes Maximum Setting 1440 minutes (24 hours)

3. Click Apply to save your settings.

4. Click Close to exit the window.

Administrators can use this window to end a user session.

1. From the Navigation panel, select User Access.
2. In the North Panel, click the checkbox next to the user whose library session you want to end.
3. In the Operations panel, click End Session.
4. Click Apply to save your settings. The user's session is ended. In the North Panel, the Session column shows a zero (0) indicating the session has ended.