Fusion Security can be used to manage user accounts across the Fusion product range. Changes to user accounts in Fusion Security will become effective immediately in any of the Fusion Products that are secured with Fusion Security.
Fusion Security must be configured to communicate to an SDMX Structure source (this may be a Fusion Registry) in order to obtain a list of Data Providers, Data Consumers, and Agencies. Connecting to a structure source is covered in the installation guide. When creating a user account, it is possible to assign the user to zero or more SDMX organisations (Data Provider, Data Consumer, Agency).
Any user may also be assigned the role of Admin. Admin access gives higher privileges to other Fusion tools such as Fusion Audit, Fusion Matrix, and Fusion Registry.
Fusion Security also provides an additional privileged user account, called the “root user” (userid ‘root’) who is an administrator with all of the privileges that go along with it. The root user may not be deleted, but he can be locked. The root user also has the ability to import or export user information from Fusion Security (see section 5) and has the ability to modify any other user account. The root user is not visible to administrator users, so if logging into Fusion Security as an administrator user, the root user will not be displayed. It is recommended to use administrator accounts for user administration, and only use the root user if absolutely required, for example if the administrator password(s) are forgotten. It is highly recommended to change the root user password or lock the root account as soon as possible.
User accounts may be enabled or disabled by an administrator though the UI. User accounts may additionally be locked or unlocked. An account will be locked automatically by the system if a user tries to log into their account with the incorrect password an excessive number of times. By default there is no maximum limit set, this can be configured as required. An account can only be enabled/disabled or unlocked using the UI.
It is possible to restrict accounts to only authenticate if the login is from certain IP addresses. A failed login due to IP restriction will be counted as a failed login attempt, and an excessive number of consecutive login failures may cause the user’s account to be locked.
Only users with root or admin rights can login to the Fusion Security user interface. Access from any other user account is prohibited.
To administer accounts first log in to Fusion Security via the web interface.
The home page will show a list of all the users in the system. Users are listed by username and the display name is shown in brackets (unless username and display name are the same).
Modifying a user's details is simply a case of clicking on the appropriate control (e.g. Account Enabled) and the change is made to that user. The only exceptions to this are 'Display Name' and 'Email Address'. These controls have their own "Save" button which is displayed when a change is made to the value.
Click on New User, a popup dialogue will appear. Ensure all fields in this dialogue are filled in before clicking ‘Add User’. The characters allowed in the username include all alphabetic, all numeric and the following characters: underscore (_), dollar ($) and hyphen (-).
The username for each user must be unique and cannot be changed once set. The display name for each user does not have to be unique and can be modified at a later date from the "User Details" screen.
The password rules are displayed on the right-hand side of the dialog. These rules are configurable, as discussed in the installation guide. On form submission Fusion Security will additionally verify that the password supplied is not contained in the list of illegal passwords: these are passwords which are deemed unsafe due to their simplicity or commonality.
On successful creation of a new user account, the pop up dialogue will close, and the user will be added to the list of users displayed in the area in the left-hand side of the screen.
The user’s account will be enabled, but at this stage of user account setup the user will not be assigned to any organisations. Organisation assignment will provide the user with specific roles. The Fusion products may require that certain actions have a specific role, e.g. only a Data Provider can register data. It is not mandatory to assign a user to an organisation, however this may restrict what access rights the user has in secured systems.
A user's account can be assigned to zero or more organisations, allowing the user to assume the role of an organisation type (e.g. Data Provider) when using a Fusion application. To assign a user to an organisation first select the user, then click the 'Organisations' tab. Note that the root user is the only user that cannot be assigned to an organisation, as the root user has full access privileges. The Organisations view will show a hierarchical tree of all the organisations known to the Fusion Security application. These organisations are obtained from the Structure repository. The changes will be immediate in any Fusion application that has been configured to use Fusion Security.
It is possible to promote a user to 'admin' status by clicking the 'Admin enabled' checkbox under the 'User Details' tab. Admin users have the privilege of being able to log into Fusion Security and are able to maintain any user account, including other admin users. The root user is not visible in the UI to any other users and so cannot be modified by any other user.
As part of the administration function admin users can change the password of any user in the system, except root. Root users are allowed to change any user password. It is not possible to discover what a user’s password is as it is encrypted on the server using a strong one way hashing algorithm.
To change a password, first select the user and then click on the 'Change Password' icon under the 'User Details' tab. A pop up dialogue will be displayed, allowing the user's password to be changed. The admin user must re-enter his own password before this operation will be allowed to succeed. The password verification rules are the same as the rules enforced on account creation.
It is possible to change the display name, and email address for a user. It is not possible to change a user's username. To change either the display name or email address select the user's account, and modify these entries in the 'User Details' tab. Click the 'Save' button to action these changes. If an invalid display name (such as an empty display name) or email is entered, then an appropriate error message will be displayed.
It is possible to restrict a user's account so that the user can only log in from computers which match the restricted IP address. The IP address specified may contain wildcarded fields. To restrict a user’s account in this way, select the user, and click the add icon under 'Restrict IP Addresses'.
A pop up dialogue will appear prompting for a full or partial IP. To wildcard part of the IP Address, simply leave it blank, this is shown in Figure 6 below. On completion, click ‘Add IP’ which will have the effect of closing the dialogue, and adding the IP to the list. The change will become effective immediately. You may repeat this process to add as many IP addresses as you like against a particular user.
A user's account may be disabled. A disabled account will prevent the user from logging into any Fusion application with their login credentials. To disable or enable an account, select the user and check/uncheck the 'Account Enabled' checkbox. The user’s name in the list or users will have a 'cross' icon next to it if the account is disabled.
A user's account may be locked and unlocked. A locked account will prevent the user from logging into any Fusion application with their credentials. An account is locked automatically after an excessive number of failed login attempts to any Fusion application. To lock or unlock an account, select the user and click the ‘Lock/Unlock’ button at the top of the page. The account will be locked/unlocked with immediate effect. The user's name in the list of users will have a 'padlock' icon next to it if the account is locked.
Note: If the ROOT Account is locked, then this can only be unlocked by using the command line application, FusionMatrixCL which is discussed in the technical section.
To delete an account, select the user to delete, and click the 'Delete' button at the top of the page. A confirmation dialogue will appear. It is important to note that once confirmed a delete operation cannot be undone. It is important to note that the delete operation does not delete any SDMX Organisation from the structure source: it deletes only the user account that may have been linked to an Organisation(s).
To make a copy of the information persisted by Fusion Security, the database that Fusion Security is communicating with can simply be backed-up in the usual manner. However there is an additional technique. The root user has the ability to import and export user information with the aim of allowing information from one Fusion Security instance to be easily applied to another instance without the necessity for performing database requests and uploads.
Clicking Export will attempt to download all of the user information from Fusion Security. The actual behaviour of what happens is dependent on the behaviour of your browser. If your browser automatically downloads files to a particular directory then that is what will happen. If your browser prompts you for the name and location of the file then that is what will happen.
Once saved to hard-disk the file can then be backed-up as you require.
To import a saved file, use the Import function. A dialog will be displayed requesting a file to be loaded. This should be a file previously exported from Fusion Security. Once loaded in, the new user will be in your Fusion Security system.
There is an important point to note when importing user information. When the import occurs, only users which do not already exist in Fusion Security will be imported from the file. This prevents the root account from being updated with information from the old system. If you wish to overwrite existing users, please delete them from the Fusion Security system before performing the update.
Please note that passwords are encrypted in the exported file. When the user information is applied to a new instance of Fusion Security the passwords will work as they did previously.