Forum Discussion
cap08
Contributor, 1 year ago
OneStream Administrator Native User
Hi,
Does OneStream require the OneStream provided 'Administrator' security user? Can you tell me why it's required and how it is used? Administrator is a Native account, and our audit department wants our users to be SSO. What would be the impact of changing the Administrator user account from Native to SSO?
Thanks!
8 Replies
- T_Kress
OneStream Employee
The Administrator user is the only user that exists at the initial install and creation of your OneStream environment. A random password generator is used to generate a long, complex password for this user, which is then stored in an encrypted vault. OneStream Support uses this ID when you open a support case and grant them permission for troubleshooting or upgrades.
You can change the password or disable this user, but it is not recommended. If you need to do so, reach out to OS support.
Also, this user name is unaffected by inactivity thresholds and password expiration requirements that prevent users from logging in after a specific period elapses or being forced to change their password. And, it cannot be deleted. This is the one user who can always manage artifacts, data, and tools within an environment.
The Administrators group is similar. It is there by default, along with Everyone and Nobody. You can add people to the Administrators group, but you cannot change its properties. This is, in a sense, to protect you from locking yourself out. If you did not have a system admin group, you could potentially make security changes that would prevent even admins from doing certain things.
- cap08
Contributor
When you say, 'encrypted vault', do you mean where the OS secrets are kept? Was that already done? I created a sys parm named 'Administrator' with its password so it's in the secret vault. I wanted to have a place where administrators can see it if necessary. Was that OK?
- T_Kress
OneStream Employee
Yes, I believe so. I believe it is an encrypted OneStream vault in Azure. But if you have any doubts, you can open a support case to confirm.
- TGG_Alex
Contributor II
T_Kress - to clarify, if the Native Administrator account is disabled using the out-of-the-box capability available on the system tab, will this prevent OneStream Support from accessing the environment when required?
As pointed out by others, active use of this account, versus members of the Administrators group, can convolute accountability of actions performed by users.
- T_Kress
OneStream Employee
If you disable this native Administrator user, it will prevent support from logging in when required (upgrades, troubleshooting, etc.). I would not disable it, or would at least re-enable it before support is needed for things like an upgrade.
If you need to change the password, you will want to coordinate with OneStream Support. You will need to schedule a time when your environment will be offline for approximately two hours to get this password changed and restored in the encrypted key vault.
- MarcusH
Valued Contributor
We do not use the native user Administrator precisely because of the audit problems (it can be turned off in the Application Server Config file). Instead, we assign users who need such access to the Administrators group. It gives them the same access and they have to use their SSO IDs.
The Administrator user and Administrators group are not needed, but if you do not use them you will have problems, mainly with managing security. Non-Administrators who have access to ManageSystemSecurityUsers cannot change their own security, which includes changing the setup of the groups they are in. As an example, this means that these non-Admins cannot make another user a Security Administrator because that is the security they have and that would be a change. There are ways around this but we decided that was too much of a burden. We have 3/4 users in the Administrators group who also manage the security. Anyone else who needs Admin access is given AdministerApplication.
- cap08
Contributor
Thanks for this information!
- cap08
Contributor
Thank you!