The OneStream Community is temporarily frozen until June 29th due to the ongoing maintenance. Please read the blog post here to learn more.
Forum Discussion
Solved
OneStream Administrator Native User
Hi,
Does OneStream require the OneStream provided 'Administrator' security user? Can you tell me why it's required and how it is used? Administrator is a Native account, and our audit department ...
The Administrator user is the only user that exists at the initial install and creation of your OneStream environment. A random password generator is used to generate a long, complex password for this user, which is then stored in an encrypted vault. OneStream Support uses this ID when you open a support case and grant them permission for troubleshooting or upgrades.
You can change the password or disable this user, but it is not recommended. If you need to do so, reach out to OS support.
Also, this user name is unaffected by inactivity thresholds and password expiration requirements that prevent users from logging in after a specific period elapses or being forced to change their password. And, it cannot be deleted. This is the one user who can always manage artifacts, data, and tools within an environment.
The Administrators group is similar. It is there by default, along with Everyone and Nobody. You can add people to Administrators group, but you cannot change it's properties. In a sense to protect you from locking yourself out. If you did not have a system admin group, you could potentially make security changes to which you could prevent even admins from doing certain things.
We do not use the native user Administrator precisely because of the audit problems (it can be turned off in the Application Server Config file). Instead we assign users who need such access to the Administrators group. It gives them the same access and they have to use their SSO ids.
The Administrator user and Administrators group are not needed but if you do not use them you will have problems mainly with managing security. Non-Administrators who have access to ManageSystemSecurityUsers cannot change their own security which includes changing the set up of the groups they are in. As an example, this means that these non-Admins cannot make another user a Security Administrator because that is the security they have and that would be a change. There are ways around this but we decided that was too much of a burden. We have 3/4 users in the Administrators group who also manage the security. Anyone else who needs Admin access is given AdministerApplication.
Thanks for this information!
