cap08
Contributor
1 year ago
OneStream Administrator Native User
Hi,
Does OneStream require the OneStream provided 'Administrator' security user? Can you tell me why it's required and how it is used? Administrator is a Native account, and our audit department ...
T_Kress
OneStream Employee
1 year ago
The Administrator user is the only user that exists at the initial install and creation of your OneStream environment. A random password generator is used to generate a long, complex password for this user, which is then stored in an encrypted vault. OneStream Support uses this ID when you open a support case and grant them permission for troubleshooting or upgrades.
You can change the password or disable this user, but it is not recommended. If you need to do so, reach out to OS support.
Also, this user name is unaffected by inactivity thresholds and password expiration requirements that prevent users from logging in after a specific period elapses or being forced to change their password. And, it cannot be deleted. This is the one user who can always manage artifacts, data, and tools within an environment.
The Administrators group is similar. It is there by default, along with Everyone and Nobody. You can add people to the Administrators group, but you cannot change its properties, in a sense to protect you from locking yourself out. If you did not have a system admin group, you could potentially make security changes to which you could prevent even admins from doing certain things.
- cap08, Contributor, 1 year ago
When you say, 'encrypted vault', do you mean where the OS secrets are kept? Was that already done? I created a sys parm named 'Administrator' with its password so it's in the secret vault. I wanted to have a place where administrators can see it if necessary. Was that OK?
- T_Kress, OneStream Employee, 1 year ago
Yes, I believe so. I believe it is an encrypted OneStream vault in Azure. But if you have any doubts, you can open a support case to confirm.
- TGG_Alex, Contributor II, 4 months ago
T_Kress - to clarify, if the Native Administrator account is disabled using the out of box capability available on the system tab, will this prevent OneStream Support from accessing the environment when required?
As pointed out by others, active use of this account versus members of Administrators Group, can convolute accountability of actions performed by users.
- T_Kress, OneStream Employee, 4 months ago
If you disable this native Administrator user, it will prevent support from logging in when required (upgrades, troubleshooting, etc.). I would not disable or at least re-enable before support is needed for things like an upgrade.
If you need to change the password, you will want to coordinate with OneStream Support. You will need to schedule a time when your environment will be offline for approximately two hours, to get this password changed and restored in the encrypted key vault.