cap08
New Contributor III
14 days ago
Solved

OneStream Administrator Native User

Hi, 

Does OneStream require the OneStream-provided 'Administrator' security user? Can you tell me why it's required and how it is used? Administrator is a Native account, and our audit department wants our users to be SSO. What would be the impact of changing the Administrator user account from Native to SSO?

Thanks! 

6 Replies

  • T_Kress
    Valued Contributor

    The Administrator user is the only user that exists at the initial install and creation of your OneStream environment.  A random password generator is used to generate a long, complex password for this user, which is then stored in an encrypted vault. OneStream Support uses this ID when you open a support case and grant them permission for troubleshooting or upgrades.

    You can change the password or disable this user, but it is not recommended.  If you need to do so, reach out to OS support.

    Also, this user name is unaffected by inactivity thresholds and password expiration requirements that prevent users from logging in after a specific period elapses or being forced to change their password. And, it cannot be deleted. This is the one user who can always manage artifacts, data, and tools within an environment. 

    The Administrators group is similar. It is there by default, along with Everyone and Nobody. You can add people to the Administrators group, but you cannot change its properties. In a sense, this is to protect you from locking yourself out. If you did not have a system admin group, you could potentially make security changes that could prevent even admins from doing certain things.

    • cap08
      New Contributor III

      When you say, 'encrypted vault', do you mean where the OS secrets are kept?  Was that already done? I created a sys parm named 'Administrator' with its password so it's in the secret vault. I wanted to have a place where administrators can see it if necessary. Was that OK?

      • T_Kress
        Valued Contributor

        Yes, I believe so. I believe it is an encrypted OneStream vault in Azure. But if you have any doubts, you can open a support case to confirm.

  • MarcusH
    Valued Contributor

    We do not use the native user Administrator precisely because of the audit problems (it can be turned off in the Application Server Config file). Instead, we assign users who need such access to the Administrators group. It gives them the same access and they have to use their SSO IDs.

    The Administrator user and Administrators group are not needed, but if you do not use them you will have problems, mainly with managing security. Non-Administrators who have access to ManageSystemSecurityUsers cannot change their own security, which includes changing the setup of the groups they are in. As an example, this means that these non-Admins cannot make another user a Security Administrator because that is the security they have and that would be a change. There are ways around this, but we decided that was too much of a burden. We have 3/4 users in the Administrators group who also manage the security. Anyone else who needs Admin access is given AdministerApplication.

    • cap08
      New Contributor III

      Thanks for this information!