Class specific additional properties
In addition to the properties defined through included schemas, this object includes the following additional class-specific properties:
Certain properties are only valid when mutable prerequisite properties have specific values. When such properties are not valid, their value is null. For instance, the password-rule-uri is null when the authentication-type value is "ldap".
Name | Qualifier | Type | Description |
---|---|---|---|
type | — | String Enum | The type of user. Supported values are: |
user-pattern-uri | — | String/URI | The canonical URI path of the User Pattern object upon which this user is based. Prerequisite: type is "pattern-based". |
user-template-uri | — | String/URI | The canonical URI path of the User Template object upon which this user is based. Prerequisite: type is "pattern-based". |
disabled | (w)(pc) | Boolean | Indicates whether the user is currently disabled. When disabled, the user is prevented from logging on to the console through either the UI or the Web Services APIs. Prerequisite: type is not "template". Default: false |
authentication-type | (w)(pc) | String Enum | The type of user ID and password authentication used for this user, which must be one of the following: If type is "template", this must be "ldap". Note: The value of this property is a prerequisite for certain other properties. Changing this value requires certain properties to be included in the same request; see the Update User Properties operation for details. |
password-rule-uri | (w)(pc) | String/URI | The canonical URI path of the Password Rule for this user. Prerequisite: authentication-type is "local". |
password | (wo)(pc) | String | The console logon password for this user. The specific length, character and other requirements on this password are controlled by the authentication type and Password Rule assigned to this user. Note the (wo) qualifier; this field may be altered through an API, but it is not included in the response when this object's properties are retrieved through an API. |
password-expires | — | Integer | The time interval, in days, until the user's current password expires. A value of 0 indicates that the password will expire within the next 24 hours. A value of -1 indicates that the HMC does not enforce password expiration for this user; however, if this user is authenticated with an external authentication mechanism (e.g. LDAP) such expiration might be enforced by that mechanism. |
force-password-change | (w)(pc) | Boolean | Indicates whether the user should be forced to change their console logon password the next time they log in. Prerequisite: authentication-type is "local". Default: true |
ldap-server-definition-uri | (w)(pc) | String/URI | The canonical URI path of the configuration object for the LDAP server used for authentication of this user. Prerequisite: authentication-type is "ldap". |
userid-on-ldap-server | (w)(pc) | String (0-32) | The user ID for this user on the LDAP server identified in ldap-server-definition-uri, or null if the user's console user ID (value of the name property) should be used. See the LDAP Server Definition object for more information on how this property is used. Prerequisite: authentication-type is "ldap" and type is not "template". Default: an empty string |
session-timeout | (w)(pc) | Integer (0-525600) | The session timeout in minutes for this user. This is the interval over which a user's UI session can run before being prompted for identity verification. 0 indicates no timeout. Default: 0 |
verify-timeout | (w)(pc) | Integer (0-525600) | The verification timeout in minutes for this user. This is the amount of time allowed for the user to re-enter their password after being prompted due to a session timeout (see the session-timeout property). 0 indicates no timeout. Default: 15 |
idle-timeout | (w)(pc) | Integer (0-525600) | The idle timeout in minutes for this user. This is the amount of time the user's UI session can be idle before it is disconnected. 0 indicates no timeout. Default: 0 |
min-pw-change-time | (w)(pc) | Integer (0-525600) | The minimum password change time in minutes for this user. This is the minimum amount of time that must elapse between changes to this user's password. 0 indicates no minimum; that is, the password can be changed immediately after it has just been changed. Prerequisite: authentication-type is "local". Default: 0 |
max-failed-logins | (w)(pc) | Integer (0-525600) | The maximum number of failed login attempts for this user. This is the maximum number of consecutive failed login attempts before the user is temporarily disabled for the amount of time specified in the disable-delay property. 0 indicates that the user is never disabled due to failed login attempts. Default: 3 |
disable-delay | (w)(pc) | Integer (0-525600) | The time in minutes that the user is disabled after exceeding the maximum number of failed login attempts specified in the max-failed-logins property. 0 indicates that the user is not disabled for any period of time after reaching the maximum number of invalid login attempts. Default: 1 |
inactivity-timeout | (w)(pc) | Integer (0-525600) | The inactivity timeout in days for this user. This is the maximum number of days of inactivity (consecutive days with no login) before the user is disabled. 0 indicates no timeout. Default: 0 |
disruptive-pw-required | (w)(pc) | Boolean | Indicates whether the user's password is required to perform disruptive actions through the UI. Default: true |
disruptive-text-required | (w)(pc) | Boolean | Indicates whether text input is required to perform disruptive actions through the UI. Default: false |
allow-remote-access | (w)(pc) | Boolean | Indicates whether the user is allowed to access the HMC through its remote web server interface. Default: false |
allow-management-interfaces | (w)(pc) | Boolean | Indicates whether the user is allowed access to management interfaces. This includes access to the Web Services APIs. Default: false |
max-web-services-api-sessions | (w)(pc) | Integer (0-9999) | The maximum number of simultaneous Web Services API sessions the user is permitted to have. Default: 100 |
web-services-api-session-idle-timeout | (w)(pc) | Integer (1-360) | The idle timeout in minutes for Web Services API sessions created by this user. This is the amount of time a Web Services API session can be idle before it is terminated. Default: 360 |
user-roles | (c)(pc) | Array of String/URI | The list of user roles defined for this user. Each element in this array is a canonical URI path for a User Role object. The roles provided in this list can change as a result of the Add User Role to User and Remove User Role from User operations. This property is immutable if type is "system-defined". |
default-group-uri | (w)(pc) | String/URI | The canonical URI path of the user's default group or null if the user has no default group. Managed objects created by this user automatically become members of this group. The user must have object-access permission to this group. This must be a user-defined group to which the user has object-access permission. API users are permitted to change their own default group designation through the Update User Properties operation. Default: null |
replication-overwrite-possible | — | Boolean | Indicates whether this object is customizable data that is replicated to this HMC from an HMC configured as a Data Source in the Data Replication service. |
multi-factor-authentication-required | (w)(pc) | Boolean | Indicates whether the user is required to use the HMC's built-in MFA support. If true, the user is required to enter their current TOTP multi-factor authentication code (time-based one-time password) in addition to their logon password during UI and API logons. Setting this to true will cause mfa-types to be set to a one-element array containing "hmc-totp". Setting this to false will cause mfa-types to be set to null if "hmc-totp" is present. Default: false |
force-shared-secret-key-change | (w)(pc) | Boolean | Indicates whether the user is required to establish a new shared secret key during the next logon. The shared secret key is used to calculate the user's current multi-factor authentication code, which is required during logon. Prerequisite: multi-factor-authentication-required is true. Default: false |
email-address | (w)(pc) | String (0-254) | The user's email address or null if the user has no email address. This email address must roughly adhere to Internet Engineering Task Force (IETF) RFC 822. |
mfa-types | (w)(pc) | Array of String Enum | Identifies the types of multi-factor authentication (MFA) the user is required to use when logging onto the HMC, or null if MFA is not required. When setting this property, the API client program is responsible for keeping it and multi-factor-authentication-required consistent. Each element of this array must be unique and must be one of the following: Default: null |
primary-mfa-server-definition-uri | (w)(pc) | String/URI | The canonical URI path of the MFA Server Definition object for the primary MFA server used to authenticate the user. Prerequisite: mfa-types contains "mfa-server". Default: null |
backup-mfa-server-definition-uri | (w)(pc) | String/URI | The canonical URI path of the MFA Server Definition object for the backup MFA server used to authenticate the user, or null if there is no backup server. Must specify a different MFA server than the primary MFA server. Prerequisite: mfa-types contains "mfa-server". Default: null |
mfa-policy | (w)(pc) | String (1-64) | The name of the MFA policy, such as a RACF® Policy, that applies to the user when an MFA server authenticates the user. It must identify a policy whose only MFA factor is the RSA SecurID factor. Prerequisite: mfa-types contains "mfa-server". Default: null |
mfa-userid | (w)(pc) | String (1-64) | The MFA user ID. This is a user ID, such as a RACF user ID, that identifies this user to the MFA server that authenticates this user. For User objects with a type of "pattern-based", this property's default value may be overridden by the LDAP attribute identified by mfa-userid-override. Prerequisite: type is not "template", and mfa-types contains "mfa-server". Default: same value as name property |
mfa-userid-override | (w)(pc) | String (1-256) | The name of the LDAP attribute that contains the MFA user ID, such as a RACF user ID, that identifies the user to the MFA server that authenticates the user, or null if there is no such attribute. This can be used to override the value of the mfa-userid property during authentication. If the named LDAP attribute does not exist in a user's directory entry, or it exists but is empty, then the user's MFA user ID is not altered. Prerequisite: type is "template", and mfa-types contains "mfa-server". Default: null |