Class specific additional properties

In addition to the properties defined through included schemas, this object includes the following additional class-specific properties:

Note: Some properties are only valid for users of a specific type. Such properties are only included in the User object if the user is of that type, as indicated by its type property. For example, a user with a type of "standard" includes the disabled property but not the user-pattern-uri property.

Certain properties are only valid when mutable prerequisite properties have specific values. When such properties are not valid, their value is null. For instance, password-rule-uri is null when the authentication-type value is "ldap".

Table 1. User object: class specific additional properties
Name Qualifier Type Description
type String Enum The type of user. Supported values are:
  • "standard" - a standard, normal user.
  • "template" - a user template.
  • "pattern-based" - a user created dynamically from a User Pattern and its associated template.
  • "system-defined" - a user supplied by the system. Certain properties of system-defined users are immutable.
user-pattern-uri String/URI The canonical URI path of the User Pattern object upon which this user is based.

Prerequisite: type is "pattern-based"

user-template-uri String/URI The canonical URI path of the User Template object upon which this user is based.

Prerequisite: type is "pattern-based"

disabled (w)(pc) Boolean Indicates whether the user is currently disabled. When disabled, the user is prevented from logging on to the console through either the UI or the Web Services APIs.

Prerequisite: type is not "template".

Default: false

authentication-type (w)(pc) String Enum The type of user ID and password authentication used for this user, which must be one of the following:
  • "local" - the console performs the authentication.
  • "ldap" - authentication is delegated to the LDAP server identified in the ldap-server-definition-uri property.

If type is "template", this must be "ldap".

Note: The value of this property is a prerequisite for certain other properties. Changing this value requires certain properties to be included in the same request; see the Update User Properties operation for details.
password-rule-uri (w)(pc) String/URI The canonical URI path of the Password Rule for this user.

Prerequisite: authentication-type is "local".

password (wo)(pc) String The console logon password for this user. The specific length, character and other requirements on this password are controlled by the authentication type and Password Rule assigned to this user.

Note the (wo) qualifier; this field may be altered through an API, but it is not included in the response when this object's properties are retrieved through an API.

password-expires Integer The time interval, in days, until the user's current password expires. A value of 0 indicates that the password will expire within the next 24 hours. A value of -1 indicates that the HMC does not enforce password expiration for this user; however, if this user is authenticated with an external authentication mechanism (e.g. LDAP) such expiration might be enforced by that mechanism.
force-password-change (w)(pc) Boolean Indicates whether the user should be forced to change their console logon password the next time they log in.

Prerequisite: authentication-type is "local"

Default: true

ldap-server-definition-uri (w)(pc) String/URI The canonical URI path of the configuration object for the LDAP server used for authentication of this user.

Prerequisite: authentication-type is "ldap".

userid-on-ldap-server (w)(pc) String (0-32) The user ID for this user on the LDAP server identified in ldap-server-definition-uri, or null if the user's console user ID (value of the name property) should be used. See the LDAP Server Definition object for more information on how this property is used.

Prerequisite: authentication-type is "ldap" and type is not "template".

Default: an empty string

session-timeout (w)(pc) Integer (0-525600) The session timeout in minutes for this user. This is the interval over which a user's UI session can run before being prompted for identity verification. 0 indicates no timeout.

Default: 0

verify-timeout (w)(pc) Integer (0-525600) The verification timeout in minutes for this user. This is the amount of time allowed for the user to re-enter their password after being prompted due to a session timeout (see the session-timeout property). 0 indicates no timeout.

Default: 15

idle-timeout (w)(pc) Integer (0-525600) The idle timeout in minutes for this user. This is the amount of time the user's UI session can be idle before it is disconnected. 0 indicates no timeout.

Default: 0

min-pw-change-time (w)(pc) Integer (0-525600) The minimum password change time in minutes for this user. This is the minimum amount of time that must elapse between changes to this user's password. 0 indicates no minimum; that is, the password can be changed immediately after it has just been changed.

Prerequisite: authentication-type is "local".

Default: 0

max-failed-logins (w)(pc) Integer (0-525600) The maximum number of failed login attempts for this user. This is the maximum number of consecutive failed login attempts before the user is temporarily disabled for the amount of time specified in the disable-delay property. 0 indicates that the user is never disabled due to failed login attempts.

Default: 3

disable-delay (w)(pc) Integer (0-525600) The time in minutes that the user is disabled after exceeding the maximum number of failed login attempts specified in the max-failed-logins property. 0 indicates that the user is not disabled for any period of time after reaching the maximum number of invalid login attempts.

Default: 1

inactivity-timeout (w)(pc) Integer (0-525600) The inactivity timeout in days for this user. This is the maximum number of days of inactivity (consecutive days with no login) before the user is disabled. 0 indicates no timeout.

Default: 0

disruptive-pw-required (w)(pc) Boolean Indicates whether the user's password is required to perform disruptive actions through the UI.

Default: true

disruptive-text-required (w)(pc) Boolean Indicates whether text input is required to perform disruptive actions through the UI.

Default: false

allow-remote-access (w)(pc) Boolean Indicates whether the user is allowed to access the HMC through its remote web server interface.

Default: false

allow-management-interfaces (w)(pc) Boolean Indicates whether the user is allowed access to management interfaces. This includes access to the Web Services APIs.

Default: false

max-web-services-api-sessions (w)(pc) Integer (0-9999) The maximum number of simultaneous Web Services API sessions the user is permitted to have.

Default: 100

web-services-api-session-idle-timeout (w)(pc) Integer (1-360) The idle timeout in minutes for Web Services API sessions created by this user. This is the amount of time a Web Services API session can be idle before it is terminated.

Default: 360
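The lockout and timeout properties above interact: max-failed-logins only produces a temporary disable when disable-delay is non-zero, and 0 means "no limit" for session-timeout, idle-timeout and inactivity-timeout, so a user left at the documented defaults has no UI idle or session timeout, is never disabled for inactivity, and is locked out for only one minute after three failed logins. The following Python audit is an added example, not part of the HMC documentation or of any IBM code; it evaluates User objects (as returned by a Get User Properties call, or assembled by hand) against the documented meaning of these values and against hardening thresholds in BASELINE that are this example's own assumptions. The sample User objects are constructed.

```python
"""Audit HMC User objects for weak lockout and timeout settings.

Added example; not part of the HMC API documentation or any IBM code.
The DEFAULTS values and the meaning of 0 / -1 come from the property
table; the BASELINE thresholds are this example's own assumptions.
"""
from typing import Any, Dict, List, Optional, Tuple

# Documented defaults for the properties inspected here.
DEFAULTS: Dict[str, Any] = {
    "session-timeout": 0,                          # minutes; 0 = no timeout
    "idle-timeout": 0,                             # minutes; 0 = no timeout
    "max-failed-logins": 3,                        # 0 = never disabled
    "disable-delay": 1,                            # minutes; 0 = not disabled
    "inactivity-timeout": 0,                       # days; 0 = no timeout
    "allow-management-interfaces": False,
    "max-web-services-api-sessions": 100,
    "web-services-api-session-idle-timeout": 360,  # minutes
}

# Hardening thresholds assumed by this example (not HMC requirements).
BASELINE: Dict[str, int] = {
    "max_failed_logins": 5,      # lock after no more than this many failures
    "min_disable_delay": 15,     # minutes the lockout should last, at least
    "max_idle_timeout": 30,      # minutes before a UI session is disconnected
    "max_session_timeout": 480,  # minutes before identity re-verification
    "max_inactivity_days": 90,   # days of inactivity before disabling
    "max_api_idle_timeout": 60,  # minutes for Web Services API sessions
    "max_api_sessions": 10,      # simultaneous API sessions per user
}


def effective(user: Dict[str, Any], prop: str) -> Any:
    """Value of prop on the User object, or the documented default if absent/null."""
    value = user.get(prop)
    return DEFAULTS[prop] if value is None else value


def lockout_policy(user: Dict[str, Any]) -> Optional[Tuple[int, int]]:
    """Return (attempts, minutes) describing when failed logins disable the user,
    or None if they never do: max-failed-logins 0 means never disabled, and
    disable-delay 0 means the user is not disabled for any period of time."""
    attempts = effective(user, "max-failed-logins")
    minutes = effective(user, "disable-delay")
    if attempts == 0 or minutes == 0:
        return None
    return attempts, minutes


def audit_user(user: Dict[str, Any], baseline: Dict[str, int] = BASELINE) -> List[str]:
    """Return human-readable findings for one User object (empty list = passes)."""
    findings: List[str] = []
    name = user.get("name", "<unnamed>")

    policy = lockout_policy(user)
    if policy is None:
        findings.append(f"{name}: failed logins never disable the account "
                        f"(max-failed-logins={effective(user, 'max-failed-logins')}, "
                        f"disable-delay={effective(user, 'disable-delay')})")
    else:
        attempts, minutes = policy
        if attempts > baseline["max_failed_logins"]:
            findings.append(f"{name}: max-failed-logins {attempts} exceeds baseline")
        if minutes < baseline["min_disable_delay"]:
            findings.append(f"{name}: disable-delay {minutes} min is below baseline")

    idle = effective(user, "idle-timeout")
    if idle == 0 or idle > baseline["max_idle_timeout"]:
        findings.append(f"{name}: idle-timeout {idle} (0 = idle UI session is never disconnected)")
    session = effective(user, "session-timeout")
    if session == 0 or session > baseline["max_session_timeout"]:
        findings.append(f"{name}: session-timeout {session} (0 = identity is never re-verified)")
    inactive = effective(user, "inactivity-timeout")
    if inactive == 0 or inactive > baseline["max_inactivity_days"]:
        findings.append(f"{name}: inactivity-timeout {inactive} days (0 = dormant account never disabled)")

    # password-expires is read-only; -1 means the HMC itself enforces no expiration.
    if user.get("password-expires") == -1 and user.get("authentication-type") == "local":
        findings.append(f"{name}: local password never expires (password-expires=-1)")

    if effective(user, "allow-management-interfaces"):
        api_idle = effective(user, "web-services-api-session-idle-timeout")
        if api_idle > baseline["max_api_idle_timeout"]:
            findings.append(f"{name}: web-services-api-session-idle-timeout {api_idle} exceeds baseline")
        sessions = effective(user, "max-web-services-api-sessions")
        if sessions > baseline["max_api_sessions"]:
            findings.append(f"{name}: max-web-services-api-sessions {sessions} exceeds baseline")
    return findings


# Constructed sample User objects (not real HMC data); absent properties take DEFAULTS.
SAMPLE_USERS: List[Dict[str, Any]] = [
    {"name": "factory-defaults", "type": "standard", "authentication-type": "local",
     "password-expires": 30},
    {"name": "hardened", "type": "standard", "authentication-type": "local",
     "session-timeout": 240, "idle-timeout": 15, "max-failed-logins": 5,
     "disable-delay": 30, "inactivity-timeout": 60, "password-expires": 12,
     "allow-management-interfaces": True, "max-web-services-api-sessions": 5,
     "web-services-api-session-idle-timeout": 30},
    {"name": "no-lockout", "type": "standard", "authentication-type": "local",
     "max-failed-logins": 0, "session-timeout": 240, "idle-timeout": 15,
     "inactivity-timeout": 60, "password-expires": -1},
]

if __name__ == "__main__":
    for sample in SAMPLE_USERS:
        for line in audit_user(sample) or [f"{sample['name']}: no findings"]:
            print(line)
```

Run as-is, the "factory-defaults" user produces four findings (short disable-delay and the three zero timeouts), "hardened" produces none, and "no-lockout" is flagged for never locking out and for a non-expiring local password. Absent properties fall back to the documented defaults on purpose, so the audit gives the same answer for a freshly created user whether or not the caller retrieved every property.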

user-roles (c)(pc) Array of String/URI The list of user roles defined for this user. Each element in this array is a canonical URI path for a User Role object. The roles provided in this list can change as a result of the Add User Role to User and Remove User Role from User operations.

This property is immutable if type is "system-defined".

default-group-uri (w)(pc) String/URI The canonical URI path of the user's default group, or null if the user has no default group. Managed objects created by this user automatically become members of this group. This must be a user-defined group to which the user has object-access permission.

API users are permitted to change their own default group designation through the Update User Properties operation.

Default: null

replication-overwrite-possible Boolean Indicates whether this object is customizable data that is replicated to this HMC from an HMC configured as a Data Source in the Data Replication service.

multi-factor-authentication-required (w)(pc) Boolean Indicates whether the user is required to use the HMC's built-in MFA support. If true, the user is required to enter their current TOTP multi-factor authentication code (time-based one-time password) in addition to their logon password during UI and API logons. Setting this to true will cause mfa-types to be set to a one-element array containing "hmc-totp". Setting this to false will cause mfa-types to be set to null if "hmc-totp" is present.

Default: false

force-shared-secret-key-change (w)(pc) Boolean Indicates whether the user is required to establish a new shared secret key during the next logon. The shared secret key is used to calculate the user's current multi-factor authentication code, which is required during logon.

Prerequisite: multi-factor-authentication-required is true

Default: false

email-address (w)(pc) String (0-254) The user's email address or null if the user has no email address. This email address must roughly adhere to Internet Engineering Task Force (IETF) RFC 822.

mfa-types (w)(pc) Array of String Enum Identifies the types of multi-factor authentication (MFA) the user is required to use when logging onto the HMC, or null if MFA is not required. When setting this property, the API client program is responsible for keeping it and multi-factor-authentication-required consistent. Each element of this array must be unique and must be one of the following:
  • "hmc-totp" - Time-based one-time password validated by the HMC. This is equivalent to setting multi-factor-authentication-required to true. If present in the array, it must be the only element of the array.
  • "mfa-server" - Additional factors validated by an MFA server.

Default: null

primary-mfa-server-definition-uri (w)(pc) String/URI The canonical URI path of the MFA Server Definition object for the primary MFA server used to authenticate the user.

Prerequisite: mfa-types contains "mfa-server"

Default: null

backup-mfa-server-definition-uri (w)(pc) String/URI The canonical URI path of the MFA Server Definition object for the backup MFA server used to authenticate the user, or null if there is no backup server. Must specify a different MFA server than the primary MFA server.

Prerequisite: mfa-types contains "mfa-server"

Default: null

mfa-policy (w)(pc) String (1-64) The name of the MFA policy, such as a RACF® Policy, that applies to the user when an MFA server authenticates the user. It must identify a policy whose only MFA factor is the RSA SecurID factor.

Prerequisite: mfa-types contains "mfa-server"

Default: null

mfa-userid (w)(pc) String (1-64) The MFA user ID. This is a user ID, such as a RACF user ID, that identifies this user to the MFA server that authenticates this user. For User objects with a type of "pattern-based", this property's default value may be overridden by the LDAP attribute identified by mfa-userid-override.

Prerequisite: type is not "template", and mfa-types contains "mfa-server"

Default: same value as name property

mfa-userid-override (w)(pc) String (1-256) The name of the LDAP attribute that contains the MFA user ID, such as a RACF user ID, that identifies the user to the MFA server that authenticates the user, or null if there is no such attribute. This can be used to override the value of the mfa-userid property during authentication.

If the named LDAP attribute does not exist in a user's directory entry, or it exists but is empty, then the user's MFA user ID is not altered.

Prerequisite: type is "template", and mfa-types contains "mfa-server"

Default: null
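The prerequisite rules spread across this table (a property is null when its prerequisite is not met, template users must use "ldap" authentication, "hmc-totp" must be the only element of mfa-types, mfa-types must agree with multi-factor-authentication-required, and the backup MFA server must differ from the primary) are easy to violate when a client assembles an Update User Properties request from several sources. The following Python checker is an added example, not part of the HMC documentation or of any IBM client library; it encodes those rules, as stated in the authentication entries and the MFA entries above, so a client can flag an inconsistent User object before sending it, or an audit script can flag one after retrieving it. The sample User objects and their URI values are constructed placeholders, not real HMC paths.

```python
"""Consistency checks for HMC Web Services API User objects.

Added example; not part of the HMC API documentation or any IBM code.
Each rule below is taken from the property table: a property whose
prerequisite is not satisfied must be null, templates must use "ldap",
"hmc-totp" must be the only element of mfa-types, mfa-types must agree
with multi-factor-authentication-required, and the backup MFA server
must differ from the primary.
"""
from typing import Any, Callable, Dict, List

User = Dict[str, Any]
Rule = Callable[[User], bool]


def _mfa_types(user: User) -> List[str]:
    return user.get("mfa-types") or []


def _uses_mfa_server(user: User) -> bool:
    return "mfa-server" in _mfa_types(user)


# property -> predicate that must hold for the property to have a non-null value
PREREQUISITES: Dict[str, Rule] = {
    "user-pattern-uri": lambda u: u.get("type") == "pattern-based",
    "user-template-uri": lambda u: u.get("type") == "pattern-based",
    "disabled": lambda u: u.get("type") != "template",
    "password-rule-uri": lambda u: u.get("authentication-type") == "local",
    "force-password-change": lambda u: u.get("authentication-type") == "local",
    "min-pw-change-time": lambda u: u.get("authentication-type") == "local",
    "ldap-server-definition-uri": lambda u: u.get("authentication-type") == "ldap",
    "userid-on-ldap-server": lambda u: (u.get("authentication-type") == "ldap"
                                        and u.get("type") != "template"),
    "force-shared-secret-key-change": lambda u: u.get("multi-factor-authentication-required") is True,
    "primary-mfa-server-definition-uri": _uses_mfa_server,
    "backup-mfa-server-definition-uri": _uses_mfa_server,
    "mfa-policy": _uses_mfa_server,
    "mfa-userid": lambda u: u.get("type") != "template" and _uses_mfa_server(u),
    "mfa-userid-override": lambda u: u.get("type") == "template" and _uses_mfa_server(u),
}

VALID_MFA_TYPES = {"hmc-totp", "mfa-server"}


def check_user(user: User) -> List[str]:
    """Return a list of rule violations (empty when the object is consistent)."""
    problems: List[str] = []

    for prop, prereq in PREREQUISITES.items():
        if user.get(prop) is not None and not prereq(user):
            problems.append(f"{prop} must be null because its prerequisite is not met")

    if user.get("type") == "template" and user.get("authentication-type") != "ldap":
        problems.append('authentication-type must be "ldap" when type is "template"')

    mfa_types = user.get("mfa-types")
    if mfa_types is not None:
        if len(set(mfa_types)) != len(mfa_types):
            problems.append("mfa-types elements must be unique")
        unknown = sorted(set(mfa_types) - VALID_MFA_TYPES)
        if unknown:
            problems.append(f"mfa-types contains unsupported values: {unknown}")
        if "hmc-totp" in mfa_types and len(mfa_types) != 1:
            problems.append('"hmc-totp" must be the only element of mfa-types')

    # The boolean flag and the array describe the same requirement and must agree.
    totp_required = "hmc-totp" in _mfa_types(user)
    if bool(user.get("multi-factor-authentication-required")) != totp_required:
        problems.append("multi-factor-authentication-required disagrees with mfa-types")

    backup = user.get("backup-mfa-server-definition-uri")
    if backup is not None and backup == user.get("primary-mfa-server-definition-uri"):
        problems.append("backup-mfa-server-definition-uri must differ from the primary MFA server")

    return problems


# Constructed sample objects; URI values are placeholders, not real HMC paths.
SAMPLE_USERS: Dict[str, User] = {
    "local-ok": {
        "name": "opsadmin", "type": "standard", "authentication-type": "local",
        "password-rule-uri": "/api/example/password-rules/1",
        "ldap-server-definition-uri": None,
        "multi-factor-authentication-required": True,
        "mfa-types": ["hmc-totp"],
        "force-shared-secret-key-change": False,
    },
    "bad-template": {
        "name": "ldap-template", "type": "template",
        "authentication-type": "local",            # templates must use "ldap"
        "userid-on-ldap-server": "svc",            # not valid for templates
        "multi-factor-authentication-required": False,
        "mfa-types": ["hmc-totp", "mfa-server"],   # "hmc-totp" must stand alone
    },
    "ldap-bad": {
        "name": "jdoe", "type": "standard", "authentication-type": "ldap",
        "ldap-server-definition-uri": "/api/example/ldap-server-definitions/1",
        "password-rule-uri": "/api/example/password-rules/1",   # must be null for "ldap"
        "multi-factor-authentication-required": False,
        "mfa-types": ["mfa-server"],
        "primary-mfa-server-definition-uri": "/api/example/mfa-server-definitions/1",
        "backup-mfa-server-definition-uri": "/api/example/mfa-server-definitions/1",  # same as primary
        "mfa-policy": "SECURID-ONLY", "mfa-userid": "JDOE",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLE_USERS.items():
        print(label, check_user(sample) or "consistent")
```

The checker treats an absent property as not supplied (the HMC omits properties that do not apply to the user's type), so only a present, non-null value whose prerequisite fails is reported. "bad-template" produces four violations (the LDAP user ID on a template, local authentication on a template, "hmc-totp" combined with "mfa-server", and the flag disagreeing with the array); "ldap-bad" produces two (a Password Rule on an LDAP user, and a backup MFA server equal to the primary).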