Users & Server Security
This topic covers the security implications of which user you select to run Enfold Server on your machine. This user is called the service user. You initially choose a service user during the installation wizard, but you can change that later with the Encontrol utility. (See Using Encontrol and Installing with the Enfold Server install wizard).
The word "user" can refer to many different things in Plone and Enfold Server.
The (Windows) user installing Enfold Server should have local Administrator rights on the machine (regardless of whether the user needs to login to a Windows domain). This is usually the same user on Windows who is running the Encontrol utility (and who can turn on/off services).
Zope user. This is the user (created during the Installation wizard) which allows you to access the Zope Management Interface (ZMI). This is functionally equivalent to a user who has been assigned the Manager Role and can sometimes be referred to as Zope Administrator. With this user you can sign in to the ZMI and Plone site regardless of which authentication profile you may have configured. Note: if you lose the Zope user's password, you will need to use Encontrol to create an emergency user to update the Zope user's password. (See Setting Up and Using the Emergency User).
Plone user. This refers to any user who can login to a website running Enfold Server (and presumably write or edit content). This Plone user can have been created inside Active Directory (see Windows Single Signon) or LDAP. Enfold Server lets you link this Windows domain user to Plone. A simple Plone user is created and managed directly from within Plone Site Setup (read more about creating simple Plone users).
Emergency User. This is a kind of Zope user you can create when you lose your Zope Administrator password or when you accidentally removed permissions needed to manage Zope. You can create this by using the Enfold Server configuration utility. (See setting up an emergency user).
Installing User. This is the Windows user who installs Enfold Server. This user must have local Administrator rights on the local machine. If your user account belongs to a Windows domain, you may need to give this user local administrator privileges. This documentation assumes that when you are making changes to Enfold Server with the Encontrol configuration utility, you will be logged on with the account of the Installing user.
Service User. The Windows user which runs Enfold Server is called the service user. This account is separate and distinct from the Installing user. The service user runs the server processes (which you can see in Start --> Control Panel --> Administrator Tools --> Services) and scheduled tasks if you have configured them. (See this note about running Scheduled Tasks on Windows 2003)
Domain User. This Windows user has the ability to log onto a Windows domain (if your company's site has one). Enfold Server permits the Windows domain user account to be used to log onto the web site as well. See also: What if I don't need to sign on to a Windows domain?
(For more about users, see Users and Permissions FAQ).
Service User. This user account runs the Zope/Plone process on the Windows machine. It typically is separate from the user running the install wizard (and launching Encontrol).
When you install Enfold Server, you are asked to select a service user. In many cases, you will simply use an existing user account and supply the username and password when prompted. Generally the service user should be the same for ZEO server and for every Zope client you add. (An exception is when you are running multiple Windows domains and you have Enfold Server on multiple machines. Read more ). After installing Enfold Server, you can change the Service User by using the Encontrol configuration tool. (See Using Encontrol).
Here are three recommendations for Service Users. This applies for installations BOTH where the user is connected to a Windows domain and installations where the user is not connected to one.
should be different from the user who installed Enfold Server or launched the Encontrol application.
should not have Administrator rights to the local machine. (Having the service user separate from the user installing Enfold Server prevents other services, applications or data from being affected if the account is compromised).
should be used solely to perform Plone/Enfold tasks (like backup, logging and ZODB packing) on Windows. (See this note about running Scheduled Tasks on Windows 2003).
Local System Account. This kind of user account is a builtin Windows account with administrative privileges. Using the same Windows account you installed ES with as the service user is not recommended. Use for testing environments only (not for production use).
Local Machine Account. (Recommended if the server won't need to log onto the Windows domain) This is a separate user account from the user installing Enfold Server. If you choose this option, you will see two additional options.
- Create New Account. ES will provide a user name (starting with ZRUNNER) and you need merely to create a password. (If you lose it, you can create another local machine account later). This assumes that the current logged in user has the ability to create a local system account. Generally it is easy to create a new local account when you are not logging onto a domain.
- Use Existing Account. This option will allow you to provide data about the user name and account.
Domain user. (Recommended if you are logged onto a domain via Active Directory).
- Create New Account. This requires that the domain user have the ability to create new users on the Active Directory.
- Use Existing Account This requires that you obtain account information for another domain user. You can obtain account information from your AD administrator.
- Note: for security reasons, the AD Administrator account cannot be the service user who runs Enfold Server. If the service user is also a domain user (and hence listed in AD), this user will have the ability to login to a Plone site as an authenticated domain user. However, this service user will have no special privileges (i.e., he or she will lack access to the Plone Site Setup menu). If you want to promote a domain user to have access to Plone site setup (essentially giving him Admin or "Manager" privileges), you will need to assign this user to an AD group and map this group to the Zope role of Manager. (See assigning roles to groups ).
See also: problems configuring the service user
After a domain user or local user has the ability to sign in to a Plone account, the next step is assigning this user a role to play on the website. A role is a set of rights and permissions to create/edit/delete/publish content. Example of roles: contributor, editor, reader, reviewer, manager. (Read more about assigning roles to Plone users).
The user who installs Enfold Server needs to have Administrator privileges to complete the installation and set up scheduled tasks. A Windows domain user might not have this ability. Here are steps to give a domain user local Administrator rights on the local machine. (You need the Administrator's password for the local machine).
Sign out as the domain user and sign onto your machine as the local Administrator. In the screenshot below, ROBERTVIRTUAL is the name of the local machine, not the domain.
Choose Control Panel --> Administrative Tools --> Computer Management --> Local Users and Groups --> Groups.
Select the Administrator Group and right click to Properties.
Click Add (from this Location). You will see the Select Computers, Users or Groups dialog and enter the domain name (i.e., qehouston.local ) for the domain user's account.
For the Name of Domain User field, Type in your domain user's name and Check Names.
You will be prompted for a domain login and password.
After this succeeds, you can press OK.
Next sign out as the local Administrator and sign onto the machine with the domain user's account. An easy way to know for sure if the domain user has Administrator privileges is to right click the Start button. If you see a right-click option Explore All Users, that means your domain user has administrator rights.
Note: To avoid problems, try not to change the user from Local to Domain user or vice versa after initially set up. If you do need to do this, make sure that Authentication Profiles in Plone have been changed to "Default Plone with Cookie Authentication"") while you are making the change (For more detail, see choosing authentication profiles) .
The Enfold Server installation process lets you create a single Zope user. The Zope User has permissions to write/edit/delete anything via the website. The Zope user will have a link to Site Setup on the top left side of the page when logged on.
If you want another user to have the same privileges, there are two different ways to do this:
Using Plone Site Setup
- Login to Plone as the Zope User. Go to Plone Site Setup.
- Choose Users and Groups on the Plone control panel. (Read more about creating simple users from Plone Site Setup).
- Assign this account to the Manager user role. (Read more about Plone user roles).
Using Active Directory Groups
- Create a group in Active Directory called Manager.
- Map this group to a Zope role. (Read more about mapping AD groups to Zope roles).
- Create a user and add it to the Manager group.
After doing this, the user will be able to access Site Setup and the ZMI.
If you have already set up Active Directory with Enfold Server, Enfold recommends the second method listed above. It is easier to maintain over the long run.
Emergency users are necessary if you have lost signon information for the Zope account you created during the installation process.
To create: Open Enfold Server configuration utility. Click on your Zope client, Emergency Access. Create a user in this way. Next go to the ZMI for your website and access it through the management port (i.e., http://localhost:8080). Then login using the emergency user's name and password.
The next step after you login successfully is to click acl_users on the left and then the Users object on the right panel. From there, you can change passwords of existing users (such as Admin) and add users. Please note that the emergency user can add/edit user account objects, but not create new "content", "logic" or "presentation" objects.
If you are using Active Directory, and if you have already mapped certain domain users or groups to the Zope role, Enfold recommends that you create a Manager group in AD and then map this AD group to the Manager role in the ZMI.
To avoid being locked out of your site (while configuring Windows authentication for example), Enfold Server provides alternate ways to sign on.
First, the Zope user account which you created initially lets you login through the ZMI root. (You will usually need to include the port number (i.e., http://localhost:8080).
Second, the GUI for Enfold Server Configuration utility lets you create a user with emergency access to the ZMI. If for some reason you lose your Zope user password, you can create an emergency user. See the preceding section above about how to create an emergency user.
When making changes to the authentication profile, it is best to login as a Zope user to the ZMI (using the management port number; i.e., http://qehouston.local:8080/ ). Authentication profiles do not apply when logging into the ZMI. Therefore, even if you misconfigure the authentication profile, you will always be able to log in to the ZMI with your Zope password.
Click on the Plone instance and view it by clicking the View tab of the ZMI frame. At that point, you can select Site Setup --> Authentication Setup and make changes without worrying about being logged out.