NSP user management requirements and restrictions
Remote user accounts in NSP
Remote users will have a local account instance created in the NSP database. The remote user accounts appear in Users and Security, Users list, flagged as remote users. Remote users continue to use their login credentials, as defined on the remote server. System administrators can edit certain fields of a remote user’s local account instance, including first/last name, description and email address (see How do I modify a user account?). Remote users are subject to the same global user session limits as locally defined NSP users.
Active Directory
If NSP is configured for remote user authentication with an Active Directory server, the AD users also appear as local accounts in the NSP database. However, AD users are bulk imported to NSP at system startup. The bulk import of AD users into NSP is automatic and cannot be avoided, but customers can manage the scope of the import by defining remote NSP users with a unique distinguished name on the AD server, and limiting the user search scope to that DN only. Refer to the userDn and searchScope parameters in the NSP Installation and Upgrade Guide.
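Before pointing the import at a DN, it helps to preview which directory accounts that base DN and scope would actually cover. The following is an added example, not NSP code or configuration: the directory entries are constructed, and the scope names (base, one, sub) are the standard LDAP search scopes, assumed here for illustration; the values NSP accepts for searchScope are defined in the NSP Installation and Upgrade Guide.

```python
# Added example: preview which entries a search base DN and scope would cover.
# Simplified DN handling: case-insensitive, honors backslash-escaped commas,
# does not normalize whitespace around "=" or multi-valued RDNs.

def split_dn(dn):
    """Split a DN into a list of lower-cased RDNs, leftmost first."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is covered by a search at base_dn with the given scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                      # entry is not under the base DN at all
    if scope == "base":
        return depth == 0                 # the base entry itself only
    if scope == "one":
        return depth == 1                 # direct children only
    if scope == "sub":
        return True                       # base entry and every descendant
    raise ValueError("unknown scope: %r" % scope)

def preview_import(entries, base_dn, scope):
    """Return the entries that would fall inside the search."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]

# Constructed sample directory (hypothetical names).
DIRECTORY = [
    r"CN=nsp-admin1,OU=NSP Users,OU=Network,DC=example,DC=com",
    r"CN=nsp-oper1,OU=Operators,OU=NSP Users,OU=Network,DC=example,DC=com",
    r"CN=Doe\, Jane,OU=NSP Users,OU=Network,DC=example,DC=com",
    r"CN=hr-user1,OU=HR,DC=example,DC=com",
    r"CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
]
NSP_BASE = "OU=NSP Users,OU=Network,DC=example,DC=com"
ROOT_BASE = "DC=example,DC=com"
```

With this sample, a subtree search at the domain root covers all five accounts, including HR and service accounts, while the dedicated NSP base covers three (subtree) or two (one level).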
LDAP, RADIUS, and TACACS
As LDAP, RADIUS, and TACACS users log in to NSP, a local account instance is created in the NSP database. Only the remote users that have logged in to NSP appear as local instances of those user accounts in Users and Security.
Email verification
When the global Verify Email setting is enabled, new NSP users must complete a verification process on their first login to NSP.
When a new user logs in to NSP for the first time, the login page displays a message stating that an email has been sent to the user’s email address to verify their account. The user goes to their email account, locates the account verification email message, and clicks the URL link in the message. The NSP login page opens.
Forgotten passwords
The NSP sign-in page has a Forgot Password option. If a user clicks this option, they are prompted for their username. A message "You should receive an email shortly ..." appears on the sign-in page. To ensure that the Forgot Password option works for local users, configure all local user accounts with email addresses. The Forgot Password feature functions only for local NSP users; remote users cannot reset a password through NSP.
User account lockout messaging
In an OAUTH2 deployment, NSP provides the ability to automatically send an email message to users whose accounts have been locked. A user receives an email when they are temporarily or permanently locked out through Brute Force Detection protection mechanisms. Local user accounts must be configured with an email address to be sent lockout messages.
The lockout email function is enabled through the NSP system settings; see How do I configure an e-mail server for notifications? You can specify the Subject line and body text for the email message.
Note: Lockout messages are not sent to users whose accounts have been set to Suspended status by an administrator. That is a separate function.