What are the NSP user management requirements and restrictions?

Remote user accounts in NSP

Remote users have a local account instance created in the NSP database. The remote user accounts appear in Users and Security, Users list, flagged as remote users. Remote users continue to use their login credentials, as defined on the remote server. System administrators can edit certain fields of a remote user local account instance, including first and last name, description and email address; see How do I modify a user account?. Remote users are subject to the same global user session limits as locally defined NSP users.

Active Directory

If NSP is configured for remote user authentication with an Active Directory server, the AD users also appear as local accounts in the NSP database. However, AD users are bulk imported to NSP at system startup. The bulk import of AD users into NSP is automatic and cannot be avoided, but customers can manage the scope of the import by defining remote NSP users with a unique distinguished name on the AD server, and limiting the user search scope to that DN only. Refer to the userDn and searchScope parameters in the NSP Installation and Upgrade Guide.

LDAP, RADIUS, and TACACS

As LDAP, RADIUS, and TACACS users log in to NSP, a local account instance is created in the NSP database. Only the remote users that have logged into NSP appear as local instances of those user accounts in Users and Security.

Email verification

When the global Verify Email setting is enabled, new NSP users must complete a verification process on their first NSP login attempt. During the initial login attempt, the login page informs the operator that an e-mail has been sent to the user e-mail address to verify the account. The user locates the account verification e-mail message, clicks on the URL in the message to complete the verification process, and the NSP sign-in page opens.

Forgotten passwords

The NSP sign-in page has a Forgot Password option. If a user clicks this option, they are prompted for their username. A message "You should receive an e-mail shortly ..." appears on the sign-in page. In order to ensure that the Forgot Password option works for local users, configure all local user accounts with e-mail addresses. The Forgot Password feature functions only for local NSP users; remote users cannot reset a password through NSP.

User account lockout messaging

The NSP provides the ability to automatically send an e-mail message to users whose accounts have been locked. A user receives an e-mail when they are temporarily or permanently locked out through Brute Force Detection protection mechanisms. Local user accounts must be configured with an e-mail address to be sent lockout messages.

The lockout e-mail function is enabled through the NSP system settings; see How do I configure an e-mail server for notifications?. You can specify the Subject line and body text for the e-mail message.

Note: Lockout messages are not sent to users whose accounts have been set to Suspended status by an administrator. That is a separate function.