Foglight 6.1.0 - Administration and Configuration Guide

Email Configuration

A proper configuration of email parameters enables Foglight to send email messages to selected recipients when certain thresholds are reached. Use the Email Configuration dashboard to view, configure and test email configuration parameters in Foglight.

The dashboard contains two views, each listing a set of configuration parameters: Email Server Configuration and Email Routing. Each parameter contains a registry value that Foglight uses to perform email actions. The following table describes the email parameters and identifies the registry variables they are associated with.

Table 3. Foglight email parameters and associated registry variables.

Parameter	Registry Variable	Required?	Description
Email Server Configuration view
Mail Server (Name or IP)	mail.host	Yes	Name or IP address of the mail server.
Email Sender Address	mail.from	Yes	Email address of the user that Foglight uses to send email messages.
Username to Login to Server	mail.user	No	User name of the account that Foglight uses to send email messages.
User Password	mail.password	No	Password of the user account that Foglight uses to send email messages
NOTE: If your mail server requires user authentication, supply the user name and password. For more information, contact you mail server administrator.
Mail Server Port	mail.port	No	Port number that Foglight uses to communicate with the mail server. The default value is 25. If you want to use a different port number, set this parameter to the desired value.
Mail Protocol	mail.transport.protocol	No	Protocol used for sending email messages. The default protocol is SMTP. The only other protocol type supported, aside from SMTP, is SMTPS.
Enable Debug Mode?	mail.debug	No	Indicates whether email-related debugging information is stored in the log.
Enable STARTTLS?	mail.smtp.starttls.enable	No	Indicates whether you want to enable the STARTTLS protocol and use encryption when sending email messages from Foglight.
Enable SSL?	mail.use.ssl	No	Indicates whether you want to enable the SSL protocol and use encryption when sending email messages from Foglight.
Mail Greeting	alarm.notification.template.body.greeting	No	Body message of the customized alarm email. Only string type is supported.
Mail Signature	alarm.notification.template.body.signature	No	Signature of the customized alarm email. Only string type is supported.
Mail Subject	alarm.notification.template.subject	No	Subject of the customized alarm email. Only string type is supported.
Email Routing view
Database Notifications	DBADMIN	No	Email address of the database administrator.
JavaEE Notifications	J2EEADMIN	No	Email address of the Java EE technologies administrator.
Operating System Notifications	SYSADMIN	No	Email address of the system administrator.
Global Notifications	mail.recipient	No	Email address of the default recipient.

Use the Edit button on the Email Configuration dashboard to edit email settings.

IMPORTANT: At minimum, specify the Mail Server (Name or IP) and Email Sender Address parameters.

NOTE: The appearance of the dialog box depends on the data type of the parameter that you are specifying. For example, configuring a text string shows a text box, while the control for editing a Boolean value (such as Is Run in Debug Mode) appears as a check box.

Test your email configuration to ensure that the potential recipients can receive email messages when pre-defined thresholds are reached.

For testing purposes, use an email address that you can easily access, such as your own email address. If you successfully configured email actions, the test email arrives at the specified destination address immediately after initiating the email test action.

TIP: The Mail Server (Name or IP) and Email Sender Address parameters are mandatory for a successful email configuration. Your mail server setup may require you to set additional parameters, such as the user name and password of the default sender, among others.

Users and Security

A Foglight user has a user name and a password and can belong to one or more groups. A user account has access to all the roles associated with the groups the user belongs to, and any additional roles associated with that account. Logging in to Foglight as a specific user authorizes you to perform a certain set of actions, based on the roles that are associated with that user account. Foglight can store user passwords on the Management Server, or in an external directory.

The Users tab lists all Foglight users, including:

For every user, the list shows the following:

The Users tab includes controls for managing user settings, creating new users, deleting users, forcing password changes, unlocking a user accounts, and a search tool. Clicking a user’s role or group entry allows you to quickly edit user permissions.

To access this tab, on the navigation panel, click Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and ensure that the Users tab is open in the display area.

The Users and Security dashboard allows you to look for user account, given a part of their user name.

The Users tab includes a wizard that allows you to create new users and grant them access permissions. The wizard is invoked using the New User button on the Users tab. Using this flow you can create one or more users with the same set of permissions.

Alternatively, use the fglcmd security:createuser command to create a user. For more information, see the Command-Line Reference Guide.

TIP: By default, the maximum length of Name is 15 characters; the maximum length of Email is 80 characters

TIP: The default value is Last 1 Hour.

Use the Remove Users button on the Users tab to remove user accounts from Foglight. You can only delete those users that are added after the installation, or users imported into Foglight from an external directory. Their types appear as Internal and External, respectively, on the Users tab. The type of the default user account included with Foglight appears as Built-In. The Built-In account, or the account used to log in to Foglight, cannot be removed.

Deleting an external user from Foglight does not remove that account from the external directory.

Alternatively, you can delete internal or external users using the security:deleteuser command that comes with the fglcmd interface. For more information, see the Command-Line Reference Guide.

Copying a user account is useful in situations when you need to quickly create a modified version of an existing user. Instead of re-creating all of the account’s settings, such as adding groups or roles, simply copy an existing account and edit the required parameters. Copying external accounts creates a copy of that account in Foglight, with no effects on the external directory in which the account is defined. A copy of an external account appears as an internal account in Foglight and shows no association with external groups that the original account belongs to.

TIP: By default, the maximum length of Name is 15 characters; the maximum length of Email is 80 characters.

TIP: The default value is Last 4 Hours.

Adding a user account to a group grants that user account access to all the roles associated with that group. Adding a role to a user account grants that user account access to any actions associated with that role, in addition to the roles previously given to the groups that user is a member of. Individual roles that are associated with a group a user belongs to cannot be removed from the user account, without removing the user from that group.

Groups and roles can be associated with a user account in many different flows, for example, when creating new accounts or editing user details. This topic describes the process of editing users’ groups and roles directly on the Users tab.

On the Users tab, the Groups column shows the names of groups that are associated with each account, or the number of groups, if that number is higher than five. The Roles column contains the names of the roles that are granted to each group, or the number of roles, if a group takes on six or more roles.

Hovering over these columns shows a list of the groups and roles assigned to the user entry.

When hovering over an entry that contains an external user account, the list also displays the groups from the external directory that the user belongs to, and that are selected for visibility on the Groups tab.

IMPORTANT: Individual roles that are granted to the user though group membership cannot be removed from the user account, and appear disabled for selection. Removing such a role requires removing the user from all groups to which that role is granted. This will, however, disable access to all roles that are associated with the groups from which the user is removed. You can add them to the user account later, as described in this procedure.

Foglight password settings dictate the restrictions for password creation for internal and built-in users. Passwords for external users are defined and managed in the external LDAP directory.

The restrictions include the number of unsuccessful attempts after which an account is locked, or the number of days after which a password expires. The Locked column on the Users tab indicates if an account is locked, while Password Expired shows which user accounts have an expired password. Force Password Change identifies the user accounts that, upon a successful login, are asked to change their passwords. Additionally, Token Available indicates if the Auth Token is available for an account. This setting is recommended during the user creation process, to protect user credentials.

For example, the configured number of unsuccessful login attempts dictates the number of bad logins after which a user account is locked.

It is also possible to set individual user passwords to never expire or to set a specific expiry date.

For more information about password settings, see Configuring Password settings.

TIP: To set a specific expiry date, run the command: fglcmd.bat -cmd security:passwordexpiry -set <date> -u <user_name>

The Details of User View shows current user profile. It also allows you to edit individual settings, such as password changes, groups and roles associated with the user, and the user audit trail. Drill down to this view by clicking the Name column on the Users tab, and choosing View from the shortcut menu that appears.

You can also edit user information using a wizard flow. This flow is limited to internal and built-in users only. It is similar to the one for creating new users. Start this flow by clicking the Name column on the Users tab, and choosing Edit from the shortcut menu.

TIP: The default home page is the Welcome page.

TIP: The default value is Last 4 Hours.

In Foglight, groups contain users. Roles are assigned to groups. A role that assigned to a group is also assigned to each member of that group.

The Groups tab lists all Foglight users. This includes the default groups included with Foglight and any groups that you create after the installation. For every group, the list shows its name, the roles and users associated with that group, and the group type. There are three types of groups in Foglight:

IMPORTANT: Built-in groups can not be deleted.

This tab includes controls for creating new groups, deleting existing groups, editing roles and users, and a search tool. Clicking a user’s role or group entry allows you to quickly edit group details.

To access this tab, on the navigation panel, choose Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and open the Groups tab.

The Groups tab includes a wizard that allows you to create new groups and associate them with roles and users. The wizard is invoked using the New Group button on the Groups tab. Using this flow you can create one or more groups.

Alternatively, you can create groups using the security:createuser fglcmd. For more information, see the Command-Line Reference Guide.

LDAP groups are any user groups that are mapped from an LDAP-compatible directory service supported by Foglight, when external directory services are configured. By default, external groups do not appear on the Groups tab of the Users & Security Management dashboard. You can enable them for visibility, when required. Any groups that appear on this tab also appear in other flows.

You need to turn group visibility on and then configure LDAP group access permissions for the visible groups. Importing LDAP groups into Foglight and granting them access permissions enables their users to access the browser interface. Failure to do so prevents them from using the browser interface.

Groups with a certain set of permissions likely require similar permission levels in Foglight. For example, consider granting the Foglight Administrator role to those LDAP groups that already have administrative privileges in the external directory. In any case, follow you organization’s standards when configuring access permissions.

When you integrate Foglight with an external directory service, any user that is granted the Security Administration role (regardless of whether their account type is internal, built-in, or external), can import LDAP groups. To import one or more LDAP groups into Foglight, you must log in with an internal Foglight account (for example, foglight/foglight) to import and configure LDAP groups.

IMPORTANT: If the external ldap group name is the same as the internal foglight group name we are not able to import it since group name is unique in foglight. By default there are six internal Foglight user groups: • SvcAccts: hidden from UI • Foglight Users • Cartridge Developers • Foglight Administrators • Foglight Operators • Foglight Security Administrators

For more information about configuring Foglight to use an external directory service, see Configuring directory services.

From here, you can grant appropriate Foglight roles to the imported groups. For more information, see Associate users with groups and roles .

In a default Foglight installation, the Welcome page is the default page that appears in the display area after a successful login. In large distributed environments, some users may require access to other, role-specific dashboards immediately after logging in. A Foglight administrator, for example, may want to have the Administration home page as the landing page, instead of being taken to the Welcome page and having to navigate to the Administration page from there. Similarly, an operator may need to go directly to the Alarms dashboards, to review potential bottlenecks.

Foglight Security administrators have the ability to assign different home pages to different users or groups, when required. This can be done by configuring user preferences. In addition to changing the home page, configuring user preferences allows you to set the time range for the home page along with the refresh interval for the data appearing on that page. This is particularly useful when the home page displays important performance metrics that affect the behavior of your monitored system, and your organization as a whole.

You can configure user preferences for a user or a group. Changing a group’s home page affects all users that belong to that group, even if some of them already have a different home page assigned. For example, if a user belongs to the Foglight Administrators group, and you want that user to have a different home page, you can change that user’s preferences. However, changing the Foglight Administrators group preferences at a later time overwrites the user’s preferences causing that user to have the same home page as other members of the Foglight Administrators group.

When assigning home pages, it is important to take into consideration the allowed roles that are associated with individual dashboards. Although it is possible to view and select the dashboards for which a selected user or group does not generally have access permissions, doing so does not grant access to those dashboards. For example, setting the Administration dashboard as an operator’s home page results in the following message after the operator logs in to Foglight:

TIP: If you change the user preferences for all members of the selected group, then the home page changes for those users that already have a home page defined.

TIP: The default home page is the Welcome page.

TIP: The default value is Last 4 Hours.

Use the Remove Groups button on the Groups tab to remove groups from Foglight. You can only delete those groups that are added after the installation, or groups from en external directory that are selected for visibility on the Groups tab. Their types appear as Internal and External, respectively, on the Groups tab. The type of the default groups included with Foglight appears as Built-In. Built-In groups cannot be removed. Removing an external group has no effect on the external directory in which it is defined.

Alternatively, you can delete internal or external groups using the security:deleteuser fglcmd command. For more information, see the Command-Line Reference Guide.

Adding a user account to a group grants that user account access to all the roles associated with that group. You can only edit users for built-in and internal groups, but not for external groups. Adding a role to a group grants the members of that group access to any actions associated with that role.

Roles and users can be associated with a group in many different flows, for example, when creating new groups or editing existing groups. This describes the process of editing groups’ users and roles directly on the Groups tab.

On the Groups tab, the Role Names column shows the roles granted to each group, or the number of roles, if that number is higher than five. The User Names column contains the names of the users that belong to each group, or the number of users, if a group contains six or more users.

Hovering over these columns shows a list of the groups and roles associated with the group entry.

You can edit group details using a wizard. This workflow is very similar to the one used creating new groups. Start it by clicking the Name column on the Groups tab.

TIP: If access requirements associated with this user account change at a later time, you can change their users by editing the group details. For more information, see Associate users with groups and roles .

In Foglight, roles are granted to groups and individual users. A role that is assigned to a group is also assigned to each member of that group.

There are two types of roles in Foglight:

IMPORTANT: The Built-In roles cannot be deleted.

NOTE: Having the Administrator role in addition to the Core Reports role allows you access deprecated reports.

NOTE: The General Access role is not assigned to users, and cannot be used to log in.

This tab includes controls for creating new roles, deleting existing roles, editing groups, and a search tool. Clicking a group column entry allows you to quickly edit the groups that are associated with a role.

To access this tab, on the navigation panel, choose Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and open the Roles tab.

The Roles tab includes a wizard that allows you to create new roles and associate them with groups. The wizard is invoked using the New Role button on the Roles tab. Using this flow you can create one or more roles.

Use the Remove Roles button on the Roles tab to remove roles from Foglight. You can only delete internal roles that are added after the installation.

Granting a role to a group grants the role access to all users that are the members of that group.

Roles and groups can be associated with a group in many different flows, for example, when creating new roles or editing existing roles. This describes the process of editing roles’ groups directly on the Roles tab.

On the Roles tab, the Groups column shows the roles granted to each group, or the number of roles, if that number is higher than five.

Hovering over this column shows a list of the groups associated with the role entry.

You can edit role details using a wizard flow. This flow is very similar to the one used creating new roles. Start this flow by clicking the Name column on the Roles tab.

Foglight administrators can use the setting to control dashboard access for a specific role.

NOTE: This feature requires cartridge support. If a cartridge supports Dashboard Access Control Settings feature, the key dashboards which support access control will be displayed on the Dashboard Access Control Settings view.

To get access to Dashboard Access Control Settings, click Dashboards > Administration > Users & Security in the Navigation panel.

The Dashboard Access Control Settings include the following fields:

NOTE: The icon only means that the specific roles have permission to access the target views, does not guarantee the target views are displayed on the menu, even if the target views are menu views. If the dashboard developer sets the target view to be accessed by the specific roles, but does not set the view to be displayed on the menu for those roles. Then, those role users can only access the target view from other view links to the target view, not from the menu. For example, the Hosts view on Infrastructure cartridge can be accessed by any roles from other cartridge, but not all roles can see the Hosts view on the menu.

NOTE: If the target environment does not have the roles which the source environment has, the configuration for those roles would not be imported into the target environment.

Foglight administrators can configure the object access for users and roles to control which objects the users can see in the dashboards. The objects assigned to a user include:

There are three access levels, All, Customized, and None. By default, all the existed users and newly created users are set to All level. The administrators can change the access level either from the object access level drop-down list for newly created users, or from the cell action in assigned objects column on Users tab for specific users.

NOTE: The drop-down list can only set access level for the newly created users. To set access level for existed users, click the relevant Assigned Objects column on the Users tab, then click the pop-up action menu.

To get access to Topology Object Access Settings, click Dashboards > Administration > Users & Security in the Navigation panel.

The administrators can assign objects to user or role by using the Users, Roles, or Topology Objects tabs. A user can see clearly which objects are assigned through the Users tab.

The Users tab is the main tab to configure the object access. The Assigned Objects column shows the current access level for the user. If the level is Customized, then it will display the numbers of the objects assigned to the user. By clicking the Assigned Objects column of each user, you can change the object access level. The options include, All, None, and Manage.

By clicking Manage, a Manage Object Access Settings dialog-box opens. In the Available Objects fields, it shows the objects that can be assigned to the user. In the Assigned Objects fields, it shows the objects that have been assigned to the user and the roles or services the assigned object belongs to. By checking check-box, you can add Available Objects to the user, or remove the Assigned Objects from the user.

NOTE: For the objects belong to a role or a service, you cannot remove the assigned objects from the user through the Users tab. For a role related object, remove the objects through Roles tab, while for a service related objects, remove the service via Service > Service Builder dashboard.

After finishing configuration, click Set to apply the change. The Set button is also used to change the level from All or None to Customized.

The Roles tab lists the assigned objects numbers to a certain role. By clicking the number of the Assigned Object and Manage, a Manage Object Access Settings dialog-box opens. By checking check-box, you can add Available Objects to the role, or remove the Assigned Objects from the role. After finishing configuration, click Set to apply the change.

NOTE: Assign or remove assigned objects to the role will affect all the users who belong the role.

The Topology Objects tab shows the objects assignment for each object. The supported Topology Type is determined by the cartridge you installed. By default, there is only one type, FSMService.

NOTE: If you assign a FSMService object to a user or a role, you will assign all of the objects belong to the service and its sub-services to the user or the role.

To assign an object to a user or a role, or remove the assigned object from a user or role, do either of the following:

Configure Password Settings

Foglight password settings dictate the restrictions for password creation. Use the Password Settings view to explore and edit these settings to comply with your security requirements.

For example, you can set the complexity level that must be used in the passwords of internal users and the users with the Security role. Foglight uses the following levels:

The security levels are set as User password complexity level and Administrator password complexity level values.

By default, the complexity level for internal users’ passwords is 2, while the default complexity level for users with the Security role is 3. The complexity level for administrator passwords must be set to 2 or higher.

IMPORTANT: If you change the password for the default user (foglight), the currently configured password policy applies to the new password. For example, the default password never expires; if you change the default password, it expires according to the value set for User Password Expires In Days.

Configure Directory Services

Default settings for LDAP directory servers are different. Use the following information as guidelines and substitute the default settings with the most appropriate values. See the documentation for your specific LDAP server for more information about these settings and the applicable values.

If you are using Active Directory, and have trusts configured to allow users from one domain to access resources in different domain, keep in mind that these trusts require OS authentication and as such cannot be used in Foglight. When LDAP is configured, Foglight authenticates users through the main Active Directory forest, but it only searches the domains that are the children of the primary LDAP server (specified by the Nearest LDAP server URL setting). If the primary LDAP server fails, it searches the domains that are the children of the secondary LDAP server (specified by the Secondary LDAP server URL setting). For more information about problems that you may encounter when configuring LDAP with Active Directory, see Common Active Directory configuration problems.

TIP: When integrating Foglight with Active Directory, it is recommended to create a separate user group dedicated to Foglight access.

Learn more about:

TIP: For more information about problems that you may encounter when configuring LDAP with Active Directory, see Common Active Directory configuration problems.

TIP: For more information about problems that you may encounter when configuring LDAP with Active Directory, see Common Active Directory configuration problems.

IMPORTANT: Whenever you change any of the setting on this page, you must re-enter the password in order for these settings to take effect.

IMPORTANT: LDAP authentication can also be configured if the LDAP query prefix is set to “sAMAccountName=”.

Table 4. The table below shows types of LDAP directory servers.

Setting	Active Directory	Oracle Directory Server Enterprise Edition/OpenLDAP	Novell eDirectory
Nearest LDAP server	ldap://ukdatemea01:389
Secondary LDAP server URL	ldap://uklonemea01:389
Account is anonymous	No	Yes	No
Distinguished name of the service account	CN=JW admin,OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com	__anonymous__	CN=foglight_admin, O=services
Group attribute for nested group searching	member	uniqueMember	member
JAAS LoginModule Name	com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule
	NOTE: Do not change this setting.
Match on User DN	true
Maximum level of group nesting	5
Parent group attribute ID	memberOf
Password	********
LDAP query prefix	CN=	uid=	CN=
LDAP query suffix	,CN=Users,DC=emea,DC=corp,DC=apax,DC=com	,OU=Employees,DC=example,DC=com	,O=novell
Role attribute ID	name	cn	cn
Is Role attribute a DN	false
Mode of group searching	direct	indirect	direct
The scope(s) to search for groups	OU=Foglight Admins,DC=emea, DC=corp,DC=apax,DC=com Note: Setting the scope to search for a group with the ldap root DN may cause a javax.naming.PartialResultException during searching. To search from the root DN, change the ldap url to use a global category. For example, setting the Nearest LDAP server as ldap://ukdatemea01:3268 should prevent a javax.naming.PartialResultException.	OU=Groups,DC=example,DC=com	O=novell
The second group namespace	OU=EMEA Admins, DC=emea,DC=corp,DC=apax,DC=com	OU=Dynamic Groups,DC=example,DC=com	N/A
The third group namespace	CN=Foglight,OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com	N/A
LDAP search timeout (milliseconds)	10000
Name of JAAS security domain	fgl-web-console
	NOTE: Do not change this setting.
User alias attribute ID	sAMAccountName	uid	uniqueId
User attribute ID to search for groups	memberOf	uniqueMember	member
The LDAP context for user searching	OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com	OU=People,DC=example,DC=com	o=novell

Integrating Active Directory with Foglight can sometimes result in configuration problems. This topic lists the common configuration problems and provides the suggested solutions.

The Service Account must use the distinguished name (DN) format. The syntax must match exactly how the LDAP directory sees the object. You can use an LDAP browser (free LDAP browsers are available for download) to inspect your LDAP directory.

You can use the Active Directory dsquery command to see the DN for a Service Account.

This command creates a text file that you can search for proper Service Account DNs.

For example:

Foglight uses the LDAP context for user searching setting to determine where to start looking for LDAP users in the LDAP directory when an LDAP user logs into Foglight. Foglight searches for that user in that location, and every container level under that starting point. If the user account is at a higher level than what is set by the LDAP context for user searching, the login fails.

To test this behavior, simply set the context to the highest level of the LDAP tree. In Microsoft Active Directory, this is the Domain. For example, if the AD domain is example.com, the .LDAP context for user searching can be set to DC=example,DC=com.

You can adjust this setting later after ensuring that Foglight integration with LDAP works.

NOTE: The Service Account does not have to exist in or under the directory specified by the LDAP context for user searching setting. The Service Account is specified by the Distinguished name of the service account setting on the Configure Directory Services page.

Foglight can only handle any check and return requests coming from LDAP. For example, Foglight cannot process requests for changing passwords that occur during login. Other types of requests that are also not handled by Foglight include: prevention of logon hours, prevention of logon to (specific workstations), password expirations, disabling accounts, and proprietary security requests. See your LDAP Administrator to help you inspect the Service Account.

To test this, log in to a Windows machine, to the Domain using the specified LDAP account. If anything is presented other than a successful login, Foglight will have a problem with this when it tries to submit an authentication. See your LDAP administrator to resolve your LDAP account issues.

If LDAP authentication is not working in Foglight, try configuring the LDAP query prefix setting to force using older NTLM authentication. Do this by changing the LDAP query prefix from “CN=” to “sAMAccount=” .

Cross-reference your Configure Directory Services settings with those on another Management Server that are not edited. Compare the formats of the entries. Check the settings that you think have not changed. Examples of incorrect formatting include:

Observing the result of a login attempt can often tell you if LDAP is successfully configured.

To do that, log in to the Foglight browser interface using your Active Directory account. If LDAP is successfully configured, you see the following message:

This message confirms that the LDAP configuration is successful. You just need to log in as a Foglight Security Administrator and add the newly added LDAP (External) user to a Foglight group which has the appropriate abilities (roles) granted.

If LDAP is not configured correctly, you see the following message:

You can return to the beginning of this topic and go through the troubleshooting steps to determine the problem.

NOTE: Active Directory passwords do not need to conform to Foglight password policies. Password policy settings specified on the Password Settings page only apply to internal Foglight accounts. External (LDAP) accounts do not need to follow these settings.

Starting with the Foglight Management Server 5.7.5.7, it is possible to configure multiple LDAP directories and you are allowed to select any of the LDAP configurations for user authentication.

You are allowed to activate an LDAP configuration for authenticating the user login to Active Directory, as needed.

Once an LDAP configuration is activated, the Activate button will be changed to Deactivate. You can repeat the above workflow to deactivate this LDAP configuration when needed.

With the support of multiple LDAP configurations, the Foglight Management Server enables you to sort the LDAP query configurations for more effective user authentication.

Use the Configure Directory Services view to enable Foglight to access user information that is stored in an external directory and to test these settings.

IMPORTANT: Whenever you change any of the settings on this page, you must re-enter the password in order for these settings to take effect.

Use the User Session Settings link on the Users & Security Management dashboard to configure the period of time after which Foglight logs out inactive users. You can set it to a desired number of minutes, or to an infinite period, as required. The time-out session minimum is five minutes.

By default, global search is enabled for the Management Server. In some cases, you may want to disable global search, either for individual users, or for the entire Management Server. You can disable global search by following this procedure.

After you have disabled global search, you can enable it for specific users. Any users that require access to global search must have the WCF permission globalSearch set on their account. This allows you to control what users can access in their designated environment.

Where **Some other Role** is a role that you have created and assigned to users or groups that you want to be able to perform global search.