Recover/reset administrator access rights


The default 'admin' user is created during the initial installation with its default password 'admin_password'. This password, like that of any UDMG user, is hashed and cannot be recovered.


If you have lost or forgotten the password for this administrator user (or any other user that was created for admin purposes), follow the steps below to reset it.

There is no command to directly reset the password or to create a new admin user, but it is possible to import the definition of a new admin user with the minimum permissions for updating the admin user password.


This is necessary only if you don't have access to the system with any other user having at least the permission to edit user data (Write User permission).

  

Otherwise, simply log in with that user and navigate to the Users page to change the 'admin' password.

Temporary administrator user (simple way)


For the following steps, you must have access to the UDMG Server installation and be able to run udmg-server under the same conditions as the running service. This means being able to read both the configuration file and the passphrase file.


  1. Create a JSON file with the definition for creating a new user, granting it the permission to manage users, and assigning it to the Generic user group. 

    import-user-and-grp-admin_fix.json
    {
      "users": [
        {
          "username": "admin_fix",
          "password": "admin_fix",
          "permissions": {
            "users": "rw-"
          }
        }
      ],
      "userGroups": [
        {
          "id": 1,
          "name": "Generic",
          "businessServiceName": "Generic",
          "members": [
            "user::admin_fix"
          ]
        }
      ]
    }

    The username and password can be set to your convenience. Make sure to put the same username in both sections.
    The order of the sections is important: the user is created first, then assigned to the user group.

  2. Load the file with the import command of udmg-server:

    Linux command:
    $ /opt/udmg/bin/udmg-server import -v -v -v -c /opt/udmg/etc/udmg-server/server.ini -s import-user-and-grp-admin_fix.json
    Windows command:
    > "C:\UDMG\UDMG Server\udmg-server.exe" import -v -v -v -c "C:\UDMG\UDMG Server\server.ini" -s import-user-and-grp-admin_fix.json

    Command Output
    [Info ] Starting database service...
    [Info ] Startup successful
    [Info ] Import Partners - All
    [Info ] Import Server - All
    [Info ] Import Rules - All
    [Info ] Import Users - All
    [Debug ] No user found with conditions (username='admin_fix' AND owner='sb-mft-01')
    [Info ] Created user admin_fix
    
    [Info ] Import Business Services - All
    [Info ] User Groups - All
    [Info ] Promoted user group with name 'Generic' and UUID '' has a different UUID than the original 'Generic' with UUID 'fcd0e5ea-4828-499c-a30e-145cafb57485'.
    [Info ] Updated user group Generic
    
    [Debug ] No user group membership found with conditions (group_id='fcd0e5ea-4828-499c-a30e-145cafb57485' AND user_id=18)
    [Info ] Local Accounts - All
    Import successful.
    [Info ] Shutting down...
    [Info ] Shutdown complete
  3. Use either udmg-client or UDMG Admin UI to reset the administrator user password. The 'admin_fix' user can now view and edit user data. 
    Here is an example to reset the admin password. Make sure to use the correct port number for your configuration.

    Reset password with udmg-client
    udmg-client -a http://admin_fix:admin_fix@localhost:8080 user update -p 'THE_NEW_PASSWORD' 'admin'
    The user admin was successfully updated.
  4. Recommended: delete the 'admin_fix' user once the access to the normal administrator account is recovered. 

    Note

    To avoid a lockout situation where no user can edit users, the system does not allow deleting the last user with the Write User permission, nor revoking the permission from the last user that has it.

Temporary administrator user (isolated way)


It is also possible to completely isolate the temporary user into a dedicated user group (and business service).

A user must belong to a user group, and a user group must be linked to a business service. The procedure below creates the 3 entities to isolate the fix from the business configuration and to allow for a completely safe and clean removal once the administrator access is recovered.

This can be preferred in a production environment to avoid any tampering with the Generic user group and the Generic business service entities.


  1. Create a JSON file with the definition for creating a new user, a new business service, and a new user group, granting the user the permission to manage users and assigning it to the new user group.

    import-user-and-bs-admin_fix.json
    {
      "users": [
        {
          "username": "admin_fix",
          "password": "admin_fix",
          "permissions": {
            "users": "rw-"
          }
        }
      ],
      "businessServices": [
        {
          "name": "admin_fix"
        }
      ],
      "userGroups": [
        {
          "name": "admin_fix",
          "businessServiceName": "admin_fix",
          "members": [
            "user::admin_fix"
          ]
        }
      ]
    }
  2. Load the file with the import command of udmg-server:

    Linux command:
    $ /opt/udmg/bin/udmg-server import -v -v -v -c /opt/udmg/etc/udmg-server/server.ini -s import-user-and-bs-admin_fix.json
    Windows command:
    > "C:\UDMG\UDMG Server\udmg-server.exe" import -v -v -v -c "C:\UDMG\UDMG Server\server.ini" -s import-user-and-bs-admin_fix.json

    Command Output
    [Info ] Starting database service...
    [Info ] Startup successful
    [Info ] Import Partners - All
    [Info ] Import Server - All
    [Info ] Import Rules - All
    [Info ] Import Users - All
    [Debug ] No user found with conditions (username='admin_fix' AND owner='sb-mft-01')
    [Info ] Created user admin_fix
    
    [Info ] Import Business Services - All
    [Info ] Created business service admin_fix
    
    [Info ] User Groups - All
    [Info ] Created user group admin_fix
    
    [Debug ] No user group membership found with conditions (group_id='acaf15fc-95aa-4438-a916-283d56dfdb4e' AND user_id=20)
    [Info ] Local Accounts - All
    Import successful.
    [Info ] Shutting down...
    [Info ] Shutdown complete
  3. Use either udmg-client or UDMG Admin UI to reset the administrator user password. The 'admin_fix' user can now view and edit user data. 

  4. Recommended: delete the 'admin_fix' user, user group and business service once the access to the normal administrator account is recovered. 

    Cleanup
    $ udmg-client user delete admin_fix
     The user admin_fix was successfully deleted.
    $ udmg-client sb_usr delete admin_fix
     The user group admin_fix was successfully deleted.
    $ udmg-client sb_biz delete admin_fix
     The business service admin_fix was successfully deleted.
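
A pre-flight check for the import files used in both procedures above, as an added example that is not part of the UDMG documentation or tooling. It checks the rules this page states (valid JSON, 'users' before 'userGroups', group members matching a defined user, write access on users) and adds one hardening check on the temporary password. The key names come from the JSON shown on this page; the function name check_import, the sample file and the password check are assumptions added here.

```python
import json

# Constructed sample: the isolated-way file with two slips (password equal to
# the username, group member spelled differently from the user).
SAMPLE = """
{
  "users": [
    {"username": "admin_fix", "password": "admin_fix",
     "permissions": {"users": "rw-"}}
  ],
  "businessServices": [{"name": "admin_fix"}],
  "userGroups": [
    {"name": "admin_fix", "businessServiceName": "admin_fix",
     "members": ["user::admin-fix"]}
  ]
}
"""

def check_import(text):
    """Return a list of problems found in the text of a recovery import file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma after a value
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    problems = []
    sections = list(doc)  # json.loads keeps the key order of the file
    if ("users" in doc and "userGroups" in doc
            and sections.index("users") > sections.index("userGroups")):
        problems.append("'users' must come before 'userGroups'")
    users = {u.get("username"): u for u in doc.get("users", [])}
    # Page rule: the temporary user needs write access on users ("rw-").
    if not any("w" in u.get("permissions", {}).get("users", "") for u in users.values()):
        problems.append("no user is granted write access on users")
    for name, u in users.items():
        if u.get("password") == name:  # added hardening check, not a UDMG rule
            problems.append(f"user '{name}': password equals the username")
    # Only the file itself is visible here; 'Generic' is assumed to exist already.
    services = {b.get("name") for b in doc.get("businessServices", [])} | {"Generic"}
    for g in doc.get("userGroups", []):
        if g.get("businessServiceName") not in services:
            problems.append(f"group '{g.get('name')}': business service not in this file")
        for m in g.get("members", []):
            if m.startswith("user::") and m[len("user::"):] not in users:
                problems.append(f"group '{g.get('name')}': member '{m}' not in 'users'")
    return problems

if __name__ == "__main__":
    for problem in check_import(SAMPLE):
        print("PROBLEM:", problem)
```

An empty list means the file passed these checks; it does not replace the import command's own validation against the database.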

Create or promote a new admin user

To create another admin user with the same set of permissions as the default 'admin' user, use the udmg-client user add command with the special permission 'superuser'.

It can also be set when updating an existing user with the user update command.

This requires executing udmg-client as a user that has the Write User permission.

Create a new admin user
$ udmg-client user add -u admin_new -p password_new -r superuser
 The user admin_new was successfully added.

$ udmg-client user get admin_new
 ● User: admin_new
    User groups: Generic
    Email:
    Login Type: local
    Permissions:
    ├─Transfers: rw-
    ├─Servers: rwd
    ├─Partners: rwd
    ├─Rules: rwd
    ├─Users: rwd
    ├─Administration: rwd
    ├─Pgp: rwd
    ├─Audit: rwd
    └─Shared Accounts: rwd