Upgrading or merging administrator accounts
Deployment and Installation Center | Web Security Solutions | Version 7.5.x
 
This article discusses what happens to Websense administrator accounts:
*
*
In v7.7 (as in v7.6.x), the default administrator account (with Global Security Administrator permissions) is admin. This account has access to all administrative and management functions for all modules of the TRITON Unified Security Center (the Websense management console).
This default account replaces the WebsenseAdministrator account from versions 7.5 and earlier.
Upgrading Web Security administrator accounts
When v7.5 Web Security solutions are upgraded to v7.7, administrator accounts are upgraded as described here.
WebsenseAdministrator
On upgrade, the WebsenseAdministrator account is replaced by the admin account.
During TRITON Unified Security Center installation, you are prompted to provide a password for the admin account.
If a v7.5 Websense appliance is running on-appliance TRITON - Web Security, it is upgraded to version 7.7 TRITON Unified Security Center (Web Security module only). In this case, the admin account is automatically configured to use the password assigned to the existing WebsenseAdministrator account.
Local accounts
Websense administrator accounts not authenticated against a directory service are referred to as local accounts. Local administrator accounts are brought into the upgraded system, but they must be assigned email addresses.
Administrators can use these accounts to log on to TRITON Unified Security Center, but no permissions changes can be made until the account is associated with an email address. The email address is required for these accounts to access password recovery functionality and receive alerts.
Network accounts
Websense administrator accounts authenticated against a directory service are referred to as network accounts. The directory service used to authenticate network administrator accounts prior to upgrade continues to be used by the v7.7 TRITON Unified Security Center. As part of the upgrade process, the email address associated with the account in the directory service (if any) is also associated with the account in the TRITON console.
 
Windows NT Directory
If Windows NT Directory or Windows NT Directory/Active Directory (Mixed Mode) is used to authenticate network administrator accounts, configure the system to use a directory service supported in version 7.7 (see version 7.7 System Requirements) before you upgrade.
To do this:
1.
2.
See the TRITON - Web Security Help for instructions on removing and adding accounts.
If this is not done, the accounts are not usable in version 7.7. The accounts are still listed, but cannot be used to log on to the console. Also, the accounts cannot be removed.
Other LDAP Directory
If Other LDAP Directory is selected on the Settings > General > Logon Directory page in v7.5 TRITON - Web Security, the setting is changed on upgrade to Generic Directory in the v7.7 TRITON Settings > User Directory page.
This occurs even if the directory service is one specifically supported by the v7.7 TRITON console. (If the directory service is Active Directory (Native Mode), Active Directory is still specified after upgrade.)
After upgrade, log on to the TRITON Unified Security Center and go to TRITON Settings > User Directory to verify the configured directory service and make any changes necessary.
Merging administrator accounts
When a TRITON backup is restored to a TRITON management server, the administrator accounts it contains must be merged with existing accounts.
Local accounts
TRITON administrator accounts not authenticated against a directory service are referred to as local accounts. If an incoming (from backup restore or upgrade merge) local account matches an existing local account on both name and email address, it is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming account matches an existing local account on either name or email address, but not both, it is rejected.
If an incoming local account's name matches an existing network account, it is imported but has its name modified by appending @local. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@local. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
If the modified name is already in use, an incrementing number is also appended, for example user@local1, user@local2, and so on.
Network accounts
TRITON administrator accounts authenticated against a directory service are referred to as network accounts. The currently configured directory service is used to resolve incoming accounts. If no directory service is currently configured, then the directory service used by the incoming accounts is used.
Incoming accounts are matched to existing network accounts by LDAP distinguished name. If a match occurs, the account is merged with the existing account. The permissions currently defined for the existing account are used.
If an incoming network account's name matches that of an existing local account, it is imported but has its name modified by appending @network. For example, an incoming account with name user would be imported into the TRITON Unified Security Center as user@network. A Global Security Administrator or the appropriate Security Administrator must verify renamed accounts and resolve them with existing accounts as necessary.
If the modified name is already in use, an incrementing number is also appended, for example user@network1, user@network2, and so on.
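The local and network merge rules above can be modeled before a restore to predict which administrator accounts will be merged, rejected, or renamed and therefore need review. This is an added example, not Forcepoint code: the Account record, the function names, and the sample accounts are hypothetical, and case-insensitive DN comparison and the "imported" fall-through are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:            # hypothetical record, not a TRITON data structure
    name: str
    kind: str             # "local" or "network"
    email: str = ""       # match key for local accounts
    dn: str = ""          # LDAP distinguished name, match key for network accounts

def renamed(name, kind, taken):
    """Append @local/@network, then 1, 2, ... while the result is already used."""
    base = candidate = f"{name}@{kind}"
    n = 0
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate

def resolve(incoming, existing):
    """Return (outcome, final_name) for one incoming account."""
    same = [a for a in existing if a.kind == incoming.kind]
    if incoming.kind == "local":
        hits = [(a.name == incoming.name,
                 bool(incoming.email) and a.email == incoming.email) for a in same]
        if (True, True) in hits:
            return ("merged", incoming.name)   # existing account's permissions are kept
        if any(n or e for n, e in hits):
            return ("rejected", None)          # name or email matched, but not both
    else:
        for a in same:
            # Assumption: DNs are compared case-insensitively; the page only says "by DN".
            if a.dn.casefold() == incoming.dn.casefold():
                return ("merged", a.name)
    if any(a.name == incoming.name for a in existing if a.kind != incoming.kind):
        taken = {a.name for a in existing}
        return ("renamed", renamed(incoming.name, incoming.kind, taken))
    # Assumption: cases the page does not describe fall through to a plain import.
    return ("imported", incoming.name)

EXISTING = [  # constructed sample accounts
    Account("user", "network", dn="cn=user,dc=example,dc=test"),
    Account("user@local", "local", email="u1@example.test"),
    Account("alice", "local", email="alice@example.test"),
]

if __name__ == "__main__":
    for acct in (Account("alice", "local", email="other@example.test"),
                 Account("user", "local", email="u2@example.test")):
        print(acct.name, acct.kind, resolve(acct, EXISTING))
```

Accounts reported as renamed are the ones a Global Security Administrator or Security Administrator has to verify and resolve after the restore.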

Copyright 2016 Forcepoint LLC. All rights reserved.