Best Practices for User Access to IGEL UMS Server
Starting from IGEL Universal Management Suite (UMS) version 12.07.100, you can define the user under which the UMS Tomcat services run. Using a non-root user gives you more flexibility in meeting security standards. This article explains how to define the service user and why it is not recommended to start the UMS Tomcat services as the root user or an admin user.
The service user can only be set during an initial UMS installation, not during an update installation.
The installation of the IGEL UMS itself must be performed as a root/admin user, but for security reasons it is not recommended to run the UMS Tomcat services as a root/admin user. Using a dedicated user with the minimum authorizations necessary on the operating system significantly reduces security risks.
We strongly recommend using a user with minimal authorizations in order to follow the principle of least privilege and increase system security.
How to Specify the User in Windows Installation
1. Before starting the UMS installation, create a user that will be used to start the UMS Tomcat services.
   - The service user should not have root rights.
   - The user must have a valid password.
   - No additional permissions are required, as all necessary permissions are granted during the installation process.
2. Select the service user during the UMS installation. For details, see IGEL UMS Installation under Windows.
3. Authenticate the user through password verification.
All UMS Tomcat services will now be started with this user.
How to Specify the User in Linux Installation
1. Before starting the UMS installation, create a user that will be used to start the services.
   - The service user should not have root rights.
   - The user must have a valid password.
   - No additional permissions are required, as all necessary permissions are granted during the installation process.
2. Select the service user during the UMS installation. For details, see IGEL UMS Installation under Linux.
   Note: The watchdog service (used in UMS High Availability) needs root privileges on Linux. Therefore, this service is always started as root on Linux.
3. Authenticate the user through password verification.
All UMS Tomcat services will now be started with this user.
For password verification, the module “pamtester” is required on your system. This module will be automatically downloaded as part of the installation process. If you choose not to install it, the installation will only be functional for the root user.
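The following shell script is an added example (not part of this article or of IGEL's installer) of a pre-installation check a Linux administrator can run before step 2 above, to confirm that the account chosen as the service user meets the requirements listed in step 1: it is not uid 0, it is not a member of a privileged group, it has a usable password (so PAM password verification can succeed), and pamtester is available on the system. The user name umssvc, the list of privileged group names and the reliance on the GNU id and passwd -S commands are assumptions; the passwd -S status field format differs between distributions (P on Debian-based systems, PS on RHEL-based systems), and the check accepts both.

```shell
#!/bin/sh
# Pre-installation sanity check for a UMS service user (hypothetical helper,
# not IGEL tooling). Exit status 0 means the account looks suitable.

# Group names that grant administrative rights; assumed list, adjust to your OS.
PRIVILEGED_GROUPS="root sudo wheel admin"

# uid_ok UID: succeed only when the uid is not 0 (i.e. not root).
uid_ok() {
  [ "$1" -ne 0 ]
}

# groups_ok "group names": fail if any name is in PRIVILEGED_GROUPS.
groups_ok() {
  for g in $1; do
    for p in $PRIVILEGED_GROUPS; do
      [ "$g" = "$p" ] && return 1
    done
  done
  return 0
}

# password_status_ok "passwd -S output": the second field must report a
# usable password (P on Debian/Ubuntu, PS on RHEL/Fedora); L/LK (locked)
# and NP (no password) mean PAM verification would fail.
password_status_ok() {
  set -- $1
  [ "$2" = "P" ] || [ "$2" = "PS" ]
}

# check_service_user NAME: run all checks against a real account.
check_service_user() {
  name=$1
  uid=$(id -u "$name" 2>/dev/null) || { echo "error: user '$name' does not exist"; return 1; }
  uid_ok "$uid" || { echo "error: '$name' is uid 0 (root); use a dedicated unprivileged account"; return 1; }
  groups_ok "$(id -Gn "$name")" || { echo "error: '$name' belongs to a privileged group"; return 1; }
  # passwd -S usually needs root to read the shadow file; skip if unavailable.
  if status=$(passwd -S "$name" 2>/dev/null); then
    password_status_ok "$status" || { echo "error: '$name' has no usable password: $status"; return 1; }
  else
    echo "notice: could not read password status for '$name' (run as root to check)"
  fi
  if command -v pamtester >/dev/null 2>&1; then
    echo "ok: pamtester found; password verification will work for '$name'"
  else
    echo "warning: pamtester not installed; without it the installer only works for root"
  fi
  return 0
}

# Example usage with the constructed account name umssvc:
#   check_service_user umssvc
```

Run the script as root so that passwd -S can read the shadow file; otherwise the password check is skipped and only the uid and group checks are meaningful.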