Accounts

Accounts in UDMG represent the login and authentication credentials that enable your partners (such as customers, vendors, organizations, departments, internal/external users, or automated systems) to exchange files with you and your business ecosystem. As the primary participants in data exchange, Accounts serve as the bridge between your external business relationships and your internal file transfer infrastructure.

info

Accounts are not to be confused with Users, who are administrative individuals who access your UDMG Admin UI to configure, monitor, and manage data file transfers.

When UDMG acts as the server, Accounts provide the authentication credentials that external clients use to connect to UDMG (Local Protocol Server Endpoints). Each Account within a Domain contains the necessary authentication information for one or more of the supported server protocols listed below. External clients, such as FileZilla, OpenAS2, or other FTP/SFTP/AS2 client software, use these Account credentials to establish secure connections to UDMG.

When an Account is associated with a Pipeline via an Account Group, it can exchange data with UDMG according to that Pipeline's configured permissions and routing rules.

Supported Server Protocols:

  1. Local SFTP Server Endpoint - Clients connect using SFTP client software
  2. Local FTP Server Endpoint - Clients connect using FTP/FTPS client software
  3. Local AS2 Server Endpoint - Clients connect using AS2 client software
  4. Local HTTPS Server (WTC) Endpoint - Users connect via web browser through the Web Transfer Client interface
info

Accounts are not required for file transfers when UDMG acts as the client. All connection and authentication details are stored in the Endpoint and Pipeline.

Generally speaking, UDMG's flexible Account framework enables the following capabilities:

  • Secure Authentication: Partner credentials are protected using modern, one-way hashing algorithms, ensuring they cannot be reversed or exposed.
  • Group Assignment: Accounts are associated with Account Groups, representing collections of Accounts with similar traits or permissions.
  • Individualized Tracking: Account access is logged, producing a secure audit trail, ensuring complete accountability for all file transfer activities.
  • Comprehensive Administration: UDMG offers robust tools for the complete Account lifecycle: creation, configuration, monitoring, and deactivation.
  • Directory Integration: Support for external authentication sources like LDAP and Single Sign-On enables centralized identity management across your organization.

Before You Begin

Domain Scope

Accounts are created and managed within individual Domains and cannot be shared across Domains. If access is required in multiple Domains, a separate Account must be created for each one.

Account Groups and Pipeline Access

To participate in UDMG file transfers, Accounts must be associated with at least one Account Group, which holds a collection of Pipelines.

  • The Pipeline's Source-Destination pairing determines the type of file transfers and permissions the Account can participate in.
  • An Account Group association is not required on Account creation. Accounts can be associated with Account Group(s) after saving.
  • LDAP Accounts are created with at least one Account Group associated due to LDAP syncing requirements, but can be updated after creation.
  • SSO Accounts are created with at least one Account Group associated, but can be updated after creation.

To ensure configuration integrity, UDMG performs validation checks whenever an Account Group association is added to an Account. These checks prevent conflicts that could impact file transfers.

  1. Analyze all Pipelines within the Account Groups currently associated with the Account.
  2. Compare each Pipeline in the newly added Account Group against the existing collection.
  3. Verify that each Pipeline combination of Source Endpoint ID and Virtual Path is unique.
    info

    Each Source Endpoint ID and Virtual Path combination must be unique within an Account Group and across all Pipelines associated with an Account.

  4. Display a detailed error message if a conflict is detected.
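
The uniqueness check in the steps above can be sketched as a pre-flight review to run before saving an Account. This is an added example, not UDMG's implementation; the field names (`name`, `source_endpoint_id`, `virtual_path`), the exact-match comparison, and the sample Account Groups are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: Account Group name -> its Pipelines.
# Field names are assumptions, not a UDMG export schema.
ACCOUNT_GROUPS = {
    "partners-inbound": [
        {"name": "acme-upload", "source_endpoint_id": "sftp-local-01", "virtual_path": "/inbound"},
        {"name": "acme-reports", "source_endpoint_id": "sftp-local-01", "virtual_path": "/reports"},
    ],
    "finance": [
        {"name": "fin-upload", "source_endpoint_id": "sftp-local-01", "virtual_path": "/inbound"},
        {"name": "fin-as2", "source_endpoint_id": "as2-local-01", "virtual_path": "/inbound"},
    ],
    "vendors": [
        {"name": "vendor-drop", "source_endpoint_id": "ftp-local-01", "virtual_path": "/drop"},
    ],
}


def pipeline_key(pipeline):
    """Uniqueness key from the page: (Source Endpoint ID, Virtual Path)."""
    return (pipeline["source_endpoint_id"], pipeline["virtual_path"])


def find_conflicts(groups, current, new_group):
    """Return the conflicts that associating new_group with an Account would create.

    current is the list of Account Group names already on the Account.
    """
    # Step 1: index every Pipeline in the currently associated Account Groups.
    seen = defaultdict(list)
    for group in current:
        for pipeline in groups[group]:
            seen[pipeline_key(pipeline)].append((group, pipeline["name"]))

    # Steps 2-3: compare each Pipeline of the new group against the index,
    # and against Pipelines of the new group already visited.
    conflicts = []
    for pipeline in groups[new_group]:
        key = pipeline_key(pipeline)
        for owner in seen[key]:
            conflicts.append({"source_endpoint_id": key[0], "virtual_path": key[1],
                              "existing": owner, "new": (new_group, pipeline["name"])})
        seen[key].append((new_group, pipeline["name"]))
    # Step 4: the caller turns a non-empty list into a detailed error message.
    return conflicts
```

An empty result means the new Account Group can be associated without a Source Endpoint ID and Virtual Path collision.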

Account Credentials

Accounts may require associated Credentials to authenticate with UDMG. The required Credentials depend on the transfer type and the Authentication Method of the Endpoint.

  • SFTP: For Accounts participating in SFTP file transfers when UDMG is the SFTP server, an associated Public Key may be required to authenticate with UDMG. Your partner maintains their own SSH key pair and shares the Public Key with you; UDMG uses it to authenticate their SFTP client. Both password and key authentication are supported. Key-only authentication, referred to as passwordless authentication, is used for automated or scripted transfers.
info

When an Account connects to a Local SFTP Server Endpoint, a Public Key is required if the Local SFTP Server's Authentication Method is Public Key, Password or Public Key, or Password and Public Key.

  • AS2: For Accounts participating in Local AS2 file transfers when UDMG is the Receiver, an associated X.509 Certificate may be required.

Multiple Credentials can be associated with an Account (e.g., multiple SSH public keys).

Login Methods

UDMG supports three Account creation and login methods, providing flexibility and scalability options.

info

Two-Factor Authentication (2FA) can be enabled as an additional security layer for both Standard and LDAP authentication methods.

Adding an Account

There are three ways to add Accounts:

  • New Accounts with Standard Authentication can be added manually from the Accounts page.
  • New LDAP Accounts are automatically generated during an LDAP Sync after LDAP authentication is configured.
  • New SSO Accounts are automatically generated upon login after SSO authentication is configured.

To add an Account manually, follow these steps:

  1. From the Sidebar, click Configuration > Accounts.
  2. Click the Add Account button above the Accounts list.
  3. Complete the Name and Description for the new Account.
  4. Add the Username and Password that the Account will use for authentication.
  5. Select the Account Groups through which the Account will send file transfers.
  6. Select any required credentials from the Credentials dropdown.
  7. Click Save.
warning

Within the Account form, the Account Group combinations with Pipeline conflicts are not identified in the dropdown field. If there are conflicts between the Account Group - Pipeline combinations selected, then an error is displayed after saving.

Field Descriptions

The following table describes the fields that are configured for the Account:

| Name | Description | Specifications | Required |
|---|---|---|---|
| Account Name | The name of the Account. The Account Name (not the same as the Username used for logging in) is used only for administration and association purposes. | If Login Method is Standard, | Yes |
| Partner Identifier | Unique to each partner, identifies the partner when using AS2 protocol. | Must be unique. For AS2, this value must match the AS2-From header in received messages. | No |
| Description | The description of the Account. | | No |
| Username | Account's login name used to authenticate the Account. | If Login Method is Standard, | Yes |
| Password | Account's password used to log in. | If Login Method is Standard: must be unique; must follow the global password policy set in the Global Config file. | Yes |
| Confirm Password | Re-entered password. | Must match the Password field. | Yes |
| Account Groups | Account Groups associated with the Account, chosen from a list of all Account Groups created on the Account Groups page. An Account must be associated with at least one Account Group to send or receive files. | This multi-select field references already-created Account Group(s). | No |
| Credentials | The Credentials used by this Account for authentication with an Endpoint. For Local SFTP file transfers, select a Public Key if authentication requires it. For Local AS2 file transfers, select an X.509 Certificate. | This multi-select field references already-created Credentials. | No |
| Require Two-Factor Authentication (TOTP) | Requires Accounts to log in with 2FA. | Must have a Login Method equal to Standard or LDAP. | Yes |

Editing an Account

To edit an Account, follow these steps:

  1. From the Sidebar, select Configuration > Accounts.
  2. Click the Name of the Account you want to edit.
  3. Click the Edit button above the Account details.
  4. Edit details for the Account using the Field Descriptions table as a guide.
  5. Click Save.
warning

Edit an LDAP Account with caution. Changes to Account details (Username, Password, etc.) put UDMG and the LDAP system out of sync. UDMG allows the Account details to be changed, but the changes are not "activated" (that is, the new password is not usable). If a change is required, it must be made in both systems (UDMG and the external LDAP system).

Managing an Account

Account management includes viewing metadata, verifying associated Account Group - Pipeline combinations, and controlling the Account's enabled status.

Viewing Account Details

To view the details of an Account, follow these steps:

  1. From the Sidebar, click Configuration > Accounts.
  2. Click the Name of the Account you want to view.
  3. Review the Account details.
    • To view the associated Credentials, click the Credentials tab.
    • To view the associated Account Groups, click the Account Groups tab.

Account Metadata

Account details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:

| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this Account. |
| Version | Version number of the configuration. Every change increases the number. |
| Enabled | Account's Enabled status. If enabled, field is set to True. |
| Created | Date and time this Account was created. |
| Updated | Date and time this Account was last updated. |
| Login Method | The method the Account uses to log in and authenticate with the specific Endpoints. Options include Standard, LDAP, SAML, and OIDC. If a different Login Method is needed, a new Account must be created. |

Enabling and Disabling Accounts

Accounts can be Enabled or Disabled to control their active status and ability to participate in file transfers. The status defaults to Enabled and can be changed after creation.

  • Enabled (default): The Account is active and can participate in file transfers.
  • Disabled: The Account is inactive and cannot participate in file transfers.

To enable or disable an Account, follow these steps:

  1. From the Sidebar, click Configuration > Accounts.
  2. Click the Name of the Account you want to enable or disable.
  3. Click the Enable or Disable button above the Account details, depending on the current status.
info

Changes to the Account's Enabled/Disabled status are not active until the Account reconnects. Disabling an Account is a good alternative to deleting an Account.

Deleting an Account

To delete an Account, follow these steps:

  1. From the Sidebar, click Configuration > Accounts.
  2. Click the Name of the Account you want to delete.
  3. Click the Delete button above the Account details.
  4. You will be asked to confirm the deletion. Click Delete.
danger

Deletion cannot be undone. Deleting an LDAP Account should be done with caution, as UDMG does not automatically resynchronize with the LDAP directory. To avoid inconsistencies, ensure the Account is also removed from the LDAP system.

Troubleshooting

If an Account is experiencing connection issues, verify the following:

1. Authentication details: Ensure the Account's Username, Password, and any associated Credentials (e.g., SSH keys) are correct and valid.

2. Pipeline and Endpoint status: Confirm that the Pipelines and Endpoints associated with the Account's Account Groups are enabled and properly configured.