User Management

The scripts provided in user_management.zip allow administration of Control Center users using ccc.exe.

Download:
https://download.dbwatch.com/download/misc/ccc/user_management.zip

These scripts can be used for:

• Creating users
• Configuring authentication (Password / Kerberos)
• Updating credentials
• Assigning roles
• Approving users
• Setting expiration dates
• Enabling/disabling two-factor authentication

Deleting users

All scripts are executed using the standard CCC execution pattern.

Prerequisites

Required Privileges

To execute user management operations, the CCC node (certificate/user) must have:

Write access on the Security system

If this privilege is missing, the operation will fail.

Script Package

Extract the following package:

user_management.zip

The package contains:

Place the scripts in the same directory as ccc.exe, or reference them using a full path.

General Syntax

All scripts follow this structure:

ccc.exe <script_name> accesspoint="host:port
" domain="<domain>" username="<user>"

Common parameters:

accesspoint – Control Center endpoint (example: localhost:7100)

domain – Control Center domain name

username – Target Control Center user

Create User

Create user with password authentication

ccc.exe create_user.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" authprovider="password" credentials="replace_me"

Parameters:

authprovider="password"

credentials – Initial password

Create user with Active Directory (Kerberos)

ccc.exe create_user.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" authprovider="kerberos" aduser="donald.duck"

Parameters:

authprovider="kerberos"

aduser – Active Directory user identity

Ensure that the domain is configured for Kerberos authentication before creating AD users.

Update User Settings

Update authentication provider

Change authentication method:

ccc.exe update_user_authprovider.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" authprovider="kerberos"

Valid values:

password

kerberos

Update user credentials (password)

ccc.exe update_user_credentials.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" credentials="new_password"

This operation is only valid for users configured with password authentication.

Update AD user mapping

ccc.exe update_user_aduser.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" aduser="donald.duck"

This updates the associated Active Directory account.

Assign roles

ccc.exe update_user_roles.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" roles="DBA, Super DBA"

Notes:

Roles must already exist in the domain.

Multiple roles are comma-separated.

Approve user

ccc.exe update_user_approved.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" approved="true"

Valid values:

true

false

Users must be approved before they can log in (depending on domain policy).

Set expiration date

ccc.exe update_user_expires.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" expires="2026-05-30"

Date format:

YYYY-MM-DD

When the expiration date is reached, the user account becomes inactive.

Enable or disable two-factor authentication

ccc.exe update_user_twofactor.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck" twofactor="true"

Valid values:

true

false

Delete User

ccc.exe delete_user.script accesspoint="localhost:7100" domain="demo.1453.dbwatch.com" username="donald.duck"

Deleting a user permanently removes the account from the domain.

Best Practices

Use a dedicated automation account with restricted Security write access.

Avoid storing plaintext passwords in scripts or logs.

Test operations in a non-production domain before bulk execution.

Apply the principle of least privilege when assigning roles.

Use expiration dates for temporary or consultant access.