A number of user accounts are included in the default Enterprise Server security configuration. Some are intended for interactive use; others are special-purpose accounts used by the system. This topic lists the predefined user accounts and explains how they are used.
Note: The default security configuration enables all-groups mode for ESCWA, MFDS, and enterprise server instances by selecting the Use All Groups option in each security configuration definition. In all-groups mode, users have the permissions of all the groups they belong to, and the optional sign-on group field on the various sign-on screens is ignored. All-groups mode simplifies security definitions and user actions, and is similar to how group security works on Windows and UNIX.
The predefined users are:
- SYSAD
- This is the default administrator. During product installation, a random 8-character password is generated for SYSAD and written to the default Micro Focus Secrets Vault. You can run mfsecretsadmin read microfocus/temp/admin to retrieve this password. See Getting Started with Default Enterprise Server Security for more information.
If you run mfsecconv init or mfsecconv reset manually to restore the default security definitions, you can specify different or additional administrator user accounts, and optionally specify passwords for them. See The mfsecconv Command for more information.
- readonly
- This is a user account which has limited access. During product installation, a random 8-character password is generated for it and written to the vault. You can run mfsecretsadmin read microfocus/common/readonly to retrieve it.
This account can be used interactively, for example to give someone permission to check the status of system components but not to make changes. It is also used by default by some Enterprise Server components to retrieve information about a running enterprise server instance so they can communicate with it. The Micro Focus Common Client and the Host Access for the Cloud included with Enterprise Developer both use this account by default.
- CICSUSER
- This is the system default user account for Enterprise Server MSS CICS. It is not possible to explicitly sign on interactively as this user (in the default security configuration).
- JESUSER
- This is the system default user account for Enterprise Server MSS JES. It is not possible to sign on interactively as this user.
- IMSUSER
- This is the system default user account for Enterprise Server MSS IMS. It is not possible to sign on interactively as this user.
- mfuser
- This is the system default user account for the ESMAC (Enterprise Server Monitor and Control) Web API. It is not possible to sign on interactively as this user.
- PLTPISUR
- This is the system user account used for processing enterprise server region startup tasks. It is not possible to sign on interactively as this user.
- SAFU
- This is a test user account. For historical reasons, this account can be used interactively and has some permission to use various resources, and initially has the password test.
Note: Micro Focus recommends disabling the SAFU user account or changing its password. You can do this in ESCWA.
- SAFUIMS
- This is a test user account for IMS. Like the SAFU account, it has a known password of test.
Note: Micro Focus recommends disabling the SAFUIMS user account or changing its password.
- mf_cs
- This is a system account which is used by MFCS to bind to MFDS if MFCS is started without specifying other credentials. Typically this is because an enterprise server instance was started without specifying credentials. If an enterprise server instance is started with credentials, those will be passed to all MFCS communications processes running under that instance.
Note: Micro Focus recommends disabling this account or changing its password to improve security. If the account is disabled, MFCS will not be able to start without credentials (but with security enabled, enterprise server instances need credentials to start anyway). If the password is changed, MFCS will not be able to start without credentials unless the new password is provided in the mf-server.dat file.
- mf_dep
- This is a system account which is used by default by the COBOL Web service and EJB installation program, mfdepinst.
Note: Micro Focus recommends disabling or deleting this account. If COBOL Web services and EJBs are being used, a different account should be created for service installation. See Security Considerations for Service Interface Deployment.
- mf_mdsa
- This is a system account which is used by casstart to bind to MFDS if no credentials have been specified.
Note: Micro Focus recommends disabling this account or changing its password to improve security. If the account is disabled or the password changed, casstart will not be able to start without credentials. However, with security enabled, an enterprise server instance requires credentials to start.