Security - User Manager

Manage administrator users, roles, and permissions

Overview

The User Manager (available in ColdFusion Enterprise edition) provides role-based access control (RBAC) for the ColdFusion Administrator. Instead of sharing a single administrator password among multiple team members, you can create individual user accounts with specific permissions tailored to each person's responsibilities.

This feature enables the principle of least privilege, improves accountability through audit trails, and eliminates the security risks associated with shared credentials.

Enterprise Only: User Manager is only available in ColdFusion Enterprise edition. Standard edition uses a single administrator password for all users.

User Management

Create and manage individual administrator user accounts.

Creating Administrator Users

Purpose: Create individual accounts for each administrator
Required Info:
  • Username (unique identifier)
  • Password (strong, unique)
  • Description (user's name/role)
  • Assigned roles (permissions)
Best Practice: One account per person - never share credentials
Username Guidelines:
  • Use real names or email addresses for accountability (e.g., "john.doe" or "jdoe@company.com")
  • Avoid generic names like "admin", "webmaster", "developer"
  • Use consistent naming convention across team
  • Document who each account belongs to
Security: Never create shared "team" accounts. Each administrator must have their own unique credentials for proper audit trails and accountability.

Password Requirements

Minimum Length: 12+ characters (16+ recommended)
Complexity: Mix of uppercase, lowercase, numbers, and symbols
Uniqueness: Different from all other passwords the user has
Rotation: Change every 90 days or when employee departs
Password Best Practices:
  • Use password manager to generate and store complex passwords
  • Never reuse passwords from other systems
  • Enforce password expiration policies
  • Lock accounts after multiple failed login attempts
  • Require password change on first login
  • Maintain password history to prevent reuse

User Account Lifecycle

Onboarding: Create account with minimal permissions, increase as needed
Active Use: Regular access reviews, monitor for unusual activity
Role Changes: Update permissions when responsibilities change
Offboarding: Disable account immediately when employee departs
Critical: Disable administrator accounts immediately when employees leave the company. Do not wait until next password rotation or access review.

Role-Based Access Control

Assign granular permissions through predefined or custom roles.

Administrator (Full Access)

Permissions: Complete control over all settings
Use Case: Senior admins, infrastructure team leads
Count: Limit to 2-3 people maximum

Full administrative privileges including user management and security settings

Database Administrator

Permissions: Datasource management only
Use Case: DBA team managing database connections
Access: Data Sources, caching related to DB

Limited to database-related settings, cannot modify server configuration

Application Developer

Permissions: Mappings, debugging, logging
Use Case: Development team needing config access
Access: Dev tools, no production changes

Can configure development settings but not security or production settings

System Monitor

Permissions: Read-only access to logs and metrics
Use Case: Operations team monitoring health
Access: View only, no modifications

Monitor server status, logs, and performance without ability to change settings

Security Administrator

Permissions: Security settings, user management
Use Case: Security team managing access control
Access: Security section, sandboxes, users

Manage security policies, users, and access control without server config access

Custom Roles

Permissions: Tailored combination of access rights
Use Case: Specific organizational needs
Configuration: Select from available permissions

Create roles matching your organization's specific requirements and workflows

Permission Types

Available Permission Categories

Administrator Sections:
  • Server Settings: Core server configuration, request handling, caching
  • Data & Services: Datasources, web services, Solr, mail settings
  • Debugging & Logging: Debug output, log files, monitoring
  • Extensions: Java applets, CFX tags, custom tag paths
  • Event Gateways: Gateway configuration and management
  • Security: Sandboxes, RDS, secure profile, user manager (if authorized)
  • Packaging & Deployment: CAR/EAR file operations
  • System Information: View server info, license, update status (read-only)

Example Custom Role Configuration
CUSTOM ROLE: "Production Support Engineer"
==============================================

Business Need:
  Support team needs to troubleshoot production issues without
  ability to modify critical settings or access sensitive data.

Permissions Granted:
  ✓ View server status and system information
  ✓ Access log files (read-only)
  ✓ View datasource settings (no passwords visible)
  ✓ Monitor active sessions and requests
  ✓ Clear template cache
  ✓ View debug information (when enabled)
  ✓ Access performance monitoring

Permissions Denied:
  ✗ Modify any server settings
  ✗ Change datasource configurations
  ✗ Access security settings
  ✗ Manage users or roles
  ✗ Enable/disable features
  ✗ View or modify RDS settings
  ✗ Execute administrative operations

Example Users Assigned This Role:
  - On-call support engineers (nights/weekends)
  - Level 1/2 support technicians
  - Offshore support team
  - Contractors without admin access

Review Schedule:
  Quarterly review to ensure permissions still appropriate

Access Control Best Practices

Principle of Least Privilege

Implementation Guidelines:
  • Start with minimal permissions, add only what's needed
  • Grant access to specific sections, not full administrator
  • Use temporary privilege elevation for one-time tasks
  • Remove permissions when no longer required
  • Regular access reviews (quarterly minimum)
  • Document business justification for each permission

Separation of Duties

Role Segregation Examples:
  • Developer vs. Production Admin: Developers shouldn't have production write access
  • Security vs. Operations: Separate security policy management from daily operations
  • Database vs. Application: DBA manages datasources, app team manages code deployments
  • Monitoring vs. Configuration: Support can view logs but not change settings
Compliance: Many regulations (SOX, PCI-DSS, HIPAA) require separation of duties. Document your role structure for audit purposes.

User Account Auditing

Activity Logging: All administrator actions logged with username and timestamp
Review Frequency: Weekly log review, quarterly access review
Anomaly Detection: Monitor for unusual login times, locations, or activity patterns
Audit Checklist:
  • Review all user accounts quarterly - disable unused accounts
  • Verify each user still requires their assigned permissions
  • Check for accounts of departed employees
  • Review recent administrator actions in logs
  • Verify no shared accounts exist
  • Confirm password rotation compliance
  • Check for failed login attempts (potential attacks)
  • Document all findings and remediation actions
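An added example, not part of the ColdFusion documentation, that runs the checklist items a user inventory can answer (departed employees, shared-looking usernames, stale or never-used logins, too many full administrators) over a constructed table in the layout of the documentation template later on this page. The thresholds come from this page; the sample rows and the departed-employee list are made up.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed sample table in the layout of the documentation template on this page.
USER_TABLE = """\
Username         | Name              | Role                | Created    | Last Login
-----------------|-------------------|---------------------|------------|------------
john.doe         | John Doe          | Administrator       | 2024-01-15 | 2025-10-26
admin            | Shared Team       | Administrator       | 2023-05-01 | 2025-10-20
tom.brown        | Tom Brown         | Application Dev     | 2024-02-01 | 2025-03-01
emergency_admin  | Emergency Account | Administrator       | 2024-01-15 | Never
"""

GENERIC_NAMES = {"admin", "administrator", "webmaster", "developer", "root"}
MAX_FULL_ADMINS = 3                 # page: limit full administrators to 2-3 people
STALE_DAYS = 90                     # page: 90-day password rotation window
BREAK_GLASS = {"emergency_admin"}   # break-glass account; "Never" logged in is expected


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-delimited user table; separator rows start with dashes."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("-")]
    headers = [h.strip() for h in rows[0].split("|")]
    return [dict(zip(headers, (c.strip() for c in row.split("|")))) for row in rows[1:]]


def audit(text: str, today_iso: str, departed: Set[str]) -> List[str]:
    """Apply the checklist items a user table can answer; returns a list of findings."""
    today = date.fromisoformat(today_iso)
    users = parse_table(text)
    findings: List[str] = []
    full_admins = [u for u in users
                   if u["Role"] == "Administrator" and u["Username"] not in BREAK_GLASS]
    if len(full_admins) > MAX_FULL_ADMINS:
        findings.append(f"{len(full_admins)} full administrators exceeds limit of {MAX_FULL_ADMINS}")
    for u in users:
        name = u["Username"]
        if name.lower() in GENERIC_NAMES:
            findings.append(f"{name}: generic or shared-looking username")
        if name in departed:
            findings.append(f"{name}: departed employee still has an account")
        if u["Last Login"] == "Never":
            if name not in BREAK_GLASS:
                findings.append(f"{name}: never logged in, candidate for disabling")
        elif today - date.fromisoformat(u["Last Login"]) > timedelta(days=STALE_DAYS):
            findings.append(f"{name}: no login in more than {STALE_DAYS} days")
    return findings
```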

Multi-Factor Authentication (MFA)

Enhanced Login Security

Availability: Depends on ColdFusion version and third-party integrations
Recommendation: Implement MFA for all administrator accounts
Options:
  • LDAP/Active Directory integration with MFA
  • SSO providers (SAML, OAuth)
  • VPN with MFA as access layer
  • Custom authentication filters
MFA Implementation Approaches:
  • Network Level: Require VPN with MFA before accessing admin port
  • Web Server: Apache/IIS authentication modules with MFA
  • Directory Integration: LDAP/AD with built-in MFA support
  • Proxy/Gateway: Reverse proxy requiring MFA before CF admin

Integration with Enterprise Directory

LDAP / Active Directory Integration

Benefits:
  • Centralized user management
  • Single sign-on capability
  • Automated account provisioning/deprovisioning
  • Group-based role assignment
  • Enterprise password policies enforced
Configuration: Map AD/LDAP groups to ColdFusion administrator roles
Best Practice: When using directory integration, disable local ColdFusion accounts except for an emergency "break-glass" administrative account stored securely offline.

LDAP Integration Example Mapping
LDAP/AD Group to ColdFusion Role Mapping
==========================================

Active Directory Groups → CF Admin Roles:

AD Group: "CF-Admins-Full"
  → ColdFusion Role: Administrator (Full Access)
  → Members: Senior infrastructure team (2-3 people)

AD Group: "CF-Admins-Database"
  → ColdFusion Role: Database Administrator
  → Members: DBA team (3-5 people)

AD Group: "CF-Developers"
  → ColdFusion Role: Application Developer
  → Members: Development team (10-15 people)

AD Group: "CF-Support-ReadOnly"
  → ColdFusion Role: System Monitor
  → Members: Support team, offshore support (5-10 people)

AD Group: "CF-Security-Team"
  → ColdFusion Role: Security Administrator
  → Members: InfoSec team (2-3 people)

Benefits:
✓ User leaves company → AD account disabled → CF access auto-revoked
✓ Role changes → Update AD group membership only
✓ Password policies → Managed centrally in AD
✓ MFA → Configured once in AD, applies everywhere
✓ Audit trail → AD logs combined with CF logs

Emergency Access:
  Local CF account: "emergency_admin"
  Stored in: Sealed envelope in safe
  Used for: AD outage or emergency access
  Review: Quarterly password rotation
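An added example, not part of the ColdFusion documentation, that resolves a user's AD group membership to ColdFusion Administrator roles using the mapping above, computes the user's effective permissions, and flags the role combinations the Separation of Duties section says one person should not hold. The permission sets are an assumption, a simplified reading of the role descriptions on this page, and the group names are the illustrative ones from the mapping.

```python
from typing import Dict, List, Set, Tuple

# AD group -> ColdFusion role, taken from the mapping example above.
GROUP_TO_ROLE: Dict[str, str] = {
    "CF-Admins-Full": "Administrator",
    "CF-Admins-Database": "Database Administrator",
    "CF-Developers": "Application Developer",
    "CF-Support-ReadOnly": "System Monitor",
    "CF-Security-Team": "Security Administrator",
}

# Assumed permission sets: a simplified reading of the role descriptions on this page.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Administrator": {"server_settings", "data_sources", "debugging",
                      "security", "user_manager", "view_logs"},
    "Database Administrator": {"data_sources"},
    "Application Developer": {"mappings", "debugging", "view_logs"},
    "System Monitor": {"view_logs"},
    "Security Administrator": {"security", "user_manager"},
}

# Role pairs the Separation of Duties section says one person should not hold.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("Application Developer", "Administrator"),           # developer vs. production admin
    ("Application Developer", "Database Administrator"),  # application vs. database
]


def roles_for(groups: List[str]) -> List[str]:
    """Roles granted by group membership; unmapped groups (e.g. 'Domain Users') grant nothing."""
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


def effective_permissions(groups: List[str]) -> Set[str]:
    """Union of the permissions of every role held; an empty set means no admin access."""
    perms: Set[str] = set()
    for role in roles_for(groups):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def can(groups: List[str], permission: str) -> bool:
    """True when group membership grants the named permission."""
    return permission in effective_permissions(groups)


def sod_violations(groups: List[str]) -> List[Tuple[str, str]]:
    """Conflicting role pairs held at the same time, for the quarterly access review."""
    held = set(roles_for(groups))
    return [pair for pair in SOD_CONFLICTS if pair[0] in held and pair[1] in held]
```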

Common Issues & Solutions

User Cannot Login After Creation

Symptom: Newly created user gets "Invalid credentials" error when logging in
Solutions:
  • Verify username entered correctly (case-sensitive)
  • Confirm password meets complexity requirements
  • Check that user account is enabled (not disabled)
  • Verify user has at least one role assigned
  • Restart ColdFusion if user was just created
  • Check for special characters in username/password
  • Review administrator logs for authentication errors

User Has No Access to Any Sections

Symptom: User can login but sees empty administrator or "Access Denied" errors
Solutions:
  • Verify user has at least one role assigned
  • Check that assigned role has permissions configured
  • Confirm role assignments saved properly
  • Review role permissions to ensure they include desired access
  • Test with different role to isolate permission issue
  • Check for typos in custom role configuration

Lost Administrator Access

Symptom: All administrator accounts locked or forgotten, cannot access admin
Recovery Steps:
  • Stop ColdFusion service
  • Edit neo-security.xml configuration file
  • Reset administrator password or re-enable account
  • Use password reset utility if available (CF2021+)
  • Restore from configuration backup if available
  • Contact Adobe Support with server license info
  • Document incident and update password management procedures

LDAP Integration Not Working

Symptom: Users cannot login with AD/LDAP credentials
Solutions:
  • Verify LDAP server connection (host, port, SSL)
  • Check LDAP bind credentials are correct
  • Confirm DN (Distinguished Name) format matches your directory
  • Test LDAP query returns expected groups/users
  • Verify group membership in AD/LDAP
  • Check firewall allows LDAP traffic (port 389 or 636 for SSL)
  • Review ColdFusion logs for LDAP connection errors
  • Test with LDAP browser tool to verify directory structure

Security Documentation Template

Administrator Access Documentation
COLDFUSION ADMINISTRATOR ACCESS CONTROL
========================================
Server: production-cf01.company.com
Last Updated: 2025-10-27
Owner: Infrastructure Team

ADMINISTRATOR USERS
-------------------
Username         | Name              | Role                | Created    | Last Login
-----------------|-------------------|---------------------|------------|------------
john.doe         | John Doe          | Administrator       | 2024-01-15 | 2025-10-26
jane.smith       | Jane Smith        | Administrator       | 2024-01-15 | 2025-10-25
bob.jones        | Bob Jones         | Database Admin      | 2024-03-20 | 2025-10-27
sarah.wilson     | Sarah Wilson      | Security Admin      | 2024-06-10 | 2025-10-24
mike.chen        | Mike Chen         | System Monitor      | 2024-08-15 | 2025-10-27
emergency_admin  | Emergency Account | Administrator       | 2024-01-15 | Never

ROLE DEFINITIONS
----------------
Administrator:
  - Full access to all sections
  - User management
  - Security configuration
  - Assigned to: john.doe, jane.smith

Database Administrator:
  - Data Sources section
  - Database-related caching
  - Read-only system info
  - Assigned to: bob.jones

Security Administrator:
  - Security section
  - User Manager
  - Sandbox configuration
  - Assigned to: sarah.wilson

System Monitor:
  - Read-only access to logs
  - Server monitoring
  - Performance metrics
  - Assigned to: mike.chen

ACCESS REVIEW LOG
------------------
Date       | Reviewer    | Actions Taken
-----------|-------------|-----------------------------------------------
2025-10-27 | Jane Smith  | Quarterly review - no changes needed
2025-07-15 | John Doe    | Removed tom.brown (departed employee)
2025-04-20 | Jane Smith  | Added mike.chen with System Monitor role
2025-01-15 | John Doe    | Quarterly review - all accounts verified

EMERGENCY ACCESS PROCEDURES
----------------------------
Emergency Account: emergency_admin
Location: Sealed envelope in server room safe
Access Required: Two senior team members (dual control)
Usage: AD/LDAP outage or loss of all other administrator access
Post-Use: Change password immediately, document usage

INTEGRATION
-----------
Directory: Active Directory (ad.company.com)
Authentication: LDAP over SSL (port 636)
Group Mapping: See LDAP Integration section above
MFA: Required via VPN (Cisco AnyConnect + Duo)

NEXT REVIEW DUE
---------------
Date: 2026-01-27 (quarterly)
Responsible: Infrastructure Team Lead

Related Resources