One of our goals at OpenSRS is to enable resellers to manage all aspects of the domains in their accounts to ensure they can service their end customers appropriately. We provide a multitude of tools that allow resellers to do this efficiently. Here, we aim to explain how to best utilize each of these tools.
Domain management tools available to all OpenSRS resellers:
We advise resellers to exclusively use the tools listed above to manage the domain names in their account. We also encourage resellers to familiarize themselves with the Reseller Control Panel, as the legacy control panel will be deprecated by the end of 2015.
In addition to these tools, OpenSRS provides an End User Management Interface. This tool allows registrants to manage certain aspects of their domain name without having to engage the reseller.
Resellers have the option to make the End User Management Interface available to their end customers or they can direct end customers who are trying to manage their domains through the interface to the reseller’s own web-portal (See"Providing end users with access to the End User Management Interface" section in this document).
As the name suggests, the End User Management Interface is not intended for reseller use. Resellers should be managing domains through the Reseller Control Panel, API or 3rd party software. These tools will provide all the domain management options available in the End User Management Interface, plus many more. There are some exceptions (e.g. .CA registrant changes) and for those, we encourage resellers to contact OpenSRS support for the time being. We are making changes to the Reseller Control Panel and you will be able to make these changes in the near future.
Domain management options within the End User Management Interface
Registrants will be able to manage the following details of their domains through this interface:
- Registrant contact information (name, address, phone, email)
- Admin, Tech and Billing contact information (name, address, phone, email)
- Nameserver settings
- Additional domain attribute information, such as Nexus, Registrant IDs, etc.
- Authcodes (transfer password) - retrieve and reset (this functionality can be disabled on a per-reseller level). See "End User Management Interface options in the Reseller Control Panel" section in this document.
- Change profile password
- Create sub user for a single domain (this functionality will be deprecated in the near future)
- Move domains to a new or other existing profile (this functionality will be deprecated in the near future)
Providing end users with access to the End User Management Interface
Resellers are in charge of whether or not their end users can access this interface. When registering and transferring a name or when creating a new profile, resellers need to insert a username and password that will give their end users access to the End User Management Interface.
Once the username and password have been set, for security reasons, resellers will no longer be able to obtain a clear text password from OpenSRS. If an end user ever requires a new set of credentials for a profile, the reseller can send a password reset link for that domain to the owner or admin email address of any domain associated with that user profile. This functionality is available through the Reseller Control Panel (see Profile management options in the Reseller Control Panel section in this document) and the API using the SEND_PASSWORD command End User Management Interface and profile management options when using our API section in this document).
Resellers can opt-in to allow end users to retrieve a password for a profile themselves without having to engage the reseller. This setting can be managed in the Reseller Control Panel under Account Settings > Branding > End-User Management Interface (MWI) - Edit (click on Help in the edit dialogue to learn more). If this functionality is enabled, users who try to log in to the End User Management Interface and who do not have valid credentials will be presented with a link that allows for a password reset. An email to the owner or admin email address of this domain will be triggered and it will allow the user to reset the password and regain access to that profile. Please note that an end user will gain access toall domainsassociated with a profile. We strongly advise that you only enable the “Forgot Password?” link for profiles that do not include domains of multiple customers.
Use of Registrant Profiles
OpenSRS uses the concept ofRegistrant Profilesto organize end user access to the End User Management Interface. Whenever a reseller inserts a domain into OpenSRS, via registration or transfer, the domain will be associated with aRegistrant Profile. A profile is identified by a username, and it has a password that is required to access the End User Management Interface. A profile can contain one or multiple domain names. The domains in a profile can share a single owner or admin email address or have different owner or admin email addresses across domains.
The person who has access to a given profile will have access toall the domains associated with that profile. In case the reseller wishes to extend the End User Management Interface to their end customers, it is important for profiles to only contain those domains which a specific end user is authorized to access. Profiles should never span the domains of multiple customers.
In this context it is important to once again emphasize that the End User Management Interface has not been designed nor is it intended to facilitate the management of domains by the reseller. Unless a reseller has disabled the interface entirely for their account, we strongly advise against associating all domains in a reseller account with a single profile. Any end user gaining access to that profile would gain access to all the domains in this profile. Resellers should only use our Reseller Control Panel, API or 3rd party software to manage domains on behalf of their clients.
In the Reseller Control Panel, profiles are not exposed as a separate object. Instead they are always tied to a domain name.
When registering or transferring a name in OpenSRS, resellers can create a new profile for this domain, or associate the domain to an existing profile by selecting another domain within that existing profile (see how).
To reset the password for a given profile, a reset password link can be sent to the owner or admin from thedomain detailsview (go to theActionsdrop down menu in the Reseller Control Panel and selectSend Password to OwnerorSend Password to Admin). For security concerns, existing passwords are not exposed in the Reseller Control Panel. If a password has been lost, it needs to be reset using the method outlined above.
Managing domains by profile:
We realize that when we reset passwords for the End User Management Interface, some domain names were split up from its original profile. To correct this, we are introducing additional functionality to the Reseller Control Panel that will allow those domains to be merged into the profile it belonged to (see how).
To find all domains associated with an existing profile, a search filter in the domains list allows resellers to insert any domain and display all other domains within the same profile.
Existing domains can be merged into a different profile (new or existing) from the domain list view by selecting the “Merge Domains into Profile” bulk action. This feature is important when organizing multiple domains which belong to a single registrant into a single profile.
End User Management Interface options in the Reseller Control Panel
Resellers can disable access to the interface for their end users altogether. The appropriate setting can be found underAccount Settings-Branding-End User Management Interface - Give End-Users Access to MWI. It will allow resellers to insert a forwarding URL where all end users trying to access the interface will be directed to.
Resellers can also disable the ability for their end users to access the authcode of their domains through the End User Management Interface. This setting is available underAccount Settings-Branding-End User Management Interface - Show Auth Code to End-Users. Please note that resellers will still be able to provide the authcode to their end users through the Reseller Control Panel.
When registering or transferring domains using the OpenSRS API, resellers are required to set a username and password or associate it with an existing profile. This is required even if you do not plan on using the End User Management Interface. The commands to register and transfer domains allow to set username and password as a part of this transaction. If you wish to assign an existing domain to a new profile, the CHANGE OWNERSHIP command will allow you to set a new username and password for this new profile.
The API will also allow you to reset the password for an existing profile using the SEND_PASSWORD command. This command will send a password reset link to the owner or admin contact of a domain. However, this command will not allow you to specify a new password on behalf of your customer. If you have the current valid password for a profile, the CHANGE PASSWORD command will allow you to set a new password. For security reasons, there is no command available in the API or elsewhere that would allow you to retrieve an existing password.
When using the API, it is best practice to not use username and password to authenticate transactions for individual domains. This legacy authentication method has been replaced by reseller level authentication using your API key. However, when authenticating transactions through your API key you need to ensure that the end user who is requesting a change has been properly authenticated by your system before submitting an API command.
The following API commands will still require a username and password:
- CHANGE PASSWORD
Here are some best practice recommendations for using our API if youdo notplan on extending the End User Management Interface to your end customers:
- you should disable the End User Management Interface entirely for your reseller account (see "End User Management Interface options in the Reseller Control Panel" section in this document).
- you should use randomized usernames and passwords to create profiles.
- you should not use the End User Management Interface username and password to authenticate your customers in your own systems, or pass through username and password to authenticate individual requests to our API. Instead, you should solely use reseller level authentication via API key. If you are not sure which authentication method you currently use, please contact us email@example.com get further information and advice.
If you plan to give your end customers access to the End User Management Interface, we recommend the following:
- passwords should have a minimum length of 10 characters (will be required after September 9, 2015)
- randomize password generation, and not use the same or similar passwords for all profiles
- you should organize domains into profiles by customer, so that your customer has access to all their domains in a single profile
- you should not use username and password to authenticate API commands unless the specific command requires it (see above), and instead solely use reseller level authentication via API key.
End User Management Interface and Profile Management Options when using 3rd party software
Several 3rd party software vendors such as WHMCS or Parallels/Odin offer domain management plugins that interface with OpenSRS. Those plugins typically do not extend the End User Management Interface to end customers. The software would take care of managing usernames and passwords, and would not expose those to the users. There is no option to change or reset user passwords through 3rd party software.
If you use 3rd party software, we recommend that you disable the End User Management Interface for your reseller account to avoid unwarranted access (see "End User Management Interface options in the Reseller Control Panel" section in this document).
As always, if you have any questions or concerns please contact support at firstname.lastname@example.org.