i4connected Knowledgebase 5.6

Managing i4connected users and roles

Abstract

Check out this article and learn more details about working with i4connected users and roles.

For a better understanding of the new i4connected 5.6 security concept, the following tutorials will guide you through a hypothetical use-case in order to demonstrate how to set up a closed user group.

In many situations, you may need a closed group which is interacting in the i4connected system only with in a local area, in context of a certain site, area or organizational unit. Other situations, may require that some members of that closed group also need to see the whole content system but have no or limitted management permissions.

Due to the fully customizable i4connected security settings, a properly configured system can meet any expectations.

Tip

Before going through these tutorials please also read the i4connected Role management article, in order to properly understand the security concept introduced by the i4connected 5.6 version.

Adding a new Default Front-End role

The first step in setting up you user group is definition of a Default Front-End role.

A Front-End role is a hard-coded permission combining a set of login authorizations, that all new users require in order to be able to access the i4connected portal.

In order to make sure that new users aren't restricted from accessing the i4connected portal, having a Front-end role set as Default will simplify the work of a system administrator, as follows:

  1. In the administration section of the i4connected portal, navigate to the Roles panel.

  2. In the Roles panel click the Add toolbar button.

    Note

    The Add roles function is available only for users having the Configure security permission enabled.

    Add_role_button.jpg
  3. In the Add role panel proceed with the following settings:

    Portaluserrole.jpg
    1. Type in the new Role name.

    2. Make sure that the Is privileged toggle button is set to No.

    3. Toggle the Is default button to Yes.

      Note

      All new users will automatically receive all default roles, sparing the system administrator from further manual work.

    4. Toggle the Role type selector to Front-end role type.

  4. Click the Save button and check the Roles list. The new created role is visible in the list view.

    Front-end_role_listed.jpg
Adding Function roles

After setting up the Default Front-End role, we need to proceed with defining a set of Function roles.

A Function role is a fully customizable role allowing the system administrator to enable any of the listed permissions. Function roles are usually non-default, hence the system administrator would need to manually assign them to users, as we shall see in the upcoming sections of this article.

To properly distribute user's permissions and restrictions, the system administrator should add multiple Function roles customizing them as desired.

This tutorial demonstrates how to define two general Function roles that most of the systems might need:

  • GlobalAdmin role which will enable SuperAdministrator rights to user, allowing him / her access over the entire content.

  • LocalAdmin role which will enable the user with administrator rights over a certain entity and its users.

Adding a GlobalAdmin role
  1. In the administration section of the i4connected portal, navigate to the Roles panel.

  2. In the Roles panel click the Add toolbar button.

    Note

    The Add roles function is available only for users having the Configure security permission enabled.

    Add_role_button.jpg
  3. In the Add role panel proceed with the following settings:

    Add_Global_Admin.jpg
    1. Type in the new Role name.

    2. Make sure that the Is privileged toggle button is set to Yes.

      Note

      As we are currently defining a super-administrator role, we want to make sure that the user having this role assigned will not encounter any limitations, that are usually implied by items marked as privileged.

    3. Make sure that the Is default toggle button is set to No.

    4. Toggle the Role type selector to Function role type.

    5. Mark all permission categories check-boxes.

  4. Click the Save button and check the Roles list. The new created role is visible in the list view.

    GlobalAdmin_listed.jpg
Adding a LocalAdmin role
  1. In the administration section of the i4connected portal, navigate to the Roles panel.

  2. In the Roles panel click the Add toolbar button.

    Note

    The Add roles function is available only for users having the Configure security permission enabled.

    Add_role_button.jpg
  3. In the Add role panel proceed with the following settings:

    Add_local_admin.jpg
    1. Type in the new Role name.

    2. Make sure that the Is privileged toggle button is set to No.

    3. Make sure that the Is default toggle button is set to No.

    4. Toggle the Role type selector to Function role type.

    5. Expand the System category and mark the check-box of Manage shared tiles and Manage personal tiles permissions.

      System_category.jpg
    6. Expand the Security category and mark the check-box of View users, Users and Change password permissions.

      Security.jpg
    7. Expand the Sites and areas category and mark the check-box of View sites and areas and Manage sites and areas permission.

      Sites_and_areas_category.jpg

      Note

      These permissions are hierarchical relevant, hence they will become effective as soon as the user is assigned to a specific hierarchical entity.

      For more details please also refer to the i4connected Security management articles.

    8. Expand the Organizational units category and mark the check-box of View organizational units and Manage organizational units permissions.

      Org_Units_category.jpg

      Note

      These permissions are hierarchical relevant, hence they will become effective as soon as the user is assigned to a specific hierarchical entity.

      For more details please also refer to the i4connected Security management articles.

    9. Expand the Devices category and mark the check-box of View devices, Manage devices, View adapters and Manage adapters permissions.

      DEvcie_s_category.jpg

      Note

      These permissions are hierarchical relevant, hence they will become effective as soon as the user is assigned to a specific hierarchical entity.

      For more details please also refer to the i4connected Security management articles.

    10. Mark the entire Signals permissions category.

      Signlas.jpg
    11. Mark the entire Events permissions category.

      Events_category.jpg
    12. Mark the entire Reports permission category.

      Reports_category.jpg
  4. Click the Save button and check the Roles list. The new created role is visible in the list view.

    LocalAdmin_listed.jpg
Assigning a Front-End role to the i4connected Default page

As indicated in the i4connected Administrative tools section, pages can be available or hidden for users, based on their role assignments. The system administrator is required to assign roles to pages, hence making sure that all users sharing at least one role with a page, will be allowed to view and access it.

Warning

Even though a new user has been automatically granted with a Default Front-End role it does not mean that this user will be allowed to start working in the i4connected portal. To avoid such situations, the i4connected Default page should be available for all system users.

This tutorial will guide you through the steps needed to make the default project page visible to all system users:

  1. In the administration section of the i4connected portal, navigate to the Page List panel.

  2. Select the Default page in order to make it available for all system users.

    Open_page.jpg
  3. In the Edit page panel proceed as follows:

    Edit_page_panel.jpg
    1. Click on the Roles selector.

    2. Browse through the list of roles in the Select role panel.

    3. Select your Default Front-End role, defined as described in the "Adding a new Default Front-End role" tutorial.

      Select_roles_panel.jpg
    4. Click the Select button.

  4. After adding your Default Front-End role click the Save button of the Edit page panel. As a result, all new users will have access to the default project page, where various tiles can be made available, also on roles assignemnts, aswe shall see in the upcoming tutorial.

Making tiles visible for users on role basis

Each project page can display a customizable amount of tiles that can be grouped and distributed by choice. This tutorial describes the steps that a system administrator needs to do in order to distribute tiles to the system users, on basis of role assignments.

  1. Click the Edit tiles toolbar button.

    Edit_tile_button.jpg
  2. When the page tiles are displayed in edit mode, click on the pen symbol of the tile you need to update.

    Click_to_edit.jpg
  3. In the Edit tile panel proceed as follows:

    Edit_tile.jpg
    1. Make sure that the Tile type toggle button is set to Shared.

    2. Click on the Roles selector.

    3. Browse through the list of roles in the Select role panel.

    4. Select your Default Front-End role, defined as described in the "Adding a new Default Front-End role" tutorial.

      Select_roles_panel.jpg
    5. Click the Select button.

  4. After adding your Default Front-End role click the Save button of the Edit tile panel.

  5. Now, all new system users will be able to access the Overview tile on the Default project page. These steps need to be organised for all the tiles on all the pages in order to ensure a logical distribution of tiles visibility.

Adding a new user and checking if user can login

This tutorial explains how to create a new i4connected user and check what the user can see after logging in for the first time.

  1. In the administration section of the i4connected portal, navigate to the Users panel.

  2. Click the Add toolbar button.

    Add_user_button.jpg
  3. In the Add user panel make sure to fill in at least the mandatory settings:

    Add_user.jpg

    Tip

    More details about the Add user panel settings can be found in this article.

    1. Fill in the User name.

    2. Fill in the user's Password.

    3. Fill in the Password confirmation.

    4. Fill in the user's First name.

    5. Fill in the user's Last name.

    6. Fill in the user's Email address.

    7. Filll in other optional information about the new user, such as Addressing title, Phone and Fax numbers, Address, Language and Time zone.

  4. After filling in all the new user's information click the Save button.

  5. The user creation is confirmed by the system and the User details panel is opened automatically. In this view, notice that the Roles tile already displays one role. In our case, the role created in the "Adding a new Default Front-End role" tutorial has been assigned to our new user.

    Tip

    All the roles having the Is default option enabled will be automatically assigned to all new users,

    Role_automatically_assigned.jpg
  6. Logout of the system and login with the new created user credentials.

    Login_as_new_user.jpg
  7. The new user is successfully logged into i4connected portal. Due to the page and tile role assignments organised during the previous tutorials, the new user can see and access them.

Updating a user's roles and permissions globally

After we have previously created a basic user having only the Default Front-End role assigned, we can update the user and provide him with more permissions.

This tutorial will guide you through a set of simple steps required to set a new user as LocalAdministrator.

  1. In the administration section of the i4connected portal, navigate to the Users panel.

  2. Select the User that should be updated.

  3. In the User details panel click on the Roles tile.

    User_details_Roles_tiler.jpg
  4. In the Roles panel click on the Change toolbar button.

    Notice

    Notice that one role is already available, even though previous changes did not occur in this area. The existing role is the Default Fron-End role that was attributed to the user, by default, after his / her creation.

    Change_roles.jpg
  5. In the Select roles panel, the system administrator can chose from the list of roles and consequently click the Select button.

    Add_LocalAdmin_role.jpg
  6. The Roles panel will be updated with all the added roles.

    Roles_added_globally.jpg

Tip

The Roles panel also allows the system administrator to add new roles to be assigned to the currently selected user, by clicking the Add toolbar button.

Add_roles.jpg

When adding a new role you can guide your steps on basis of the previously described steps under the "Adding a new Function role" tutorial.

Updating a user's roles with linked roles

Users having limited rights can see in the list of roles only the roles that have been globally assigned to them, as described in the previous tutorial. However, it may be the case when the user needs to provide himself or other users with a different set of roles. In order to enable a solution for these situations, the linked roles functionality can be used.

Note

For a better understanding of the linked roles functionality we have prepared a hypothetical situation, when a user with rights to view and manage other users from his / her own organization, needs to provide to a colleague the rights to manage reports.

However, our user does not have this permission enabled, hence he or she cannot work with reports.

As this user is granted with manage users permission and it is his / her responsibility to grant roles to other users, the system administrator can set the reports management role available for assignment, without providing the user with the actual permission to manage reports himself / herself.

List of roles before updating the user roles

As this tutorial demonstrates, our user manager reponsible is not able to grant his colleagues with report management permissions:

  1. Login with the user that is responsible with other users permissions management.

  2. Navigate to the Users panel. The list of users displays the currently logged in user and all other users available in the same organization.

    Users_list.jpg
  3. Select a listed user in detailed view mode and click on the Roles tile.

    User_Gunter.jpg
  4. In the Roles panel of the selected user click on the Change button.

    Roles_of_Gunter.jpg
  5. The Select roles panel displays all the roles that the currently logged in user has. As we deal with a limited rights user, the list does not contain the needed reports management role.

    Report_roles_not_available.jpg
System administrator updates the user's roles
  1. Login as a system administrator and navigate to the Users panel.

  2. Select the user having the responsibility to manage other user roles.

  3. In the User details panel click on the Roles tile.

  4. Click the Link button of the role card that should be updated with other linked roles.

    Link_button.jpg
  5. In the Link roles panel chose the roles that the user should have available but not actually own from permissions point of view. In our case we shall select the ReportRole role.

    Link_roles_panel.jpg
  6. Click the Select button to apply the changes.

  7. The selected role in the Roles panel is updated and displays the direct link relation.

    Directly_linked_roles.jpg
  8. Further on, the system administrator can also establish an indirect link relation, by opening the Roles panel.

  9. In this view, the system administrator selects the role that has been previously directly linked, by clicking the Link button. In our case, we shall select the ReportRole.

    Select_link_button.jpg
  10. In the Link panel chose another role that will be linked to the selected role. We shall go for the ReportScheduler role.

    Link_another_role.jpg
  11. Click the Select button.

  12. Now, the role that is assigned to our user manager responsible has a Direct link relation to the ReportRole and an Indirect link relation to the ReportScheduler role.

    Direct_and_Indirect_link_relations.jpg
List of roles after linking roles

Lets see if our user manager responsible can now grant his colleagues with the possibility to manage reports:

  1. Login with the user that is responsible with other users permissions management.

  2. Navigate to the Users panel. The list of users displays the currently logged in user and all other users available in the same organization.

    Users_list.jpg
  3. Select a listed user in detailed view mode and click on the Roles tile.

    User_Gunter.jpg
  4. In the Roles panel of the selected user click on the Change button.

    Roles_of_Gunter.jpg
  5. The Select roles panel displays all the roles that the currently logged in user has along with the roles that the system administrator has linked for him / her.

    Report_roles_available.jpg
Assigning users with roles in context of hierarchical entities

Hierarchical entities such as Sites, Areas and Organizational Units allow effective permissions assignments, as follows:

  1. In the administration section of the i4connected portal, navigate to the Sites panel.

  2. Select the Site where a new user should be added.

    Select_Site.jpg
  3. In the Site details panel click the Users tile.

    Users_of_site.jpg
  4. In the Site role assignments panel click the Add toolbar button.

    Add_site_role_assignments.jpg
  5. In the Site role assignments panel click on the Select User selector, while the Select existing user toggle button is active.

    Select_user.jpg
  6. In the Select Users panel chose the user to be assigned to this Site, either by scrolling through the list of by using the filter option.

    Chose_user.jpg
  7. As soon as the user has been selected, the Site role assignments panel is updated with the list of potential roles to be assigned to the user,, in context of the selected Site.

    Warning

    Until no roles are selected from the list, all the Site's effective permissions will remain as "Deny".

    NO_effective_permissions.jpg
  8. Chose the desired role(s) and follow up the Effective permissions list.

    Note

    The Hierarchical Entity role assignments panel allows the selection of multiple roles. However, it is dully notable that these roles and permissions will ONLY be effective in context of the selected hierarchical entity. For more details, please also visit our Role assignments article.

    With_effective_permissions.jpg
  9. When all the desired roles and effective permissions have been assigned, click the Select button.

  10. The Site role assignments list of users displays the added user indicating also the attributed user roles.

    Role_assigned.jpg

    Note

    Please note that the user will be notified via Email about the Hierarchical Entity role assignemnt operation that the system administrator processed.

    Email_notification.jpg
Copying user settings

This tutorial explains how to the settings of a user to another user, with the minimum amount of effort.

Warning

The Copy user settings action cannot be undone after applying the copied roles and assignments.

  1. In the administration section of the i4connected portal, navigate to the Users panel.

  2. Select the User that should be updated with another user's settings.

  3. In the User details panel click the Copy user toolbar button.

    Note

    The Copy user settings button is available only for users having the Users permission enabled.

    Copy_user_button.jpg
  4. In the Copy user settings panel the following selections can be done:

    Copy_user_settings_panel.jpg
    1. Click the selector to chose the user to copy settings from. The Select users panel allows possibility to chose one user whose settings will be parsed to the currently selected user.

      Copy_settings_from.jpg
    2. As soon as the user is selected, the Roles area is updated to display the roles of the chosen user. The Copy roles option can be toggled to Yes or No.

      Copy_roles.jpg
    3. The Assignments area features all the i4connected entities carring roles or permission settings involving Sites, Areas, Organizations, Devices, Signals and Adapters. By togglinge the Yes / No butons the system administrator candecide which entity role assignments to copy.

      Assignments.jpg
    4. The Assignments copy behavior can be set to either Merge or Replace.

      Merge behaviour will add the copied assignments roles to the current user's roles and the Replace behaviour will completely remove the roles of the user, adding only the copied ones.

      Assignments_copy_behaviour.jpg
  5. Click the Apply button to proceed with the copy action.

  6. In the Confirm user settings panel the system administrator is required to manually type in the provided confirmation code and click the Apply button.

    Confirm_user_settings.jpg
  7. By checking the updated user details panel all the copied roles and assignments are made available.

Locking and unlocking users

This guide explains how to lock and unlock an i4connected user from the administration section of the portal.

Any user can be locked out of the i4connected portal either by intentionally locking the selected user from the administration section or if the user tries to log in using the wrong password more than five times in a row. The administration section of the i4connected portal provides the simplest solution for locking and/or unlocking any user:

  1. In the administration section of the i4connected portal, navigate to the Users panel.

  2. Select the user requiring locking or unlocking.

  3. In the User details panel notice the Lock selected user(s) and Unlock selected user(s) toolbar buttons.

    Note

    The Lock / Unlock user button is available only for users having the Users permission enabled.

  4. To lock a user click the Lock selected user(s) button.

    Note

    No further confirmation is expected. The user will be locked as soon as the Lock user button is selected.

    Lock_user_button.jpg

    Lock user button

  5. The user will now be locked out of the i4connected portal. The lock symbol in the Locked Out column confirms the action.

    lock_symbol.jpg

    Example of the Locked user symbol

  6. To unlock a user, simply select it from the list and click the Unlock selected user(s) button.

    Note

    The user will be unlocked without any further confirmation.

    Unlock_user.jpg

    Unlock user button