Manage Users and Groups: Difference between revisions
| No edit summary | |||
| (75 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| This article describes how to use the Manage Users dialog to modify users, groups and permissions. | |||
| == Manage Users Dialog == | |||
| The Manage Users dialog is used to create and modify users and groups, and manage roles and permissions. Only users with ''[[Roles_and_Permissions#Global_and_Project_Roles|ManageUsers]]'' permission can use the Manage Users dialog. This page contains information how to use the User Management dialog. For more information how permissions work in conceptual level, please read [[Roles and Permissions]]. | |||
| User can be ''active'' or ''inactive''. Inactive users are not allowed to login and thus use their assigned permissions. Users can be inactivated both temporary or permanently to prevent them from login into the system. When using the built-in authentication, user not using the system anymore, need to be inactivated (as users cannot be deleted). When using the federated authentication, it's not necessary to inactivate users, because those users are anyways not able to login through the external authentication. | |||
| The dialog shows which users have a password defined. If user has a password, the user can authenticate via the built-in authentication method. If the SAML authentication is configured, users can also authenticate via it without a password in the QPR ProcessAnalyzer user management. If users are meant to authenticate only using the SAML, it's strongly recommended to remove the password from the user management to prevent the built-in authentication method. | |||
| All changes made in the Manage Users dialog are effective immediately. The bottom of the screen shows either ''Saving'' when saving is currently in progress and, ''Saved'' when saving changes is completed. Note that when making changes to your own roles or groups, in order for them to take effect, you should relogin to the system. | |||
| '''Effective permissions''' show the actual permissions that users have in the system. The effective permissions are calculated from permissions that are in the groups of the user and permissions that are assigned directly to the user. | |||
| ==  | == Creating User == | ||
| # | # In the '''Manage Users''' dialog, open the '''Users''' tab, and click '''Add user'''. | ||
| # Fill in '''Login name''' and optionally '''Full name''' and '''Email'''. Note that each user in the system must have a different login name. | |||
| # | # Click the '''Add user''' button. | ||
| #Click '''Add'''. | |||
| ==  | == Editing User Information == | ||
| # | # In the '''Manage Users''' dialog, open the '''Users''' tab. | ||
| # Select a user from the table and click the '''Edit''' button (or double-click the user in the table). | |||
| #Select the  | # Change the user information and click the '''Save''' button. | ||
| # | |||
| == Removing a User  | == Setting User Password == | ||
| #Select the user or the user group from the  | # In the '''Manage Users''' dialog, open the '''Users''' tab. | ||
| #Select the  | # Select a user from the left-side table and click '''Change password'''. | ||
| # | # Define a password for the user and confirm the password. | ||
| # Click the '''Change Password''' button. | |||
| == Removing User Password == | |||
| # In the '''Manage Users''' dialog, open the '''Users''' tab. | |||
| # Select a user (or several users) from the left-side table and click '''Remove password'''. | |||
| # Click the '''Remove''' button in the confirmation dialog. | |||
| It's recommended to remove password from users that switch to use the SAML authentication, and thus don't need to authenticate using the built-in method. | |||
| == Editing User Description == | |||
| # In the '''Manage Users''' dialog, open the '''Users''' tab. | |||
| # Select a user from the table and click '''Edit description'''. | |||
| # Change the user description and click the '''Save''' button. | |||
| == Creating Group == | |||
| # In the '''Manage Users''' dialog, open the '''Groups''' tab, and click '''Add group'''. | |||
| # Fill in '''Group name''' and optionally '''Group Email''' and '''Starting dashboard''' (more below). Note that each group in the system must have a different name. | |||
| # Click the '''Add group''' button. | |||
| == Editing Group Information == | |||
| # In the '''Manage Users''' dialog, open the '''Groups''' tab. | |||
| # Select a group from the table and click the '''Edit''' button (or double-click the group in the table). | |||
| # Following information of the group can be changed: '''Group name''', '''Group email''' and '''Starting dashboard''' (more below). | |||
| # Click the '''Save''' button. | |||
| The starting dashboard is defined using the following format: | |||
| * /<ProjectName>/<DashboardIdentifier> | |||
| * /<ParentProjectName>/<ChildProjectName>/<DashboardIdentifier> | |||
| Example starting dashboards: | |||
| * /Project 1/Dashboard 1 | |||
| * /Project 1/Project 2/Dashboard 1 | |||
| See how to define [[QPR_ProcessAnalyzer_Dashboard_Designer#Dashboard_General_Settings|dashboard identifiers]]. | |||
| == Editing Group Description == | |||
| # In the '''Manage Users''' dialog, open the '''Groups''' tab. | |||
| # Select a group from the table and click '''Edit description'''. | |||
| # Change the group description and click the '''Save''' button. | |||
| == Deleting Group == | |||
| # In the '''Manage Users''' dialog, open the '''Groups''' tab. | |||
| # Select the group you want to delete and click the '''Delete group''' button. | |||
| # In the confirmation dialog, click the '''Delete''' button. | |||
| Note that when a group is deleted, also its user memberships and roles (both project and global level) are deleted. | |||
| == Adding User to Groups == | |||
| # In the '''Manage Users''' dialog, open the '''Users''' tab. | |||
| # Select a user from the left-side table. | |||
| # In the '''User belongs to groups''' table, click the '''Add to group''' button. | |||
| # Select a group and '''Membership type''', and click the '''Save''' button. | |||
| Notes: | |||
| * You can edit an existing memberships by selecting it from the table and clicking the '''Edit''' button. | |||
| * You can delete an existing memberships by selecting it from the table and clicking the '''Delete''' button. | |||
| * You can cancel the editing by clicking the '''Cancel'' button. | |||
| * The ''Membership type'' is usually ''Member'' (other membership types are for legacy use cases). | |||
| * Note that a user can be added to a group only once. | |||
| == Adding Users to Group == | |||
| # In the '''Manage Users''' dialog, open the ''Groups'' tab. | |||
| # Select a group from the left-side table. | |||
| # In the '''Group contains users''' table, click the '''Add user to group''' button. | |||
| # Select a user and '''Membership type''', and click the '''Save''' button. | |||
| See also notes in the [[#Adding User to Groups|Adding User to Groups]] section. | |||
| == Assigning Project-Level Roles to Users and Groups == | |||
| # In the ''Manage Users'' dialog, open the ''Users'' tab (or '''Groups''' tab if assigning permissions to a group). | |||
| # Select a user/group from the left-side table. | |||
| # In the '''Project roles of user/group''' table, click the '''Assign role for project''' button. | |||
| # Select a project and '''Role''', and click the '''Save''' button. | |||
| Notes: | |||
| * You can edit an existing role assignment by selecting it from the table and clicking the '''Edit''' button. | |||
| * You can delete an existing role assignment by selecting it from the table and clicking the '''Delete''' button. | |||
| * You can cancel the role assignment editing by clicking the '''Cancel'' button. | |||
| * User can have several roles for a project. | |||
| == Assigning Global Roles to Users and Groups == | |||
| # In the ''Manage Users'' dialog, open the ''Users'' tab (or '''Groups''' tab if assigning permissions to a group). | |||
| # Select a user/group from the left-side table. | |||
| # In the '''Global roles of user/group''' section, check/uncheck one of the global role checkboxes. Changes are saved. | |||
| == Inactivating Users == | |||
| # In the '''Manage Users''' dialog, open the '''Users''' tab. | |||
| # Select one or several users to be inactivated from the left-side table, and click the '''Inactivate users''' button. | |||
| # In the confirmation dialog, click the '''Inactivate''' button. | |||
| In QPR ProcessAnalyzer, users cannot be deleted, so that the audit data is preserved (such as who created and updated objects). Instead, if user is not needed anymore, the user account needs to be inactivated, as inactive users cannot login to the system.  | |||
| Note that inactive users information cannot be changed, so the user needs to be activated first. | |||
| == Activating Users == | |||
| # In the '''Manage Users''' dialog, open the '''Inactive users''' tab. | |||
| # Select one or several users to be activated from the table, and click the '''Activate users''' button. | |||
| # In the confirmation dialog, click the '''Activate''' button. | |||
| == Checking User or Project Effective Permissions == | |||
| # In the '''Manage Users''' dialog, open the '''Effective permissions''' tab. | |||
| # Select either a project from the '''Project''' list or a user from the '''User''' list. | |||
| # Table is showing the effective permissions for the selected project or user. | |||
| When showing effective permissions for a project, the effective permissions table shows all users that have any permissions to the project. The checkboxes are showing the individual [[Roles_and_Permissions#Global_and_Project_Roles|permissions]] for each user. When showing effective permissions for a user, the effective permissions table shows all projects where the user has any permissions. The checkboxes are showing the individual [[Roles_and_Permissions#Global_and_Project_Roles|permissions]] for each project.  | |||
| == Prevent Removing Own Access == | |||
| QPR ProcessAnalyzer has a built-in protection mechanism to prevent users from inadvertently revoking their own access rights. If this were possible, the last administrator could inadvertently remove their own permissions, leaving no one able to manage permissions. To perform operations that are blocked for this reason, another administrator user is required. | |||
| The following operations are restricted (to mitigate the risk of self-removal of access rights): | |||
| * Users cannot inactivate their own user accounts. | |||
| * Users cannot remove the global adminstrator role assigned to themselves. | |||
| * Users cannot exit a user group if it has the global adminstrator role assigned, unless the user itself has the global administrator role. | |||
| * Users cannot remove the global adminstrator role from a group if they are members of that group, unless the user itself has the global administrator role. | |||
| * Users cannot delete groups with the global adminstrator role if they belong to those groups, unless the user itself has the global administrator role. | |||
| [[Category: QPR ProcessAnalyzer]] | [[Category: QPR ProcessAnalyzer]] | ||
Latest revision as of 12:44, 28 August 2025
This article describes how to use the Manage Users dialog to modify users, groups and permissions.
Manage Users Dialog
The Manage Users dialog is used to create and modify users and groups, and manage roles and permissions. Only users with ManageUsers permission can use the Manage Users dialog. This page contains information how to use the User Management dialog. For more information how permissions work in conceptual level, please read Roles and Permissions.
User can be active or inactive. Inactive users are not allowed to login and thus use their assigned permissions. Users can be inactivated both temporary or permanently to prevent them from login into the system. When using the built-in authentication, user not using the system anymore, need to be inactivated (as users cannot be deleted). When using the federated authentication, it's not necessary to inactivate users, because those users are anyways not able to login through the external authentication.
The dialog shows which users have a password defined. If user has a password, the user can authenticate via the built-in authentication method. If the SAML authentication is configured, users can also authenticate via it without a password in the QPR ProcessAnalyzer user management. If users are meant to authenticate only using the SAML, it's strongly recommended to remove the password from the user management to prevent the built-in authentication method.
All changes made in the Manage Users dialog are effective immediately. The bottom of the screen shows either Saving when saving is currently in progress and, Saved when saving changes is completed. Note that when making changes to your own roles or groups, in order for them to take effect, you should relogin to the system.
Effective permissions show the actual permissions that users have in the system. The effective permissions are calculated from permissions that are in the groups of the user and permissions that are assigned directly to the user.
Creating User
- In the Manage Users dialog, open the Users tab, and click Add user.
- Fill in Login name and optionally Full name and Email. Note that each user in the system must have a different login name.
- Click the Add user button.
Editing User Information
- In the Manage Users dialog, open the Users tab.
- Select a user from the table and click the Edit button (or double-click the user in the table).
- Change the user information and click the Save button.
Setting User Password
- In the Manage Users dialog, open the Users tab.
- Select a user from the left-side table and click Change password.
- Define a password for the user and confirm the password.
- Click the Change Password button.
Removing User Password
- In the Manage Users dialog, open the Users tab.
- Select a user (or several users) from the left-side table and click Remove password.
- Click the Remove button in the confirmation dialog.
It's recommended to remove password from users that switch to use the SAML authentication, and thus don't need to authenticate using the built-in method.
Editing User Description
- In the Manage Users dialog, open the Users tab.
- Select a user from the table and click Edit description.
- Change the user description and click the Save button.
Creating Group
- In the Manage Users dialog, open the Groups tab, and click Add group.
- Fill in Group name and optionally Group Email and Starting dashboard (more below). Note that each group in the system must have a different name.
- Click the Add group button.
Editing Group Information
- In the Manage Users dialog, open the Groups tab.
- Select a group from the table and click the Edit button (or double-click the group in the table).
- Following information of the group can be changed: Group name, Group email and Starting dashboard (more below).
- Click the Save button.
The starting dashboard is defined using the following format:
- /<ProjectName>/<DashboardIdentifier>
- /<ParentProjectName>/<ChildProjectName>/<DashboardIdentifier>
Example starting dashboards:
- /Project 1/Dashboard 1
- /Project 1/Project 2/Dashboard 1
See how to define dashboard identifiers.
Editing Group Description
- In the Manage Users dialog, open the Groups tab.
- Select a group from the table and click Edit description.
- Change the group description and click the Save button.
Deleting Group
- In the Manage Users dialog, open the Groups tab.
- Select the group you want to delete and click the Delete group button.
- In the confirmation dialog, click the Delete button.
Note that when a group is deleted, also its user memberships and roles (both project and global level) are deleted.
Adding User to Groups
- In the Manage Users dialog, open the Users tab.
- Select a user from the left-side table.
- In the User belongs to groups table, click the Add to group button.
- Select a group and Membership type, and click the Save button.
Notes:
- You can edit an existing memberships by selecting it from the table and clicking the Edit button.
- You can delete an existing memberships by selecting it from the table and clicking the Delete button.
- You can cancel the editing by clicking the 'Cancel button.
- The Membership type is usually Member (other membership types are for legacy use cases).
- Note that a user can be added to a group only once.
Adding Users to Group
- In the Manage Users dialog, open the Groups tab.
- Select a group from the left-side table.
- In the Group contains users table, click the Add user to group button.
- Select a user and Membership type, and click the Save button.
See also notes in the Adding User to Groups section.
Assigning Project-Level Roles to Users and Groups
- In the Manage Users dialog, open the Users tab (or Groups tab if assigning permissions to a group).
- Select a user/group from the left-side table.
- In the Project roles of user/group table, click the Assign role for project button.
- Select a project and Role, and click the Save button.
Notes:
- You can edit an existing role assignment by selecting it from the table and clicking the Edit button.
- You can delete an existing role assignment by selecting it from the table and clicking the Delete button.
- You can cancel the role assignment editing by clicking the 'Cancel button.
- User can have several roles for a project.
Assigning Global Roles to Users and Groups
- In the Manage Users dialog, open the Users tab (or Groups tab if assigning permissions to a group).
- Select a user/group from the left-side table.
- In the Global roles of user/group section, check/uncheck one of the global role checkboxes. Changes are saved.
Inactivating Users
- In the Manage Users dialog, open the Users tab.
- Select one or several users to be inactivated from the left-side table, and click the Inactivate users button.
- In the confirmation dialog, click the Inactivate button.
In QPR ProcessAnalyzer, users cannot be deleted, so that the audit data is preserved (such as who created and updated objects). Instead, if user is not needed anymore, the user account needs to be inactivated, as inactive users cannot login to the system.
Note that inactive users information cannot be changed, so the user needs to be activated first.
Activating Users
- In the Manage Users dialog, open the Inactive users tab.
- Select one or several users to be activated from the table, and click the Activate users button.
- In the confirmation dialog, click the Activate button.
Checking User or Project Effective Permissions
- In the Manage Users dialog, open the Effective permissions tab.
- Select either a project from the Project list or a user from the User list.
- Table is showing the effective permissions for the selected project or user.
When showing effective permissions for a project, the effective permissions table shows all users that have any permissions to the project. The checkboxes are showing the individual permissions for each user. When showing effective permissions for a user, the effective permissions table shows all projects where the user has any permissions. The checkboxes are showing the individual permissions for each project.
Prevent Removing Own Access
QPR ProcessAnalyzer has a built-in protection mechanism to prevent users from inadvertently revoking their own access rights. If this were possible, the last administrator could inadvertently remove their own permissions, leaving no one able to manage permissions. To perform operations that are blocked for this reason, another administrator user is required.
The following operations are restricted (to mitigate the risk of self-removal of access rights):
- Users cannot inactivate their own user accounts.
- Users cannot remove the global adminstrator role assigned to themselves.
- Users cannot exit a user group if it has the global adminstrator role assigned, unless the user itself has the global administrator role.
- Users cannot remove the global adminstrator role from a group if they are members of that group, unless the user itself has the global administrator role.
- Users cannot delete groups with the global adminstrator role if they belong to those groups, unless the user itself has the global administrator role.