Managing Users and Groups

From Informer 4 Wiki

You can create Informer users and groups or import them from LDAP repositories. Regardless of source, you are free to assign permissions to any user or group principal.

Informer Users and Groups can come from one of two sources:

• Internal Users and Groups : created from and maintained within Informer. Complete details are stored in the local Informer database and managed internally.

• External Users and Groups : maintained in an external in LDAP, Active Directory, or custom repository. Informer maintains a reference to the repository and relevant principal records. Changes made to principals in an external source are reflected immediately within Informer.

For information on referencing external repositories for user and group management, please see the LDAP section of this chapter.

Contents 1 Users 2 Groups 3 Managing Group and User Relationships 4 Using LDAP and Active Directory 4.1 LDAP Attribute Mappings 5 Root Permissions 6 Object Permissions 7 User Impersonation

Users

The Users tab in the Security Module provides user search functionality across all user repositories. Provide the filters you require and click Search. The Users Listing displays qualifying users with their associated Full Name, Title, Informer Username, and Source (Local for internal users, External otherwise).

To create a new internal user, click the New User action in the Users Home action bar to pop the New User dialog. The dialog prompts for the following:

• First Name : first name of the new user

• Last Name : last name of the new user

• Display Name : display name within Informer

• Title : title of the new user

• Email Address : email address of the new user, used for scheduled reports and notifications

• Username : Informer username for the new user

• Password / Retype Password : Informer password for the new user

• Internal ID : legacy placeholder for external unique identifiers in previous versions of Informer. Unless already in use, it is suggested you forego Internal ID for the more descriptive and manageable User Defined Fields.

• Time Zone : time Zone for the new user. System default defers to the setting provided in Admin > System Settings

• Active Status : status of the new user. Active users can log in, inactive users cannot.

• <All User Defined Fields> : allows for entry related to User Defined Fields.

Click Save to save user details. Your new user is now defined in Informer.

Click a Full Name value inside the users listing to view associated User Details. The user details page allows the ability to view and edit all values associated with a user save those which are maintained by the external repository. To change the password for an internal user, click the New Password action on the user detail page to pop the New Password dialog.

Delete a user by clicking the Delete action in the User Details page, or by selecting one or more records on the Users Home page and clicking the Delete button in the Users Listing menu bar. Note you can only delete internal users.

Groups

The Groups tab in the Security Module provides group search functionality across all user repositories. Provide a name filter if you require and click Search. The Groups Listing displays qualifying groups with their associated Group Name and Source (Local for internal users, External otherwise).

To create a new internal group, click the New Group action in the Groups Home action bar to pop the New Group dialog. The dialog prompts only for a Group Name and Group Description. Click Save to save group details. Your new group is now defined in Informer. Click a Group Name value inside the groups listing to view associated Group Details.

Delete a Group by clicking the Delete action in the Group Details action bar, or by selecting one or more records on the Groups Home page and clicking the Delete button in the Groups Listing menu bar. Note you can only delete internal groups.

Managing Group and User Relationships

A user can belong to many groups and a group can contain many users. You can add users to groups individually on the User Detail page or in bulk on the Group Detail page. You can manage an external group as if it were local, adding and removing external and local users. Note that modifications made to external groups and users only affect Informer; the application does not write modifications to your external source.

Informer will not allow you to remove an external from their assigned external groups, though you can add external users to groups they do not belong to inside LDAP. You can also add local users to external groups, external users to local groups, etc., though it is not considered best practice to modify external group memberships.

Using LDAP and Active Directory

Informer can authenticate against multiple LDAP and Active Directory user repositories, meaning users can log in with their network username and password, and site administrators do not have to maintain an additional user data base for use only in Informer.

To create a reference to LDAP or Active directory, browse to the LDAP Reporsitories tab in the Security module and click the New Repository action in the action bar to open the New User Repository dialog. Provide the following:

• URL : location of your LDAP server, e.g. ldap://ldap.mydomain.com

• Type : select LDAP or Active Directory

• Username DN : the username Informer will use to search the LDAP Repository. Leave blank for anonymous searching.

• Password : the password for the username Informer will use to search the LDAP Repository. Leave blank for anonymous searching.

• Root DN : the root DN name of the subtree you will be searching for informer users.

• Search Paths : list of LDAP directories and associated filters to search for users and groups. If left blank, the entire tree is searched starting at the provided Root DN. To add a new search path, click the Add New Search path to open the New LDAP Search path dialog. Define your search path as subtree or top-level only, provide a filter and a Search DN. Click Save to save and close the dialog. You can add multiple search paths.

• Group Class : class for retrieving groups. If left blank, Informer uses objectclass=group

• User Class : class for retrieving groups. If left blank, Informer uses objectclass=group

• Page Size : use paging if there is a result size limit on your LDAP server. Size 0 is unlimited.

Click Save to save and close the New LDAP Repository dialog, Informer now maintains a reference to your LDAP Repository. Click the repository name in the repositories listing To view and edit details.

LDAP Attribute Mappings

With a successful connection to a repository, you can map external attributes to user properties for use within Informer. To edit the default user attribute values, double click inside the User Attribute Mappings, provide the appropriate value, and click Save.

You can also support custom attributes. To add a new custom attribute, click the Add button in the custom attributes listing to open the Map an LDAP Attribute dialog. Custom attributes add custom user fields to each Informer user from the LDAP repository which maps to a specific LDAP attribute value. Click Save to add your new attribute.

Root Permissions

Informer uses cascading permissions to determine if a particular user has access to a particular feature. This determination is made at the most granularly defined access value. Meaning, if a user belongs to a group which does not have access to delete reports, you can override that permission and allow that feature access to that particular user. These global permission defaults are managed on the Root Permissions tab in the Security module.

The two implicit principals, Everyone and Owner, are defined by default in Root Permissions. Add a user or group to the Users or Groups panel by typing in the Add a user or group textbox, or by searching through the popup principal search dialog. To modify permission values, select the principal to change, and their defined permissions are displayed in the Edit Permissions table.

The Edit Permissions table displays the implied permission assigned to the selected principal. To override a permission, click Edit in the menu bar to enable the Grant and Deny checkboxes. The inherited permission displays as a disabled checkbox. To override the inherited permission, click the enabled checkbox. Select Full Control to apply all associated permissions Grant. When you finish editing, click Save in the Edit Permissions menu bar to apply your new settings.

To remove a principal from the Root permissions set, thereby assigning that principal the default inherited permission, select the principal name in the Users or Groups panel and click remove. You cannot remove the two implied principals.

Object Permissions

Each securable object in Informer contains a Permissions action in the action bar of its associated detail page. Whereas Root Permissions defines what a user can do globally within the system, each individual system object can override this setting. For example, a user may be granted the ability to create Live Excel spreadsheets through the Root Permissions panel, but you can restrict that user and others from doing so on a specific report.

Browse to an Informer object, such as a report, and click the Permissions action in the menu bar to open the Manage Permissions dialog for that object. Much like the Root Permissions page, the Manage Permissions dialog allows you to select specific permissions for specific principals.

Object permissions also define what specific reporting data a user is allowed to access within Informer. This data security is accomplished through assigning object permissions on datasources, mappings, and properties. For example, if you only want your HR user group to have access to the SSN field in a Person table, you would:

1. Browse to the SSN property detail page
2. Open its Manage Permissions dialog
3. Select the Everyone principal and deny access to all permissions
4. Add the HR group to the principals panel through type-ahead or search
5. Select the HR principal and grant access to all permissions
6. Save and close the Manage Permissions dialog.

User Impersonation

Impersonating an Informer user allows you to view their effective permissions as you browse through the application. To impersonate a user, browse to their User Detail Page and click Impersonate in the action bar.

Once you begin impersonating a user, your login session loses all your previous permissions and groups, and you gain those of the selected user. You must log out to stop impersonation.