Users#
Administration.Security
The list of users is available by selecting Users on the landing page of the Security entity. 
The Users page displays general information on the specific user. In addition, it enables you to execute all the operations that can be performed on a specific user. The Details view will display some or all of the following page sections:
- Details - displays general information on the user.
- Roles - displays information on the roles to which the user belongs.
- Features - displays information on the features to which the user has access.
- Data Groups - displays information on the data groups to which the user belongs.
- Access Tokens - displays information on the access tokens that the user has generated.
- Devices - displays information on the devices used by the user to access the system and which they registered upon logging in.
Creating a User#
User.Create
To create a user in the application, you open the Users page and select Create on the top ribbon:
- Provide the Account name for the user as defined in the Active Directory.
- Optionally provide a Name and an Email Address (if an email address is defined, it must be well formed). If not provided, the information will be retrieved from the Active Directory.
Warning
To ensure proper user validation, some Security Portal operations require email addresses to be unique.
- Optionally, specify the Primary Role of the user. If a Primary Role is specified, the user will be automatically added to that Role as part of this transaction.
- Specify whether the account refers to an Integration User. An Integration User is typically used for equipment integration in order to relax some functional restrictions, such as forcing the user to be checked in at the resource.
Info
If the Integration User property is set to true, the Enable Step Certification Requirements will not be available. For more information, see Create Step.
- Specify whether the user is Enabled in the system (it defaults to true). A user that is not Enabled will not be allowed to log in to the system.
- Optionally, define an Auto-Lock Timeout, in seconds:
- If not defined, it takes the default value stored in the configuration of the application, under the path /Cmf/Guis/Configuration/Common/Security/AutoLockTimeout/.
- If defined as 0, the user session never times out.
- Optionally provide the following information:
- PIN - a personal identification number that can be used in combination with the token for keyboard wedge user identification and authentication (it can be alphanumeric, and any letters used must be capitalized).
- Token - the user token, in case a keyboard wedge device is configured for user identification and authentication.
- Optionally specify the Authentication Strategy that should be followed by the Security Portal.
Note
This setting only applies if the Security Portal is configured with more than one Authentication Strategy.
- Optionally provide a Password - an alphanumeric string to ensure private access to the system.
- Specify whether the user will be prompted to change the password on the next login.
Note
This setting is only applicable when the environment is configured to use the Security Portal with a local Authentication Strategy.
- Select Create to complete the transaction.
Warning
There is currently no support for non-ASCII characters in user account names.
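The caveats in the steps above (unique email addresses, an Auto-Lock Timeout of 0, Integration Users, capitalized PINs, ASCII-only account names) can be checked across existing accounts. The following is an added example, not part of the product or its documentation; the record layout and field names are assumptions, and the sample users are constructed.

```python
from collections import Counter

# Constructed sample records. The field names are assumptions made for this
# example; they are not the product's export schema.
USERS = [
    {"account": "DOMAIN\\jsmith", "email": "j.smith@example.com",
     "enabled": True, "integration": False, "auto_lock": None, "pin": "AB12"},
    {"account": "DOMAIN\\eqp_line1", "email": "J.Smith@example.com",
     "enabled": True, "integration": True, "auto_lock": 0, "pin": None},
    {"account": "DOMAIN\\jos\u00e9", "email": "jose@example.com",
     "enabled": False, "integration": False, "auto_lock": 600, "pin": "ab12"},
]


def audit_users(users):
    """Return (account, finding) pairs for the caveats listed on this page."""
    findings = []
    # Email uniqueness is compared case-insensitively.
    emails = Counter(u["email"].lower() for u in users if u.get("email"))
    for u in users:
        acct = u["account"]
        if not acct.isascii():
            findings.append((acct, "non-ASCII account name"))
        if u.get("email") and emails[u["email"].lower()] > 1:
            findings.append((acct, "email address not unique"))
        # None means "use the configured default"; only an explicit 0 disables it.
        if u.get("auto_lock") == 0:
            findings.append((acct, "Auto-Lock Timeout is 0 (session never times out)"))
        if u.get("integration") and u.get("enabled"):
            findings.append((acct, "enabled Integration User: review owner and need"))
        pin = u.get("pin")
        if pin and (not pin.isalnum() or pin != pin.upper()):
            findings.append((acct, "PIN is not capitalized alphanumeric"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_users(USERS):
        print(f"{account}: {finding}")
```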
Editing a User#
User.Edit
To edit a user, you need to:
- Open the Users page.
- Select the user you want to edit.
- Select Edit on the top ribbon.
- Make the necessary changes.
- Select Save to commit the data to the database.
Deleting a User#
User.Delete
To delete a user, you need to:
- Open the Users page.
- Select the user you want to delete.
- Select Delete on the top ribbon.
- Select Delete to commit the data to the database.
Assigning Roles to a User#
Role.Edit
To assign one or more Roles to a user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Assign button.
- Select the desired Roles for the user - note that only the Roles that the user does not belong to are shown.
- Select Assign to complete the operation.
Unassigning Roles from a User#
Role.Edit
To unassign one or more Roles from a user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Roles you want to unassign from the user and select the Unassign button.
- Select Unassign to complete the operation.
Copying Roles from Another User#
Role.Edit
To copy the Roles that another user possesses and assign them to the selected user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Copy dropdown button and select Copy Roles From Another User.
- Select the user from which the Roles will be copied to the current user.
- Select Copy to complete the operation.
Warning
There is an option to replace the current Roles with the ones being copied. Use this with caution since the existing Roles will no longer be assigned to the current user.
Copying User Roles to Other Users#
Role.Edit
To copy the Roles that one user possesses to one or more Users, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Copy dropdown button and select Copy User Roles to Other Users.
- Select the users that will receive the Roles of the current user.
- Select Copy to complete the operation.
Warning
There is an option to replace the current Roles with the ones being copied. Use this with caution since the existing Roles will no longer be assigned to the other users.
Creating Access Tokens for a User#
User.ShowPersonalAccessToken
A user can create any number of Access Tokens that will allow the user to use the LightBusinessObjects assembly (Cmf.LightBusinessObjects.dll), which is made available to make external calls to the Critical Manufacturing REST APIs from outside the GUI. For more information, see Light Business Objects (LBOs).
User.CreatePersonalAccessToken
To create one or more Access Tokens for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Access Tokens section.
- Select the Create button.
- Select a Name for the Access Token.
- Select a predefined number of days for token expiration or select a custom Expiration Date.
- Select an authorized Scope if there is a need to channel the usage of the Access Token for a specific defined scope. These Scopes can be defined through the Roles page and the use of the Is OAuth Scope flag.
- Select Create to complete the operation.
- The Access Token will be shown and the user can then copy the generated string for later use.
Warning
The generated string is only fully visible in this step. If it is not copied and stored in a separate location, it will not be available again.
- Selecting Close will close the window and the Access Token will be displayed in the list of tokens.
Info
After the Access Token is created, the last four digits of the Access Token should be stored in the database and visible in the list of tokens in the Access Tokens section of the current user.
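The show-once behaviour described above is what results when a server keeps only a one-way hash of the token plus its last four characters. The following is an added example of that general design, not Critical Manufacturing's code; the hashing scheme, the `TokenStore` class and the rule that an unscoped token is unrestricted are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


class TokenStore:
    """Show-once token store (assumed design, not the product's code)."""

    def __init__(self):
        self._rows = {}  # token name -> stored record; never the token itself

    def create(self, name, days, scope=None, now=None):
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        self._rows[name] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "last4": token[-4:],           # enough to recognise it in a list
            "expires": now + timedelta(days=days),
            "scope": scope,                # None = not restricted (assumption)
        }
        return token  # shown once; it cannot be rebuilt from the record

    def listing(self):
        return [(name, "..." + r["last4"], r["expires"], r["scope"])
                for name, r in self._rows.items()]

    def verify(self, token, scope, now=None):
        now = now or datetime.now(timezone.utc)
        digest = hashlib.sha256(token.encode()).hexdigest()
        for r in self._rows.values():
            # Constant-time comparison of the presented and stored digests.
            if hmac.compare_digest(digest, r["digest"]):
                in_scope = r["scope"] is None or r["scope"] == scope
                return now < r["expires"] and in_scope
        return False

    def revoke(self, name):
        """Remove the record; the token stops verifying immediately."""
        return self._rows.pop(name, None) is not None
```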
Revoking Access Tokens for a User#
User.RevokePersonalAccessToken
A user can revoke any number of Access Tokens from the same section in the Users page. To revoke one or more Access Tokens for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Access Tokens section.
- Select one or more Access Tokens that you want to revoke and select the Revoke button.
- Verify the details of the Access Token that you want to revoke.
- Select Revoke to complete the operation and the Access Token will be removed.
Registering Devices for a User#
You can register specific devices that can be used to authenticate a User (a smartphone, laptop or any other device with built-in or connected authenticators) and access them in the Devices section of the User page. For more information on how to register a device, see Webauthn.










