Users#
Administration.Security
The list of users is available by selecting Users on the landing page of the Security entity.
The Users page displays general information on the selected user. In addition, it enables you to execute all the operations that can be performed on a specific user. The Details view displays some or all of the following page sections:
- Details - displays general information on the user.
- Roles - displays information on the roles to which the user belongs.
- Features - displays information on the features to which the user has access.
- Data Groups - displays information on the data groups to which the user belongs.
- Access Tokens - displays information on the access tokens that the user has generated.
- Public Keys - displays information on the public keys that the user has added.
- Devices - displays information on the devices used by the user to access the system and which they registered upon logging in.
Creating a User#
User.Create
To create a user in the application, open the Users page and select Create on the top ribbon:
- Provide the Account name for the user as defined in the Active Directory.
- Optionally provide a Name and an Email Address (if an email address is defined, it must be well formed). If not provided, the information will be retrieved from the Active Directory.
Warning
To ensure proper user validation, some Security Portal operations require email addresses to be unique.
- Optionally, specify the Primary Role of the user. If a Primary Role is specified, the user will be automatically added to that Role as part of this transaction.
- Specify whether the account refers to an Integration User. An Integration User is typically used for equipment integration in order to relax some functional restrictions, such as forcing the user to be checked in at the resource.
Info
If the Integration User property is set to true, the Enable Step Certification Requirements will not be available. For more information, see Create Step.
- Specify whether the user is Enabled in the system (it defaults to true). A user that is not Enabled will not be allowed to log in to the system.
- Optionally, define an Auto-Lock Timeout, in seconds:
  - If not defined, it takes the default value stored in the configuration of the application, at the path /Cmf/Guis/Configuration/Common/Security/AutoLockTimeout/.
  - If defined as 0, the user session never auto-locks.
- Optionally provide the following information:
  - PIN - a personal identification number that can be used in combination with the Token for identification and authentication through a keyboard wedge device (it can be alphanumeric; any letters used must be capitalized).
  - Token - the user token, in case a keyboard wedge device is configured for user identification and authentication.
- Optionally, specify the Authentication Strategy that should be followed by the Security Portal.
Note
This setting only applies if the Security Portal is configured with more than one Authentication Strategy.
- Optionally provide a Password - an alphanumeric string to ensure private access to the system.
- Specify whether the user will be prompted to change the password on the next log in.
Note
This setting is only applicable when the environment is configured to use the Security Portal with a local Authentication Strategy.
- Select Create to complete the transaction.
Warning
There is currently no support for non-ASCII characters in user account names.
Editing a User#
User.Edit
To edit a user, you need to:
- Open the Users page.
- Select the user you want to edit.
- Select Edit on the top ribbon.
- Make the necessary changes.
- Select Save to commit the data to the database.
Deleting a User#
User.Delete
To delete a user, you need to:
- Open the Users page.
- Select the user you want to delete.
- Select Delete on the top ribbon.
- Select Delete to commit the data to the database.
Assigning Roles to a User#
Role.Edit
To assign one or more Roles to a user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Assign button.
- Select the desired Roles for the user - note that only the Roles that the user does not belong to are shown.
- Select Assign to complete the operation.
Unassigning Roles from a User#
Role.Edit
To unassign one or more Roles from a user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Roles you want to unassign from the user and select the Unassign button.
- Select Unassign to complete the operation.
Copying Roles from Another User#
Role.Edit
To copy the Roles that another user possesses and assign them to the selected user, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Copy dropdown button and select Copy Roles From Another User.
- Select the user from which the Roles will be copied to the current user.
- Select Copy to complete the operation.
Warning
There is an option to replace the current Roles with the ones being copied. Use this with caution, since the existing Roles will no longer be assigned to the current user.
Copying User Roles to Other Users#
Role.Edit
To copy the Roles that one user possesses to one or more Users, you need to:
- Open the Users page.
- Select the user and in the Details view navigate to the Roles section.
- Select the Copy dropdown button and select Copy User Roles to Other Users.
- Select the users that will receive the Roles of the current user.
- Select Copy to complete the operation.
Warning
There is an option to replace the current Roles with the ones being copied. Use this with caution, since the existing Roles will no longer be assigned to the other users.
Creating Access Tokens for a User#
User.ShowPersonalAccessToken
A user can create any number of Access Tokens that allow the user to use the LightBusinessObjects assembly (Cmf.LightBusinessObjects.dll), which is made available to make external calls to the Critical Manufacturing REST APIs from outside the GUI. For more information, see Light Business Objects (LBOs).
User.CreatePersonalAccessToken
To create one or more Access Tokens for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Access Tokens section.
- Select the Create button.
- Select a Name for the Access Token.
- Select a predefined number of days for token expiration or select a custom Expiration Date.
- Select an authorized Scope if the usage of the Access Token needs to be restricted to a specific defined scope. These Scopes can be defined through the Roles page by using the Is OAuth Scope flag.
- Select Create to complete the operation.
- The Access Token will be shown and the user can then copy the generated string for later use.
Warning
The generated string is only fully visible in this step. If it is not copied and stored in a separate location, it will not be available again.
- Selecting Close will close the window, and the Access Token will be displayed in the list of tokens.
Info
After the Access Token is created, the last four digits of the Access Token are stored in the database and are visible in the list of tokens in the Access Tokens section of the current user.
Revoking Access Tokens for a User#
User.RevokePersonalAccessToken
A user can revoke any number of Access Tokens from the same section in the Users page. To revoke one or more Access Tokens for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Access Tokens section.
- Select one or more Access Tokens that you want to revoke and select the Revoke button.
- Verify the details of the Access Token that you want to revoke.
- Select Revoke to complete the operation; the Access Token will be removed.
Adding a Public Key for a User#
User.ShowPublicKeys
A user can add any number of Public Keys that allow authentication and external calls to the Critical Manufacturing REST APIs from outside the GUI.
Public keys are generated externally as part of a public/private key pair. Only the public key must be added to the user in the application. The corresponding private key must be kept secure by the client application or user, as it is used to prove ownership of the public key during authentication.
User.AddPublicKey
To add one or more Public Keys for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Public Keys section.
- Select the Add button.
- Select a Name for the Public Key.
- Input the Public Key string.
- Optionally, select an Expiration Date.
- Select an authorized Scope, if needed, to restrict the usage of the Public Key to a specific defined scope. These scopes can be defined through the Roles page by using the Is OAuth Scope flag.
- Select Add to complete the operation.
Info
For user public keys, the corresponding private key length must be longer than 4096 bits for RSA and 256 bits for ECC.
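As an added pre-check before pasting a key into the Public Key field (this script is not part of the application or of this documentation), the stdlib-only Python below reads a PEM SubjectPublicKeyInfo and reports whether the key meets the sizes stated above; it assumes those sizes are inclusive minimums, and the sample keys it builds are constructed placeholders, not real keys.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1 (DER content bytes)
EC_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1
CURVE_BITS = {bytes.fromhex("2a8648ce3d030107"): 256,  # P-256
              bytes.fromhex("2b81040022"): 384, bytes.fromhex("2b81040023"): 521}  # P-384, P-521
MIN_BITS = {"RSA": 4096, "ECC": 256}  # sizes stated on this page, assumed to be inclusive minimums

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_info(pem):
    """Return ('RSA' | 'ECC', bits) for a PEM-encoded SubjectPublicKeyInfo."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = _tlv(base64.b64decode(body), 0)
    _, alg, pos = _tlv(spki, 0)            # AlgorithmIdentifier
    _, bitstr, _ = _tlv(spki, pos)         # BIT STRING subjectPublicKey
    _, alg_oid, ppos = _tlv(alg, 0)
    if alg_oid == RSA_OID:
        _, rsa_seq, _ = _tlv(bitstr, 1)    # skip the unused-bits octet
        _, modulus, _ = _tlv(rsa_seq, 0)   # RSAPublicKey.modulus
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if alg_oid == EC_OID:
        _, curve, _ = _tlv(alg, ppos)      # namedCurve parameter
        return "ECC", CURVE_BITS[curve]
    raise ValueError("unsupported public key algorithm")

def meets_minimum(pem):  # True if the key meets the page's minimum size for its algorithm
    kind, bits = key_info(pem)
    return bits >= MIN_BITS[kind]

# Constructed samples (placeholder values, not real keys) so the check can be exercised offline.
def _enc(tag, value):  # minimal DER encoder (short- and long-form lengths)
    n = len(value)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (lb if n < 128 else bytes([0x80 | len(lb)]) + lb) + value
def _pem(der):
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % base64.b64encode(der).decode()
def sample_rsa(bits):  # RSA SPKI whose modulus is exactly `bits` bits long
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = _enc(0x30, _enc(0x02, modulus) + _enc(0x02, b"\x01\x00\x01"))
    alg = _enc(0x30, _enc(0x06, RSA_OID) + b"\x05\x00")
    return _pem(_enc(0x30, alg + _enc(0x03, b"\x00" + rsa)))
def sample_ec(curve_oid):  # EC SPKI with a placeholder uncompressed point
    alg = _enc(0x30, _enc(0x06, EC_OID) + _enc(0x06, curve_oid))
    return _pem(_enc(0x30, alg + _enc(0x03, b"\x00\x04" + b"\x11" * 64)))
```

Run `meets_minimum()` on the PEM exported from your own key pair; a real 2048-bit RSA key is reported as too short, while a 4096-bit RSA or P-256 key passes.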
Revoking a Public Key for a User#
User.RevokePublicKey
A user can revoke any number of Public Keys from the same section in the Users page. Revoking a public key removes it from the user account and prevents the corresponding Private Key from being used for authentication.
To revoke one or more Public Keys for a user, follow these steps:
- Open the Users page.
- Select the user and in the Details view navigate to the Public Keys section.
- Select one or more Public Keys that you want to revoke and select the Revoke button.
- Verify the details of the Public Key that you want to revoke.
- Select Revoke to complete the operation; the Public Key will be removed.
Info
After a Public Key is revoked, the corresponding private key can no longer be used to authenticate against the system. Revoking the Public Key from the application does not remove the corresponding private key from the user or client application.
Registering Devices for a User#
You can register specific devices that can be used to authenticate a User (a smartphone, laptop or any other device with built-in or connected authenticators) and access them in the Devices section of the User page. For more information on how to register a device, see Webauthn.