--- alias: user-guide-security-users description: "This documentation outlines how to manage users within the system, including creating, editing, deleting, assigning roles, and generating access tokens" --- # Users :lock: Administration.**Security** ## Users Overview The list of users is available by selecting **Users** on the landing page of the **Security** entity. ![security_user_list][security_user_list] The **Users** page displays general information on the specific user, such as: * **User** - the name of the user. * **Account** - the Account associated with the user. * **Last Login On** - the date and time of the user's most recent login, displayed in the format `MM/DD/YYYY` and `hh:mm AM/PM` (12-hour format). * **Last Login From** - the IP address or host name of the machine from which the user last logged in. * **Roles** - the number of Roles associated to the user. * **Features** - the number of Features to which the user has access. * **Data Groups** - the number of Data Groups to which the user belongs. In addition, this page enables you to execute all the operations that can be performed on a specific user. When you select a specific user, the **Details** view will display some or all of the following page sections: * **Details** - displays general information on the user. * **Roles** - displays information on the Roles to which the user belongs. * **Features** - displays information on the Features to which the user has access. * **Data Groups** - displays information on the Data Groups to which the user belongs. * **Access Tokens** - displays information on the Access Tokens that the user has generated. * **Public Keys** - displays information on the Public Keys that the user has added. * **Devices** - displays information on the Devices used by the user to access the system and which they registered upon logging in. ![security_user_page_details_view][security_user_page_details_view] ## Default System Users Critical Manufacturing MES provides a set of default users that support system execution, authentication mechanisms, and access to the environment. The following users are available by default: * **Administrator** - the only default user who can log in through the user interface. This user provides access to the environment after installation, ensuring that there is at least one user able to access and configure the system. * **MES** - the MES user is created to allow authentication using client credentials for the client that is shipped by default with Critical Manufacturing MES. It is used as part of the authentication mechanism for system-provided clients. * **System** - used to associate actions that are performed by the system. It does not represent a real user, but rather an internal identity used for system-executed actions. Examples include migration scripts, upgrade-related operations, timers, scheduling, and other operations performed automatically by the system. !!! info Similar to the MES user, additional default users are created by installed applications. These users serve the same authentication purpose and are automatically created with a name that matches the corresponding application. ## Creating a User :lock: User.**Create** To create a user in the application, you open the **Users** page and select **Create** on the top ribbon: 1. Provide the Account name for the user as defined in the Active Directory. 2. Optionally provide a Name and an Email Address (if an email address is defined, it must be well formed). If not provided, the information will be retrieved from the Active Directory. !!! warning To ensure proper user validation, some Security Portal operations require email addresses to be unique. 3. Optionally, specify the Primary Role of the user. If a Primary Role is specified, the user will be automatically added to that Role as part of this transaction. !!! warning For a new user to log in to MES, they must be assigned the `MES` OAuth Role (or belong to the `Administrator` role). Without it, the user will receive a message error at login. See [[user-guide-security-roles#creating-a-role]] for more information on OAuth Scope Roles. 4. Specify whether the account refers to an Integration User. An Integration User is typically used for equipment integration in order to relax some functional restrictions like forcing the user to be checked-in at the resource. !!! info If the Integration User property is set to `true`, the Enable Step Certification Requirements will not be available. For more information, see [[user-guide-create-step]]. 5. Specify whether the user is Enabled in the system (it defaults to `true`). A user that is not Enabled will not be allowed to log in to the system. 6. Optionally, define an Auto-Lock Timeout, in seconds: * If not defined, it takes the default value as stored in the configuration of the application, which is stored in the path `/Cmf/Guis/Configuration/Common/Security/AutoLockTimeout/`. * If defined as `0`, the Auto-Lock Timeout user session never times out. 7. Optionally provide the following information: * PIN - a personal identification number that can be used in combination with the token for keyboard wedge used identification and authentication (can be alphanumeric and letters used must be capitalized). * Token - the user token in case that a keyboard wedge device is configured for user identification and authentication. 8. Optionally specify the Authentication Strategy that should be followed by the Security Portal. !!! note This setting only applies if the Security Portal is configured with more than one Authentication Strategy. 9. Optionally provide a Password - an alphanumeric string to ensure private access to the system. 10. Specify if the user will be prompted to change the password on the next log in. !!! note This setting is only applicable when the environment is configured to use the Security Portal with a local Authentication Strategy. 11. Select **Create** to complete the transaction. !!! warning There is currently no support for non-ASCII characters in user account names. ![security_user_create][security_user_create] ## Editing a User :lock: User.**Edit** To edit a user, you need to: 1. Open the **Users** page. 2. Select the user you want to edit. 3. Select **Edit** on the top ribbon. 4. Make the necessary changes. 5. Select **Save** to commit the data to the database. ![security_user_edit][security_user_edit] ## Deleting a User :lock: User.**Delete** To delete a user, you need to: 1. Open the **Users** page. 2. Select the user you want to delete. 3. Select **Delete** on the top ribbon. 4. Select **Delete** to commit the data to the database. ![security_user_delete][security_user_delete] ## Assigning Roles to a User :lock: Role.**Edit** To assign one or more **Roles** to a user, you need to: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Roles** section. 3. Select the **Assign** button. 4. Select the desired **Roles** for the user - note that only the **Roles** that the user does not belong to are shown. 5. Select **Assign** to complete the operation. ![security_user_assign_roles][security_user_assign_roles] ## Unassigning Roles from a User :lock: Role.**Edit** To unassign one or more **Roles** from a user, you need to: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Roles** section. 3. Select the **Roles** you want to unassign from the user and select the **Unassign** button. 4. Select **Unassign** to complete the operation. ![security_user_unassign_roles][security_user_unassign_roles] ## Copying Roles from Another User :lock: Role.**Edit** To copy the **Roles** that another user possesses and assign them to the selected user, you need to: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Roles** section. 3. Select the **Copy** dropdown button and select Copy Roles From Another User. 4. Select the user from which the **Roles** will be copied to the current user. 5. Select **Copy** to complete the operation. !!! warning There is an option to replace the current Roles with the one being copied. Use this with caution since the existing Roles will no longer be assigned to the current user. ![security_role_copy_from][security_role_copy_from] ## Copying User Roles to Other Users :lock: Role.**Edit** To copy the **Roles** that one user possesses to one or more **Users**, you need to: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Roles** section. 3. Select the **Copy** dropdown button and select Copy User Roles to Other Users. 4. Select the users that will receive the **Roles** of the current user. 5. Select **Copy** to complete the operation. ![security_role_copy_to][security_role_copy_to] !!! warning There is an option to replace the current Roles with the ones being copied. Use this with caution since the existing Roles will no longer be assigned to the other users. ## Creating Access Tokens for a User :lock: User.**ShowPersonalAccessToken** A user can create any number of **Access Tokens** that will allow the user to use the LightBusinessObjects assembly (`Cmf.LightBusinessObjects.dll`), which is made available to make external calls to the Critical Manufacturing REST APIs from outside the GUI. For more information, see [Light Business Objects (LBOs)](https://developer.criticalmanufacturing.com/business/lightbusinessobjects/). :lock: User.**CreatePersonalAccessToken** To create one or more **Access Tokens** for a user, follow these steps: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Access Tokens** section. 3. Select the **Create** button. 4. Select a Name for the **Access Token**. 5. Select a predefined number of days for token expiration or select a custom **Expiration Date**. 6. Select an authorized Scope if there is a need to channel the usage of the **Access Token** for a specific defined scope. These Scopes can be defined through the **Roles** page and the use of the **Is OAuth Scope** flag. 7. Select **Create** to complete the operation. ![security_user_create_access_token_step_one][security_user_create_access_token_step_one] 8. The **Access Token** will be shown and the user can then copy the generated string for later use. ![security_user_create_access_token_step_two][security_user_create_access_token_step_two] !!! warning The generated string is only fully visible in this step. If it is not copied and stored in a separate location, it will not be available again. 9. Selecting **Close** will close the window and the **Access Token** will be displayed in the list of tokens. !!! info After the Access Token is created, the four last digits of the Access Token should be stored in the database and visible in the list of tokens in the Access Tokens section of the current user. ## Revoking Access Tokens for a User :lock: User.**RevokePersonalAccessToken** A user can revoke any number of **Access Tokens** from the same section in the **Users** page. To revoke one or more **Access Tokens** for a user, follow these steps: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Access Tokens** section. 3. Select one or more **Access Tokens** that you want to revoke and select the **Revoke** button. 4. Verify the details of the **Access Token** that you want to revoke. 5. Select **Revoke** to complete the operation and the **Access Token** will be removed. ![security_user_revoke_access_token][security_user_revoke_access_token] ## Adding a Public Key for a User :lock: User.**ShowPublicKeys** A user can add any number of **Public Keys** that allow authentication and external calls to the Critical Manufacturing REST APIs from outside the GUI. Public keys are generated externally as part of a public/private key pair. Only the public key must be added to the user in the application. The corresponding private key must be kept secure by the client application or user, as it is used to prove ownership of the public key during authentication. :lock: User.**AddPublicKey** To add one or more **Public Keys** for a user, follow these steps: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Public Keys** section. 3. Select the **Add** button. 4. Select a Name for the **Public Key**. 5. Input the **Public Key** string. 6. Optionally, select an **Expiration Date**. 7. Select an authorized Scope, if needed, to restrict the usage of the **Public Key** to a specific defined scope. These scopes can be defined through the **Roles** page by using the **Is OAuth Scope** flag. 8. Select **Add** to complete the operation. !!! info For user public keys, the corresponding private key length must be longer than 4096 bits for RSA and 256 bits for ECC. ## Revoking a Public Key for a User :lock: User.**RevokePublicKey** A user can revoke any number of **Public Keys** from the same section in the **Users** page. Revoking a public key removes it from the user account and prevents the corresponding **Private Key** from being used for authentication. To revoke one or more **Public Keys** for a user, follow these steps: 1. Open the **Users** page. 2. Select the user and in the **Details** view navigate to the **Public Keys** section. 3. Select one or more **Public Keys** that you want to revoke and select the **Revoke** button. 4. Verify the details of the **Public Key** that you want to revoke. 5. Select **Revoke** to complete the operation and the **Public Key** will be removed. !!! info After a **Public Key** is revoked, the corresponding **private key** can no longer be used to authenticate against the system. Revoking the **Public Key** from the application does not remove the corresponding **private key** from the user or client application. ## Registering Devices for a User You can register specific devices that can be used to authenticate a **User** (a smartphone, laptop or any other device with built-in or connected authenticators) and access them in the Devices section of the **User** page. For more information on how to register a device, see [Webauthn](../../../operationguide/system-administration/security/security-portal/security-portal-strategies/security_portal_strategy_webauthn.md). [security_user_list]: ../images/security_user_list.png [security_user_page_details_view]: ../images/security_user_page_details_view.png [security_user_create]: ../images/security_user_create.png [security_user_edit]: ../images/security_user_edit.png [security_user_delete]: ../images/security_user_delete.png [security_user_assign_roles]: ../images/security_user_assign_roles.png [security_user_unassign_roles]: ../images/security_user_unassign_roles.png [security_user_create_access_token_step_one]: ../images/security_user_create_access_token_step_one.png [security_user_create_access_token_step_two]: ../images/security_user_create_access_token_step_two.png [security_user_revoke_access_token]: ../images/security_user_revoke_access_token.png [security_role_copy_from]: ../images/security_role_copy_from.png [security_role_copy_to]: ../images/security_role_copy_to.png