• 30 Apr 2024

This article applies to IAP release version 2023.2 and later.

A user is an entity that comes from an external AAA system such as LDAP. A user may be a member of any number of groups and, through group membership, may be assigned any number of roles.

Itential Automation Platform (IAP) provides the ability to assign roles directly to users. Also, with IAP groups, administrators are able to manage user membership.

All operations within IAP are associated with a user. User roles, whether directly assigned or inherited from a group, determine what the user can see and do within IAP. The final permission set of a user will be a combination of permissions granted to all the roles assigned to the user, or to any groups in which the user is a member.
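The paragraph above describes a user's permissions as the combination of everything granted by directly assigned roles and by group membership. As an added example (not Itential code and not an IAP API), this Python code resolves that combination over constructed records and lists every path that grants the Authorization.forceLogout method named later on this page, so a reviewer can see when un-checking a direct role alone would not revoke it. The record layout, the group names, the auth_viewer and session_operator roles, and the methods mapped to Pronghorn.admin are assumptions.

```python
# Constructed sample data: the record layout is an assumption, not IAP's schema.
ROLE_METHODS = {
    # Methods mapped to each role are assumed for illustration.
    "Pronghorn.admin": {"authorization.getAccounts", "Authorization.forceLogout"},
    "auth_viewer": {"authorization.getAccounts"},        # hypothetical role
    "session_operator": {"Authorization.forceLogout"},   # hypothetical role
}
GROUP_ROLES = {
    "ldap-netops": {"session_operator"},   # hypothetical AAA-managed group
    "iap-auditors": {"auth_viewer"},       # hypothetical IAP group
}
USERS = {
    "alice": {"roles": {"Pronghorn.admin"}, "groups": set()},
    "bob": {"roles": {"auth_viewer"}, "groups": {"ldap-netops"}},
    "carol": {"roles": {"session_operator"}, "groups": {"ldap-netops", "iap-auditors"}},
    "dave": {"roles": set(), "groups": {"iap-auditors"}},
}

def role_sources(user):
    """Map each effective role to where it comes from: 'direct' or a group name."""
    sources = {role: {"direct"} for role in user["roles"]}
    for group in user["groups"]:
        for role in GROUP_ROLES.get(group, ()):
            sources.setdefault(role, set()).add(group)
    return sources

def effective_methods(user):
    """Union of the methods granted by every direct or inherited role."""
    methods = set()
    for role in role_sources(user):
        methods |= ROLE_METHODS.get(role, set())
    return methods

def grant_paths(user, method):
    """Every (role, source) pair that gives the user this method."""
    return sorted((role, src) for role, srcs in role_sources(user).items()
                  if method in ROLE_METHODS.get(role, ()) for src in sorted(srcs))

def review(method):
    """Per user holding the method: grant paths, and whether un-checking
    the direct role assignments alone would revoke it."""
    report = {}
    for name, user in USERS.items():
        paths = grant_paths(user, method)
        if paths:
            report[name] = {"paths": paths,
                            "direct_only": all(s == "direct" for _, s in paths)}
    return report

if __name__ == "__main__":
    for name, entry in review("Authorization.forceLogout").items():
        print(name, entry)
```

In the constructed data, carol holds the same role both directly and through a group, so removing only the direct assignment leaves her able to force logouts; the group path has to be changed where that group is managed.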

Managing Users

Users are accounts from an external system. Therefore, it is not possible to create a new user within IAP. Instead, IAP will create the user record when someone has successfully logged in using the user’s AAA system credentials.

Use Authorization to see a list of users IAP has encountered and to manage their permissions.

  1. Log in to IAP as Administrator (a user with the Pronghorn.admin role).
  2. Navigate to Admin Essentials > Authorization.
  3. Select Users from the sidenav menu.
  4. Locate the user in the list. Optionally, filter the list by typing in the Search field and pressing Enter.
  5. Select the appropriate user from the list to view.
  6. Click the pencil icon to edit attributes, as desired.
  7. Edit Roles and Groups, as desired.
  8. Click Save to finalize your changes.

Roles assigned by Groups are grayed out (disabled). This indicates the assignment is inherited.

Figure 1: Admin Essentials - Authorization

Configuring Role Assignments for Users

There are two ways to assign users to roles:

  • Directly
  • By group membership

To assign roles directly to a user:

  1. Select Roles from the menu.
  2. Locate the role you wish to assign. You can filter the list by typing in the column header text box.
  3. Add or remove a role assignment using the checkbox.

Roles assigned by Groups are grayed out (disabled). This indicates the assignment is inherited.

Figure 2: Edit User Roles and Groups


Configuring Group Membership for Users

External group memberships for users are managed by the external AAA system and cannot be edited in IAP. Within Authorization, a user may only be added to or removed from IAP Groups. Addition or removal of AAA groups must be performed in the AAA system, and IAP picks up the change the next time the user logs in.

To change the IAP Groups to which a user belongs:

  1. Click the Groups menu option.
  2. Find the group in the list. You can filter the list by typing in the column header text box.
  3. Add or remove group membership using the checkbox.

AAA-managed group memberships will be grayed out (disabled), indicating the membership is not editable in IAP.

Figure 3: Authorization Groups


Active Login Session Management

Itential offers the ability to view which users have active login sessions in IAP 2023.2 and to forcibly log out selected users.

Viewing the Users Table

To view the Admin Essentials → Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status (Figure 1).

Login Status

The indicator circles under the Active column header denote the login status of each user:

  • Blue - User is currently logged in.
  • Red - User who is deactivated.
  • Grey - User who is not logged in.

Figure 4: User Status Indicators

Filter Users

The Users table can be filtered by login status using the popover menu in the top-right (Figure 2). Click the vertical ellipsis to display two filter toggles:

  • Show Active Users Only - Only recently active users are shown in the table.
  • Show Deactivated Users - Only deactivated users are shown in the table.

Figure 5: Filter Users Table

Force Logout

Itential allows administrators to forcefully log out all or selected users with a simple click. Admins must have permission for the Authorization.forceLogout method.

Click the checkboxes to select users and then click the Log Out button icon at the top to forcefully log out all selected users (Figure 3).

Figure 6: Forced Logout

Earlier Release Versions

For documentation of this feature specific to earlier release versions of IAP, click here.
