Users
Updated on 30 Apr 2024
This article applies to IAP release version 2023.2 and later.
A user is an entity that comes from an external AAA system such as LDAP. A user may be a member of any number of groups and, through group membership, may be assigned any number of roles.
Itential Automation Platform (IAP) provides the ability to assign roles directly to users. Also, with IAP groups, administrators are able to manage user membership.
All operations within IAP are associated with a user. User roles, whether directly assigned or inherited from a group, determine what the user can see and do within IAP. The final permission set of a user is the combination of the permissions granted to all roles assigned to the user directly and to all roles assigned to any group of which the user is a member.
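The combination rule above, worked through as an added example (not Itential code and not an IAP API): it resolves each user's effective permissions and records whether each one comes from a direct role or from a group, which is what an access review of a sensitive method needs. The role names, group name and data shape are hypothetical; only the two method names are taken from this page.

```python
from collections import defaultdict

# Constructed sample data. The role and group names and this data shape are
# assumptions for the example, not IAP's storage or export format; the two
# method names are the ones mentioned on this page.
ROLE_METHODS = {
    "example.viewer": {"authorization.getAccounts"},
    "example.session-admin": {"authorization.getAccounts", "Authorization.forceLogout"},
}
GROUP_ROLES = {"noc": ["example.session-admin"]}
USERS = {
    "alice": {"roles": ["example.session-admin"], "groups": ["noc"]},
    "bob": {"roles": [], "groups": ["noc"]},
    "carol": {"roles": ["example.viewer"], "groups": []},
}


def effective_permissions(user, group_roles=GROUP_ROLES, role_methods=ROLE_METHODS):
    """Map each permitted method to every path that grants it."""
    paths = defaultdict(set)
    for role in user["roles"]:
        for method in role_methods.get(role, ()):
            paths[method].add(f"direct:{role}")
    for group in user["groups"]:
        for role in group_roles.get(group, ()):
            for method in role_methods.get(role, ()):
                paths[method].add(f"group:{group}/{role}")
    return {method: sorted(p) for method, p in paths.items()}


def holders(method, users=USERS):
    """Return {user: grant paths} for everyone who can call `method`."""
    granted = {n: effective_permissions(u).get(method) for n, u in users.items()}
    return {n: p for n, p in granted.items() if p}


def without_direct_role(user, role):
    """Copy of `user` with one directly assigned role removed."""
    return {**user, "roles": [r for r in user["roles"] if r != role]}


if __name__ == "__main__":
    for name, paths in holders("Authorization.forceLogout").items():
        print(name, paths)
    # Removing alice's direct role does not revoke: the group path remains.
    alice = without_direct_role(USERS["alice"], "example.session-admin")
    print(effective_permissions(alice).get("Authorization.forceLogout"))
```

Because the permission set is a union, revoking access means clearing every grant path listed for that method, not just the direct role.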
Managing Users
Users are accounts from an external system. Therefore, it is not possible to create a new user within IAP. Instead, IAP will create the user record when someone has successfully logged in using the user’s AAA system credentials.
Use Authorization to see a list of users IAP has encountered and to manage their permissions.
- Log in to IAP as Administrator (a user with the Pronghorn.admin role).
- Navigate to Admin Essentials > Authorization.
- Select Users from the sidenav menu.
- Locate the user in the list. Optionally, filter the list by typing in the Search field and pressing Enter.
- Select the appropriate user from the list to view.
- Click the pencil icon to edit attributes, as desired.
- Edit Roles and Groups, as desired.
- Click Save to finalize your changes.
Roles assigned by Groups are grayed out (disabled). This indicates the assignment is inherited.
Figure 1: Admin Essentials - Authorization
Configuring Role Assignments for Users
There are two ways to assign users to roles:
- Directly
- By group membership
To assign roles directly to a user:
- Select Roles from the menu.
- Locate the role you wish to assign. You can filter the list by typing in the column header text box.
- Add or remove a role assignment using the checkbox.
Roles assigned by Groups are grayed out (disabled). This indicates the assignment is inherited.
Figure 2: Edit User Roles and Groups
Configuring Group Membership for Users
External group memberships for users are managed by the external AAA system and cannot be edited in IAP. Within Authorization, a user may only be added to or removed from IAP Groups. Addition or removal of AAA groups must be performed in the AAA system and will be picked up by IAP the next time the user logs in.
To change the IAP Groups to which a user belongs:
- Click the Groups menu option.
- Find the group in the list. You can filter the list by typing in the column header textbox.
- Add or remove group membership using the checkbox.
AAA-managed group memberships will be grayed out (disabled), indicating the membership is not editable in IAP.
Figure 3: Authorization Groups
Active Login Session Management
Itential offers the ability to view which users have active login sessions in IAP 2023.2 and to forcibly log out selected users.
Viewing the Users Table
To view the Admin Essentials → Authorization → Users table, you must have permission for the authorization.getAccounts method. This allows you to access the page, view the list of users, and see their login status (Figure 1).
Login Status
The indicator circles under the Active column header denote the login status of each user:
● Blue - User is currently logged in.
● Red - User is deactivated.
● Grey - User is not logged in.
Figure 4: User Status Indicators
Filter Users
The Users table can be filtered by login status using the popover menu in the top-right (Figure 2). Click the vertical ellipsis (⋮) to display two filter toggles:
- Show Active Users Only - Only recently active users are shown in the table.
- Show Deactivated Users - Only deactivated users are shown in the table.
Figure 5: Filter Users Table
Force Logout
Itential allows administrators to forcefully log out all or selected users with a simple click. Admins must have permission for the Authorization.forceLogout method.
Click the checkboxes to select users and then click the Log Out button icon at the top to forcefully log out all selected users (Figure 3).
Figure 6: Forced Logout
Earlier Release Versions
For documentation of this feature specific to earlier release versions of IAP, click here.