Managing Users
To manage user accounts, select the Users tab. User accounts are listed by account name. Selecting one of the accounts displays the user details, user memberships and effective permissions of that user.
User details
The details section at the top of the right-hand panel allows you to configure full name, contact details and other properties related to the user account.
Status
This field displays the status of the user: Active, Locked or Inactive.
Locked
Accounts are locked if you have Account Protection enabled, and the user fails to log in a number of times in a row. You can unlock accounts using the Unlock User button in the toolbar.
Inactive
Accounts become inactive when you delete them while they still own collateral, such as reports. Instead of deleting all the owned collateral, the account is deleted but the user profile remains as owner of the collateral.
Account type
Account type determines the identity authority of the account.
External
External accounts are replicated from and authenticated by an external authority, such as WSS or a database. (The precise authentication method is defined in the system configuration file, security service section). This account type is suitable for users who have an account with the underlying system that OmniFi is attached to.
External accounts are suitable for users that have individual accounts with a supported external authority, and should be allowed to query or modify data in the underlying data provider, e.g. TRM.
Credential management for external accounts is performed with the external authority. Credentials provided by the user are used as-is when accessing the underlying data source.
Password
Password accounts are native OmniFi accounts, and are authenticated without involvement of any 3rd party authority.
This account type is suitable for users who don't have individual accounts with the underlying data provider, such as READ users, or for any kind of user of a data provider where you can configure Account Mapping in OmniFi Administration.
Credentials for password accounts are managed within OmniFi, in either the User Administration page, the OmniFi Administration application or by the user, using the My Account page.
OpenId
OpenId accounts are authenticated by an OIDC authority. OIDC is a modern and secure identity management protocol implemented by numerous vendors like Microsoft, Google, Auth0. Account mappings are required for OpenId accounts to access underlying data sources.
You can onboard as many different OIDC identity providers as you need in the system configuration file (refer to the technical documentation for more information).
Windows
The Windows account type uses Kerberos authentication with a Windows domain to authenticate the user. This is a very secure way of authenticating users. You can configure Account Mapping in OmniFi Administration to provide access to data sources to Windows account users.
Verify your license agreements
Users that don't have individual accounts and licenses with the underlying data provider aren't generally allowed to directly use APIs, or access and modify information in the data provider. Make sure to carefully consult your license agreements with the vendor of the data source to make sure your setup is compatible with the license terms.
Password
Password and Confirm password are enabled for Password accounts. To change the account password, enter the same password in both fields and save the user.
Issuer and Subject
The Issuer and Subject fields are used with OpenId accounts, and map the OmniFi account to an OIDC identity defined by the OIDC Issuer and the OIDC account's unique identifier (Subject).
Select the OIDC authority from the Issuer drop-down and enter the user's unique identifier in the Subject field. Note that some OIDC authorities, like Microsoft Entra, use separate identities per enrolled app to protect the OIDC account's global identity. Refer to your OIDC authority's documentation and the configuration of that authority in the system configuration file for more information on the format of the Subject field.
License type
Most OmniFi users will have a FULL license. There are however exceptions, where some users will only be able to run test cases during a test project. These users should be assigned a TEST RUN license.
License key
The license key is supplied by SkySparc, individually per account, during onboarding.
Member Of
The Member Of tab shows all the selected user's memberships recursively, i.e. all groups that the user belongs to, at any level.
The Member Via column displays the immediate parent group that links to the displayed parent (Name). If the user is an immediate member of the displayed parent, Member Via is empty, and the relationship can be deleted using the delete button at the far right of the row.
If the user is a member of a group through relations with more than one intermediate group, all intermediate groups are displayed on the same row.
In the example above, Administrator is a member of Back Office Group and Admin, which in turn are both members of the All group. This is displayed on the last row, indicating that Management is a member of All via multiple relations.
If Administrator is also a direct member of All, this relation is displayed on a separate row that can be deleted.
Effective Permissions
The Effective Permissions tab displays all permissions assigned to the user, or any of its parent groups.
The Permitted By column shows the parent group or groups that provide the permission. If Permitted By is blank, the permission is assigned directly to the user.
If a permission is assigned via relation to multiple parent groups, all parent groups are shown in Permitted By on the same row.
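For an access review it helps to reproduce the Member Of and Effective Permissions views outside the UI. The following is an added example, not OmniFi code: it models the recursive membership and Permitted By rules described above over a constructed group graph. The permission names and the data structures are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not exported from OmniFi): child -> direct parent groups.
PARENTS = {
    "Administrator": {"Back Office Group", "Admin"},
    "Back Office Group": {"All"},
    "Admin": {"All"},
    "All": set(),
}
# Constructed permission assignments (hypothetical names): principal -> direct grants.
GRANTS = {
    "Administrator": {"reports.edit"},
    "Admin": {"users.manage"},
    "Back Office Group": {"reports.view"},
    "All": {"reports.view"},
}

def ancestors(user, parents):
    """Every group the user belongs to at any level; tolerates cyclic group links."""
    seen, stack = set(), [user]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen and parent != user:
                seen.add(parent)
                stack.append(parent)
    return seen

def member_of(user, parents):
    """Rows of (Name, Member Via); an empty Member Via means a direct membership."""
    groups = ancestors(user, parents)
    rows = []
    for name in sorted(groups):
        if name in parents.get(user, ()):
            rows.append((name, ()))  # direct relation gets its own row
        via = tuple(sorted(g for g in groups if name in parents.get(g, ())))
        if via:
            rows.append((name, via))  # all intermediate groups on one row
    return rows

def effective_permissions(user, parents, grants):
    """Map permission -> sorted sources; the user itself as a source is a direct grant."""
    sources = defaultdict(set)
    for principal in {user} | ancestors(user, parents):
        for perm in grants.get(principal, ()):
            sources[perm].add(principal)
    return {perm: sorted(s) for perm, s in sorted(sources.items())}
```

A source equal to the user's own name corresponds to a blank Permitted By. Any permission whose only sources are broad groups such as All is worth checking first in a least-privilege review.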