Skip to main content
Version: 2023

Users

Introduction to users

The Users screen contains an overview of all users and user-related information, such as group memberships, effective rights and session logs. To grant a user access to a Thinkwise application, the user needs to be added to the Intelligent Application Manager first.

Add users

To add a new user:

menu Authorization > Users > tab Form > tab User

Add new user Add a new user

Add general user information

menu Authorization > Users > tab Form > tab User > group General

  1. If necessary, add a Tenant.

  2. The User id is the login name of the user. Depending on the Authentication type, this could be the Windows domain user, database user, Kerberos user or an identifying name.

  3. The Visitor field can be checked to indicate whether a user is an external visitor of the application (as opposed to an internal or hired employee).

Add an email, telephone number, company, ID

menu Authorization > Users > tab Form > tab User > group User info

Here you can provide additional user information, such as the company a user belongs to and the company-specific employee ID.

Add a start and end date

menu Authorization > Users > tab Form > tab User > group Period

Specify a period to set a start and end date for a user. Access to all applications will automatically be denied when the end date is reached.

Configure user preferences

menu Authorization > Users > tab Form > tab User > group User preferences

Here you can specify the default language and time zone for the user and which level of user preferences should be available. For information about copying, importing, and exporting user preferences, see User preferences.

  1. Select a Configuration or create a new configuration using the pop-up. Available configurations are:

    • None - No user preferences are stored and the user preferences ribbon is hidden.
    • Resize - Users can collapse and expand their menu and ribbon. Furthermore, they can change the sort sequence and column width in a grid view.
    • Move - Resize plus the option to configure their own start objects and set the sort sequence of all subjects.
    • OnOff - All options except for changing screen types.
    • Complete - All user preferences options are available to the user.

  2. Select an Application language.

  3. Select the Time zone that should be used for a user. The default is 'Etc/UTC'. It is also possible to add time zone claim mappings for users through OpenID Connect provisioning.

Authentication

menu Authorization > Users > tab Form > tab User > group Authentication

The Thinkwise Platform provides various authentication types: RDBMS, Windows, Kerberos, IAM and External.

  • IAM authentication is intended to simplify the administration of large numbers of Intelligent Application Manager users. IAM authentication users are only registered in the Intelligent Application Manager and not in the database. During login, the account details are validated in the Intelligent Application Manager. The password is securely stored in the IAM database. The task Update password can be used by an administrator to set or update this password.

  • External provides authentication for Azure Active Directory.

note

To specify a different authentication type for an application database, set the Authentication extended property of the application in IAM.

Country, location, and department

menu Authorization > Users > tab Master data

This tab contains information about the user's country, location or department. This information is also available in the IAM analysis tools.

User tags

Main administrator

menu Authorization > Users > tab User tags

On the tab User tags, you can maintain information about users that is not already available in the Intelligent Application Manager.

When you copy a user, the tags will be copied with it.

Login and password

Exclude from maximum amount of sessions

A user can only have a limited number of concurrent sessions in a specific application. This limit is set for all users in IAM. See Applications.

Service accounts are subject to this limit by default. However, you can allow a service account an unlimited number of sessions for any application to which it has rights. Other users' sessions are still limited.

To remove this limit for a service account:

menu Authorization > Users > tab Form > tab User > group Login

  1. Select Exclude from max. # sessions.

Two-factor authentication

menu Authorization > Users > tab Form > tab User > group Login

  1. In field Login verification, select if a user is required to use two-factor authentication:

    • Password - the user logs in with a password only.
    • Password and SMS - the user logs in with a password and a code that is sent by SMS. For additional settings, see Indicium SMS configuration or Web GUI SMS configuration.
    • Password and email - the user logs in with a password and a code that is sent by email. For additional settings, see Emails.
    • Password and TOTP token - the user logs in with a password and a code that is generated by a TOTP authenticator

TOTP

If TOTP authentication is used, the user receives a secret key code on first login. This code needs to be registered in a TOTP authenticator app, like Google Authenticator or Microsoft Authenticator, by entering the key or scanning the QR code. If the user has successfully registered their TOTP device, the TOTP device registered checkbox will be checked.

Every time the user wants to log in, they need to enter the time-based code generated by the TOTP authenticator app. To allow a fallback to email-based two-factor authentication, for example if the user does not have access to their smartphone, check the Allow fallback to email option.

The Reset TOTP device task can be used to reset the TOTP secret key, for example when a user's smartphone is stolen.

Initial password (RDBMS)

menu Authorization > Users > tab Form > tab User > group Password

For RDBMS authentication you can specify an Initial password. This password is used to generate a script for creating users on the database. It can be used to keep track of the initial password and communicate this password to the users. This password cannot be used to log on to the application. Make sure to clear this field after RDBMS users are created or the password for IAM users is updated.

The system keeps track of how often a password is changed or reset (Changed/forgotten count). This number is incremented every time the user requests a new password or changes their password, and when the password is changed by the administrator.

Allow change password

To allow a user to change their own password:

menu Authorization > Users > tab Form > tab User > group Password

  1. Select the checkbox Allow change.

    See also the Universal GUI User manual.

Allow change password Allow change password

Password expiration period

To set the expiration period for an application's password:

menu Settings > Global settings

  1. Enter a number of days in the field Password expires in (days).

This setting is used in the expiration policy you can set for a user.

Password expiration Number of expiration days for a password

Password expiration policy

To set the expiration policy for a user:

menu Authorization > Users > tab Form > group Password

  1. Make sure to select the checkbox Allow change. This allows a user to change the password from the user interface.

  2. Select an Expiration policy:

    • Force expired - The user needs to change the password on the next login.
    • Default expiration policy - After the number of days specified, the user needs to change the password. If the field Password expires in (days) is empty, passwords with Default expiration policy will never expire.
    • Never expires - Use this for service accounts that never need to expire and have no user available to change the password.

Password expiration policy Password expiration policy

Password strength

To set the minimum password strength for IAM authenticated users:

menu Settings > Global settings

The following calculation is used to determine the password strength:

  • The total password length gives up to 3 points (at 10 characters)
  • Two uppercase characters and two lowercase characters gives 0.6 points
  • Two numbers gives 0.6 points
  • Two symbols gives 0.8 points

Setting the minimum password strength to 5 will require the user to match all the password requirements. Setting the minimum password strength to 4 allows the user to skip either symbols, numbers or varying casing.

When the user attempts a password change and the password strength is insufficient, the user will be notified of the shortcomings of the desired password.

Password strength requirements for RDBMS accounts or Windows accounts is delegated to the database server or active directory.

E-mails for reset password and two-factor authentication

Indicium

When users set or reset their password, or log in with two-factor authentication, Indicium needs to send an email with a new token.

note

If a user has not set a password yet, they can set it via email using the link 'Forgot your password' on the login page.

To configure Indicium's email service in IAM:

menu Settings > Global settings > tab Email service

  1. Enter the required settings for the email service:

    • Email protocol
    • Server address
    • Server port
    • Use SSL
    • User name
    • Password

  2. Configure the templates for password reset and two-factor authentication. See Templates for e-mail (IAM/Indicium).

  3. Make sure the users' email addresses are configured in IAM. See Add users.

Templates for reset password en two-factor authentication

Indicium

For each supported application language, templates for Password reset and Two factor token are available. Each template for each supported language contains a default text. In IAM, you can deviate from this text where necessary.

menu Settings > Global settings > tab Email templates

  1. Enter or change the required data for each template that you want to use:

    • Template
    • Application language
    • Default - if a user's language does not exist, Indicium will send an email in the language marked as default for that template type.
    • From address - the sender's email address.
    • From name - the sender's name.
    • Title - the email's subject.
    • Email body - the text for the email body.
Tips
  • It is possible to delete templates that you do not need. For example, if you do not want to specify or maintain a template for each language, you can delete all other languages and only keep a default language.
  • To enter the sender's From address and From name in all the templates at once: select the templates, select Extra > Update from the context menu, then select and set the column values.

email templates Templates for password reset and two-factor authentication

User preferences

Main administrator

menu Authorization > Users > tab User preferences

This tab contains the stored user preferences of the selected user. For example, the language and time zone. See Configure user preferences.

User preferences

Copy user preferences from another user

Main administrator

You can copy the user preferences of a user account to another user account if it is in the same IAM environment. If a preference setting already exists, this value will NOT be changed.

tip

If the user accounts are in different IAM environments, you can first export the user preferences from the source environment, and then import them into the target environment.

menu Authorization > Users

To copy user preferences from one user's account to another:

  1. In the grid, select the target user account to which you want to copy the preferences.
  2. Execute the task Re-apply user preferences Copy preferences.
  3. In the dialog box, select the option Copy. The field To user is prefilled.
  4. Select the From tenant and From user information of the user account from which you want to copy the preferences.
  5. Click Execute. The user preferences of the To user are overwritten with the user preferences of the From user.

Export user preferences

You can export the user preferences of a user account to a JSON file. This file contains all the information that is included on the tab User preferences.

To export user preferences to a JSON file:

menu Authorization > Users

  1. In the grid, select the user account of which you want to download the preferences.
  2. Execute the task Export user preferences Download preferences.
  3. In the dialog box, specify the Model, Branch, and Application from which you want to download the data.
  4. Click Execute. The user preferences of the selected user are downloaded to your computer.

Import user preferences

You can import user preferences from a JSON file and apply them to a user account. This JSON file contains all the information that is included on the tab User preferences. Such a JSON file is generated when you export user preferences.

To import user preferences from a JSON file:

menu Authorization > Users

  1. In the grid, select the target user account to which you want to import the preferences.
  2. Execute the task Re-apply user preferences Copy preferences.
  3. In the dialog box, select the option Import. The fields To user and To tenant are prefilled.
  4. Select the Model, Branch, and Application to which you want to import the data.
  5. Upload the JSON file that contains the user preferences.
  6. Click Execute. The user preferences of the To user are overwritten by the preferences in the JSON file.

Assign an administrator role to a user

To assign an administrator role to a user:

menu Authorization > Users > tab Administrators

See also Administrator roles.

Add a user to a user group

To add a user to a user group:

menu Authorization > Users > tab User groups

See also User groups.

Overview of effective user rights

An overview is available of all the effective access types that a user has.

To get a better understanding of the effective access type:

menu Authorization > Users > tab Effective user rights

  1. Execute the task Explain explain.

    The reason for the effective access type is explained in a pop-up. See also Access types.

Push a notification to users

Universal GUI

You can push notifications to users in two ways:

This tab shows active notifications for both types:

menu Analysis > Notifications > tab Notifications

  • Pending notifications remain visible until they have been shown to the user or until their expiration date.
  • You can set the number of expired or sent notifications that should remain visible in the menu Settings > Global settings > group User > field Notification retention (items). Deselect the prefilter Pending pending to see those.

In addition, you can add, edit and delete notifications that should be sent to a user without a system flow. Indicium uses the required data to send the notification to the specified user as soon as they are logged in.

notifications Example notification

Logs

Session log

menu Authorization > Users > tab Session log

This is a log of all the sessions for the selected user. An overview of the sessions for all the users is available from the Analysis menu.

Two-factor log

menu Authorization > Users > tab Two-factor log

This is a log of when a user is logged in using SMS, email or TOTP two-factor authentication. An overview of the sessions for all the users is available from the menu Analysis.

Open ID log

menu Authorization > Users > tab Log actions

This tab contains a user's Open ID login actions. See OpenID.

Was this page helpful?

Happy React is loading...