Overview

You can create any number of users and user groups for Universal Controller, and you can assign any user to any user group.

The roles and permissions that you assign each user and group determines the level of access to Universal Controller functions.

You can assign any role and permission to any user or any user group. If you assign a user to a group, the user inherits all roles and permissions assigned to that group.

See LDAP Settings for information on how to set up Universal Controller to use LDAP authentication for:

Default Users and Groups

Default User

The default Universal Controller user is ops.admin. It is assigned to one of the default Universal Controller groups, Administrator Group.

Default Groups

There are two default groups:

Administrator Group has access to all Controller functions; by default, it is assigned the ops.admin role, which has permissions on all Controller functions.
Everything Group has access to all functions that do not require the ops.admin role.

Adding a User

Note

You must have administrative permissions to add users.

By default, a new user has no permissions. Until permissions are granted, a user can log into the Universal Controller user interface and view options in the Services, but cannot perform any tasks.

Step 1	From the Administration navigation pane, select Security > Users. The Users list displays a list of all currently defined users. To the right of the list, User Details for a new user displays.
Step 2	Enter/select Details for a new user, using the field descriptions below as a guide. Required fields display an asterisk ( * ) after the field name. Default values for fields, if available, display automatically. To display more of the Details fields on the screen, you can either: Use the scroll bar. Temporarily hide the list above the Details. Click the New button above the list to display a pop-up version of the Details.
Step 3	Optionally, assign one or more roles to the user, assign the user to a group, or assign permissions to this user.
Step 4	Click a Save button. The user is added to the database, and all buttons and tabs in the User Details are enabled.

Note

To open an existing record on the list, either:

Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
Clicking the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
Right-click a record in the a list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).

User Details

The following details identifies the roles and permissions required to read and update user details.

Roles	Permissions	Fields
ops_admin ops_user_admin	Read any user. Edit any user.	All
ops_service	Read any user.
none	Read its own user record (details). Read its own Role, Permissions, and Member of Groups (group membership), but cannot read any Group record. Update specific fields in its own details (see Fields).	First Name Middle Name Last Name Email Time Zone Title Department Business Phone Mobile Phone

The following User Details is for an existing user. See the field descriptions, below, for a description of all fields that display in the User Details.

User Details Field Descriptions

The following table describes the fields, buttons, and tabs that display in the User Details.

Field Name	Description
Details	This section contains detailed information about the user.
User ID	Log in ID for this user.
Password	Password of this user. Note The hint for this field, as well as the information icon, will display any current characteristics and restrictions for Passwords as defined in Password Settings.
First Name	First name of this user.
Middle Name	Middle name of this user.
Last Name	Last name of this user.
Name	Automatically generated from the First Name and Last Name of this user.
Email	Email address of this user.
Password Requires Reset	If enabled, the user will be prompted to reset the password at next login.
Locked Out	If enabled, locks out the user. This field is enabled automatically if the maximum number of successive failed login attempts has been reached by the user.
Login Method	Login method(s) that the user can authenticate with. (You can use the Ctrl key to select both methods.) Options: Standard Single Sign-On
Time Zone	Time zone of this user. When this user logs in, all scheduling times will be shown in the user's time zone, unless the trigger specifies a different time zone.
Title	Business title of this user.
Department	Business department of this user.
Manager	Business manager of this user.
Business Phone	Business phone number of this user.
Mobile Phone	Mobile phone number of this user.
Web Browser Access	Specifies whether or not the user can log in to the user interface. Options: System Default - User restriction for logging in to the user interface is based on the current system default value of the System Default Web Browser Access Universal Controller system property. Yes - User is not restricted from logging in to the user interface. No - User is restricted from logging in to the user interface.
Command Line Access	Specifies whether or not the user can log in to the Universal Controller Command Line Interface (CLI). Options: System Default - User restriction for logging in to the CLI is based on the current system default value of the System Default Command Line Access Universal Controller system property. Yes - User is not restricted from logging in to the CLI. No - User is restricted from logging in to the CLI.
Web Service Access	Specifies whether or not the user can log in to the Universal Controller RESTful Web Services API. Options: System Default - User restriction for logging in to the Universal Controller Web Services is based on the current system default value of the System Default Web Service Access Universal Controller system property. Yes - User is not restricted from logging in to the Universal Controller Web Services. No - User is restricted from logging in to the Universal Controller Web Services.
Active	If enabled, the user ID is active and the user can log in. If disabled, the user is deactivated; the user will not appear in user lists and cannot be used for access to the Controller.
Personal Access Tokens	This section contains assorted detailed information about the applications that will access the Universal Controller Web Service APIs using the personal access token.
Expiration	Specifies when the personal access token expires. If left unspecified, the token never expires.
User Impersonation	This section specifies the users that can be impersonated by this user on Universal Controller Web Service requests.
Allowed Impersonation Users	Specifies the users that can be impersonated by this user using the X-Impersonate-User HTTP header on Web Service requests. User impersonation requires the ops_user_impersonate role. Users with the ops_admin role can impersonate any user and do not need to specify Allowed Impersonation Users.
Metadata	This section contains Metadata information about this record.
UUID	Universally Unique Identifier of this record.
Updated By	Name of the user that last updated this record.
Updated	Date and time that this record was last updated.
Created By	Name of the user that created this record.
Created	Date and time that this record was created.
Buttons	This section identifies the buttons displayed above and below the User Details that let you perform various actions.
Save	Saves a new user record in the Controller database.
Save & New	Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.
Save & View	Saves a new record in the Controller database and continues to display that record.
New	Displays empty (except for default values) Details for creating a new record.
Update	Saves updates to the record.
Delete	Deletes the current record.
Refresh	Refreshes any dynamic data displayed in the Details.
Close	For pop-up view only; closes the pop-up view of this user.
Tabs	This section identifies the tabs across the top of the User Details that provide access to additional information about the user.
User Roles	Allows you to assign roles to this user.
Member of Groups	Allows you to assign this user to one or more groups. Note Universal Controller only supports a user being a member of 1,000 groups or less.
Permissions	Allows you to assign permissions to this user.

Adding a Group

Note

You must have administrative privileges to add groups.

A group is a collection of users. You can assign privileges and roles to groups or users. You can also assign groups to other groups.

Any user assigned to a group inherits all roles and permissions assigned to that group.

Step 1	From the Administration navigation pane, select Security > Groups. The Groups list displays a list of all currently defined groups. To the right of the list, Group Details for a new group displays.
Step 2	Enter/select Details for a new group, using the field descriptions below as a guide. Required fields display an asterisk ( * ) after the field name. Default values for fields, if available, display automatically. To display more of the Details fields on the screen, you can either: Use the scroll bar. Temporarily hide the list above the Details. Click the New button above the list to display a pop-up version of the Details.
Step 3	Optionally, assign one or more roles to the group, assign members (users) to the group, assign other groups to this group, or assign permissions to this group.
Step 4	Click a Save button. The group is added to the database, and all buttons and tabs in the Group Details are enabled.

Note

To open an existing record on the list, either:

Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
Clicking the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
Right-click a record in the a list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).

Group Details

The following Group Details is for an existing group. See the field descriptions, below, for a description of all fields that display in the Group Details.

Group Details Field Descriptions

The following table describes the fields, buttons, and tabs that display in the Group Details.

Field Name	Description
Details	This section contains detailed information about the group.
Name	Name of this group.
Parent	Name of this group's parent group, if any.
Description	Description of this record. Maximum length is 255 characters.
Email	Email address for this group.
Manager	Universal Controller user that is the manager of this group.
Control Navigation Visibility	Indication of whether or not to control the visibility of navigation pane entries in the Controller Services, via the Navigation Visibility field, for members of this Group. If Control Navigation Visibility is not checked (the default selection), all entries are visible.
Navigation Visibility	If Control Navigation Visibility is enabled; Drop-down list of all Navigator entries. You can manually select and deselect any entry on the list. You also can click Check All above the list to make all Navigator entries visible to users in this Group, or click Uncheck All above the list to hide all Navigator entries from users in this Group. Note If a new Navigation Visibility entry becomes available (for example, when a new Universal Task type has been created) after an administrator has configured the Navigation Visibility feature for a Group, you must explicitly add that new entry to the configuration. If a newly created Universal Task type does not appear as an entry in the Navigation Visibility drop-down list, confirm that the Universal Template has at least one field defined, perform the Refresh Navigation Tree operation, and refresh the Group Details (or refresh the Groups list). When a Universal Template is deleted, any Navigation Visibility configuration with a reference to its corresponding Universal Task type entry will automatically have that entry removed.
Metadata	This section contains Metadata information about this record.
UUID	Universally Unique Identifier of this record.
Updated By	Name of the user that last updated this record.
Updated	Date and time that this record was last updated.
Created By	Name of the user that created this record.
Created	Date and time that this record was created.
Buttons	This section identifies the buttons displayed above and below the Group Details that let you perform various actions.
Save	Saves a new group record in the Controller database.
Save & New	Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.
Save & View	Saves a new record in the Controller database and continues to display that record.
New	Displays empty (except for default values) Details for creating a new record.
Update	Saves updates to the record.
Copy	Creates a copy of this Group, which you are prompted to rename.
Delete	Deletes the current record.
Refresh	Refreshes any dynamic data displayed in the Details.
Close	For pop-up view only; closes the pop-up view of this group.
Tabs	This section identifies the tabs across the top of the Group Details that provide access to additional information about the user.
Group Roles	Allows you to assign roles to this group.
Group Members	Allows you to assign users to this group. Note Universal Controller only supports a user being a member of 1,000 groups or less.
Child Groups	Allows you to assign other groups to this group.
Permissions	Allows you to assign permissions to this group.

Additional Details

For information on how to access additional details - such as Metadata and complete database Details - for Users and Groups (or any type of record), see Records.

Assigning Users to Groups

You can assign users to groups from a User record and from a Group record.

Step 1	Open the User or Group record.
Step 2	Click the Group Members tab. For a User, a list of all groups to which the user is assigned displays: For a Group, a list of all users assigned to the group displays.
Step 3	For a User, either: Click New to create a Group and automatically assign the User to it. Click Edit to display an Edit Members pop-up that allows you to assign the User to existing Groups. For a Group, either: Click New to create a User and automatically assign it to the Group. Click Edit to display an Edit Members pop-up that allows you to assign existing Users to the Group.
Step 4	To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list.
Step 5	To assign a User to a Group, move the User/Group from the Collection window to the List window: To move a single entry, double-click it or click it once and then click the > arrow. To move multiple entries, Ctrl-click them and then click the > arrow. To move all entries, click the >> arrow. To unassign the User to a Group, move the User/Group from the List window to the Collection window: To move a single entry, double-click it or click it once and then click the < arrow. To move multiple entries, Ctrl-click them and then click the < arrow. To move all entries, click the << arrow.
Step 6	Click Save.

Navigation Visibility for Users and Groups

Users with the ops.admin role or the ops_user_admin role can control, via the Control Navigation Visibility and Navigation Visibility fields in the Group Details for a Group, which entries in the Controller Services are visible to users in that Group.

The following conditions apply to navigation visibility

User in Multiple Groups	If a user belongs to multiple Groups, and for any of those Groups the Control Navigation Visibility is not enabled, Navigator visibility for that user is not controlled.
User in Multiple Groups	If a user belongs to multiple Groups, and for all of those Groups navigation visibility has been deselected for one or more entries, the visible entries from all Groups will be merged. That is, if an entry is not visible to users in Group A, but the entry is visible to users in Group B, the entry will be visible to any user belonging to both Groups.
Navigation Pane	If all entries in a folder of a navigation pane (for example, the Tasks folder in the Automation Center navigation pane) are not visible to a Group, that folder does not display for any user in that Group.
Navigation Pane	If all entries in a navigation pane are not visible to a Group, that navigation pane does not display for any user in that Group.
Automation Center Navigation Pane	If a Group does not have visibility to one or more entries in the configurable Automation Center navigation pane, those entries are not available for configuration for any user in that Group.
Trigger Types / Task Types	If a Group does not have visibility to a specific Trigger type or Task type, that Trigger type or Task type does not display in the New drop-down menu on the All Triggers list or the All Tasks list for any user in that Group.
Universal Task Types	Dynamically created Universal Task type entries are available for selection / deselection in the Navigation Visibility field.
User Roles	The role selections for any user override any navigation visibility selections for any Group in which that user is a member.
User Roles	Navigation visibility selections for a Group do not apply to any users in the Group with the ops_admin role.

Deleting a User

Attempts to delete a user will be prohibited under the following circumstances:

User is currently assigned as the manager for user(s).
User is currently assigned as the manager for group(s).
User currently associated with enabled trigger(s).
User currently assigned as the execution user for trigger(s).
User currently assigned as the execution user for active task instance(s).
User currently assigned as the visible to for bundle(s).

If deletion of a user is allowed, the following information associated with the user record also will be deleted:

User roles.
User permissions.
Group memberships.
User's filters.
User's pinned filter preferences.
User's layout preferences.
User's navigation preferences.
User's reports (reports made visible only to that user).
User's user preferences.
User's dashboards.

Impersonating a User

Users with the ops_admin role, the ops_user_admin role, or the ops_user_impersonate role are able to specify an X-Impersonate-User HTTP header, in additional to their authentication header/parameter, when invoking Universal Controller Web Service APIs.

The X-Impersonate-User HTTP header is specified as the User Id of the user to be impersonated.

Users with the ops_admin role can impersonate any user.

Users with only the ops_user_admin role or the ops_user_impersonate role must explicitly declare which users can be impersonated in the Allowed Impersonation Users field.