Users and Groups
Overview
You can create any number of users and user groups for Universal Controller, and you can assign any user to any user group.
The roles and permissions that you assign each user and group determine the level of access to Universal Controller functions.
You can assign any role and permission to any user or any user group. If you assign a user to a group, the user inherits all roles and permissions assigned to that group.
See LDAP Settings for information on how to set up Universal Controller to use LDAP authentication for:
Default Users and Groups
Default User
The default Universal Controller user is ops.admin. It is assigned to one of the default Universal Controller groups, Administrator Group.
Default Groups
There are two default groups:
- Administrator Group has access to all Controller functions; by default, it is assigned the ops.admin role, which has permissions on all Controller functions.
- Everything Group has access to all functions that do not require the ops.admin role.
Adding a User
Note
You must have administrative permissions to add users.
By default, a new user has no permissions. Until permissions are granted, a user can log into the Universal Controller user interface and view options in the Services, but cannot perform any tasks.
Step 1 | From the Administration navigation pane, select Security > Users. The Users list displays a list of all currently defined users. |
---|---|
Step 2 | Enter/select Details for a new user, using the field descriptions below as a guide. To display more of the Details fields on the screen, you can either: |
Step 3 | Optionally, assign one or more roles to the user, assign the user to a group, or assign permissions to this user. |
Step 4 | Click a Save button. The user is added to the database, and all buttons and tabs in the User Details are enabled. |
Note
To open an existing record on the list, either:
- Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
- Click the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
- Right-click a record in the list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).
User Details
The following details identify the roles and permissions required to read and update user details.
Roles | Permissions | Fields |
---|---|---|
The following User Details is for an existing user. See the field descriptions, below, for a description of all fields that display in the User Details.
User Details Field Descriptions
The following table describes the fields, buttons, and tabs that display in the User Details.
Field Name | Description |
---|---|
Details | This section contains detailed information about the user. |
User ID | Log in ID for this user. |
Password | Password of this user. Note: The hint for this field, as well as the information icon, will display any current characteristics and restrictions for Passwords as defined in Password Settings. |
First Name | First name of this user. |
Middle Name | Middle name of this user. |
Last Name | Last name of this user. |
Name | Automatically generated from the First Name and Last Name of this user. |
Email | Email address of this user. |
Password Requires Reset | If enabled, the user will be prompted to reset the password at next login. |
Locked Out | If enabled, locks out the user. This field is enabled automatically if the maximum number of successive failed login attempts has been reached by the user. |
Login Method | Login method(s) that the user can authenticate with. You can use the Ctrl key to select multiple methods. Only one of Standard or Standard / Authenticator App (TOTP) can be selected, not both. |
Time Zone | Time zone of this user. When this user logs in, all scheduling times will be shown in the user's time zone, unless the trigger specifies a different time zone. |
Title | Business title of this user. |
Department | Business department of this user. |
Manager | Business manager of this user. |
Business Phone | Business phone number of this user. |
Mobile Phone | Mobile phone number of this user. |
Web Browser Access | Specifies whether or not the user can log in to the user interface. |
Command Line Access | Specifies whether or not the user can log in to the Universal Controller Command Line Interface (CLI). |
Web Service Access | Specifies whether or not the user can log in to the Universal Controller RESTful Web Services API. |
Active | If enabled, the user ID is active and the user can log in. If disabled, the user is deactivated; the user will not appear in user lists and cannot be used for access to the Controller. |
Personal Access Tokens | This section contains assorted detailed information about the applications that will access the Universal Controller Web Service APIs using the personal access token. |
Expiration | Specifies when the personal access token expires. If left unspecified, the token never expires. |
User Impersonation | This section specifies the users that can be impersonated by this user on Universal Controller Web Service requests. |
Allowed Impersonation Users | Specifies the users that can be impersonated by this user using the X-Impersonate-User HTTP header on Web Service requests. User impersonation requires the ops_user_impersonate role. Users with the ops_admin role can impersonate any user and do not need to specify Allowed Impersonation Users. |
Metadata | This section contains Metadata information about this record. |
UUID | Universally Unique Identifier of this record. |
Updated By | Name of the user that last updated this record. |
Updated | Date and time that this record was last updated. |
Created By | Name of the user that created this record. |
Created | Date and time that this record was created. |
Buttons | This section identifies the buttons displayed above and below the User Details that let you perform various actions. |
Save | Saves a new user record in the Controller database. |
Save & New | Saves a new record in the Controller database and redisplays empty Details so that you can create another new record. |
Save & View | Saves a new record in the Controller database and continues to display that record. |
New | Displays empty (except for default values) Details for creating a new record. |
Update | Saves updates to the record. |
Delete | Deletes the current record. |
Refresh | Refreshes any dynamic data displayed in the Details. |
Close | For pop-up view only; closes the pop-up view of this user. |
Tabs | This section identifies the tabs across the top of the User Details that provide access to additional information about the user. |
User Roles | Allows you to assign roles to this user. |
Member of Groups | Allows you to assign this user to one or more groups. Note: Universal Controller only supports a user being a member of 1,000 groups or fewer. |
Permissions | Allows you to assign permissions to this user. |
Adding a Group
Note
You must have administrative privileges to add groups.
A group is a collection of users. You can assign privileges and roles to groups or users. You can also assign groups to other groups.
Any user assigned to a group inherits all roles and permissions assigned to that group.
Step 1 | From the Administration navigation pane, select Security > Groups. The Groups list displays a list of all currently defined groups. |
---|---|
Step 2 | Enter/select Details for a new group, using the field descriptions below as a guide. To display more of the Details fields on the screen, you can either: |
Step 3 | Optionally, assign one or more roles to the group, assign members (users) to the group, assign other groups to this group, or assign permissions to this group. |
Step 4 | Click a Save button. The group is added to the database, and all buttons and tabs in the Group Details are enabled. |
Note
To open an existing record on the list, either:
- Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
- Click the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
- Right-click a record in the list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).
Group Details
The following Group Details is for an existing group. See the field descriptions, below, for a description of all fields that display in the Group Details.
Group Details Field Descriptions
The following table describes the fields, buttons, and tabs that display in the Group Details.
Field Name | Description |
---|---|
Details | This section contains detailed information about the group. |
Name | Name of this group. |
Parent | Name of this group's parent group, if any. |
Description | Description of this record. Maximum length is 255 characters. |
Email | Email address for this group. |
Manager | Universal Controller user that is the manager of this group. |
Control Navigation Visibility | Indication of whether or not to control the visibility of navigation pane entries in the Controller Services, via the Navigation Visibility field, for members of this Group. If Control Navigation Visibility is not checked (the default selection), all entries are visible. |
Navigation Visibility | If Control Navigation Visibility is enabled, a drop-down list of all Navigator entries. Note: If a new Navigation Visibility entry becomes available (for example, when a new Universal Task type has been created) after an administrator has configured the Navigation Visibility feature for a Group, you must explicitly add that new entry to the configuration. If a newly created Universal Task type does not appear as an entry in the Navigation Visibility drop-down list, confirm that the Universal Template has at least one field defined, perform the Refresh Navigation Tree operation, and refresh the Group Details (or refresh the Groups list). When a Universal Template is deleted, any Navigation Visibility configuration with a reference to its corresponding Universal Task type entry will automatically have that entry removed. |
Metadata | This section contains Metadata information about this record. |
UUID | Universally Unique Identifier of this record. |
Updated By | Name of the user that last updated this record. |
Updated | Date and time that this record was last updated. |
Created By | Name of the user that created this record. |
Created | Date and time that this record was created. |
Buttons | This section identifies the buttons displayed above and below the Group Details that let you perform various actions. |
Save | Saves a new group record in the Controller database. |
Save & New | Saves a new record in the Controller database and redisplays empty Details so that you can create another new record. |
Save & View | Saves a new record in the Controller database and continues to display that record. |
New | Displays empty (except for default values) Details for creating a new record. |
Update | Saves updates to the record. |
Copy | Creates a copy of this Group, which you are prompted to rename. |
Delete | Deletes the current record. |
Refresh | Refreshes any dynamic data displayed in the Details. |
Close | For pop-up view only; closes the pop-up view of this group. |
Tabs | This section identifies the tabs across the top of the Group Details that provide access to additional information about the group. |
Group Roles | Allows you to assign roles to this group. |
Group Members | Allows you to assign users to this group. Note: Universal Controller only supports a user being a member of 1,000 groups or fewer. |
Child Groups | Allows you to assign other groups to this group. |
Permissions | Allows you to assign permissions to this group. |
Additional Details
For information on how to access additional details - such as Metadata and complete database Details - for Users and Groups (or any type of record), see Records.
Assigning Users to Groups
You can assign users to groups from a User record and from a Group record.
Step 1 | Open the User or Group record. |
---|---|
Step 2 | Click the Group Members tab. |
Step 3 | For a User, either: |
Step 4 | To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list. |
Step 5 | To assign a User to a Group, move the User/Group from the Collection window to the List window: To unassign the User from a Group, move the User/Group from the List window to the Collection window: |
Step 6 | Click Save. |
Navigation Visibility for Users and Groups
Users with the ops.admin role or the ops_user_admin role can control, via the Control Navigation Visibility and Navigation Visibility fields in the Group Details for a Group, which entries in the Controller Services are visible to users in that Group.
The following conditions apply to navigation visibility:
User in Multiple Groups | If a user belongs to multiple Groups, and for any of those Groups the Control Navigation Visibility is not enabled, Navigator visibility for that user is not controlled. |
---|---|
User in Multiple Groups | If a user belongs to multiple Groups, and for all of those Groups navigation visibility has been deselected for one or more entries, the visible entries from all Groups will be merged. That is, if an entry is not visible to users in Group A, but the entry is visible to users in Group B, the entry will be visible to any user belonging to both Groups. |
Navigation Pane | If all entries in a folder of a navigation pane (for example, the Tasks folder in the Automation Center navigation pane) are not visible to a Group, that folder does not display for any user in that Group. |
Navigation Pane | If all entries in a navigation pane are not visible to a Group, that navigation pane does not display for any user in that Group. |
Automation Center Navigation Pane | If a Group does not have visibility to one or more entries in the configurable Automation Center navigation pane, those entries are not available for configuration for any user in that Group. |
Trigger Types / Task Types | If a Group does not have visibility to a specific Trigger type or Task type, that Trigger type or Task type does not display in the New drop-down menu on the All Triggers list or the All Tasks list for any user in that Group. |
Universal Task Types | Dynamically created Universal Task type entries are available for selection / deselection in the Navigation Visibility field. |
User Roles | The role selections for any user override any navigation visibility selections for any Group in which that user is a member. |
User Roles | Navigation visibility selections for a Group do not apply to any users in the Group with the ops_admin role. |
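The multi-Group rules above resolve in the permissive direction, so the sketch below works out a user's effective visibility and explains why an entry still shows. It is an added example, not Universal Controller code: the dict keys, entry names and navigation tree are constructed, a user in no Group is assumed to be uncontrolled, and the override by user roles other than ops_admin is not modelled.

```python
# Added example. Dict keys, entry names and the navigation tree are constructed
# for illustration; they are not Universal Controller field or entry names.
NAV_TREE = {  # folder -> entries (constructed)
    "Tasks": ["Task Type X", "Task Type Y"],
    "Triggers": ["Trigger Type P", "Trigger Type Q"],
}
ALL_ENTRIES = {e for entries in NAV_TREE.values() for e in entries}

def visible_entries(user_roles, groups):
    """Effective set of visible entries for a user under the rules above."""
    if "ops_admin" in user_roles:
        return set(ALL_ENTRIES)   # Group selections do not apply to ops_admin users
    # Assumption: a user in no Group is treated as uncontrolled.
    if not groups or any(not g["control"] for g in groups):
        return set(ALL_ENTRIES)   # one uncontrolled Group means no control at all
    merged = set()
    for g in groups:              # visible entries from all Groups are merged
        merged |= set(g["visible"]) & ALL_ENTRIES
    return merged

def visible_folders(visible):
    """A folder displays only if at least one of its entries is visible."""
    return sorted(f for f, entries in NAV_TREE.items() if visible & set(entries))

def why_visible(entry, user_roles, groups):
    """Name the rule or Group that makes `entry` visible (empty list = hidden)."""
    if "ops_admin" in user_roles:
        return ["user has the ops_admin role"]
    if not groups:
        return ["user belongs to no Group (assumed uncontrolled)"]
    uncontrolled = [g["name"] for g in groups if not g["control"]]
    if uncontrolled:
        return [f"Group {n} does not control navigation visibility" for n in uncontrolled]
    return [f"Group {g['name']} shows it" for g in groups if entry in g["visible"]]

# Constructed Groups: A hides "Task Type Y", B shows it, C is uncontrolled.
GROUP_A = {"name": "A", "control": True, "visible": ["Task Type X"]}
GROUP_B = {"name": "B", "control": True, "visible": ["Task Type X", "Task Type Y"]}
GROUP_C = {"name": "C", "control": False, "visible": []}

if __name__ == "__main__":
    print(visible_folders(visible_entries([], [GROUP_A, GROUP_B])))
    print(why_visible("Task Type Y", [], [GROUP_A, GROUP_B]))
```

Hiding an entry from a user therefore requires every Group the user belongs to to control visibility and to deselect that entry.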
Deleting a User
Attempts to delete a user will be prohibited under the following circumstances:
- User is currently assigned as the manager for user(s).
- User is currently assigned as the manager for group(s).
- User currently associated with enabled trigger(s).
- User currently assigned as the execution user for trigger(s).
- User currently assigned as the execution user for active task instance(s).
- User currently assigned as the visible to for bundle(s).
If deletion of a user is allowed, the following information associated with the user record also will be deleted:
- User roles.
- User permissions.
- Group memberships.
- User's filters.
- User's pinned filter preferences.
- User's layout preferences.
- User's navigation preferences.
- User's reports (reports made visible only to that user).
- User's user preferences.
- User's dashboards.
Impersonating a User
Users with the ops_admin role, the ops_user_admin role, or the ops_user_impersonate role are able to specify an X-Impersonate-User HTTP header, in addition to their authentication header/parameter, when invoking Universal Controller Web Service APIs.
The X-Impersonate-User HTTP header is specified as the User Id of the user to be impersonated.
Users with the ops_admin role can impersonate any user.
Users with only the ops_user_admin role or the ops_user_impersonate role must explicitly declare which users can be impersonated in the Allowed Impersonation Users field.
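For a configuration review, the impersonation rules above can be modelled to list who can act as whom and to flag entries worth a second look, including personal access tokens left without an Expiration. This is an added example, not Universal Controller code: the record layout (dict keys) and the sample users are constructed, and the findings are reviewer heuristics rather than product behaviour.

```python
# Added example: models the impersonation rules stated above for a configuration review.
# The record layout (dict keys) and sample users are constructed, not a product export format.
ADMIN = "ops_admin"
LISTED_ROLES = {"ops_user_admin", "ops_user_impersonate"}  # need Allowed Impersonation Users

def may_impersonate(caller, target_id):
    """True if `caller` may set X-Impersonate-User to `target_id`."""
    roles = set(caller["roles"])
    if ADMIN in roles:
        return True                                   # ops_admin can impersonate any user
    if roles & LISTED_ROLES:
        return target_id in caller["allowed_impersonation_users"]
    return False                                      # no impersonation role

def audit(users):
    """Return (reach, findings): who can impersonate whom, plus items to review."""
    by_id = {u["user_id"]: u for u in users}
    reach, findings = {}, []
    for uid, u in by_id.items():
        reach[uid] = sorted(t for t in by_id if t != uid and may_impersonate(u, t))
        roles = set(u["roles"])
        if ADMIN not in roles:
            for t in reach[uid]:
                if ADMIN in by_id[t]["roles"]:
                    findings.append((uid, f"non-admin may impersonate ops_admin user {t}"))
            if u["allowed_impersonation_users"] and not roles & LISTED_ROLES:
                findings.append((uid, "allowed list set but no impersonation role"))
        if any(exp is None for exp in u["token_expirations"]):
            findings.append((uid, "personal access token with no expiration"))
    return reach, findings

USERS = [  # constructed sample records
    {"user_id": "ops.admin", "roles": ["ops_admin"],
     "allowed_impersonation_users": [], "token_expirations": []},
    {"user_id": "svc.deploy", "roles": ["ops_user_impersonate"],
     "allowed_impersonation_users": ["jdoe", "ops.admin"], "token_expirations": [None]},
    {"user_id": "jdoe", "roles": [],
     "allowed_impersonation_users": ["ops.admin"], "token_expirations": ["2030-01-01"]},
]

if __name__ == "__main__":
    reach, findings = audit(USERS)
    for uid, note in findings:
        print(f"{uid}: {note}")
```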