Users and Groups

Overview

You can create any number of users and user groups for Universal Controller, and you can assign any user to any user group.

The roles and permissions that you assign each user and group determines the level of access to Universal Controller functions.

You can assign any role and permission to any user or any user group. If you assign a user to a group, the user inherits all roles and permissions assigned to that group.

See LDAP Settings for information on how to set up Universal Controller to use LDAP authentication for:

Default Users and Groups

Default User

The default Universal Controller user is ops.admin. It is assigned to one of the default Universal Controller groups, Administrator Group.

Default Groups

There are two default groups:

  • Administrator Group has access to all Controller functions; by default, it is assigned the ops.admin role, which has permissions on all Controller functions.
  • Everything Group has access to all functions that do not require the ops.admin role.

Adding a User

Note

You must have administrative permissions to add users.

By default, a new user has no permissions. Until permissions are granted, a user can log into the Universal Controller user interface and view options in the Services, but cannot perform any tasks.
 

Step 1

From the Administration navigation pane, select Security > Users. The Users list displays a list of all currently defined users.
 
To the right of the list, User Details for a new user displays.
 

Step 2

Enter/select Details for a new user, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

To display more of the Details fields on the screen, you can either:

  • Use the scroll bar.
  • Temporarily hide the list above the Details.
  • Click the New button above the list to display a pop-up version of the Details.

Step 3

Optionally, assign one or more roles to the user, assign the user to a group, or assign permissions to this user.

Step 4

Click a Save button. The user is added to the database, and all buttons and tabs in the User Details are enabled.

Note

To open an existing record on the list, either:

  • Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
  • Clicking the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
  • Right-click a record in the a list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).

User Details

The following details identifies the roles and permissions required to read and update user details.

RolesPermissionsFields
  • ops_admin
  • ops_user_admin
  • Read any user.
  • Edit any user.
  • All
  • ops_service
  • Read any user.

  • none
  • Read its own user record (details).
  • Read its own Role, Permissions, and Member of Groups (group membership),
    but cannot read any Group record.
  • Update specific fields in its own details (see Fields).
  • First Name

  • Middle Name

  • Last Name

  • Email

  • Time Zone

  • Title

  • Department

  • Business Phone

  • Mobile Phone


The following User Details is for an existing user. See the field descriptions, below, for a description of all fields that display in the User Details.


 

User Details Field Descriptions

The following table describes the fields, buttons, and tabs that display in the User Details.
 

Field Name

Description

Details

This section contains detailed information about the user.

User ID

Log in ID for this user.

Password

Password of this user.

Note

The hint for this field, as well as the information icon, will display any current characteristics and restrictions for Passwords as defined in Password Settings.

First Name

First name of this user.

Middle Name

Middle name of this user.

Last Name

Last name of this user.

Name

Automatically generated from the First Name and Last Name of this user.

Email

Email address of this user.

Password Requires Reset

If enabled, the user will be prompted to reset the password at next login.

Locked Out

If enabled, locks out the user. This field is enabled automatically if the maximum number of successive failed login attempts has been reached by the user.

Login Method

Login method(s) that the user can authenticate with. You can use the Ctrl key to select multiple methods. Only one of Standard or Standard / Authenticator App (TOTP) can be selected, not both.
 
Options:

  • Standard
  • Single Sign-On
  • Standard / Authenticator App (TOTP)

Time Zone

Time zone of this user. When this user logs in, all scheduling times will be shown in the user's time zone, unless the trigger specifies a different time zone.

Title

Business title of this user.

Department

Business department of this user.

Manager

Business manager of this user.

Business Phone

Business phone number of this user.

Mobile Phone

Mobile phone number of this user.

Web Browser Access

Specifies whether or not the user can log in to the user interface.
 
Options:

  • System Default - User restriction for logging in to the user interface is based on the current system default value of the System Default Web Browser Access Universal Controller system property.
  • Yes - User is not restricted from logging in to the user interface.
  • No - User is restricted from logging in to the user interface.

Command Line Access

Specifies whether or not the user can log in to the Universal Controller Command Line Interface (CLI).
 
Options:

  • System Default - User restriction for logging in to the CLI is based on the current system default value of the System Default Command Line Access Universal Controller system property.
  • Yes - User is not restricted from logging in to the CLI.
  • No - User is restricted from logging in to the CLI.

Web Service Access

Specifies whether or not the user can log in to the Universal Controller RESTful Web Services API.
 
Options:

  • System Default - User restriction for logging in to the Universal Controller Web Services is based on the current system default value of the System Default Web Service Access Universal Controller system property.
  • Yes - User is not restricted from logging in to the Universal Controller Web Services.
  • No - User is restricted from logging in to the Universal Controller Web Services.

Active

If enabled, the user ID is active and the user can log in. If disabled, the user is deactivated; the user will not appear in user lists and cannot be used for access to the Controller.

Personal Access Tokens This section contains assorted detailed information about the applications that will access the Universal Controller Web Service APIs using the personal access token. 
Expiration Specifies when the personal access token expires. If left unspecified, the token never expires.
User Impersonation

This section specifies the users that can be impersonated by this user on Universal Controller Web Service requests. 

Allowed Impersonation Users

Specifies the users that can be impersonated by this user using the X-Impersonate-User HTTP header on Web Service requests.

User impersonation requires the ops_user_impersonate role.

Users with the ops_admin role can impersonate any user and do not need to specify Allowed Impersonation Users. 

Metadata

This section contains Metadata information about this record.

UUID

Universally Unique Identifier of this record.

Updated By

Name of the user that last updated this record.

Updated

Date and time that this record was last updated.

Created By

Name of the user that created this record.

Created

Date and time that this record was created.

Buttons

This section identifies the buttons displayed above and below the User Details that let you perform various actions.

Save

Saves a new user record in the Controller database.

Save & New

Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.

Save & View

Saves a new record in the Controller database and continues to display that record.

New

Displays empty (except for default values) Details for creating a new record.

Update

Saves updates to the record.

Delete

Deletes the current record.

Refresh

Refreshes any dynamic data displayed in the Details.

Close

For pop-up view only; closes the pop-up view of this user.

Tabs

This section identifies the tabs across the top of the User Details that provide access to additional information about the user.

User Roles

Allows you to assign roles to this user.

Member of Groups

Allows you to assign this user to one or more groups.

Note

Universal Controller only supports a user being a member of 1,000 groups or less.

Permissions

Allows you to assign permissions to this user.

Adding a Group

Note

You must have administrative privileges to add groups.

A group is a collection of users. You can assign privileges and roles to groups or users. You can also assign groups to other groups.

Any user assigned to a group inherits all roles and permissions assigned to that group.
 

Step 1

From the Administration navigation pane, select Security > Groups. The Groups list displays a list of all currently defined groups.
 
To the right of the list, Group Details for a new group displays.
 

Step 2

Enter/select Details for a new group, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

To display more of the Details fields on the screen, you can either:

  • Use the scroll bar.
  • Temporarily hide the list above the Details.
  • Click the New button above the list to display a pop-up version of the Details.

Step 3

Optionally, assign one or more roles to the group, assign members (users) to the group, assign other groups to this group, or assign permissions to this group.

Step 4

Click a Save button. The group is added to the database, and all buttons and tabs in the Group Details are enabled.

Note

To open an existing record on the list, either:

  • Click a record in the list to display its record Details below the list. (To clear record Details below the list, click the New button that displays above and below the Details.)
  • Clicking the Details icon next to a record name in the list, or right-click a record in the list and then click Open in the Action menu that displays, to display a pop-up version of the record Details.
  • Right-click a record in the a list, or open a record and right-click in the record Details, and then click Open In Tab in the Action menu that displays, to display the record Details under a new tab on the record list page (see Record Details as Tabs).

Group Details

The following Group Details is for an existing group. See the field descriptions, below, for a description of all fields that display in the Group Details.
 

Group Details Field Descriptions

The following table describes the fields, buttons, and tabs that display in the Group Details.
 

Field Name

Description

Details

This section contains detailed information about the group.

Name

Name of this group.

Parent

Name of this group's parent group, if any.

Description

Description of this record. Maximum length is 255 characters.

Email

Email address for this group.

Manager

Universal Controller user that is the manager of this group.

Control Navigation Visibility

Indication of whether or not to control the visibility of navigation pane entries in the Controller Services, via the Navigation Visibility field, for members of this Group. If Control Navigation Visibility is not checked (the default selection), all entries are visible.

Navigation Visibility

If Control Navigation Visibility is enabled; Drop-down list of all Navigator entries.
 
You can manually select and deselect any entry on the list. You also can click Check All above the list to make all Navigator entries visible to users in this Group, or click Uncheck All above the list to hide all Navigator entries from users in this Group.
 

Note

If a new Navigation Visibility entry becomes available (for example, when a new Universal Task type has been created) after an administrator has configured the Navigation Visibility feature for a Group, you must explicitly add that new entry to the configuration.

If a newly created Universal Task type does not appear as an entry in the Navigation Visibility drop-down list, confirm that the Universal Template has at least one field defined, perform the Refresh Navigation Tree operation, and refresh the Group Details (or refresh the Groups list).

When a Universal Template is deleted, any Navigation Visibility configuration with a reference to its corresponding Universal Task type entry will automatically have that entry removed.

Metadata

This section contains Metadata information about this record.

UUID

Universally Unique Identifier of this record.

Updated By

Name of the user that last updated this record.

Updated

Date and time that this record was last updated.

Created By

Name of the user that created this record.

Created

Date and time that this record was created.

Buttons

This section identifies the buttons displayed above and below the Group Details that let you perform various actions.

Save

Saves a new group record in the Controller database.

Save & New

Saves a new record in the Controller database and redisplays empty Details so that you can create another new record.

Save & View

Saves a new record in the Controller database and continues to display that record.

New

Displays empty (except for default values) Details for creating a new record.

Update

Saves updates to the record.

Copy

Creates a copy of this Group, which you are prompted to rename.

Delete

Deletes the current record.

Refresh

Refreshes any dynamic data displayed in the Details.

Close

For pop-up view only; closes the pop-up view of this group.

Tabs

This section identifies the tabs across the top of the Group Details that provide access to additional information about the user.

Group Roles

Allows you to assign roles to this group.

Group Members

Allows you to assign users to this group.

Note

Universal Controller only supports a user being a member of 1,000 groups or less.

Child Groups

Allows you to assign other groups to this group.

Permissions

Allows you to assign permissions to this group.

Additional Details

For information on how to access additional details - such as Metadata and complete database Details - for Users and Groups (or any type of record), see Records.

Assigning Users to Groups

You can assign users to groups from a User record and from a Group record.

Step 1

Open the User or Group record.

Step 2

Click the Group Members tab.
 
For a User, a list of all groups to which the user is assigned displays:
 

 
For a Group, a list of all users assigned to the group displays.
 

Step 3

For a User, either:

  • Click New to create a Group and automatically assign the User to it.
  • Click Edit to display an Edit Members pop-up that allows you to assign the User to existing Groups.


 
For a Group, either:

  • Click New to create a User and automatically assign it to the Group.
  • Click Edit to display an Edit Members pop-up that allows you to assign existing Users to the Group.

Step 4

To filter the Users/Groups listed in the Collection window, enter characters in the text field above the Name column. Only Users/Groups containing that sequence of characters will display in the list.

Step 5

To assign a User to a Group, move the User/Group from the Collection window to the List window:

  1. To move a single entry, double-click it or click it once and then click the > arrow.
  2. To move multiple entries, Ctrl-click them and then click the > arrow.
  3. To move all entries, click the >> arrow.

To unassign the User to a Group, move the User/Group from the List window to the Collection window:

  1. To move a single entry, double-click it or click it once and then click the < arrow.
  2. To move multiple entries, Ctrl-click them and then click the < arrow.
  3. To move all entries, click the << arrow.

Step 6

Click Save.

Navigation Visibility for Users and Groups

Users with the ops.admin role or the ops_user_admin role can control, via the Control Navigation Visibility and Navigation Visibility fields in the Group Details for a Group, which entries in the Controller Services are visible to users in that Group.

The following conditions apply to navigation visibility

User in Multiple Groups

If a user belongs to multiple Groups, and for any of those Groups the Control Navigation Visibility is not enabled, Navigator visibility for that user is not controlled.

User in Multiple Groups

If a user belongs to multiple Groups, and for all of those Groups navigation visibility has been deselected for one or more entries, the visible entries from all Groups will be merged. That is, if an entry is not visible to users in Group A, but the entry is visible to users in Group B, the entry will be visible to any user belonging to both Groups.

Navigation Pane

If all entries in a folder of a navigation pane (for example, the Tasks folder in the Automation Center navigation pane) are not visible to a Group, that folder does not display for any user in that Group.

Navigation Pane

If all entries in a navigation pane are not visible to a Group, that navigation pane does not display for any user in that Group.

Automation Center Navigation Pane

If a Group does not have visibility to one or more entries in the configurable Automation Center navigation pane, those entries are not available for configuration for any user in that Group.

Trigger Types / Task Types

If a Group does not have visibility to a specific Trigger type or Task type, that Trigger type or Task type does not display in the New drop-down menu on the All Triggers list or the All Tasks list for any user in that Group.

Universal Task Types

Dynamically created Universal Task type entries are available for selection / deselection in the Navigation Visibility field.

User Roles

The role selections for any user override any navigation visibility selections for any Group in which that user is a member.

User Roles

Navigation visibility selections for a Group do not apply to any users in the Group with the ops_admin role.

Deleting a User

Attempts to delete a user will be prohibited under the following circumstances:

  • User is currently assigned as the manager for user(s).
  • User is currently assigned as the manager for group(s).
  • User currently associated with enabled trigger(s).
  • User currently assigned as the execution user for trigger(s).
  • User currently assigned as the execution user for active task instance(s).
  • User currently assigned as the visible to for bundle(s).

If deletion of a user is allowed, the following information associated with the user record also will be deleted:

  • User roles.
  • User permissions.
  • Group memberships.
  • User's filters.
  • User's pinned filter preferences.
  • User's layout preferences.
  • User's navigation preferences.
  • User's reports (reports made visible only to that user).
  • User's user preferences.
  • User's dashboards.

Impersonating a User

Users with the ops_admin role, the ops_user_admin role, or the ops_user_impersonate role are able to specify an X-Impersonate-User HTTP header, in additional to their authentication header/parameter, when invoking Universal Controller Web Service APIs.

The X-Impersonate-User HTTP header is specified as the User Id of the user to be impersonated.

Users with the ops_admin role can impersonate any user.

Users with only the ops_user_admin role or the ops_user_impersonate role must explicitly declare which users can be impersonated in the Allowed Impersonation Users field.