User Management

The User Management allows an nJAMS Administrator to manage users, roles, and permissions. The User Management is represented by a separate category:

User management

When you start from scratch there’s one user and one role available. During installation the nJAMS Installer creates an Administrator account. Usually the account name of the nJAMS Administrator is ‘admin’, but you can name the Administrator account as you like.

An nJAMS Administrator account cannot be removed.

Manage user

When creating a user you must supply a user name (which will act as the login id) and a password. Optionally a comment can be added and a time interval that constraints the new user’s validity can be configured.

For roles imported from a directory service via LDAP, the DN is also shown.

To access users navigate to User Management > Users:

Select user management

Select a user from the list and you can manage this account:

Select user
  1. Create a new nJAMS account
  2. Edit an existing user
  3. Assign a predefined view for the user
  4. Define a one-time password for the user
  5. Assign one or more roles to the user
  6. See more details of the selected user
  7. Delete the selected user

The following steps are required to create an usable account:

  1. Add a user
  2. Assign the user at least one role
  3. Grant permissions to the role
  4. Define a password
Add user:

  1. Click on ADD to create a new user account and enter a username. The other fields are optional.

    Add user
    Attribute Description
    Username Name of the account (mandatory)
    First name First name of the user
    Last name Last name of the user
    Email Email address
    Comment Enter a comment for this account
    Valid from, Set a time interval inside the account is valid
    Valid to  

When you click on SAVE the account will be created:

User created
  1. The account can be edited at any time; the username can also be changed.
Assign roles:

It is required to assign at least one role to the user. Permissions can only be granted to roles, so a user must be assigned to at least one role.

  1. Click on ASSIGN ROLES to assign roles to the user:

    Assign roles

    Select the role ‘defenders’ and click on ASSIGN. The user is now assigned to the role ‘defenders’.
Grant and revoke permissions:
 

You can grant permissions on domain objects to a role, respectively revoke permissions from a role. Assigned user to that role are therefore granted with these privileges.
Manage passwords:
 

When creating a user, an initial one-time password has to be created. The one-time password must be changed by the user after first login.

  1. Click on CREATE Password and an one-time password is generated.

    One time password

Submit this password to the user.

If nJAMS Server contains a valid connection to a SMTP server and an email address has been provided to the account, an email containing the one-time password is sent to the user.

Note

A user who was imported from a directory service can change neither the password, nor the name nor the email address in nJAMS Server.

The password can be changed either by the nJAMS Administrator or by the user using the “My Account” dialog. A logged in user has to navigate to ‘My Account’ as follows:

Enter My Account

Click on CHANGE PASSWORD on the following page:

My Account

Password retention:

You can change the password retention setting for newly created passwords in Administration > System Control > System configuration. Scroll down to section ‘User management’ and change setting for PasswordRetention:

0 newly created passwords will never expire (default).

<number of days> number of days after creation after which the password expires.

Manage roles

For managing roles, navigate to category roles:

Select role management

This will show a list of available roles:

role management
  1. Create a new role
  2. Edit an existing role
  3. Assign a predefined view for the role
  4. Assign Users to the role
  5. Grant / Revoke System Privileges to/from the role
  6. Grant / Revoke Object Privileges to/from the role
  7. See more details of the selected role
  8. Delete the role

Perform the following steps to introduce a new role:

  1. Add a role
  2. Define a predefined View to the role (optional)
  3. Assign users to the role
  4. Grant System Privileges to the role
  5. Grant Object Privileges to the role
Add roles:

  1. Click on ADD to create a new role and enter a name for the role. A comment is optional.

    Create role

Click on SAVE to create a new role.

Role created
  1. You can edit a role; changing the name of the role later on is possible.
Determine a View:
 

An nJAMS Administrator can specify a predefined view to users or roles. In case no view is specified - which is the default - the Default View is determined for the user, respectively role.

  1. Click on VIEW to specify a View for the selected role:

    View

This option is useful for a group of users that should use a common view for their daily work. For instance, there might be users who just want to check process executions and don’t need access to any further details. In this scenario an nJAMS Administrator can define a reduced custom layout and assign this view to the role for this group of users.

Note

The assignment of a view to a user overrides the assignment to a role.

Assume a user is part of a role that is in turn assigned to a specific view. In this case the user will consider the view that belongs to this role.

Now further assume that this user is additionally assigned to another view. In this case the user considers the view assigned specifically to this account, the view assigned to the role will be ignored.
Assign users:

A role can be assigned to users.

  1. Select role ‘defenders’ and click on ASSIGN USERS to assign users to that role:

    Assign users Users

Click on SAVE and the users are now assigned to that very role.
Grant System privileges:
 

An nJAMS Administrator can grant or revoke System privileges to a role.

What are System privileges?

  • A System privilege is the permission to perform a particular action.
  • A System privilege can be granted and revoked to/from particular roles.
  • System privileges are predefined by nJAMS Server or by extensions, i.e. nJAMS plugins.

What kind of System privileges are available?

System privilege Description
Administrator Allowed to administrate nJAMS Server. This is the highest privilege a role can have. There has to be at least one role provided with ‘administrator’ privilege. The ‘administrator’ privilege includes all other privileges described below.
Object authorization Allowed to authorize roles on domain objects. A domain object is an element that is available in the tree ‘Processes’, ‘Queries’ of the Main page. If members of a role should be allowed to authorize someone else to work with Objects, they need this System privilege.
Rules manager Allowed to define and manage Rules. A Rules Manager can enter category ‘Rules’ from the top menu.
Server operator Allowed to operate nJAMS Server (configure, start/stop components). Neither managing users, roles nor granting permissions are allowed. A Server Operator can enter category ‘Administration’ and manage all available categories, except User Management.
User manager Allowed to manage users, roles and granting, revoking permissions. A User Manager can enter category Administration > User Management.
See new main entries Allowed to see new incoming Objects in Tree and Result list that have not been granted with Object privileges.
View msg. processing Allowed to see progress of Message Processing in Administration > System Control.
Configure Argos Allowed to add, update, delete Argos dashboards.
View Argos Entitled to see Argos dashboards.

  1. Click on SYSTEM PRIVILEGES and you can grant or revoke permissions on the selected role:

    System privileges

    In this example the role is granted to act as Rules Manager and is allowed to define and manage Rules.
Grant Object privileges:
 

An nJAMS Administrator can grant or revoke Object privileges to a role.

What are Object privileges?

  • An Object privilege is the permission to work with particular nJAMS Objects (Processes, Queries).
  • An Object privilege can be granted and revoked to/from particular roles.
  • Object privileges are predefined by nJAMS Server or by extensions, i.e. nJAMS plugins.

What kind of Object privileges are available?

Object privilege Description
read

Allowed to read data of nJAMS Objects.

Members of a role that was granted to read log events of a particular Process execution can read all information this Process is logging in nJAMS.
write Allowed to create, update, delete Extracts and Traces on nJAMS Objects.
manage Allowed to manage Settings on Objects (retention, logmode, loglevel, etc.).

  1. Select a role and click on OBJECT Privileges. The following dialog opens:

    Object privileges
Show details:

  1. See further details of the selected role.

    Show details
Delete roles:

  1. Click on DELETE to remove a role.

    Note

    nJAMS Server will prevent you from deleting roles with references to existing users. Remove all members from the role first and delete the role afterwards.