This topic details how the enPortal administrator can configure each element of User management. First, we present the concepts of establishing the basic User organization. Then we detail usage of the specific administration tools and interfaces. The primary elements of the User management are Domains, Users, and Roles.
Provisioning is how you create Users and Roles in enPortal, and then provide the appropriate targeted information to them. This section provides guidelines on what to consider when planning the organization of the AppBoard/enPortal system.
When users are created they must be grouped into one or more Domains. The primary purpose of a Domain is to provide an independent namespace of users. An unlimited set of Domains can be defined in a single system.
A special Domain called System is reserved. This Domain is locked and cannot be modified. It contains a single User named administrator. This User is always granted permission for all components in the system. You cannot add or remove Users from the System Domain.
Within a Domain, the user IDs must be unique. However, identical User IDs can exist in different domains. The following diagram illustrates an example of domains and users:
As a first step in determining your User organization, determine if separate Domains need to be created so that users from one Domain would access the system independently from users in the other Domain. For example, a managed service provider may want to group customers into separate Domains if they will be completely independent of one another in how they use the system.
After creating each Domain, you will then assign one or more Roles to each Domain. These Roles will dictate the system content that is available to Users in that Domain. When a Role is assigned to a Domain, then all Users belonging to that Domain inherit the Role. New Users added later to the Domain would then automatically inherit these assignments.
Roles are a hierarchical mechanism used to organize Domains and Users. Roles are the primary basis by which capabilities are managed, preferences are stored, and content is secured. The following is an example of a Role hierarchy. Notice that the NOC role contains two sub-roles: Managers and Operators.
Individual Users or entire Domains can be assigned to a single Role or to many Roles.
Allowing Users or Domains to be assigned to multiple Roles lets each User switch how he or she interacts with the system. For example, Bob may need to access the system using the Role of NOC Manager in order to access the tools needed to isolate and replicate a problem. After identifying the problem, he could switch to the Role of Administrator in order to obtain the rights needed to correct it.
When a Domain is assigned to a Role, all Users within the Domain are automatically assigned to the Role as well. This allows administrators to add new Users to a Domain and have Roles automatically assigned without having to take the time to assign individual security to the new User.
When configuring the Roles to create in the system, first consider the Roles of an organization and decide which User(s) will be assigned to each Role. Each Role will control which tabs are displayed after a user successfully logs in. This is accomplished by the system administrator assigning content in the system to one or more Roles.
The hierarchical nature of Roles allows sub-roles to be nested under Roles; however, inheritance is not implicit. Each Role is unique and only provides access to the content directly assigned to it. When a sub-role is assigned to one or more Users, those Users do not automatically inherit access to the content of the parent Role. Additionally, those Users are only permitted to log in to the system in the sub-role, not in the parent Role.
As you prepare to design your organizational structure, you should consider:
Once you understand the content that will be available, you can set up the User organization to properly deliver that content to the appropriate Users. Complete the following steps to configure the system:
The following steps provide a guideline in setting up a User organization:
With the aid of a company organization chart, the following questions will assist in ensuring a smooth and sensible implementation for your organization:
User management is made up of three elements: Domains, Users, and Roles. Used together, these elements provide a flexible means of organizing Users and provisioning the appropriate content to those Users. This User organization is the foundation upon which content management and other system features are built. In enPortal, provisioning is achieved by assigning Roles to Users and/or Domains.
Provisioning in enPortal is accomplished by performing the following steps:
A Domain is a grouping of Users.
Perform the following steps to create an enPortal Domain:
Perform the following steps to modify an enPortal Domain:
Perform the following steps to delete an enPortal Domain:
The password policy can be set for an individual domain by specifying a custom password policy for the domain. The password policy specified for a domain takes precedence over the system policy.
The settings in the domain password policy affect only the users in that domain. If the domain's users are managed by an external LDAP server and you allow passwords to be changed (subject to the limitation in the note below), it is strongly recommended that the domain policy match the LDAP policy, because most LDAP servers do not return helpful error messages when a user's password fails the policy.
Perform the following steps to assign a domain password policy.
Once you have created a Domain, you must create a User in the Domain.
A User is a named member of a Domain who has unique credentials for logging in to enPortal.
Perform the following steps to create an enPortal User:
Perform the following steps to modify an enPortal User:
Perform the following steps to delete an enPortal User:
Roles are the mechanism through which content in enPortal is assigned to Users.
Perform the following steps to create an enPortal Role:
Roles are hierarchical in enPortal. In addition to creating Roles, you can also create sub-roles. The terms parent and child are used when referring to the relationship between roles. All Roles with sub-roles are parent Roles. Sub-roles are considered child Roles of their parent Role(s). If a sub-role is assigned to a Domain or User, the Domain or User will inherit the assignments and security of the parent Roles. However, the User(s) is only permitted to log in to the system in his/her sub-role — a User is not permitted to log in to the system in the parent Role(s).
The portalAdministration Role is the only Role in enPortal that provides full administrative privileges. When you install enPortal, a User called administrator in the domain System is the only User assigned to this Role. This Role can be assigned to one or more additional Users by any member of the portalAdministration Role. All members of the portalAdministration Role are granted full permissions for all components and actions in enPortal. Any Users who are assigned sub-roles under the portalAdministration Role also have full administrative privileges.
Once you have created a Role, you must assign content to the Role. This content is presented to any User who logs in to enPortal under that Role. To create content, follow the instructions on the Content Creation page.
Folders present tabs of information to Users when they log in to enPortal. The enPortal administrator provides Folders to Users by provisioning them to Roles. Perform the following steps to assign one or more Folders to a Role:
Once you have created a User and a Role, and assigned content to the Role, the final step is to assign the Role to the User. The User will then be presented the appropriate folders when logging in to the system under that Role. You can assign Roles to either Users or Domains, using the same process. The only difference is that assigning the Role to the Domain will assign it to all current and future Users in the Domain.
A User can have more than one Role assigned in enPortal. If a User has multiple Roles, the default Role is selected for the User after login. A Role chooser is presented in the upper banner, and the User can use it to switch to a different Role. Switching effectively logs the User out of enPortal and logs the User back in under the new Role. A User can only have one Role selected at any one time and sees only the content provisioned to that current Role.
Perform the following steps to assign Roles to a User or Domain:
When you assign a Role to a Domain, the Role is inherited by all Users in that Domain. When you assign a Role to a User, the Role is assigned directly to only that User.
Perform the following steps to see if a Role assignment is direct or inherited:
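The Domain, User and Role rules described above (unique user IDs per Domain, the locked System Domain, Domain-level Role assignments inherited by current and future Users, sub-roles that neither implicitly grant the parent Role's content nor permit logging in as the parent, full privileges for any Role under portalAdministration, and the direct-versus-inherited distinction) as an added Python model. This is an illustration written for this page, not enPortal's own code; every class, function and sample name (ACME, Globex, Helpdesk Admins, the constructed Folder names) is an assumption made for the example.

```python
"""Toy model of enPortal's provisioning rules (Domains, Users, Roles).

Added illustration, not Edge Technologies' code. The class and function
names are assumptions made for this example; the rules they encode are
the ones stated in the documentation text.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)  # eq=False keeps instances hashable so Roles can live in sets
class Role:
    name: str
    parent: Optional["Role"] = None
    content: set = field(default_factory=set)  # Folders provisioned directly to this Role

    def ancestors(self):
        """Walk up the Role hierarchy (parent, grandparent, ...)."""
        r = self.parent
        while r is not None:
            yield r
            r = r.parent


@dataclass(eq=False)
class Domain:
    name: str
    roles: set = field(default_factory=set)    # Roles assigned at Domain level
    users: dict = field(default_factory=dict)  # user_id -> User
    locked: bool = False                       # True only for the reserved System Domain


@dataclass(eq=False)
class User:
    user_id: str
    domain: Domain
    roles: set = field(default_factory=set)    # Roles assigned directly to this User
    current_role: Optional[Role] = None        # the single Role selected for the session


def create_user(domain: Domain, user_id: str) -> User:
    """Create a User, enforcing per-Domain uniqueness and the System Domain lock."""
    if domain.locked:
        raise PermissionError(f"Domain {domain.name} is locked; Users cannot be added")
    if user_id in domain.users:
        raise ValueError(f"User ID {user_id!r} already exists in Domain {domain.name}")
    user = User(user_id, domain)
    domain.users[user_id] = user
    return user


def role_assignments(user: User) -> dict:
    """Map each effective Role name to how it was assigned: direct, inherited or both."""
    result = {role.name: "direct" for role in user.roles}
    for role in user.domain.roles:              # Domain-level Roles reach every member
        result[role.name] = "both" if role.name in result else "inherited"
    return result


def is_admin(role: Role) -> bool:
    """portalAdministration and every sub-role beneath it carry full privileges."""
    return role.name == "portalAdministration" or any(
        a.name == "portalAdministration" for a in role.ancestors())


def login(user: User, role: Role) -> set:
    """Select a Role for the session and return the content the User will see.

    Only the Role's own content is returned: a sub-role does not implicitly
    carry its parent's content, and holding a sub-role does not permit
    logging in as the parent Role.
    """
    if role.name not in role_assignments(user):
        raise PermissionError(f"{user.user_id} is not assigned Role {role.name}")
    user.current_role = role                    # one Role at a time
    return set(role.content)


def switch_role(user: User, role: Role) -> set:
    """The Role chooser: log out of the current Role and back in under the new one."""
    user.current_role = None
    return login(user, role)


def demo() -> dict:
    """Constructed scenario: a NOC Role with Managers and Operators sub-roles."""
    noc = Role("NOC", content={"Overview"})
    managers = Role("Managers", parent=noc, content={"Escalations"})
    operators = Role("Operators", parent=noc, content={"Alarms"})
    helpdesk = Role("Helpdesk Admins", parent=Role("portalAdministration"))

    acme = Domain("ACME")
    bob = create_user(acme, "bob")
    bob.roles.add(managers)                     # direct assignment
    acme.roles.add(operators)                   # Domain assignment: current Users inherit it
    alice = create_user(acme, "alice")          # ... and future Users inherit it too
    create_user(Domain("Globex"), "bob")        # same ID in a different Domain is allowed

    return {
        "bob_assignments": role_assignments(bob),
        "alice_assignments": role_assignments(alice),
        "bob_sees_as_manager": login(bob, managers),
        "bob_sees_after_switch": switch_role(bob, operators),
        "helpdesk_is_admin": is_admin(helpdesk),
    }
```

Running `demo()` shows Bob's Managers Role reported as direct and Operators as inherited, while Alice, created after the Domain assignment, holds Operators only; logging Bob in as Managers yields only that Role's Folders, not the parent NOC Role's Overview, and an attempt to `login()` as NOC raises, mirroring the rule that a sub-role holder cannot log in as the parent.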
A tutorial walk-through of the basic enPortal provisioning screens is available at Provisioning Quick Start.
The sections above detail how to use enPortal’s provisioning tools to manage Domains, Users, and Roles inside of enPortal. Some organizations already have an LDAP server in place to manage Users and Roles. In this case, enPortal can map to the existing LDAP configuration and rely on LDAP for externally managing this information. For instructions on configuring LDAP with enPortal, see enPortal LDAP Configuration.
enPortal provides a simple REST web service to facilitate the provisioning of existing content to existing Roles. Three basic operations are supported:
To assign multiple content paths to a Role, or to remove them, the service must be called once per content path.
The general form of the Web Service URL is: