Users
Each user account is assigned to one or more teams. Membership in a team determines the individual functions to which the user has access. In the menu Users → Users you will find a list of all user accounts created in the system.
The following information is displayed for each account:
User name
Name: The content of this field is composed of the separate fields “First name” and “Name”.
The most important address data of a user
Member of the following teams: All of the teams that the user belongs to.
Logins: The number of logins for a user since their creation.
Last login: Date of the last login.
Failed attempts to login: Number of consecutive failed login attempts.
Login expiry date: With limited time accounts, the date when the login expires will be displayed. The account can be used up until the day before expiration.
Suspended until: After a defined number of consecutive failed login attempts, the user account is automatically blocked for a likewise defined period.
Can login? If a login has expired or has been deactivated by “brute force” protection, a red lamp is displayed.
If information is missing, open the dialog for changing the display by clicking on View and activate the desired column.
You have the following editing options:
By clicking on the user name, you can open the detail view of a user and for example view information on team affiliation and available rights (the information detail page lists ACL rights as well as rights to layouts).
By clicking on the login expiry date, you open a dialog in which you can change the login expiry date. Members of the system administrator team can furthermore change the password expiry date or deactivate the login, i.e. block a user from accessing EFS. If blocked users try to log in, they will be asked to contact the person responsible for the EFS installation.
Clicking on the Send password icon opens the dialog for sending an e-mail containing a link for setting a new password.
You can delete user accounts that have not yet expired and are not the owner of a team.
Creating user account
To create a new account, click on the Create user account button. Specify the language in which the admin area is to be shown for the new user. Enter the initial password for the new user twice. On their first login, new users are automatically requested to change their password.
Select the team to which the new user should be added. The team affiliation defines the rights of the users.
Select the user’s primary team. Among other things, the primary team is always automatically granted read and write rights for projects created by this user.
The “Organization” field indicates to which accounting organization the new user belongs.
If the wrong organization is indicated, please contact the person responsible for the installation.
If you hold the right “orgadmin”, you can alter the accounting organization yourself.
Choose the expiry date of the account.
You can optionally select the time zone to be displayed in the “Local date” field of the left-hand menu.
You may store additional information in the section “Additional data”.
Define the next editing steps:
You can have the password displayed on the next page, e.g. in order to copy it to a notification mail.
If you wish to add more accounts afterwards, tick the corresponding checkbox: Only then will a blank “Create user account” form be opened directly.
Confirm by clicking on Create user account.
The account will be created.
The Generate password function will help you to generate a good password: When you click on the Generate a password link, a randomly generated password is issued in a pop-up window. If you click on this, it will automatically be transferred to the entry fields.
Account names and e-mail addresses of users must be unambiguous. In the case that an account name or an e-mail address is already being used by another user, a corresponding error message will be displayed.
Importing user accounts
If you wish to create a larger number of user accounts, you can use the import function. This function is located in the Users → User import menu.
In order to use this function, you need write rights to cr_teamaccount.
Please proceed as follows to perform the import:
Create a table in CSV format containing the staff data. For example, you can create such a table in MS Excel and then save it in CSV format. The file must have the following structure.
Column | Content |
---|---|
Column 1 | Account name |
Column 2 | First name (optional) |
Column 3 | Last name (optional) |
Column 4 | E-mail address |
Column 5 | Password (optional) |
Column 6 | The date on which the account is to expire (optional, format: DD.MM.YYYY) |
Column 7 | The ID of the primary team for the account |
The first row of the CSV file may optionally contain the column headings. How to upload the file:
Select the correct file.
If required, select the appropriate character set.
If the first row of the CSV file contains the column headings, the corresponding checkbox must be ticked.
The following properties are defined en bloc for all new accounts:
Field | Meaning |
---|---|
Additional teams for all user accounts to import | All teams that exist on the installation are available for selection. |
Country | Default preallocation: Germany. |
Time zone | Default preallocation: Universal Time (UTC/GMT). |
Language | The language used in the admin area. |
Organization | Accounting organization |
Confirm by clicking on Import.
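The file structure above can be checked before upload. The following is an added example, not part of the EFS documentation or product: it validates the seven-column layout, the DD.MM.YYYY expiry date, and the uniqueness of account names and e-mail addresses within the file. The comma delimiter, the short field names and the case-insensitive comparison are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime

# Column order taken from the table above; the short names are this example's own.
COLUMNS = ["account", "first_name", "last_name", "email",
           "password", "expiry", "primary_team_id"]
REQUIRED = ("account", "email", "primary_team_id")

# Constructed sample file with a heading row (not real account data).
SAMPLE = """\
Account,First name,Last name,E-mail,Password,Expiry,Primary team
jdoe,Jane,Doe,jane.doe@example.org,,31.12.2030,12
asmith,,,a.smith@example.org,,2030-12-31,12
JDoe,John,Doe,john.doe@example.org,,,12
bkent,Bo,Kent,jane.doe@example.org,,01.01.2020,
mlee,Mia,Lee,mia.lee@example.org,,31.12.2030
"""


def validate_import(text, has_header=False, delimiter=",", today=None):
    """Return (row_number, message) pairs for every problem found in the CSV text."""
    today = today or date.today()
    problems = []
    seen = {"account": {}, "email": {}}   # lower-cased value -> first row using it
    for number, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter), 1):
        if (has_header and number == 1) or not any(c.strip() for c in row):
            continue                      # heading row or blank line
        if len(row) != len(COLUMNS):
            problems.append((number, f"expected 7 columns, found {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, (c.strip() for c in row)))
        for field in REQUIRED:
            if not rec[field]:
                problems.append((number, f"{field} is empty"))
        local, at, domain = rec["email"].partition("@")
        if rec["email"] and not (local and at and "." in domain):
            problems.append((number, "e-mail address is malformed"))
        # Account names and e-mail addresses must be unique; comparing them
        # case-insensitively is an assumption of this example.
        for field in ("account", "email"):
            key = rec[field].lower()
            if key and key in seen[field]:
                problems.append((number, f"{field} duplicates row {seen[field][key]}"))
            elif key:
                seen[field][key] = number
        if rec["expiry"]:
            try:
                expiry = datetime.strptime(rec["expiry"], "%d.%m.%Y").date()
            except ValueError:
                problems.append((number, "expiry date is not DD.MM.YYYY"))
            else:
                # An account is usable only up to the day before it expires.
                if expiry <= today:
                    problems.append((number, "expiry date is not in the future"))
    return problems


if __name__ == "__main__":
    for number, message in validate_import(SAMPLE, has_header=True):
        print(f"row {number}: {message}")
```

The check only sees duplicates inside the file; a name or address already used by an existing account is still reported by the import itself.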
Specifying temporal limitations for user accounts
In principle, user accounts always have an expiry date, and they are automatically deactivated after expiring. This measure aims primarily at improving security in the admin area: it reduces the risk of a disused user account being hacked and used unnoticed. At the same time this standardization makes the administration of large user teams and collective installations easier: Setting the expiry dates carefully when creating accounts saves you from having to “tidy up” old accounts manually later.
Accounts without a time limit can only be created by administrators with a root account. Normally only our support and customers with their own server have root accounts.
For owners of a root account, an additional checkbox entitled “Set time limit for user account” is displayed in the form above (Figure 17.4), which must be deactivated to cancel the time limit.
By clicking on the login expiry date in the user list, you open a dialog in which you can change the login expiry date.
If you also want inactive admin accounts to expire after a given period of inactivity, please contact support to set up appropriate policies. Expired accounts can no longer log into EFS. To re-enable an expired account, an admin account with sufficient user administration rights is required.
Changing user account data
With the necessary rights, you can view the account data of other users, correct their data if required, and send them a link for resetting the password.
Via the user list, owners of root accounts can access the account data by just clicking on the desired user. Via Change user data, you can access the edit dialog. Via Send password, you can access the dialog for resetting the password.
With read rights for the ACL right org_groupadmin, you can open your teams and access the account data of the team members. With read rights, you can change the account data or send a link for resetting the password.
Sending a link for resetting the password by e-mail
With the necessary access rights, you can send your users links for resetting their passwords.
If you have a root account, search for the desired user in the user list. Then, open the dispatch dialog via the Send password icon.
If you have read rights for org_groupadmin, open the desired team, click on the appropriate team member and choose the Send password button.
The text of the mail is predefined. In the dispatch dialog, only the basic contact data are displayed.
Checking user accounts for brute force suspension
The admin area has protection against brute force attacks, i.e. hacking of an account using automated, rapidly consecutive entries of possible passwords. There is only a limited number of incorrect entries possible; exceeding this value will deactivate the staff account for a predetermined period. The person logging in will then see an error message, in which the remaining waiting period will be displayed.
By default, the account is suspended after six incorrect entries, and the waiting period is 30 minutes. A suspended account can be reactivated by the system administrator (root team) or by a user with write rights to groupadmin.
If you have leased your own installation and you would like to have the values changed, please contact support.
Checking suspended accounts
If a user reports that his or her account was suspended, or if you suspect that a brute force attack has occurred, you can check this in the overview of the Users menu:
The failed login attempts and the remaining time on suspended accounts are listed in the columns “Failed attempts to login” and “Suspended until”.
The number of logins and the date of the last successful login are also displayed.
Further details on individual login processes, such as the exact time and the IP address, can be found in the login log, provided you hold the relevant rights.
Reactivating suspended accounts
A suspended account can be reactivated prematurely by the system administrator (root team) or by a user with write rights to “groupadmin”. Clicking on the end date of the suspension period, which is marked in red, lifts the suspension.
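To make the suspension rule concrete when reviewing a login log, the following added example (not EFS code) replays login events against the default values stated above, six consecutive failures and a 30-minute suspension, and reports which accounts are suspended and from which addresses the failures came. The log line layout is constructed for the example, and the handling of attempts made during a suspension is an assumption.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 6                     # page default: six incorrect entries
SUSPENSION = timedelta(minutes=30)   # page default waiting period

# Constructed login-log lines. The layout "time account ip result" is an
# assumption of this example, not the format of the EFS login log.
SAMPLE_LOG = """\
2024-05-02T08:58:00 asmith 192.0.2.10 fail
2024-05-02T08:58:20 asmith 192.0.2.10 ok
2024-05-02T09:00:05 jdoe 198.51.100.7 fail
2024-05-02T09:00:10 jdoe 198.51.100.7 fail
2024-05-02T09:00:15 jdoe 198.51.100.7 fail
2024-05-02T09:00:20 jdoe 203.0.113.9 fail
2024-05-02T09:00:25 jdoe 203.0.113.9 fail
2024-05-02T09:00:30 jdoe 203.0.113.9 fail
2024-05-02T09:05:00 jdoe 192.0.2.44 ok
2024-05-02T09:10:00 bkent 192.0.2.31 fail
2024-05-02T09:10:30 bkent 192.0.2.31 fail
"""


def replay(log_text):
    """Replay login events and return each account's resulting state."""
    accounts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, name, ip, result = line.split()
        now = datetime.fromisoformat(stamp)
        acct = accounts.setdefault(
            name, {"failed": 0, "suspended_until": None, "ips": set(), "rejected": 0})
        until = acct["suspended_until"]
        if until and now < until:
            acct["rejected"] += 1        # assumption: refused and not counted as a failure
            continue
        if until or result == "ok":      # suspension ran out, or a successful login
            acct.update(failed=0, suspended_until=None, ips=set())
        if result == "ok":
            continue
        acct["failed"] += 1              # consecutive failures since the last success
        acct["ips"].add(ip)
        if acct["failed"] >= MAX_FAILURES:
            acct["suspended_until"] = now + SUSPENSION
    return accounts


def suspended_at(accounts, now):
    """Accounts still suspended at `now`, with the source addresses of the failures."""
    return {name: (a["suspended_until"], sorted(a["ips"]))
            for name, a in accounts.items()
            if a["suspended_until"] and now < a["suspended_until"]}
```

In the sample, the login at 09:05 with a valid password is refused because the account is still suspended, which is the situation a user typically reports.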
Delegating the administration of user accounts
You can delegate the administration of the user accounts of a specific organization. This is the purpose of the ACL right org_groupadmin: If you assign this right, instead of the more general right groupadmin, to a user team, its members can access all user accounts of their own organization.
With read rights, they can view the account data of the users of their own organization.
With write rights, they can manage the users of their own organization (e.g. extend accounts, edit account data, or delete accounts).
Teams
Within a team there are normal members (member), administrators (admin) and owners (owner). These statuses determine the operations a team member may perform within their team. Team statuses have no effect on rights within user administration or on object or function rights in EFS Survey. In general, you can simply ignore the statuses within teams. Exception: If you wish to delete the account of someone who is a team owner, you must first transfer leadership to another team member before you can delete the account.
Statuses
Status | Description |
---|---|
Owner | To receive the highest-ranking status of “owner”, you must either create your own team, or another “owner” must assign a team to you. As an “owner” you can: |
Admin | With the status “admin”, you can execute all “owner” functions, except the deletion of the team. |
Member | Anyone with the “member” status can leave the team at any time. They can also view the list of members and the list of team resources. |
Creating teams
With the groupadmin ACL right, you can create and configure new teams.
Switch to the Users → Teams menu.
Click on the Create team button.
The following details are required:
Team name: This is used in surveys in the standard URL. If you create a team entitled “Test account for student interns”, projects for members of this team will be created under the URL http://www.mydomain.com/sc/Test_account_for_student_interns/something/. As umlauts and blank spaces are not permitted in URLs, EFS automatically replaces impermissible characters upon team creation.
Team title: Internal name.
Description: Serves internal purposes as well.
When creating a new team, you can define the owner. You have a choice of yourself as the creating administrator and the team “Administrator”.
Assign access rights to the desired areas of EFS to the new team. It will then receive write rights to the corresponding area rights.
In the drop-down list “Rights template”, you can select a user-defined rights template. By default no rights template has been selected.
A list of the teams you have created is displayed under the caption “Which teams shall receive free access to the new team?”. If you grant an existing team access to the new team, the existing team will see the new team in user administration.
Click on the Create team button to confirm the operation.
You have now created a new team that does not yet have any members or ACL rights (except those for areas defined in step 4), unless you did not expressly choose any in step 5. Your next steps are to:
Create accounts and assign them to this team as a primary group.
Configure the ACL rights of the team.
Change the owner of the team, in case one of the newly created users should be the owner of the team.
Editing teams
You can edit all teams in which you have owner status. Choose Users → Teams and click on a team name in the list. The edit form is divided into three sections:
Section | Functionality |
---|---|
Team details | General meta information on the team, such as creation date, total number of members and owners. Special function: Notify team via e-mail. Depending on the status within the team, either all or some functions will be displayed: |
List of members | Who is currently a member of the team? |
Rights of the team (whole system) | What are the rights of this team in EFS? (ACL rights) |
Adding members
Click on the Add members button in the detail view of your selected team. A list of users in the system appears from which you can select new members. If you wish to add a certain user to your team, you can easily locate them using the “Search” function above the list of members.
Once located, select the user by ticking the checkbox in the “Add” column. Now just click on the Add member button to add the user to your team.
Members added are initially assigned the status “Member”.
Viewing the staff list and editing memberships
The list of the members contains all members of the team. The list has its own search function which searches the fields “Account name”, “E-mail”, “Name” and “Rights”. Furthermore, you have the option to extend the view to include other available information. You can do this by clicking on View and making your choice from the available database fields.
The drop-down list provides you with the following editing options:
Set right of member: Changes the status to “Member rights”.
Set right of admin: Changes the status to “Administrator rights”.
Delete from team: The member will be deleted from the team.
Export user data: An Excel file will be generated, which includes the data of the selected members.
Write e-mail: The standard mail form opens, and you can write to the selected team members.
Deleting teams
To delete a team you must have owner rights (Users → List of teams → {Selected team} → Delete team). This deletes all team members from the team. The team cannot be restored.
Deleting a team does not necessarily delete the pertinent account. An account is only deleted if the user is no longer a member of any other team after the team has been deleted.
Changing team info
To change the title, name and description of the selected team, navigate to Users → Teams → {Selected team} → Change team info. This function is useful if you have selected a team name which leads to unattractive URLs.
Transferring leadership
To change leadership for a team, navigate to Users → Teams → {Selected team} → Change ownership. To do so, you must have the owner status in the team. You are thus transferring the leadership to another team member. It is irrelevant whether this person is an admin or a simple member in your team. As an owner may not leave their team, you must transfer leadership if you wish to leave your own team.
Leaving teams
The Leave team function removes you from the list of members for the selected team. You may not leave the team if you are the team owner. You must first Change owner.
Viewing and changing the ACL rights of a team
In the “Rights of the team (whole system)” section you can see the ACL rights for the selected team, i.e. which functions it can access.
With the right “groupadmin”, you can edit the rights configuration. To open the corresponding dialog, click on the Change rights of this team button.
You can also subsequently assign a rights template to the selected team. To open the corresponding dialog, click on the Assign rights template button. In order to be able to use this function, you must belong to an admin team or hold admin rights in the selected team. In addition, you need an access right for the desired rights template.
Granting other teams read rights to a specific team
As the owner of a user team you can grant read rights to your team to other selected admin teams. The members of authorized teams can then see the team in question in the Teams menu, select it and view the available information.
If you are the owner of a staff team, you can find a Change rights icon in the “Action” column of the Users → Teams menu. Click on it.
A dialog opens in which you activate the checkbox in the column “Grant access rights”, which enables you to grant read rights to your team to one or several other teams. You have a choice of all the teams available on the installation, not only those to which you belong.
After that, confirm by clicking on Save.
Exchange teams
In order to create a new exchange team you need the right exchange_teams as well as sufficient edit rights for the teams to be selected. Click on the Create exchange team button in the Exchange teams menu.
Enter the name into the “Team name” field. You can use the characters a-z, 0-9, _ and -.
In the select box labeled “Members with upload rights” you can specify one or more teams whose members are to have read and write rights for their own files only. You do not need to specify teams when creating the exchange team: You can always assign user teams to an exchange team at a later stage. The steps required are explained in the following chapter.
In the select box labeled “Members with change rights” you can specify one or more teams whose members will be allowed to change the files of all team members.
Confirm your entries by clicking on Create team.
Admin Teams
EFS can be configured to have special admin teams (“pools”) for complex university setups, allowing admin users to create ad-hoc teams and invite other admin users to their team for collaboration. If you would like to use this feature, please contact support.
Assigning teams and rights administration
In EFS, users are assigned rights according to their team affiliation. This means that instead of assigning individual users to an exchange team you assign access rights for the files of an exchange team to one or more user teams. You may choose from different rights configurations:
Upload right: Equivalent to the right “read” to the exchange team. The members of a team with upload rights may upload and download files. They may, however, change or delete only their own files.
Change right: Equivalent to the right “write” to the exchange team. The members of a team with change rights can upload and download files and may change or delete all files of their exchange team.
If you assign the rights “read” and “write” to a user team, the members of this team will have all rights to the exchange team and all upload and change rights. However, they will be ignored for the function “Send info mail to team”. This configuration is useful, for example, for teams of project managers who are not involved in the daily operations.
In order to subsequently assign one or more user teams to an exchange team or to change the initial settings, proceed as follows:
Locate the exchange team in the overview and click on the Rights icon.
This opens the dialog for rights administration familiar from other EFS menus. Assign read and/or write rights for the respective exchange team to the desired user teams as required.
Confirm your selection by clicking on Change rights.
Viewing the History
All important changes and actions executed using EFS Secure Exchange functions are logged. This allows you to subsequently check whether an action has been carried out and which user is responsible for this action. It is possible, for example, to reconstruct which users downloaded a particular file. In order to view the list of changes, switch to the Users → Exchange teams → History menu.
For every change that has occurred the following information is listed:
Column heading | Meaning |
---|---|
Date of change | Date and time of change |
Affected team | The team affected by the change. |
Changes | Short description of the change carried out. |
Changed by | Name of the staff member who carried out the change. |
By clicking on the View button you can, as usual, display a section that allows you to specify whether the various table columns are to be shown or hidden. After you have confirmed by clicking on Submit the table will be expanded accordingly. The column headings are clickable links: By clicking on a column heading you can re-sort the table according to the contents of the respective column. You can search the history using the usual simple and extended search functions.
Simple search: The fields “Changes” and “Changed by” are searched for the term you entered.
Extended search: In addition to the keyword search in the fields “Changes” and “Changed by” you can also specify a certain change period or limit the display to the changes of a particular team. By clicking on the Reset button you can undo these restrictions.
© 2024 Tivian XI GmbH