Users (USER)

{"URL":["/*.*/awa/pa_view_USER"],"heroDescriptionIdentifier":"ice_intro_to_users","customCards":[{"id":"ice_defining_user_objects","title":"Defining User Objects","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users.htm","languages":["en-us"]},{"id":"ice_user_group_define","title":"Assigning Users to User Groups","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_user_groups.htm","languages":["en-us"]},{"id":"ice_duplicate_users","title":"Duplicating Users","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_rename_users","title":"Renaming Users","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_move_users","title":"Moving Users","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_activate_deactivate_users","title":"Activating or Deactivating Users","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_ldap_activate_deactivate","title":"Activating or Deactivating the LDAP Connection","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_delete_users","title":"Deleting Users","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users_WorkingWith.htm","languages":["en-us"]},{"id":"ice_SessionLog","title":"The User Session Log","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/obj_user_usersession.htm","languages":["en-us"]},{"id":"ice_users_related_information","title":"Related Information","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/AdministrationPerspective/AG_users.htm","languages":["en-us"]},{"id":"ice_administration_perspective","title":"The Administration Perspective","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/AWA/Admin/AdministrationPerspective.htm","languages":["en-us"]},{"id":"ice_Overview_AWI","title":"The User Interface","type":"customize","url":"https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/*.*/Automic%20Automation%20Guides/Content/_Common/GettingStarted/GS_OverviewAWI.htm","languages":["en-us"]}]}

A User object contains the configuration (the necessary personal data, password, rights, and so on) that an Automic Automation user needs to accomplish their tasks. As an administrator, you define User objects and assign them to the Client(s) to which they should have access.

The list of Users in Client 0 is slightly different to the lists in Clients 0001 to 9999 (the production Clients). In Client 0, this list contains all the Users defined in all the Clients in the system. The list of Users in a production Clients contains the Users in that Client only. You define Users in Client 0 and then move them to their respective Client(s). Moving Users is only possible from Client 0; the production Clients do not provide this function.

Users in Client 0

A fresh Automic Automation installation contains a default User in Client 0 that has all the rights and privileges on the system. Its credentials are as follows:

Name: UC
Department: UC
Password: UC

You log in to the system for the first time using these credentials.

Important!

Do not delete or rename this User. Without this User, you cannot administrate or operate the system.
Change the password for this User immediately after the installation.

Then, you can start creating more Users, moving them to other Clients and defining their authorizations and privileges. For more information, see User Management: Defining and Managing the Authorization System.

Administrator Users in Client 0 can add, edit, disable, rename, delete and duplicate the Users defined in any Client in the system. You can select just one User or you can select multiple Users and perform these actions in bulk.

Users in Clients 0001 to 9999

You can define administrator Users in the production Clients by assigning them the necessary privileges and authorizations (add, modify, delete, rename, duplicate, disable Users, and so forth).

Tip: You may need to work with many objects, lists and monitors simultaneously. To make your work easier, you can open them in different browser windows and arrange them side by side on your screen. For more information about this and other useful functions, see Opening and Arranging Multiple Views.

User Names

The name of a User object consists of the name and the department separated by a slash. The combination of name and department cannot exceed 200 characters.

Object Definition

Object class: System object
Object type/Short name: USER

This page includes the following:

Defining User Objects

The steps for defining User objects are the same as for any other object. A User definition is made up of the following pages:

Standard pages that are always available, no matter what type of object you are defining:

User-specific pages:

User page (described here)
User Groups page, see Assigning Users to User Groups when Defining User Groups
Automation Engine page
- Granting Automation Engine Authorizations
- Granting Automation Engine Privileges

Carry out the following steps to define the User settings in the User object.

Defining Users: General Settings

In this section, you can define the following:

When you create a new User object, you specify its name and department on the Create User dialog. The User name/department combination is displayed in the Name filed, which is read only. You cannot change the User name here, for this purpose, you use the Rename function. For more information, see Renaming Objects and Folders.
By default, a newly created User is always active (the User is active checkbox is checked). If you uncheck this option, the User is set to inactive and is not allowed to log in.

When Users enter a wrong password multiple times, they will be locked and cannot log in anymore. You as an administrator configure the maximum number of invalid login attempts in the PWD_ATTEMPTS_MAX variable (see PASSWORD Parameters).

Important! If you deactivate a User under whose name there are still running tasks, those tasks will continue running.
The administrator or the LDAP Sync tool can activate the User is locked option to disable the User. This option is useful in the context of LDAP connections where the user in Automation Engine is synced regarding the state with the LDAP server.
Select LDAP Connection and Synchronize if your organization is using LDAP. This will synchronize the data with the LDAP server and the User data fields will be populated with the information contained in the directory service. This means that the User login will be authenticated by a directory service, such as the Microsoft Active Directory, rather than by the Automic Automation system.

If you activate this option, most of the fields on the page are disabled because data is retrieved from the directory service. The only fields that you can still specify here are the User Status options and Email 2.

You specify the LDAP connection parameters in the UC_LDAP_EXAMPLE variable (see UC_LDAP_EXAMPLE - LDAP Connection Variable).

Note: You can also activate the LDAP connection directly from the User list. Select one or more Users, right-click and select Activate LDAP Connection from the context menu. If you do so in Client 0, you can activate it for User from different Clients in a go.
The Distinguished Name (DN) field is only enabled if you have activated the LDAP connection. If you enter a value here, the distinguished name specified in the UC_LDAP_EXAMPLE variable will be ignored.
Optionally, enter the User's First/Last Names; they are displayed in various areas of the user interface.
Optionally, enter the E-Mail 1/E-Mail 2 addresses. If you have configure an SNMP connection, the User will receive alerts and notification in these email addresses. Automic Automation uses Email 1 as the primary address and will send alerts and notifications there. If you enter an address in Email 2, it will be used as a cc address.

You can enter up to 50 characters in the Email fields.

Defining Users: Password Policy

When you create a new User, its default password is pass. You must change it immediately after creating it or the user must change it when they first log in to the system.

As an administrator, you define the password policy to be adhered to in the PASSWORD variables (see PASSWORD Parameters). In this variable you define the required password structure, the intervals in which passwords must be changed, the number of failed login attempts that is allowed, the default password for new Users and so forth.

Activate Change Password to assign the User a new password. This activates the password input fields.
Enter the new password twice, once in Password and then again in Confirm password.
Alternatively, activate User must change password at next login. The User will have to login first using the assigned password and change it after that.
Activate Password never expires if your company's policy does not require regular password changes.

Tip: Avoid special national language characters (umlauts (ä), accents (è), special letters (ß), etc.) if Users are in various international locations. Not all keyboards in all countries support such characters.

Defining Users: Tokens

Automic Automation supports the following authentication methods, Basic Authentication and User Tokens. Depending on your User privileges, you can generate and manage tokens from two different AWI areas:

Users with access to their User object definition who have the Token access and token creation privilege.

You generate and manage your tokens in the Tokens section on the User page in the Administration perspective.
All Users, regardless of their User object definition

You generate and manage your tokens in the Tokens tab on the Settings dialog. For more information see Generating and Managing User Tokens.

User tokens have an expiration date. When a token expires, all requests result in an "Access denied" error message. This is why it is recommended that you create various tokens whose expiration dates overlap so that you can authenticate successfully at any time.

Important!

For security reasons, only Automic Automation users can create their own tokens. Administrators CANNOT create the tokens for them. This restriction guarantees that knowledge about the tokens is safeguarded and limited to the User that will use them.

A token is always tied to a User object. However, bad practices when storing and/or using them can lead to accidentally exposing them publicly. It is recommended that you enforce a strong security policy to avoid these situations. These recommendations can help you with it:

Protect the token by separating your REST client from the location where you store the token,
Delete tokens that are no longer needed.
Rotate the tokens periodically and define expiration times that are no longer than necessary and that they comply with your company's security policy.

To Add a Token

Click Add Token.
On the Add Token dialog, enter the Token Name that is unique within your User definition. Specify a name that helps you remember the purpose of the key later on.
Specify an Expiration Date. You will not be ale to authenticate using this key once this date has passed.
Click Add.
The Token dialog is displayed. The Automation Engine automatically generates the token (an alphanumeric string) and displays it here.

Important! This is the only time in which you will be able to see the token. Once you close this dialog, you will not have access to it any more. Copy it now and save it elsewhere in case you need it later on.
Click Copy to Clipboard.
Paste the key in your REST client application or save it for later use.
Go back to AWI and click Close to return to the User page. The name of the token and its expiration date are added to the list, however, the key itself (the string) is not; the string is obfuscated and saved to the database.

To Remove Tokens

Select one or more tokens and click Remove. Once they are removed, your requests can no longer authenticate using them and will result in an "Access denied" error message.

To Export the Tokens

Click the Export Table button. The resulting CSV file contains the data from the Token Name and Expiration Date columns

For more information, see AE REST API Authentication.

Defining Users: Advanced Settings

In this section you can define the following:

Time Zone that will be applied to this User. If you leave this option empty, the Client's predefined Time Zone is used.
Default Login, which is the Login object that will be assigned to the objects used by this User object. The Login objects contains the credentials that the Agent needs to access the target system. For more information, see Login (LOGIN).

Defining Users: Session Settings

In this section you can restrict the login possibilities for this User.

Select Login Restrictions to limit the times and days that this User can log in to the system:
- From / To
  
  Specify the period of time in hours and minutes within which the User can log in to the system. Outside this time, any login attempt will be denied.
- If Calendar Conditions Are Met
  
  Select the Calendar and Calendar Event that contain the dates on which the User will be able to log in to the system. Login attempts outside these dates will be denied.
Max. Parallel Sessions

Select the maximum number of parallel logins you will allow for this User. 0 enables unlimited parallel access.

Min. Activity Refresh

Select the minimum time interval (in seconds) for refreshing the following views in the Process Monitoring perspective:

The list of Tasks
The Schedule Monitor
The Workflow Monitor

Process Monitoring users can customize these intervals on the User and session Settings dialog. However, the value that you enter here determines the value that users will see as default in the User and session Settings dialog. This table explains how:

Your parameter in "Min. activity refresh"	Affects the "Default" value on the Settings dialog, which is ...	And the "User Defined" value on the Settings dialog, which is ...
Lower than 90 seconds	90 seconds	Taken over from Min. activity refresh
90 seconds	90 seconds	90 seconds
Greater than 90 seconds	Taken over from Min. activity refresh	Taken over from Min. activity refresh

For more information, see Refresh Interval.

Notes:

By default, this value is 90 seconds, the minimum value is 10 seconds.
If the User clicks the Refresh button between the defined intervals, the system will ignore the new refresh request and finish processing the previous one. This prevents the system from getting jammed up with multiple refresh requests in rapid succession.

Next Steps

Switch to the User Group page, where you can assign the current User to one or more User groups. This will determine the User's rights to objects and privileges.

For more information, see: