Adding a new user

Introduction

The document describes the mechanism of creating new users in the system and explains the options and functions of authentication mechanisms. Each user in the system must have an account. We log in to the system using the login identifier (login). The remaining data in the user definition allow you to define access mechanisms and places to which the user has access. In this document, we explain the authorization mechanism, the different types of users, and the functions that allow you to determine the level of access for each of them.

The list of system users is available in the system configuration section. The list of users can be filtered according to the available search criteria and exported to an XLS format.

The system has two places where you can view the list of users. One is the configuration section, which provides items related to permissions and user passwords. In addition, employee views are available in the main part of the interface. They present the same accounts, but in the form needed in daily work, i.e., attendance and employee competencies.

Types of users

In the system, each user must have an account to be able to log in. Each account is identified by a login, an identifier that unambiguously indicates which user is attempting to log in. A separate step required for proper authorization in the system is user authentication, i.e., confirming that the person logging in is actually that person.

In the system, we distinguish two types of users according to their authorization method: "Local Users" and "Corporate Users". Typically, enterprises have a global authorization system, i.e., a given user's password is defined in one place, and all systems in the enterprise then use the appropriate authorization channels. The AMAGE system can also authenticate users in this way. These users must be specified as Enterprise users, which means their local user flag is disabled. In this case, when the user's login is provided, the AMAGE system uses external authorization systems (e.g., Azure Active Directory or other LDAP servers) to authenticate the user.

A local user is a user who authenticates himself using a password/PIN that is defined locally in the database (properly secured). Such a user, after entering his login, will be asked to provide the above mentioned secret and will be authenticated on this basis.

The configuration of the enterprise login mechanism is defined during deployment. AMAGE implementers together with the client’s IT department configure the login system.

The AMAGE system allows you to have local and corporate users in the same instance at the same time. That allows centrally authorized users from a particular company to be added to the system alongside additional local accounts, such as subcontractors or users of other companies, so that they can work on the data in the system.

That is the main distinction between user types and should be kept in mind when defining a new user in the system. It depends on the method of authorization. The system allows you to change the user type during system operation, i.e., create a local user and then change his type to a corporate one. Only the authentication method changes.

Basic data

When adding a new user, we specify the basic data. The main ones are login/password/PIN and general information about the assignment to a department in the organization.

As stated earlier, corporate users should also have a defined password so that the user type can be changed at any stage. User PIN is used in embedded devices (offline) for quick user login.

Access flags

The second section defines system access flags. Here we define general flags that allow you to specify what areas of the system the user has access to. That allows you to roughly limit the user’s access to the system only to places/sections to which he should have access. Further detailed permissions are defined using profiles (explained later).

The flags that can be set in the system allow you to specify the following characteristics.

Global - global flags

  • Active - only an active user can log into the system. By disabling this flag, we automatically block the user’s access. That does not mean removing the user from the system, but blocking login.

  • Super-administrator - a flag indicating the user with the highest privileges. Such a flag is explained at the end of the document in more detail.

  • Must change password - local user will be prompted to set a new password the next time they log in. That allows you to force users to change their password manually (bypassing the global security policy) or to set a password for the first login and force the user to set his own password at the first login.

  • Local user - a flag enabling a local user in the system. If disabled, the user is treated as corporate.

The local user flag is valid only in AMAGE instances that have configured logging in with the above mentioned two types of user. In systems that do not have it, the flag has no meaning and the local password is always used for authentication.

WWW - AMAGE Web system access. Defines access to the system accessible through the browser (i.e., the one to which the current document applies).

  • Desktop - access to the desktop section of the system - the main interface of the system available on devices such as laptops and desktop computers.

  • Mobile - access to the mobile section of the system - access to a simplified interface dedicated mainly to mobile devices. The interface is also displayed on laptop devices, but contains less information than a desktop system.

  • Administration - access to the system configuration section. The user configuration described in this document is located in this part of the system.

You can also use these flags to specify general access to the system. That is important because the Desktop version of the system allows access to all system data (if the user has access to it). In the mobile section, you can (after configuration) specify access to selected system resources on a per-record basis. For example, the list of work orders in the desktop system, if the user has access to it, is always shown in its entirety. In the mobile version, only those orders to which the user is assigned are shown. Using such a configuration, you can grant access to, for example, subcontractors to carry out activities in the system without giving access to all other data.

Fx application (offline) - an application dedicated to working offline on rugged devices. The application allows you to perform activities without access to the network (but also with access).

  • User - a regular user of the mobile application

  • Administrator - a user who has access to some configuration sections of the mobile application (definition of readers, interface, tools, etc.) performed locally on a given device

We use a Login + PIN pair to log in to this part of the system. That is because these devices are mostly designed for harsh environments and logging in with a full password (full keypad) may be difficult, hence the use of logging in with a 4-digit user PIN.

Desktop (with installer) - old version of the AMAGE application

This section is retained for customers who still use the old type of AMAGE application installed locally on users' computers. For new instances, it is left only for compatibility purposes.

  • Desktop user - a regular user with access to this interface

User data

In the data sections, we may specify personal data, identifiers, email addresses. We may also add barcode/RFID identifiers that are used to identify the user in certain parts of the system.

The system user can also have a photo and a signature attached. The signature is used when generating PDF documents with orders, so that it can be embedded in them.

Access profiles

Access profiles allow access to selected sections of the system. They are covered in detail in the user manual and other tutorials. Here we can assign a list of access profiles to the user.

Super-Administrator

Once a user has been correctly authenticated, the AMAGE system checks access profiles to determine access to a given section of the system or permission to perform an action (e.g., adding/deleting a record). For the initial users this poses a problem, as no permissions/profiles are defined yet. In this case, the user would not have access to any section of the system.

Therefore, the super-administrator flag has been introduced in the system. Enabling this flag allows you to bypass the access profile mechanism. A user with this flag always has access to all sections and functions of the system (the system always replies YES to the query "Does the user have the authority to function X?"). That allows the main users of the system to access the full functionality and then define access through profiles for other users.

That flag should be used with caution, as it is an explicit bypass of the permissions mechanism and access profiles.
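
The decision order described in this document, written out as an added Python sketch (not AMAGE code), together with a review of the accounts that hold the super-administrator flag. The field names, profile names and function names are assumptions made for illustration, and the accounts are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    # Field names are assumptions for this sketch, not AMAGE's schema.
    login: str
    active: bool = True
    super_admin: bool = False
    local_user: bool = True
    profiles: set = field(default_factory=set)  # assigned access profiles

# Constructed profile -> permitted functions mapping (hypothetical names).
PROFILE_GRANTS = {
    "orders-read": {"orders.view"},
    "orders-edit": {"orders.view", "orders.add", "orders.delete"},
}

def auth_backend(user, enterprise_login_configured):
    """Credential store that verifies the login, per the 'Local user' flag."""
    if not enterprise_login_configured:
        return "local"  # the flag has no meaning on such instances
    return "local" if user.local_user else "enterprise"

def is_allowed(user, function):
    """Authorization decision made after successful authentication."""
    if not user.active:
        return False  # an inactive account cannot log in at all
    if user.super_admin:
        return True  # explicit bypass: the answer is always YES
    return any(function in PROFILE_GRANTS.get(p, ()) for p in user.profiles)

def audit_super_admins(users):
    """Return (login, finding) pairs for accounts holding the bypass flag."""
    findings = []
    for u in users:
        if not u.super_admin:
            continue
        state = "active super-administrator" if u.active else "inactive, flag still set"
        findings.append((u.login, state))
        if not u.profiles:
            findings.append((u.login, "no profiles, access rests on the bypass"))
    return findings

USERS = [  # constructed sample accounts
    User("bootstrap", super_admin=True),
    User("j.kowalski", local_user=False, profiles={"orders-read"}),
    User("subcontractor1", profiles={"orders-edit"}),
    User("old.admin", active=False, super_admin=True, profiles={"orders-edit"}),
]
```

Running audit_super_admins(USERS) after the initial setup shows which accounts still depend on the bypass once profiles have been defined for everyone else.
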
The Howto is based on system version 1.17.0.2 (03.2022) and presents features that may not be available in your system. Ask AMAGE about making this functionality available.
Due to ongoing development of the system, some screens or configuration files may look slightly different, but will still retain the full functionality described here. This does not affect the core functionality described in this document.