Managing ITA users and user rights

In the web client Administration menu, if you are logged in as a ITA administrator with the needed permissions, you can set up and edit ITA users, groups, permissions, and remote authentication servers. 

Granting general (global) system rights and fine-grained permissions for individual parts of the application allows you to restrict access and protect system functions and inventory that only you or a subset of your team is allowed to see or edit.

About ITA users

First time login with default admin user

During the initial installation of ITA, a default ITA user with administration rights is created with the credentials apc/apc (password must be changed on your first login). You will not be able to access the system without using this user account for the first login.

For security reasons, whether you're installing a fresh version of ITA or restoring an existing solution, it is important to change the default ITA user account as part of the initial setup. 

Note: If you're restoring a backup of an existing solution, you should open Administration>Users and make sure you don't have a legacy apc user in the system, or at least that the password is secure.

You'll be prompted to change the password the first time you log in to the web client with this user. It is recommended that you create  a new user with other credentials, avoiding apc, admin, system, and other frequently used names. You cannot change the apc username if you are logged in as the apc user. You must create a new user with user administration rights and log in as this other user to delete the apc user or change the username. 

Because all ITA users will also be able to log in through the web client and Tenant Portal, it is particularly important that you avoid insecure passwords and that you delete user accounts for all previous employees, etc. 

Local vs remote users

When you add a new user, you are setting up a local user on the ITA server by default. To set up a remote user, configure authentication servers to have the information supplied by that server. See how to configure authentication servers for remote users here.

About ITA permissions

The ITA user permission model is a complex model of general system permissions and granular equipment permissions for users and groups. These permissions have an internal hierarchy in case of conflicts:

User and group permissions

If a user is in one or more groups, his total permissions are the sum of all these permissions.

• If he has access to something his group doesn’t, he keeps his individual permissions.
• If the group has access to more than the individual user or another group he is in, he gains the group’s permissions.

Equipment permissions

If there’s a conflict in user and user group permissions, equipment permissions take priority in this order: No access, view, and edit.

When setting up or changing equipment permissions, you may want to verify the equipment permissions for the user and all his groups since the user interface may not update to reflect a change:

• If No access is selected for the user or one of his groups, it overrides any view or edit permissions set the the user or another one of his groups. 
• If View access is selected for the user or one of his groups, it overrides any edit permissions set for the user or another one of his groups.

General Permissions

Users can get administration or access permissions to particular parts of the application.

Users can be granted administration rights over:

• Genome library and network cable types
• System configuration
• Tags
• User rights and authentication servers
• Work order processes
• Planning work orders

Users can be granted access rights over:

• Desktop client
• Discovered devices and alarms
• Legacy SOAP web service APIs
• Permit access from external network
• Planning data center and asset provisioning
• Power usage effectiveness summary
• Reports

User Rights and Authentication Servers permissions

This administration setting overrides any other settings and provides access to any location or equipment on the ITA server, regardless of other settings, even No access.

Setting up users and permissions

When you are setting up a local user, user information is stored directly on the IT Advisor server. This method provides the ability to create IT Advisor user accounts without the need to connect to any external systems or repositories.

Setting up a new user

• In Administration > Users click ADD USER, and type the user information. 
  The user's email address is used by the system to send automatic notifications, e.g. initial welcome email with username and password to new users, and notifications related to work order assignments (IT Advisor: Change feature).

Setting up permissions

1. Click the new user and open the user information view where you can select granular permissions. 

2. Select the system functions to which the user needs access or administration rights and the inventory to which the user needs view or edit rights. 

   1. Granting user administration rights
      Click Select under Global Permissions, and then select User Rights and Authentication Servers to allow the user to set up users and permissions. 

      Note: This user will get access to ALL locations and equipment on the ITA server, even if he was assigned No access to a location, room, or equipment in Equipment Permissions.

   2. Granting rights to use the system
      Click Select under Global Permissions, deselect User Rights and Authentication Servers and System Configuration, and select the rest of the check boxes.
      

      This user will be able to use all features in the system but will not be able to perform system configuration or change user rights.

      Restrict the rights by clearing the check boxes to the different parts of the application as required, e.g. access to reports, alarms, planning data center and asset provisioning (to access these perspectives), or even access to the desktop client. 

   3. Granting restricted rights to partial inventory
      Click Select under Equipment Permissions. Select which parts of the inventory the user is allowed to access, and if the access should be restricted to only viewing or if editing rights should be applied. For example, a user might need access to edit only in one room but view all rooms.

      Some settings are dependent on others, e.g. a user with access to Energy Efficiency configuration must also be granted edit rights to all rooms.

Setting up and editing user groups

User rights can be set at individual user or group level. If you're setting up many users with the same permissions, create a user group with these permissions to automatically grant them the permissions set at group level.

1. In Administration >Users, add individual users one by one. Click ADD USER and type the user information.
   Check the box to generate a password and send it via email. You do not need to set up permissions at this point. 
2. In Administration > User Groups, click ADD to add a new user group and name it.
3. Set permissions to access and/or administrate various ITA features in the same way as for individual users, only these will apply to all users in the group.
4. Select to add the users to the group.
   Existing users can also be added to a group from the Users view (in User Groups, click Select... and choose between existing user groups).

Auditing user access activities and resetting password

Auditing user access activities

You can track some user activities by generating an audit trail report in the desktop client. 

Auto lock out is handled the same way for all users. No notification is sent. Failed login attempts login are logged to the server log file only. 

Resetting a user's password

To reset a user's password, in Administration>Users, click the user to open the user information, then select RESET PASSWORD.

The IT Advisor system users should not be confused with the OS user on the IT Advisor server. Resetting the password for the OS user is entirely different. Learn more....