Managing ITA users and user rights

In the web client Administration menu, if you are logged in as a ITA administrator with the needed permissions, you can set up and edit ITA users, groups, permissions, and remote authentication servers.  Granting general (global) system rights and fine-grained permissions for individual parts of the application allows you to restrict access and protect system functions and inventory that only you or a subset of your team is allowed to see or edit. Warning Setting up users and managing permissions can be a complex process. Take your time to understand how some settings override others. Be cautious specifically about granting permission to User Rights and Authentication Servers. This setting overrides all equipment permissions and gives the user access to ALL locations and equipment on the ITA server, even if they were assigned No access to a location, room, or equipment in Equipment Permissions. About ITA users First time login with default admin user During the initial installation of ITA, a default ITA user with administration rights is created with the credentials apc/apc (password must be changed on your first login). You will not be able to access the system without using this user account for the first login. For security reasons, whether you're installing a fresh version of ITA or restoring an existing solution, it is important to change the default ITA user account as part of the initial setup.  Note: If you're restoring a backup of an existing solution, you should open Administration>Users and make sure you don't have a legacy apc user in the system, or at least that the password is secure. You'll be prompted to change the password the first time you log in to the web client with this user. It is recommended that you create  a new user with other credentials, avoiding apc, admin, system, and other frequently used names. You cannot change the apc username if you are logged in as the apc user. You must create a new user with user administration rights and log in as this other user to delete the apc user or change the username.  Because all ITA users will also be able to log in through the web client and Tenant Portal, it is particularly important that you avoid insecure passwords and that you delete user accounts for all previous employees, etc.  Local vs remote users When you add a new user, you are setting up a local user on the ITA server by default. To set up a remote user, configure authentication servers to have the information supplied by that server. See how to configure authentication servers for remote users here. About ITA permissions The ITA user permission model is a complex model of general system permissions and granular equipment permissions for users and groups. These permissions have an internal hierarchy in case of conflicts: User and group permissions If a user is in one or more groups, his total permissions are the sum of all these permissions. If he has access to something his group doesn’t, he keeps his individual permissions. If the group has access to more than the individual user or another group he is in, he gains the group’s permissions. Equipment permissions If there’s a conflict in user and user group permissions, equipment permissions take priority in this order: No access, view, and edit. When setting up or changing equipment permissions, you may want to verify the equipment permissions for the user and all his groups since the user interface may not update to reflect a change: If No access is selected for the user or one of his groups, it overrides any view or edit permissions set the the user or another one of his groups.  If View access is selected for the user or one of his groups, it overrides any edit permissions set for the user or another one of his groups. General Permissions Users can get administration or access permissions to particular parts of the application. Users can be granted administration rights over: Genome library and network cable types System configuration Tags User rights and authentication servers Work order processes Planning work orders Users can be granted access rights over: Desktop client Discovered devices and alarms Legacy SOAP web service APIs Permit access from external network Planning data center and asset provisioning Power usage effectiveness summary Reports User Rights and Authentication Servers permissions This administration setting overrides any other settings and provides access to any location or equipment on the ITA server, regardless of other settings, even No access. Setting up users and permissions When you are setting up a local user, user information is stored directly on the IT Advisor server. This method provides the ability to create IT Advisor user accounts without the need to connect to any external systems or repositories. Setting up a new user In Administration > Users click ADD USER, and type the user information.  The user's email address is used by the system to send automatic notifications, e.g. initial welcome email with username and password to new users, and notifications related to work order assignments (IT Advisor: Change feature). Setting up permissions Click the new user and open the user information view where you can select granular permissions.  Select the system functions to which the user needs access or administration rights and the inventory to which the user needs view or edit rights.  Granting user administration rights Click Select under Global Permissions, and then select User Rights and Authentication Servers to allow the user to set up users and permissions.  Note: This user will get access to ALL locations and equipment on the ITA server, even if he was assigned No access to a location, room, or equipment in Equipment Permissions. Granting rights to use the system Click Select under Global Permissions, deselect User Rights and Authentication Servers and System Configuration, and select the rest of the check boxes. This user will be able to use all features in the system but will not be able to perform system configuration or change user rights. Restrict the rights by clearing the check boxes to the different parts of the application as required, e.g. access to reports, alarms, planning data center and asset provisioning (to access these perspectives), or even access to the desktop client.  Granting restricted rights to partial inventory Click Select under Equipment Permissions. Select which parts of the inventory the user is allowed to access, and if the access should be restricted to only viewing or if editing rights should be applied. For example, a user might need access to edit only in one room but view all rooms. Some settings are dependent on others, e.g. a user with access to Energy Efficiency configuration must also be granted edit rights to all rooms. Setting up and editing user groups User rights can be set at individual user or group level. If you're setting up many users with the same permissions, create a user group with these permissions to automatically grant them the permissions set at group level. In Administration >Users, add individual users one by one. Click ADD USER and type the user information. Check the box to generate a password and send it via email. You do not need to set up permissions at this point.  In Administration > User Groups, click ADD to add a new user group and name it. Set permissions to access and/or administrate various ITA features in the same way as for individual users, only these will apply to all users in the group. Select to add the users to the group. Existing users can also be added to a group from the Users view (in User Groups, click Select... and choose between existing user groups). Auditing user access activities and resetting password Auditing user access activities You can track some user activities by generating an audit trail report in the desktop client.  Auto lock out is handled the same way for all users. No notification is sent. Failed login attempts login are logged to the server log file only.  Resetting a user's password To reset a user's password, in Administration>Users, click the user to open the user information, then select RESET PASSWORD. The IT Advisor system users should not be confused with the OS user on the IT Advisor server. Resetting the password for the OS user is entirely different. Learn more....  

Users who have been granted the necessary user rights can integrate with third party systems using the legacy SOAP web service API. These web services are gradually being replaced by a new publicly available RESTFul API. In the ITA web client, go to Administration > Users. Select the user you want to have this right. Under Global Permissions, click Select. Under Access to, check the box for  Legacy SOAP web service APIs . Click OK. The user is now able to create a web service account and access the data exposed by the system.

ITA user ITA users can log in to the ITA desktop and web client (known as Tenant Portal for Colo users) to use the parts of the application they have been granted access to according to their user rights. They can manage their own user accounts but need to contact their administrator for other configuration needs or in case of any issues. ITA administrator ITA administrators are administrators of the ITA application. ITA administrators can log in to the ITA web client and perform administration tasks related to the ITA application, such as user management, license management, and web branding for the look and feel of the web client. This is not the same user as the server OS administrator described below. ITA users and administrators can be local users (saved on the ITA server) or remote users authenticated by an AD or LDAP server, see more Configuring authentication servers used for managing remote users. Ensure there's at least one local ITA administrator account. This is needed for various reasons, for example in case there's a network related issue preventing connection to the authentication server or in case changes were made on the authentication server preventing ITA from getting the user data. Server administrator The server administrator is administrator on a deeper level, managing the server as well as the applications running on the server. This is the person doing server configuration and maintenance, such as configuring backup, secure connection, or file sharing.  This user may also be referred to as the Linux, OS (operating system) or Webmin user because: Linux CentOS is the operating system that comes with the ITA server installation and, as part of the ITA installation process, this first Linux server administrator must be created to subsequently be able to log in and perform server management tasks on the server after installation is complete. Webmin is the name of the web-based server management interface that the server OS administrators can use to perform server management tasks on the ITA server after installation is complete. Webmin is not the only way to manage the server. You can also run commands directly on the ITA server by connecting through SSH without the need to open Webmin. SSH to the ITA server and log in with the server administrator credentials created during initial installation of ITA.  Note Since the ITA administrator and the server administrator are two different users, credentials are also separate and independent of each other. ITA administrator credentials are stored in the the ITA application database while server administrator credentials are stored by the server's operating system. ITA administrator credentials are included in ITA backups. Restoring a ITA backup will reset ITA administrator credentials to whatever was stored in the backup. Server administrator credentials are separate and are not affected by restoring ITA backups.