Tenant users and administrators
Important: There is no access to tenant user management from the IPS Manager interface, and administrator users of IPS Server are not automatically granted any access to any of the tenants. A default administrator user (based on a 'Local' type user account) is created when a tenant is created: the username is 'Administrator' and the password is 'Administrator'. This account can be locked after you have created an additional administrator user.
To access user management for a tenant, you need to log in as a tenant administrator user (using the default 'Administrator' in the first instance) and launch any one of the PlanningSpace client applications. Click 'Security' in the Navigation menu, and 'Users' in the Security workspace top menu.
You will see the name, Login ID, and status information for the existing users for the tenant. In a new and empty tenant only the 'Administrator' user account will exist. Accounts can be 'locked', which means they remain visible but login is blocked, or 'deactivated', which means the account is hidden.
Note: Deactivated user accounts are not shown in the Users list by default, but can be displayed by checking the box 'Include Deactivated Users'.
Click any of the column headings to change the sort order of the list of users. The displayed users can be filtered by using one or more of the filter controls located at the head of each column.
Workgroups and Roles
Each user account can be granted permissions by granting membership of different Tenant workgroups. 'Administrators' is the default workgroup for granting administrator user rights.
By creating new workgroups mapped to specific Tenant roles, you can create fine-tuned administrative permissions for the user accounts.
User account types
There are three types of user accounts, based on different authentication methods.
Every ordinary user needs to have an account created for them, and must be provided with the appropriate login credentials. Note there are no automated system functions for an ordinary user to recover access to their account in case of a problem.
User Account Type (Authentication Method) | Required minimum configuration to create an account | 'Sign in' username for PlanningSpace | Comments |
---|---|---|---|
Local | Login ID, Name, Description, Password | Login ID | Password is stored and authenticated by the IPS Server. User credentials are passed from client to server over the HTTP(S) network connection. |
SAML2 | Login ID, Name, Description | Login ID | Requires an ADFS-based authentication service to be configured (see Identity Provider (IdP) setup). This is the recommended option for authentication in a production environment. The Login ID must be a valid UPN (User Principal Name) for the authentication service. |
Windows Active Directory | Login ID, Name, Domain, Description | Domain/Login ID | Authentication is performed by the IPS Server using the Windows AD services. User credentials are passed from client to server over the HTTP(S) network connection. This account type is mainly provided for compatibility with earlier versions of PlanningSpace. The Login ID must be a valid username for the Active Directory service. |
Create a new user account
Click the 'New User' button to open an edit pane for a new user account at the right-hand side. Use the Authentication Method selector to choose the account type 'Local', 'SAML2' or 'Windows Active Directory'.
Different fields will be enabled/disabled depending on the account type. The fields marked with a red asterisk are required.
All user accounts require a 'Login ID' (which is unique for the tenant), 'Name', and 'Description'.
A 'Local' account requires an (initial) password to be input. Use the checkbox 'User must change password at next login' to force the user to change the password. Use the checkbox 'Enforce password policy' to force the password to always satisfy the policy on password complexity (see Tenant security settings).
Expiry date: An account can be set to expire at a specified date, after which the user will not be able to log in. A default value for that date can be set (see Tenant security settings).
Click the 'Workgroups' tab to set workgroup memberships for this account.
Click the 'Save' button to set up the new user account.
Edit a user account
To edit the settings for an existing user, click on the user account name to open its edit pane.
The user account that is being edited will be highlighted in blue. Click the X button at the top right corner to close the edit pane.
There are two control buttons, which become activated when you have made an edit. Click the 'Save' button to save the changes that you have made. Click the 'Discard changes' button to undo any unsaved changes.
Administrator reset of a user account password: In the user edit pane, tick the 'Change password' box and type in a new password. The software does not notify the user of a password change; the administrator must inform the user.
It is not possible to delete a user account; however, it can be locked or deactivated (see below).
Assign entity-level permissions for a user account
It is possible to edit the entity-level permissions for hierarchies (Dataflow) and regimes (Economics and Financials).
Click a user account name to open its edit pane, and click the 'Assign Permissions' tab.
See Access permissions (entity-level) for hierarchies and regimes for explanation of the entity-level permissions.
Use the 'View Effective Permissions' tab to see the effective permission setting on an entity for a user account, after all of the different levels of permission have been combined.
Multi-user actions
A number of actions can be applied simultaneously to multiple user accounts. These are:
- Lock or Unlock the accounts
- Change the Windows domain for the accounts
- Change the expiry date of the accounts
- Deactivate or Reactivate the accounts
- Assign or Unassign the accounts' membership of workgroups
- Change passwords or modify password policies for the accounts
- Delete the API Key for access to the PlanningSpace APIs
Use 'CTRL-Click' to select two or more accounts (they will be highlighted in blue) and this will activate the 'Multi user actions' menu.
Export/Import user account information
Use the 'Export' menu to export user account information.
You can import user account data using 'Import > Import from CSV' (this is not possible for 'Local' type accounts). This provides a means to create user accounts as a batch process.
Use 'Import > Download sample import file' to get a starter template file.
Note: If your user import data contains Unicode characters, please be aware that Microsoft Excel cannot write comma-separated plain text files with Unicode content. You can use the 'Unicode text' output format, which creates a file with tab separators, but you will need to have access to a Unicode-enabled text editor to substitute comma separators.
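The separator substitution described in the note above can be scripted so that fields which themselves contain commas are quoted rather than split; this is an added example, not part of the PlanningSpace documentation. It assumes the import accepts UTF-8 comma-separated text, and the column names and rows in the sample are constructed (take the real header from the downloaded sample import file).

```python
import csv
import io
import sys

def excel_unicode_text_to_csv(raw: bytes) -> bytes:
    """Convert Excel 'Unicode text' bytes (UTF-16, tab-separated) to UTF-8 CSV."""
    # Excel writes 'Unicode text' as UTF-16 with a byte-order mark; the
    # "utf-16" codec consumes the BOM and selects the matching endianness.
    text = raw.decode("utf-16")
    reader = csv.reader(io.StringIO(text, newline=""), dialect="excel-tab")
    # Drop fully blank lines (Excel often leaves one at the end of the sheet).
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    if not rows:
        raise ValueError("no rows found in input")
    # Every data row must have as many fields as the header, otherwise a
    # shifted column could put a value into the wrong account attribute.
    width = len(rows[0])
    for number, row in enumerate(rows, start=1):
        if len(row) != width:
            raise ValueError(
                f"row {number} has {len(row)} fields, header has {width}")
    out = io.StringIO(newline="")
    # The 'excel' dialect quotes any field containing a comma, quote or newline,
    # which a plain find-and-replace of tabs would not do.
    csv.writer(out, dialect="excel").writerows(rows)
    return out.getvalue().encode("utf-8")

# Constructed sample: hypothetical column names, one row whose Description
# contains a comma and whose Login ID and Name contain non-ASCII characters.
SAMPLE = (
    "Login ID\tName\tDescription\r\n"
    "zoë.müller@example.com\tZoë Müller\tEconomics, Oslo team\r\n"
    "li.wei@example.com\t李伟\tDataflow reviewer\r\n"
    "\r\n"
).encode("utf-16")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py users-unicode.txt users-import.csv
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(excel_unicode_text_to_csv(src.read()))
    else:
        sys.stdout.write(excel_unicode_text_to_csv(SAMPLE).decode("utf-8"))
```
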
Lock or Deactivate a user account
Important: User accounts cannot be deleted, in order to preserve PlanningSpace tenant data for audit purposes.
The 'Locked' state should be used to temporarily stop a user account being used for login. The Administrator can apply or remove the Locked state on user accounts. Locked state will be applied automatically when there are too many failed login attempts for a user account (the number of allowed failed attempts can be set - see Tenant security settings).
The 'Deactivated' state should be used to 'close' a user account (usually permanently). The account will not be visible in any live PlanningSpace operations, but the audit records of activities involving that account will be preserved. A Deactivated user account can be Reactivated.