Tenant users and administrators

Important: There is no access to tenant user management from the IPS Manager interface, and administrator users of IPS Server are not automatically granted any access to any of the tenants. A default administrator user (based on a 'Local' type user account) is created when a tenant is created: the username is 'Administrator' and the password is 'Administrator'. This account can be locked after you have created an additional administrator user.

To access user management for a tenant, you need to log in as a tenant administrator user (using the default 'Administrator' in the first instance) and launch any one of the Planning Space client applications. Click 'Security' in the Navigation menu, and 'Users' in the Security workspace top menu.


You will see the name, Login ID, and status information for the existing users for the tenant. In a new and empty tenant only the 'Administrator' user account will exist. Accounts can be 'locked', which means they remain visible but login is blocked, or 'deactivated', which means the account is hidden.

Note: Deactivated user accounts are not shown in the Users list by default, but can be displayed by checking the box 'Include Deactivated Users'.

Click any of the column headings to change the sort order of the list of users. The displayed users can be filtered by using one or more of the filter controls located at the head of each column.

Workgroups and Roles

Each user account can be granted permissions by granting membership of different Tenant workgroups. 'Administrators' is the default workgroup for granting administrator user rights.

By creating new workgroups mapped to specific Tenant roles, you can create fine-tuned administrative permissions for the user accounts.

User account types

There are three types of user accounts, based on different authentication methods.

Every ordinary user needs to have an account created for them, and must be provided with the appropriate login credentials. Note there are no automated system functions for an ordinary user to recover access to their account in case of a problem.

| User Account Type (Authentication Method) | Required minimum configuration to create an account | 'Sign in' username for Planning Space | Comments |
| --- | --- | --- | --- |
| Local | Login ID, Name, Description, Password | Login ID | Password is stored and authenticated by the IPS Server. User credentials are passed from client to server over the HTTP/HTTPS network connection. |
| SAML2 | Login ID, Name, Description | Login ID | Requires an ADFS-based authentication service to be configured (see Identity Provider (IdP) setup). This is the recommended option for authentication in a production environment. The Login ID must be a valid UPN (User Principal Name) for the authentication service. |
| Windows Active Directory | Login ID, Name, Domain, Description | Domain/Login ID | Authentication is performed by the IPS Server using the Windows AD services. User credentials are passed from client to server over the HTTP/HTTPS network connection. This account type is mainly provided for compatibility with earlier versions of Planning Space. The Login ID must be a valid username for the Active Directory service. |

For version 16.5 Update 13 and later: the allowed authentication methods (Local, SAML2, and Windows Active Directory) can be enabled or disabled for each tenant independently in IPS Manager; see Tenant authentication methods. The default is that all methods are enabled.

If the Local method is disabled, this will block logins for all Local accounts, including the default 'Administrator' user account.

When you add or edit a user account, a message will appear when the corresponding authentication method has been disabled: "This authentication method is currently disabled for the the tenant. You will be able to save the user details however the user will not have login access."

Create a new user account

Click the 'New User' button to open an edit pane for a new user account at the right-hand side. Use the 'Authentication Method' selector to choose the account type 'Local', 'SAML2' or 'Windows Active Directory'.


Different fields will be enabled/disabled depending on the account type. The fields marked with a red asterisk are required.

All user accounts require a 'Login ID' (which is unique for the tenant), 'Name', and 'Description'.

A 'Local' account requires an (initial) password to be input. Use the checkbox 'User must change password at next login' to force the user to change the password. Use the checkbox 'Enforce password policy' to force the password to always satisfy the policy on password complexity (see Tenant security settings).

Expiry date: An account can be set to expire at a specified date (after which the user will not be able to log in); a default value for that date can be set, see Tenant security settings.

Click the 'Workgroups' tab to set workgroup memberships for this account.

Click the 'Save' button to set up the new user account.

Automatic provisioning of SAML2 tenant user accounts

For version 16.5 Update 12 and later: Automatic provisioning of SAML2 tenant user accounts is possible based on the Identity Provider. This means that a new tenant user account can be created automatically when a user logs in to Planning Space for the first time using an account that is defined (and enabled to access Planning Space) by the Identity Provider's domain authentication services. It is also possible to control the Planning Space user's membership of workgroups externally: when the user's domain account is edited, the Planning Space SAML2 account will synchronize whenever the user logs in to Planning Space. For configuration details see Automatic provisioning of tenant user accounts.

Edit a user account

To edit the settings for an existing user, click on the user account name to open its edit pane.

The user account that is being edited will be highlighted in blue. Click the X button at the top right corner to close the edit pane.

There are two control buttons, which become activated when you have made an edit. Click the 'Save' button to save the changes that you have made. Click the 'Discard changes' button to undo any unsaved changes.

Administrator reset of a user account password: In the user edit pane, tick the 'Change password' box and type in a new password. There is no notification of password change to the user by the software; the administrator must deal with this.

It is not possible to delete a user account; however, it can be locked or deactivated (see below).

Assign entity-level permissions for a user account

It is possible to edit the entity-level permissions for hierarchies (Dataflow) and regimes (Economics and Financials).

Click a user account name to open its edit pane, and click the 'Assign Permissions' tab.

See Access permissions (entity-level) for hierarchies and regimes for explanation of the entity-level permissions.

Use the 'View Effective Permissions' tab to see the effective permission setting on an entity for a user account, after all of the different levels of permission have been combined.

API key management

Users can generate and use an API key for access to the Planning Space APIs (see API Key management); this requires being granted the role 'Security/API Key' (note the role covers both generating, or re-generating, an API key and using it for API access).

When an API key is assigned to a user account, this is shown in the account's edit panel by asterisks in the 'API key' field.

For version 16.5 Update 7 and later: API keys can be set to expire on a specific date (based on the setting 'API Key Lifetime', see Service configuration). The expiry date-time will be shown in the field 'API key expiration'; the field will be blank if no API key exists for the user account, or it will display 'INFINITE' if the API key has no expiry date.

The API Key value is not stored in Planning Space and therefore cannot be recovered by the user or by an Administrator. If an API Key value is lost, the user should generate a new key as a replacement.

The API key can be deleted in the account edit panel by clicking the Delete Key button. This will immediately revoke the user's API access. Also, an Administrator can immediately revoke or (temporarily) suspend the user's API access by removing the user's access to the 'Security/API key' role.

Multi-user actions

A number of actions can be applied simultaneously to multiple user accounts. These are:

  • Lock or Unlock the accounts
  • Change the Windows domain for the accounts
  • Change the expiry date of the accounts
  • Deactivate or Reactivate the accounts
  • Assign or Unassign the accounts' membership of workgroups
  • Change passwords or modify password policies for the accounts
  • Delete the API Key for access to the Planning Space APIs

Use 'CTRL-Click' to select two or more accounts (they will be highlighted in blue) and this will activate the 'Multi user actions' menu.

Export or Import user account information

Use the Export menu to export user account information as CSV data. Different information can be included; the options are Users (detailed user account data), Users & workgroups (all the workgroup memberships of user accounts), Users only in Everyone workgroup, and Workgroups without a user (the empty workgroups).

Note: The 'Users' export data contains entries for 'Last login date', 'Locked date' and 'Deactivated date' which are expressed in ISO 8601 date format of the form "{DATE}T{TIME}Z" where Z denotes UTC time zone and the time includes milliseconds digits. For example, "2021-01-04T14:35:44.293Z". (The ISO date format is not automatically handled by Microsoft Excel.)
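An added example (not part of the product documentation) showing how the exported dates can be parsed for an account review: it flags an unlocked default 'Administrator' account and active accounts with no recent login. The CSV column headers, the empty-cell convention for "not locked/deactivated", the sample rows and the 90-day threshold are assumptions; check them against a real export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of a 'Users' export. Header names are assumed from the
# field names mentioned in the text, not taken from a real export file.
SAMPLE_EXPORT = """\
Login ID,Name,Last login date,Locked date,Deactivated date
Administrator,Administrator,2021-01-04T14:35:44.293Z,,
jsmith,Jane Smith,2020-06-01T08:00:00.000Z,,
akhan,Asif Khan,2020-12-20T09:15:10.120Z,,
olduser,Old User,2019-03-02T10:00:00.000Z,,2019-04-01T00:00:00.000Z
svc_locked,Service Account,,2020-11-11T11:11:11.111Z,
"""


def parse_export_date(value):
    """Parse '{DATE}T{TIME}Z' with milliseconds as UTC; empty cell -> None."""
    value = value.strip()
    if not value:
        return None
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def audit_users(csv_text, now, stale_after_days=90):
    """Return (login_id, finding) tuples for accounts that can still log in."""
    findings = []
    cutoff = now - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["Login ID"]
        # Assumption: a non-empty date cell means the state currently applies.
        locked = parse_export_date(row["Locked date"]) is not None
        deactivated = parse_export_date(row["Deactivated date"]) is not None
        if locked or deactivated:
            continue  # login is already blocked for this account
        if login == "Administrator":
            findings.append((login, "default administrator account is not locked"))
        last_login = parse_export_date(row["Last login date"])
        if last_login is None:
            findings.append((login, "active account has never logged in"))
        elif last_login < cutoff:
            findings.append((login, f"no login since {last_login.date()}"))
    return findings


if __name__ == "__main__":
    review_time = datetime(2021, 1, 5, tzinfo=timezone.utc)
    for login_id, finding in audit_users(SAMPLE_EXPORT, review_time):
        print(f"{login_id}: {finding}")
```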

You can import user account data using Import > Import from CSV (but this is not possible for 'Local' type accounts). Use Import > Download sample import file to get a template file. This provides a means to create user accounts as a batch process.

Note: If your user import data contains Unicode characters, please be aware that Microsoft Excel cannot write comma-separated plain text files with Unicode content. You can use the 'Unicode text' output format, which creates a file with tab separators, but you will need to have access to a Unicode-enabled text editor to substitute the tab separators with comma separators.

Lock or Deactivate a user account

Important: User accounts cannot be deleted, in order to preserve Planning Space tenant data for audit purposes.

The 'Locked' state should be used to temporarily stop a user account being used for login. The Administrator can apply or remove the Locked state on user accounts. Locked state will be applied automatically when there are too many failed login attempts for a user account (the number of allowed failed attempts can be set; see Tenant security settings).

The 'Deactivated' state should be used to 'close' a user account (usually permanently). The account will not be visible in any live Planning Space operations, but the audit records of activities involving that account will be preserved. A Deactivated user account can be Reactivated.