en:services:general_services:idm:idm-portal_documentation [2019/08/22 11:18] – [LDAP distribution list] bbrauns | en:services:general_services:idm:idm-portal_documentation [2024/09/10 15:28] (current) – [Dynamic group] ggroesc
====== IdM-Portal documentation ======

===== Overview =====

This page serves as an introduction to the use of the Identity Management portal (IdM-portal).

The site is available at [[https://

===== Access requirements =====
Every GWDG/

===== FAQ =====
**Q:** I would like to manage user accounts, but after login I can only see my own account details and nothing else. What should I do? \\
**A:** Your account lacks the required permissions. Please refer to https://

**Q:** When I log in I get a strange "
**A:** One or all of your permissions are "

**Q:** I would like to export all search results, but the export file only shows n records. What is wrong? \\
**A:** Unfortunately that is a known bug and will be addressed in the future. As a workaround you can increase the search result page size in your personal settings and run the export once again.

**Q:** I would like to have a group whose members are based on a certain criterion such as the department name. How can I achieve that?\\
**A:** See: [[#

**Q:** I would like to have an easy way to get members into certain groups. Is there a way not to add everyone manually?\\
**A:** See: [[#

===== Site structure and navigation =====

After a successful login the site has two navigation menus. On the upper side the first item is a dropdown menu which lets you switch to another so called //

<WRAP center round info 60%>
**Workspace**
A //
</WRAP>

===== User management =====
==== Search ====

The search function allows you to find objects in the currently selected workspace. The default is the //simple search//, where you can enter any text and the portal executes a search based on certain attributes like uid/

If you wish to search for objects based on specific attributes like username, e-mail address or user status, you can use the **Advanced Search**, which is located in the second tab (2).\\
\\
For a more complex search, you can append multiple search rows by clicking the **dropdown** on the right-hand side next to the input field. These search rows are linked by **and** or **or**, as shown at the end of the search row on the right side. By clicking on that button, you can toggle between the two options.\\

<WRAP center round info 60%>
The * character can be used as a wildcard, but only with the operator **equal**.
You can use **"
</WRAP>

<WRAP center round info 60%>
You will be redirected to the edit page if only one object was found.
</WRAP>

The search result list contains a subset of the objects' attributes. The shown attributes can be customized in the [[idm-portal_documentation#

After switching to the edit page, new actions specific to the currently selected object appear in the menu on the left side ((may vary based on your permissions)). Attributes of a selected object are categorized into groups like **general user data** or **Email**.

==== Password change ====
On this page you can change the password of a user account. The password has an expiration date, which means that the user must change the password within this period or the account gets deactivated (1). A short description of why the change was necessary must be entered (2). This text is written to the audit log for future reviews.

The password must meet a series of requirements, which are listed above. These requirements are not arbitrary; they are enforced by connected systems like Microsoft Active Directory or SAP, which dictate them.

<WRAP center round info 60%>
Users can change their password using the self-service portal: https://
</WRAP>

You can also generate a random password by clicking the **generate** button (3). You must **save** or **save & print** the password afterwards.

A PDF document will be generated and opened if you choose **save & print**.
<WRAP center info 60%>
The template for the generated PDF file can be set individually for each institution. If you want to use a non-standard template, write a mail to support@gwdg.de. The template should be created in the docx format. The following values can be used as placeholders: first name, last name, username, password
</WRAP>

=== Password expiration ===

^ Organization ^ Expiration ^ Notification ^
| UNI | no | 1 year | 4 weeks before expiration weekly, \\ 7 days before expiration daily |
| MPG | no | never or upon request | |

==== History ====
By clicking the **history** action, attribute and password changes can be reviewed. Changes that were made by the system are marked as //

==== Personal settings ====

The personal settings menu allows you to change how search results are displayed. You can find the Personal Settings page by opening the menu with the profile icon in the upper right corner. You can add and remove attributes in the list to change the layout of the search result table. You must change these settings for each workspace separately.

==== Special attribute descriptions ====

=== Email forwarding ===

Two attributes can be used to forward incoming mails: **routing addresses** and **exchange redirect address**. If the user has an Exchange mailbox you should use the exchange redirect address, otherwise use routing addresses.

^ Name ^ Multiple values ^ Forward internal sent emails
| routing addresses
| exchange redirect address

<WRAP center round important 60%>
If the source and the target mailbox are within the same Exchange organization, the mail is delivered directly into the target mailbox, which prevents the **routing addresses** attribute from taking effect.
</WRAP>

=== Visibility in Exchange addressbook ===
By default, all users are displayed in the Exchange address lists. To change this setting, check the **hide from address lists** checkbox.
<WRAP center round info 60%>
When using the Exchange cache mode with an Outlook client, updating the address book can take up to 48 hours. Outlook Web Access under https://
</WRAP>

=== Remove Active Directory short time lockout ===
Active Directory automatically locks a user account for a certain time (usually 30 minutes) if the password is entered incorrectly 3 times. To remove this lock, the corresponding **short time lockout (AD)** checkbox must be unchecked.

=== Enable/
You can enable and disable accounts by changing the **user status**.
Send an email to [[support@gwdg.de]] if you want to reactivate a deleted account.

<WRAP center round info 60%>
Applicable to Uni Göttingen accounts only: the account status is linked to the employment in SAP. As soon as the employment is active again, a deleted account is also reactivated.
</WRAP>

===== Group management =====

Currently there are two different types of distribution lists:

**LDAP distribution list**
  * May contain external email addresses
  * Not visible in the Exchange addressbook

**Groups**
  * Can act as a static Exchange distribution group
  * Visible in the Exchange addressbook
  * Members are shown in the addressbook
  * Send permissions can be defined
  * Editing can be limited to certain users

==== Groups ====

If you don't provide an email address, groups are just a structural organisation tool. When an email address is given, they turn into an Exchange distribution group.

When 'Only editable by "

<WRAP center round important 60%>
Be aware that '
</WRAP>

<WRAP center round important 60%>
Be aware that deleting a group takes effect immediately and a deleted group cannot be recovered.
</WRAP>

=== Add / Remove members ===
There are two ways to add accounts to the group:
  * By clicking the **Add** button and entering the username or email address (1).
  * By clicking the **Select** button (2). A modal dialog opens with all accounts you are entitled to ((For certain accounts with very broad permissions this may not work because the result set is too large. This is a known limitation. Please use "

Members can be removed by selecting them in the table and clicking on **remove**.

=== Send permissions ===
You can set send permissions to control who can send to the list.
Users who are not allowed will receive a notification email if they try to send to the list.
You can choose between different settings:
  * Unrestricted or as specified (default): Everybody is allowed to send to the list if the send permission list is empty. Otherwise, only the specified users/
  * Organization:
  * Institute: All users of your institution with an Exchange mailbox or email-enabled users are allowed to send to the list.

=== Dynamic group ===
An ordinary group can be turned into a dynamic group by adding a filter expression. This filter expression specifies which attribute values an object needs to have to be part of this group (e.g. all objects with the attribute "

<WRAP center round tip 60%>
You can easily create a distribution group for all members (normal users) of the department "AG I" by using the filter:

''

All new staff will automatically be added to this group if their department is set to **AG I**.
</WRAP>

<WRAP center round important 60%>
When using multiple filters, be aware of the logical interpretation of those filters and their grouped components.
Using parentheses can be very useful or even necessary!

For example: addressing all normal users in two departments.

**Wrong**: just lining up each expression:

''

This will address all normal users for the department 'AG I', but for 'AG O' it will also address all other possible user types (**including distribution lists**).

**Correct**:

''

or, without parentheses,

''

</WRAP>

The filter uses the OPath syntax:
You can use parentheses for complex filters as well.

**Supported variables**
^ Variable
| $department
| $title
| $usertype
| $userstatus
| $gender
| $institute
| $filterattribute1
| $filterattribute2
| $filterattribute3
| $emailaddresses

**Valid operators**
^ Operator ^ Description ^
| -eq | Equal |
| -ne | Not equal |
| -like | Like (Wildcard: *) |
| -and | And |
| -or | Or |
| -not | Not |

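To make the precedence warning above concrete, here is an added example (not GWDG's code) of a small evaluator for the operators listed in the tables, run over three constructed objects in the departments "AG I" and "AG O". The object layout, the ''usertype'' value ''normal'' and the function names are assumptions; the evaluator assumes ''-and'' binds tighter than ''-or'', and the parenthesised filter gives the same result whichever way a real engine resolves that.

```python
import re
# Added example, not GWDG's code: evaluates the portal's OPath-style group filters
# ($var -eq/-ne/-like 'value', -and, -or, parentheses). Assumed: -and binds tighter
# than -or, as in most languages; with parentheses the result does not depend on it.
TOKEN = re.compile(r"\(|\)|-\w+|\$\w+|'[^']*'|\S+")  # last alternative catches junk

def _chain(t, op, sub):  # left-associative chain: sub (op sub)*
    node = sub(t)
    while t and t[0] == op:
        t.pop(0)
        node = (op, node, sub(t))
    return node

def _expr(t):  # an -or chain of -and chains of terms, so -and binds tighter
    return _chain(t, "-or", lambda t: _chain(t, "-and", _term))

def _term(t):
    tok = t.pop(0) if t else ""
    if tok == "(":
        node = _expr(t)
        if not t or t.pop(0) != ")":
            raise ValueError("missing ')'")
        return node
    op, val = (t.pop(0) if t else ""), (t.pop(0) if t else "")
    if not (tok[:1] == "$" and op in ("-eq", "-ne", "-like") and re.fullmatch(r"'[^']*'", val)):
        raise ValueError(f"bad comparison near {tok!r}")
    return (op, tok[1:], val[1:-1])  # (operator, variable name, literal)

def evaluate(node, obj):
    op, lhs, rhs = node
    if op in ("-and", "-or"):  # short-circuit: -and continues if left is True, -or if False
        left = evaluate(lhs, obj)
        return evaluate(rhs, obj) if left == (op == "-and") else left
    actual = obj.get(lhs, "")
    if op == "-like":  # '*' is the only wildcard listed in the operator table
        return re.fullmatch(".*".join(map(re.escape, rhs.split("*"))), actual) is not None
    return (actual == rhs) == (op == "-eq")  # -eq or -ne

def members(filter_expr, objects):
    t = TOKEN.findall(filter_expr)
    tree = _expr(t)
    if t:  # leftovers mean the filter was not one well-formed expression
        raise ValueError(f"unexpected token {t[0]!r}")
    return sorted(o["uid"] for o in objects if evaluate(tree, o))

# Constructed sample objects; the usertype values are assumed, not the portal's own.
OBJECTS = [{"uid": "alice", "department": "AG I", "usertype": "normal"},
           {"uid": "bob", "department": "AG O", "usertype": "normal"},
           {"uid": "carol", "department": "AG O", "usertype": "list"}]  # a distribution list
WRONG = "$department -eq 'AG I' -and $usertype -eq 'normal' -or $department -eq 'AG O'"
CORRECT = "($department -eq 'AG I' -or $department -eq 'AG O') -and $usertype -eq 'normal'"
```

''members(WRONG, OBJECTS)'' returns alice, bob and carol (the distribution list in 'AG O'), while ''members(CORRECT, OBJECTS)'' returns only alice and bob; malformed filters raise ''ValueError'' instead of silently matching nothing.
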
== Group Member Scope ==
Defines the scope in which members are searched for. The default scope is institute. If no scope is specified, only the maximum scope of your administration area applies, which is in general the organizational scope.

== Additional Members ==
List of members/

== Excluded Members ==
List of members/

== Error during member calculation ==
The background process calculating the group members indicates errors by setting a value in an attribute called //Group Calculation error//. If a value is set, it **prevents** new calculations from running. Setting the value manually prevents further calculations as well.
The value of //Group Calculation error// must be removed to resume the calculation.
The text it contains gives details of the problem, for example:
  * The calculated member count (352) exceeds the defined member limit (80)
  * The calculated member count changed from exceeding the threshold (100) to 0; implies filter error

Sometimes a syntactically correct, but logically invalid search filter is entered. To mitigate the negative effects of dropping from **n** members to **0**, a further check is implemented:

=== Invitation ===
For groups an invitation link can be created. You can distribute this link (e.g. by email) and thus easily enable others to become members.

=== Limits ===
You can configure an upper limit on how many accounts may be members of a group. This can be useful if the group is used for license assignments.

The limit also applies to dynamic groups. If a new member calculation would add more members than the upper limit, the run is cancelled and //Group Calculation error// is set accordingly.

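The two guards described here and under "Error during member calculation", modelled as an added example (not GWDG's code): a run is cancelled when the new count exceeds the group's limit or collapses from above the threshold to 0, the reason is stored in //Group Calculation error//, and any value there blocks further runs until it is removed by hand. The dictionary layout of a group and the function names are assumptions; the threshold value 100 is the one quoted on this page.

```python
# Added example, not GWDG's code: the member-calculation guard described on this
# page. The attribute name and the threshold value (100) come from the page; the
# dictionary layout of a group and the function names are assumptions.
ERROR_ATTR = "Group Calculation error"
THRESHOLD = 100

def run_calculation(group, new_members, threshold=THRESHOLD):
    """Apply a freshly calculated member set; return True if it was applied.

    A cancelled run stores its reason in the error attribute, and any value
    there (also one set by hand) blocks later runs until it is removed.
    """
    if group.get(ERROR_ATTR):
        return False  # sticky error not yet cleared by an operator
    count, previous = len(new_members), len(group.get("members", []))
    limit = group.get("member_limit")
    if limit is not None and count > limit:
        group[ERROR_ATTR] = (f"The calculated member count ({count}) exceeds "
                             f"the defined member limit ({limit})")
        return False
    if previous > threshold and count == 0:  # n -> 0 usually means a broken filter
        group[ERROR_ATTR] = (f"The calculated member count changed from exceeding "
                             f"the threshold ({threshold}) to 0; implies filter error")
        return False
    group["members"] = sorted(new_members)
    return True

def clear_error(group):
    """The manual step from the page: remove the value to resume calculations."""
    group.pop(ERROR_ATTR, None)

def demo():
    """Constructed scenario: a licence group capped at 80 that holds 120 members."""
    group = {"members": [f"user{i}" for i in range(120)], "member_limit": 80}
    too_many = run_calculation(group, [f"user{i}" for i in range(352)])  # cancelled
    blocked = run_calculation(group, ["user1"])  # sticky error, run does not start
    clear_error(group)
    collapsed = run_calculation(group, [])  # 120 -> 0 trips the threshold check
    return too_many, blocked, collapsed, group[ERROR_ATTR]
```
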
===== Approval process =====
You may only be able to create certain new object types through the //approval process// ((This depends on your institution and may not be available at all)). A request for a new account/

===== Shared mailboxes =====
TODO

===== Resource mailboxes =====
TODO

===== Application Credentials =====
The Application Credentials page allows you to create credentials for your account that work for a certain service only. You can think of them as sub-accounts of your account.

You can find the Application Credentials via the profile menu.

Select the service you want to add credentials for, for example the //IdM API//. After creating a new Application Credential, you will be able to use it with the specified service only, and you can deactivate or delete the Application Credential at any time.


See: https://

===== API =====
See: https://