Adding users

Overview

Right after installation, the only user that exists in the system is the first and main central administrator or admin user. The admin user has unrestricted access to all data available in both the Portal and the Finder. Moreover, the admin user is able to create and modify all kinds of content in the system, including dashboards, investigations, categories, alerts and user accounts.

Incidentally, you may want to give other people the chance to log in to the system and use it without necessarily having all the capabilities of the admin user. The admin user can thus create accounts for other users, restrict their views on the data and limit their ability to alter content. In this section, learn how to add users to the system and control their access to the data recorded.

Prerequisites

Before defining new profiles and users, ensure that you have installed a license for the product. Otherwise, some configuration pages will not show up.

Account update considerations

Beware that changes to accounts and their permissions may not take immediate effect for logged-in users.

Users logged in to the Finder or to the Portal keep the permissions that they had before the change for the lifetime of their session. For users of the Web API (NXQL), the old permissions remain in force for up to five minutes after the change, until the Engine synchronizes account information with the Portal.

Defining user roles

The roles attributed to a user determine the responsibilities of the user. Depending on their responsibilities, users carry out different tasks to achieve their goals. Roles let you group the items that enable users to execute their assigned tasks. When assigning roles, specify the modules that a user or group of users can see in the Portal, the investigations that they are able to run in the Finder, and the alerts of which they must be aware.

To incorporate items into a role, first create those items either in the Finder or in the Portal. It is not essential to have all the items ready before defining a role. You can start by creating the role with a few items and later edit the role to add the missing items.

To define a new role:

  1. Log in to the Portal as administrator.

  2. Click the ADMINISTRATION drop-down menu at the top of the window.

  3. Select the option Roles to open the dashboard for editing roles.

  4. Click the plus sign at the top right hand side of the dashboard to open the wizard for adding a new role.

Step 1: Adding modules

  1. Type in the name of the new role in the Name field.

  2. Optional: Click Add module to add an existing module of the Portal to the role. A dialog to choose the module pops up.

    1. Select a module from the list labeled Module.

    2. Click Add. The dialog closes and the selected module is added to the Modules list of the role.

  3. Repeat the previous step to add as many modules as the role needs.

  4. Click Next to go on with the next step of the wizard.

Step 2: Adding service-based alerts

  1. Optional: Click Add alert to include service-based alerts to the role. A dialog to specify the alerts pops up.

    1. Select a service-based alert from the list labeled Alert.

    2. Optional: Click yes in the Mandatory section to force the subscription to the alert of all users with the current role. By default, the alert is not mandatory.

    3. Click Ok.

  2. Repeat the previous step to add as many alerts as the role needs.

  3. Click Next.

Step 3: Adding investigations

  1. Optional: Click Add investigation to share existing investigations with all users who have the current role assigned. A dialog to specify the investigation pops up.

    1. Export an investigation or a folder of investigations from the Finder to the clipboard.

    2. Paste the contents of the clipboard on the dialog of the wizard.

    3. Click Add. The dialog to paste the investigation closes and the investigation is added to the Investigations list of the role.

  2. Repeat the previous step to add as many investigations as the role needs.

Step 4: Adding one-click investigations

  1. Optional: Export a pack with all the one-click investigations that you want to add to the role from the Finder.

    1. Paste the pack of one-click investigations on the dialog of the wizard.

  2. Click Next.

Step 5: Adding investigation-based alerts

  1. Optional: Click Add alert to include investigation-based (Finder) alerts to the role. A dialog to specify the alert pops up.

    1. Export an alert or a folder of alerts from the Finder to the clipboard.

    2. Paste the contents of the clipboard on the dialog of the wizard.

    3. Click Add. The dialog to paste the alert closes and the alert is added to the Alerts list of the role.

      • The syslog notification mechanism of global alerts is local to the Engine where the global alert was created and, therefore, not propagated to other Engines via roles. If you add a global alert with syslog notification enabled to a role, only the email notification mechanism is propagated to the users with that role.

  2. Repeat the previous step to add as many alerts as the role needs.

  3. Click Next.

Step 6: Adding remote actions

This step is available only if you have purchased a Nexthink Act license. Moreover, only the main admin or users with the right to edit remote actions in their profile can assign role-based remote actions to other users.

  1. Optional: Click Add remote action to assign a remote action to the current role. A dialog shows up.

    1. Select a remote action from the drop-down list. Only remote actions which can be triggered manually are available in the list.

    2. Click Ok to add the remote action.

  2. Repeat the previous step to add as many remote actions as the role requires.

  3. Click Finish to end the wizard. The new role is added to the list of the Roles dashboard.

Defining user profiles

The profile of a user defines the type of user, the access rights of the user to the different domains of a hierarchy (both as a viewer and as administrator, if applicable) and to the functions of the Finder. Moreover, you can associate one or multiple roles to a profile. Thus, users are able to play any of the roles associated to their profile, along with any other possible role that you may additionally assign to them.

Profile types

There are two main types of profiles:

User

This profile is intended for users that only have the right to view the information; both in the Portal and, optionally, in the Finder. They are able to see only the data that belongs to their view domain (a subset of the available hierarchies), possibly limited by privacy settings as well. Optionally, users can create and publish Portal modules (dashboards).

Central administrator

Users with a Central administrator profile can practically do all that the main admin user does. The difference is that, while the main admin has complete visibility over all the information available, the information that central administrators can see is limited by their privacy settings. Central administrators have the rights to create and manage Portal content, create other user accounts, access all hierarchies, create and modify profiles and hierarchies, control the connections of the Portal to the Engines, and manage the product license.

In general, an administrator is either the main admin user or a user with the central administrator profile.

See here the complete matrix of access rights and permissions.

To create a new profile:

  1. Log in to the Portal as administrator.

  2. Click the ADMINISTRATION drop-down menu at the top of the window.

  3. Select the option Profiles to open the dashboard for editing profiles.

  4. Click the plus sign at the top right hand side of the dashboard to add a new profile. The wizard to add a new profile opens.

Step 1: Choosing the type of account

  1. Type in a name for the new profile in the field labeled Profile name.

  2. Select one of the three types of accounts from the choice Account type.

    • Select User if the profile is intended for users without administrative tasks.

      • Optional: Uncheck the box Allow creation of personal dashboards to prevent users with the current profile from creating their own modules and dashboards. By default, the box is checked, allowing the users to create Portal content.

      • Optional: Check the box Allow publication of dashboards to enable users with the current profile to publish their own modules and dashboards, so that others can use them.

    • Select Central administrator to create users that can administer the whole system in the same way as the main admin user, except for the fact that you can restrict what they see in their data privacy settings.

  3. In the section Available metrics, choose the group of metrics that users with the current profile may use to build their own dashboards and see in dashboards created by others:

    • Select All metrics for the user to be able to see and use any of the metrics in the system. This option is mandatory if the user must be able to edit metrics (see step 3).

    • Select Only metrics in roles for the user to be able to see and use only those metrics which are part of their roles; that is, metrics embedded in the modules added to their roles. This is the only option available if the user has no right to create dashboards.

  4. Click Next to go on with the next step of the wizard.

Step 2: Set privacy settings, roles and view domain

  1. Select the Data privacy settings for the profile:

    • anonymous users, devices, destinations and domains: user accounts with this profile cannot see the names of users, devices, destinations, or domains.

    • anonymous users and devices: user accounts with this profile can see neither the names of users nor of devices.

    • anonymous users: user accounts with this profile cannot see the names of users.

    • none (full access): user accounts with this profile have full access to the collected data.

  2. Select the roles of the profile by clicking their name in the Role(s) list. Use the Ctrl key to select several roles at the same time. The investigations, alerts, modules, etc. attributed to the selected roles are inherited by the profile.

  3. Specify the view domain of the profile for each defined hierarchy. Users with the current profile can only view the objects grouped in the specified domain:

    1. In the from field, select the highest level in the hierarchy that belongs to the view domain.

    2. In the Node field, either:

      • Choose the top node of the view domain from the available nodes of the level. This node and all the nodes below it belong to the view domain, down to the level specified in the next step.

      • Leave the top node undefined by choosing --parameter-- from the list. Define the top node of the view domain individually for each user when creating their user account.

    3. In the to field, select the lowest level in the hierarchy that belongs to the view domain.

  4. Click Next.

Step 3: Set Finder access

To let users with the current profile access the Finder and its different features:

  1. Check the box Finder access.

  2. Select the time zone of the user.

  3. Optional: Check the box Allow editing of application and object tags to let users with the current profile manually modify the tags of objects in the Finder.

  4. Optional: Check the box Allow system configuration to let users with the current profile edit categories, services, metrics, scores, and global alerts, as well as import and export content, or manually synchronize users and devices with Active Directory. You can only select this option if you gave full access to the profile in the privacy settings of the previous step.

  5. Optional: Check the box Allow editing of remote actions to let users with the current profile add and modify Nexthink Act scripts. In addition to a Nexthink Act license, this option requires the profile to have full access to data in the privacy settings and an unrestricted view domain in at least one of the defined hierarchies.

  6. Optional: Check the box Allow API of remote actions to let users with the current profile execute remote actions programmatically through the Nexthink Act API. In addition to a Nexthink Act license, this option requires the profile to have full access to data in the privacy settings and an unrestricted view domain in at least one of the defined hierarchies.

  7. Optional: Check the box Allow editing of campaigns to let users with the current profile create, modify, and publish campaigns, as well as trigger manually targeted campaigns, to get end-user feedback. This option requires the profile to have full access to data in the privacy settings and an unrestricted view domain in at least one of the defined hierarchies.

  8. Optional: Check the box Allow management of Collectors to let users with the current profile follow and control the deployment of the Collector from the Finder. Again, you can only select this option if you gave full access to the profile in the privacy settings of the previous step.

  9. Set the visibility level of Web & Cloud information for the users with the current profile to either restricted or full in the list under Web & Cloud visibility.

  10. Optional: Check the box Access campaigns trigger API to let users with the current profile send campaigns programmatically through the Nexthink Engage API. In addition to a Nexthink Engage license, this option requires the profile to have full access to data in the privacy settings and an unrestricted view domain in at least one of the defined hierarchies.

  11. Click Finish to end the creation of the profile. The profile is added to the list of profiles in the dashboard.

Creating a user

After defining roles and profiles for users, create the user accounts that make use of them. To create user accounts in the Portal, either:

  • Create individual user accounts manually.

  • Provision user accounts from Active Directory (recommended).

Find below how to manually create a new user account. To learn how to provision user accounts to Nexthink from existing user accounts in Active Directory, see the article on provisioning user accounts from Active Directory.

Nexthink supports both internal and external management of credentials to authenticate users:

  • Internally managed

    • Password based: Portal stores the credentials

  • Externally managed

    • SSO

    • Password based

Because the Finder connects to the Portal, it is the Portal that holds the responsibility of authenticating users. The Portal decides whether to authenticate a user by either internal or external means based on the provided login name for that particular user:

  • If the login name includes a @ character, the Portal assumes external authentication of the user. The exact external method is determined by the configuration of the Portal.

  • Otherwise, the Portal authenticates the user with the internally stored credentials.

Because the login name of the users provisioned from Active Directory is in the UPN format (username@domain), the provisioned users are all authenticated with the help of external mechanisms such as Active Directory or SAML.

To create an individual user account:

  1. Log in to the Portal as administrator.

  2. Click the ADMINISTRATION drop-down menu at the top of the window.

  3. Under ACCOUNT MANAGEMENT, select the option Accounts to open the dashboard for editing accounts.

  4. Click the plus sign in the top right corner of the dashboard. The wizard to create a new user account shows up.

Step 1: Setting personal data and profile

  1. Type in the name of the user:

    • To use internal authentication, type in the desired account (login) name of the user in the field Username.

    • To externally authenticate users, type in the name of the user in a format that includes the @ character in the field Username:

      • In the case of Active Directory or Windows authentication, type in the sAMAccountName of the user followed by the @ character and the DNS domain name (e.g. jwick@example.com). Note that this field is case sensitive. Therefore, the name of the Nexthink account must exactly match the sAMAccountName name in Active Directory.

      • In the case of SAML authentication, type in the Name ID of the user, as returned by the Identity Provider.

  2. Type in the complete name of the user in the field Full name.

  3. Configure the email address for sending notifications to the user in the field Email address.

  4. Depending on the authentication method applied to the user, enter a password for the user or not:

    • If the user is internally authenticated, type in a password for the user in the field Password and retype it in Password confirmation.

      • The default minimum password length for an internally managed account is 8 characters (configurable).

    • If the user is externally authenticated, enter no password. The Password field becomes uneditable and displays the message Managed externally as soon as the Username includes an @ character.

  5. Select the profile of the user from the list Profile. The user gets all the permissions, default content and roles associated to the profile.

    • If the selected profile does not define a particular top node for the view domains of the users with that profile (because the domain is parameterized), select now the top nodes of those domains individually for the current user.

  6. Optional: tick the check box Never automatically sign out this account from Portal when active if you want to override the session timeout control configured in the Portal and never log out the user from the Portal while active. Note that having a live view on a service keeps a user active even without actual user interaction.

  7. Click Next.
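
The @ rule for choosing internal or external authentication and the case-sensitive match on the sAMAccountName, shown as an added example that is not Nexthink code. It audits a list of Portal login names against Active Directory accounts; the function names, the input format and all account names are assumptions constructed for illustration.

```python
# Added example; every account name below is constructed sample data.

def auth_mode(username):
    """Portal rule: any '@' in the login name selects external authentication."""
    return "external" if "@" in username else "internal"

def audit_accounts(portal_usernames, ad_accounts):
    """Map each Portal login name to (mode, status, detail).

    ad_accounts holds (sAMAccountName, DNS domain name) pairs, for example
    taken from a directory export (the pair format is an assumption).
    """
    expected = {f"{sam}@{domain}" for sam, domain in ad_accounts}
    by_folded = {name.casefold(): name for name in expected}
    report = {}
    for username in portal_usernames:
        if auth_mode(username) == "internal":
            # No '@': the Portal stores and checks this password itself.
            report[username] = ("internal", "portal-credentials", None)
        elif username in expected:
            report[username] = ("external", "exact-match", username)
        elif username.casefold() in by_folded:
            # Same letters, different case: the Username field is case
            # sensitive, so this name does not match the AD account.
            report[username] = ("external", "case-mismatch",
                                by_folded[username.casefold()])
        else:
            # Could be a SAML Name ID or an account with no AD counterpart.
            report[username] = ("external", "no-ad-match", None)
    return report

AD_ACCOUNTS = [("jwick", "example.com"), ("MRossi", "example.com")]
PORTAL_USERNAMES = [
    "admin",                 # internal
    "jwick@example.com",     # matches AD exactly
    "mrossi@example.com",    # differs from AD only by case
    "ops@night",             # meant as a local name, but '@' makes it external
]

if __name__ == "__main__":
    for name, result in audit_accounts(PORTAL_USERNAMES, AD_ACCOUNTS).items():
        print(f"{name:22} {result}")
```

Accounts reported as case-mismatch or no-ad-match are the ones to review before users attempt to log in.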

Step 2: Setting additional roles

  1. Optional: If you want the user account to inherit content from one or more roles that do not belong to its assigned profile, select the desired roles from the list Additional roles. Use the Ctrl key to select more than one. Note that the list of Additional roles does not display roles that already belong to the profile of the user account.

  2. Click Ok to end the creation of the user account. The account is added to the list of accounts in the dashboard.

