Users and groups

Users belong to groups. Roles are associated with groups. Predefined groups can be used, or new ones can be created by adding or removing different roles.
For example, for a user to be able to register a compound, they need to have the AUTOREGISTER or the ADVANCED_AUTOREGISTER role. Predefined groups associated with this role are the USER and the REGISTRAR groups. For more information on roles visit this page.

Newer Compound Registration versions

The following section describes the new features since version 19.13.0-1907171250.

Users

Create User

New local users can be created on this page. Username, password and confirm password are mandatory fields. User details like e-mail address, first and last name, full name and the group where the user belongs can also be set.

Figure: Create user

Creating a local user with the same name as a deleted one is not allowed.

Edit User

This page can be reached by clicking on the row of a user in the list of users.

Figure: Edit user

Editing a local user

In case of local users the first and last name, full name, e-mail address, password and the group where the user belongs can be set here. Local users can be deactivated here with the help of the Deactivate user button.

Editing a remote user

In case of remote users (AD/LDAP/SAML) the e-mail address, first name, last name, full name, and remote groups will be synchronized with Compound Registration if it is configured (Authentication); therefore these properties are not editable for a remote user. The only thing that can be managed in Compound Registration for a remote user is their local groups.

If you want to change the details of a remote user, you have to do it in the remote authentication provider (e.g. AD/LDAP).

Deactivate/Activate User

Only local users can be deactivated/activated on the Compound Registration UI. Select the local user you want to deactivate/activate and click on the Deactivate user / Activate user button. Remote users will be deactivated/activated automatically in Compound Registration after synchronization if they are deactivated/activated in the authentication provider.

Figure: Deactivate user

A deactivated user's details cannot be modified, and submissions cannot be assigned to this user.

Synchronize Users

If you log in with a new remote user or you click on the Synchronize button, these remote users will be listed on the Users page and their details will be synchronized with Compound Registration.
Synchronize button: On the Users page and Groups page there is a button for remote users and groups (AD/LDAP/SAML) synchronization.

Figure: Synchronize button

After clicking on this button a pop-up window appears with 3 columns: New, Updated and Deleted.

Figure: Pop-up window after synchronization

New: Newly created remote users are counted here. After clicking on the Synchronize button again these will be counted as updated users.

Updated: Remote users that still exist are counted here. Synchronization also updates the details of the remote users.

Deleted: Deleted users are counted here.

After clicking on 'show more' a detailed list can be seen.

Figure: Detailed list of synchronized users

All of the remote users are listed here with their username, source (e.g. LDAP) and status (new/updated/deleted).
After the synchronization, the remote users will appear on the Users page.

Conflicting Usernames

Compound Registration does not allow duplicate usernames. You can end up having conflicting usernames if you have a local user with a certain username and a remote user is synchronized with the same username. In this case the system introduces a few preventive measures:

  • Conflicting users will be forbidden to log in

  • Submissions cannot be assigned to conflicting users

  • Compounds containing a conflicting submitter cannot be registered - they will end up in the Staging area

Conflicted usernames are marked in the list of users on the Users page. An exclamation mark can be seen next to these usernames and a 'Conflicted usernames are detected' banner can be seen above the list with a button for Solve conflicts.

Figure: Conflicting usernames

After clicking on this Solve conflicts button a list appears with the conflicted username pairs.

Figure: Resolve user conflicts page

To solve the conflict there are 3 options:

  • Merge a conflicting user pair using the resolver page above. During a merge operation, the remote user remains and inherits the local user's activity. Note that the system can merge users only if the remote user has no activity yet. Activity means, for example, that a compound is assigned to that user or that the user made any changes on a compound. When a local and a remote user are merged, the 'new' user will get the groups from both users.

  • Rename the local user to have a different user name. For this find a small edit icon on the right-hand side in the Actions column.

  • Deactivate the local user of the conflicting pair. For this find a small deactivate icon on the right-hand side in the Actions column.

From version 19.20.0-1910071220, SSO user conflicts are resolved during login. The local and remote users are merged automatically; in the list of users, the remote source (SAML) is visible. If there is a remote group with the same name as a local group, after login the remote group will automatically have the same roles as the local group.

Resolve Administrator lock-out

It can happen that a local user with administrator privileges is locked out because a remote user with the same username is synchronized. In this case, the administrator user cannot resolve conflicts on the pages above, because they cannot log in.

In such cases, you have to create a new administrator user by using the Command Line Tools. With the newly created administrator user you can log in and resolve the conflicts:

Create a new admin user
# The following command creates a "new_admin" user and assigns it to the SUPER group, which is the default group with administrator privileges.
$ create-user -name new_admin -password <yourpassword> -group SUPER
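
The conflict and lock-out rules above can be checked before a synchronization is run. The following is an added example, not Compound Registration code: it models those rules over constructed user lists, including the rule that a merged user gets the groups of both accounts. The `User` fields, the `audit` function and exact-match username comparison are assumptions.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "SUPER"  # default administrator group named on this page


@dataclass
class User:  # hypothetical record, not the product's schema
    username: str
    source: str                     # "LOCAL", "LDAP", "SAMLSSO", ...
    groups: set = field(default_factory=set)
    has_activity: bool = False      # e.g. a compound assigned to or changed by the user
    active: bool = True


def audit(local_users, remote_users):
    """Return (findings, all_local_admins_conflicted) for a planned synchronization."""
    remote_by_name = {u.username: u for u in remote_users}  # exact match assumed
    findings = []
    for local in local_users:
        remote = remote_by_name.get(local.username)
        if remote is None or not local.active:
            continue  # no clash, or the local side is already deactivated
        can_merge = not remote.has_activity  # merge only if the remote user has no activity
        findings.append({
            "username": local.username,
            "can_merge": can_merge,
            "merged_groups": sorted(local.groups | remote.groups) if can_merge else None,
            "options": (["merge"] if can_merge else []) + ["rename_local", "deactivate_local"],
        })
    conflicted = {f["username"] for f in findings}
    admins = [u for u in local_users if u.active and ADMIN_GROUP in u.groups]
    # Conflicting users cannot log in; if this holds, only the CLI can restore access.
    locked_out = bool(admins) and all(a.username in conflicted for a in admins)
    return findings, locked_out


# Constructed sample data
LOCAL = [
    User("admin", "LOCAL", {"SUPER"}, has_activity=True),
    User("jsmith", "LOCAL", {"REGISTRAR"}, has_activity=True),
    User("kbrown", "LOCAL", {"USER"}),
]
REMOTE = [
    User("admin", "LDAP", {"it-ops"}),
    User("jsmith", "LDAP", {"chemists"}, has_activity=True),
    User("mlee", "LDAP", {"chemists"}),
]

if __name__ == "__main__":
    print(audit(LOCAL, REMOTE))
```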

Granting administrator privileges for SAML users

When Compound Registration is configured to use SAML, local administrator users cannot log in, because the login page of Compound Registration will be omitted in favor of the SSO login screen. In this case, you have to grant administrator privileges to one of your SAML users. During login, user data and their groups are synchronized to Compound Registration. One of the solutions is to give administrator roles to one of the synchronized SAML groups:

Grant administrator roles to a SAML group
# Add the "ALL" role to a SAML group named <your_SAML_group>
$ update-group -group <your_SAML_group> -source SAMLSSO -role ALL

Groups

Create group

Figure: Create group

New local groups can be created here. Group name is a mandatory field. Users in this group and the Roles associated with this group can be set here.

Edit group

This page can be reached by clicking on the row of a group in the list of groups.

Figure: Edit group

In the case of local groups, the Users in this group and Roles associated with this group can be set here. Local groups can be deleted here with the help of Delete group button.

In the case of remote groups (AD/LDAP/SAML), the users belonging to the group are synchronized automatically from the identity provider.

Roles associated with this group can be added here.

More details can be found here: Groups and roles

Delete group

Only local groups can be deleted. Select the local group you want to delete and click on the [Delete group] button.

Figure: Delete group

Synchronize groups

If you log in with a new remote user or you click on the Synchronize button, these remote users' groups will be listed on the Groups page and their details will be synchronized with Compound Registration.
Synchronize button: On the Users page and Groups page there is a button for remote users and groups (AD/LDAP/SAML) synchronization.

Figure: Pop-up window after synchronization

New: Newly created remote groups are counted here. After clicking on the Synchronize button again these will be counted as updated groups.

Updated: Remote groups that still exist are counted here. Synchronization also updates the details of the remote groups.

Deleted: Deleted groups are counted here.

After clicking on 'show more' a detailed list can be seen.

Figure: Detailed list of synchronized groups

All of the remote groups are listed here with their group name, source (e.g. LDAP) and status (new/updated/deleted).

After the synchronization, the remote groups will appear on the Groups page.

Synchronized remote group details can be seen on the first screenshot below, but after the synchronization, an administrator or someone with the USER_ADMINISTRATOR role will have to set up the required roles for these groups on the Groups page.

Figure: Synchronized remote group

Click Add new, select the roles from the drop-down list, then update the group. After that, other users in the same group will have the same roles automatically.

Figure: Adding new roles to remote group after synchronization

For older Compound Registration versions

The following section describes how to set up LDAP/Active Directory before version 19.13.0-1907171250.

Two options are available if you use LDAP / Active Directory (AD):

  1. Create the user with the same username in the Compound Registration system as it is in LDAP/AD, and associate it with the proper group in Compound Registration.

    1. the user must exist in both LDAP/AD and Compound Registration

    2. within Compound Registration the user must be associated with a group that is associated with the role AUTOREGISTER

  2. Store a group in LDAP/AD with the same name as a group in Compound Registration that has the given role associated with it.

    1. the group must exist in both LDAP/AD and Compound Registration

    2. the user within LDAP must be associated with the group

    3. in CompReg the role AUTOREGISTER must be associated with the group

For both of these options, you need to be an administrator and have the USER_ADMINISTRATOR role to be able to set it up in Compound Registration.