Users and groups

    Users belong to groups. Roles are associated with groups. Predefined groups can be used or new ones can be created by adding or removing different roles.

    For example, to be able to register a compound, a user needs to have the AUTOREGISTER or the ADVANCED_AUTOREGISTER role. Predefined groups associated with this role are the USER and the REGISTRAR groups. For more information on roles visit this page.

    The following section describes how to set up LDAP/Active Directory since version 19.13.0

    Users

    Create User

    New local users can be created on this page. Username, password and confirm password are mandatory fields. User details like e-mail address, first and last name, full name and the group where the user belongs can also be set.

    Figure: Create user

    Creation of a local user with the same name as a deleted one is not allowed.

    Edit User

    This page can be reached by clicking on the row of a user in the list of users.

    Figure: Edit user

    Editing a local user

    In case of local users the first and last name, full name, e-mail address, password and the group where the user belongs can be set here. Local users can be deactivated here with the help of the Deactivate user button.

    Editing a remote user

    In case of remote users (AD/LDAP/SAML) the e-mail address, first name, last name, full name, and remote groups will be synchronized with Compound Registration if it is configured (Authentication), therefore these properties are not editable for a remote user. The only change allowed for a remote user is managing the user's local groups.

    If you want to change the details of a remote user, you have to do it in the remote authentication provider (e.g. AD/LDAP).

    Deactivate/Activate User

    Only local users can be deactivated/activated on the Compound Registration UI. Select the local user you want to deactivate/activate and click on the Deactivate user / Activate user button. Remote users will be deactivated/activated automatically in Compound Registration after synchronization if they are deactivated/activated in the authentication provider.

    Figure: Deactivate user

    A deactivated user's details cannot be modified and submissions cannot be assigned to this user.

    Synchronize Users

    If you log in with a new remote user or you click on the Synchronize button, these remote users will be listed on the Users page and their details will be synchronized with Compound Registration.

    Synchronize button: On the Users page and Groups page there is a button for remote users and groups (AD/LDAP/SAML) synchronization.

    Figure: Synchronize button

    After clicking on this button a pop-up window appears with 3 columns: New, Updated and Deleted.

    Figure: Pop-up window after synchronization

    New: Newly created remote Users are counted here. After clicking on the Synchronize button again these will be counted as updated users.

    Updated: Remote users that still exist are counted here. Synchronization also updates the details of the remote users.

    Deleted: Deleted users are counted here.

    After clicking on 'show more' a detailed list can be seen.

    Figure: Detailed list of synchronized users

    All of the remote users are listed here with their username, source (e.g. LDAP) and status (new/updated/deleted).

    After the synchronization, the remote users will appear on the Users page.

    Conflicting Usernames

    Compound Registration does not allow duplicate usernames. You can end up having conflicting usernames if you have a local user with a certain username and a remote user is synchronized with the same username. In this case the system introduces a few preventive measures:

    • Conflicting users will be forbidden to log in

    • Submissions cannot be assigned to conflicting users

    • Compounds containing a conflicting submitter cannot be registered; they will end up in the Staging area

    Conflicted usernames are marked in the list of users on the Users page. An exclamation mark can be seen next to these usernames and a 'Conflicted usernames are detected' banner can be seen above the list with a button for Solve conflicts.

    Figure: Conflicting usernames

    After clicking on the Solve conflicts button a list appears with the conflicted username pairs.

    Figure: Resolve user conflicts page

    To solve the conflict there are 3 options:

    • Merge a conflicting user pair using the resolver page above. During a merge operation, the remote user remains and inherits the local user's activity. Note that the system can merge users only if the remote user has no activity yet. Activity means, for example, that a compound is assigned to that user or that the user has made changes to a compound. When a local and a remote user are merged, the 'new' user will get the groups from both users.

    • Rename the local user to have a different user name. For this find a small edit icon on the right-hand side in the Actions column.

    • Deactivate the local user of the conflicting pair. For this find a small deactivate icon on the right-hand side in the Actions column.

    From version 19.20.0 SSO user conflicts are resolved during login. The local and remote users are merged automatically, and the remote source (SAML) is visible in the list of users. If there is a remote group with the same name as a local group, after login the remote group will automatically have the same roles as the local group.

    Resolve Administrator lock-out

    It can happen that a local user with administrator privileges is locked out because a remote user with the same username is synchronized. In this case, the administrator user cannot resolve conflicts on the pages above, because he/she cannot log in.

    In such cases, you have to create a new administrator user by using the Command Line Tools. With the newly created administrator user you can log in and resolve the conflicts.

    Create a new admin user

    # The following command creates a "new_admin" user and assigns it to the SUPER group, which is the default group with administrator privileges.
    # The password is given as a command-line argument, so it can end up in the shell history.
    $ create-user -name new_admin -password <yourpassword> -group SUPER
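
    The conflict rules and the administrator lock-out described above can be checked before a synchronization. The following is an added example, not part of the product or its Command Line Tools: the `Account` structure, the sample user lists and the exact-match username comparison are assumptions made for illustration.

```python
from dataclasses import dataclass

ADMIN_GROUP = "SUPER"  # default administrator group named on this page

@dataclass(frozen=True)
class Account:
    username: str
    groups: frozenset
    has_activity: bool = False  # e.g. a compound is assigned to the user

# Constructed sample data; a real audit would load exports of both user lists.
LOCAL = [
    Account("admin", frozenset({"SUPER"}), True),
    Account("jdoe", frozenset({"USER"}), True),
    Account("lab_tech", frozenset({"REGISTRAR"})),
]
REMOTE = [
    Account("admin", frozenset({"it-ops"})),
    Account("jdoe", frozenset({"chemists"}), True),
    Account("asmith", frozenset({"chemists"})),
]

def audit_conflicts(local, remote):
    """Return one finding per username that exists both locally and remotely."""
    # Assumption: usernames conflict on exact match (case handling is not documented here).
    remote_by_name = {r.username: r for r in remote}
    findings = []
    for loc in local:
        rem = remote_by_name.get(loc.username)
        if rem is None:
            continue
        # Page rule: a merge is possible only while the remote user has no activity.
        can_merge = not rem.has_activity
        findings.append({
            "username": loc.username,
            # A conflicting local member of SUPER can no longer log in to fix it.
            "admin_lockout": ADMIN_GROUP in loc.groups,
            "options": (["merge"] if can_merge else [])
                       + ["rename_local", "deactivate_local"],
            # Page rule: the merged user gets the groups of both users.
            "merged_groups": sorted(loc.groups | rem.groups) if can_merge else None,
        })
    # Lock-out risks first, since they block conflict resolution in the UI.
    return sorted(findings, key=lambda f: (not f["admin_lockout"], f["username"]))

if __name__ == "__main__":
    for finding in audit_conflicts(LOCAL, REMOTE):
        print(finding)
```

    In the sample data, merging the "admin" pair would leave the remote "admin" user in the SUPER group, so the merged group list is worth reviewing before choosing that option.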

    Granting administrator privileges for SAML users

    When Compound Registration is configured to use SAML, local administrator users cannot log in, because the login page of Compound Registration will be omitted in favor of the SSO login screen. In this case, you have to grant administrator privileges to one of your SAML users. During login, user data and their groups are synchronized to Compound Registration. One of the solutions is to give administrator roles to one of the synchronized SAML groups.

    Create a new admin user

    # Add the "ALL" role to a SAML group named <your_SAML_group>
    # Roles are attached to groups, so every user in this SAML group receives the role.
    $ update-group -group <your_SAML_group> -source SAMLSSO -role ALL

    Groups

    Create group

    Figure: Create group

    New local groups can be created here. Group name is a mandatory field. Users in this group and the Roles associated with this group can be set here.

    Edit group

    This page can be reached by clicking on the row of a group in the list of groups.

    Figure: Edit group

    Since version 20.19.0, group IDs are also listed next to the group names. Groups can be filtered by name, ID and role.

    Figure: Listing groups with their IDs

    In the case of local groups, the Users in this group and Roles associated with this group can be set here. Local groups can be deleted here with the help of Delete group button.

    In the case of remote groups (AD/LDAP/SAML), the users belonging to the group are synchronized automatically from the identity provider.

    Roles associated with this group can be added here.

    More details can be found here: Groups and roles

    Delete group

    Only local groups can be deleted. Select the local group you want to delete and click on the [Delete group] button.

    Figure: Delete group

    Synchronize groups

    If you log in with a new remote user or you click on the Synchronize button, these remote users' groups will be listed on the Groups page and their details will be synchronized with Compound Registration.

    Synchronize button: On the Users page and Groups page there is a button for remote users and groups (AD/LDAP/SAML) synchronization.

    Figure: Pop-up window after synchronization

    New: Newly created remote Groups are counted here. After clicking on the Synchronize button again these will be counted as updated groups.

    Updated: Remote groups that still exist are counted here. Synchronization also updates the details of the remote groups.

    Deleted: Deleted groups are counted here.

    After clicking on 'show more' a detailed list can be seen.

    Figure: Detailed list of synchronized groups

    All of the remote groups are listed here with their group name, source (e.g. LDAP) and status (new/updated/deleted).

    After the synchronization, the remote groups will appear on the Groups page.

    Synchronized remote group details can be seen on the first screenshot below, but after the synchronization, an administrator or someone with the USER_ADMINISTRATOR role will have to set up the required roles for these groups on the groups' page.

    Figure: Synchronized remote group

    Click Add new, select the roles from the drop-down list, then update the group. After that, other users in the same group will have the same roles automatically.

    Figure: Adding new roles to remote group after synchronization

    The following section describes how to set up LDAP/Active Directory before version 19.13.0

    Two options are available if you use LDAP / Active Directory (AD):

    1. Create the user with the same username in the Compound Registration system as it is in LDAP/AD, and associate the proper group in the Compound Registration.

      1. the user must exist in both LDAP/AD and Compound Registration

      2. within Compound Registration the user must be associated with a group associated with role AUTOREGISTER

    2. Store a group in LDAP/AD with the same name as a group in Compound Registration that has the given role associated with it.

      1. the group must exist in both the LDAP/AD and Compound Registration

      2. the user within LDAP must be associated with the group

      3. in Compound Registration the role AUTOREGISTER must be associated with the group

    For both of these options, you need to be an administrator and have the USER_ADMINISTRATOR role to be able to set it up in Compound Registration.