...
Info |
---|
Summary: this page describes how to manage roles and access permissions, i.e. how to grant/revoke existing roles to your users and groups using the Admin Center. |
Note |
---|
A user with the ADMIN or SUPER ADMIN role is required. |
Introduction
The Users panel (panel 5) enables you to manage users/groups and the roles and permissions granted to them. Click panel 3 to access the list and grant/revoke existing roles to your users and groups:
The list is displayed when panel 3 is clicked:
...
When clicked, a list of existing users/groups and their assigned roles is displayed:
Info |
---|
...
The USER role should be granted to "standard" users/groups - i.e. those that do not need to execute advanced actions in the Admin Center. All users MUST be granted a role (either directly to the user or to a group the user is a member of) before the user will be able to access Application data.
In addition, a user/group with the USER role can manage some (not all) preferences - see Configuring display preferences.
...
Access to Application data is granted on a per user/group basis. By default, users/groups (except those with the ADMIN role) have no access to any Application data, therefore before a user/group can view an Application, access must be specifically granted.
...
Group data access permissions
- Groups can be assigned access permissions in Active Directory or LDAP/S authentication mode (groups are not supported in local authentication mode). If a user is not specifically granted access to a given Application, but a group the user belongs to has been granted permission to the Application, the user will be able to access the Application data.
- If an LDAP/Active Directory group is granted the ADMIN role, all members of the group will have access to all applications, as well as to the Admin Center.
- If a user is a member of multiple groups, and if one of those groups has been granted the ADMIN role, then the user will be granted the ADMIN role (i.e. most permissive role will take priority). If none of the groups have been granted the ADMIN role, the user will be presented with the list of applications that can be accessed by all of his/her groups ONLY, and no access will be available to the Admin Center.
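The resolution rules in the three points above can be modelled as follows; this is an added example for reasoning about effective access when reviewing role assignments, not CAST Imaging code. Assumptions: the names `Grant` and `effective_access` and all sample data are hypothetical, only the USER and ADMIN roles are modelled, and the Applications available to a non-ADMIN user are read as the union of those granted to the user and to each of the user's groups.

```python
from dataclasses import dataclass, field

# Hypothetical ranking: a higher value means a more permissive role.
ROLE_RANK = {"USER": 1, "ADMIN": 2}


@dataclass
class Grant:
    roles: set = field(default_factory=set)  # roles assigned to a user or group
    apps: set = field(default_factory=set)   # Applications explicitly granted


def effective_access(user, memberships, grants, all_apps):
    """Return (role, applications, admin_center_access) for one user.

    memberships: user name -> set of directory group names
    grants:      user or group name -> Grant made in the Admin Center
    """
    principals = [user, *sorted(memberships.get(user, ()))]
    held = [grants[p] for p in principals if p in grants]
    roles = set().union(*(g.roles for g in held))
    if not roles:
        # No role, directly or through a group: no Application data at all.
        return None, set(), False
    role = max(roles, key=ROLE_RANK.__getitem__)  # most permissive role wins
    if role == "ADMIN":
        # ADMIN from any one group gives every Application plus the Admin Center.
        return role, set(all_apps), True
    # Otherwise only the Applications granted to the user or its groups.
    apps = set().union(*(g.apps for g in held)) & set(all_apps)
    return role, apps, False


# Constructed sample data (not taken from a real installation).
ALL_APPS = {"Billing", "HR", "Shop"}
MEMBERSHIPS = {"alice": {"devs", "ops"}, "bob": {"devs", "qa"}, "carol": {"qa"}}
GRANTS = {
    "devs": Grant({"USER"}, {"Shop"}),
    "ops": Grant({"ADMIN"}),
    "bob": Grant({"USER"}, {"HR"}),
}

if __name__ == "__main__":
    for name in sorted(MEMBERSHIPS):
        role, apps, admin_center = effective_access(name, MEMBERSHIPS, GRANTS, ALL_APPS)
        print(f"{name}: role={role} apps={sorted(apps)} admin_center={admin_center}")
```

Here one ADMIN group among several is enough to give "alice" every Application, which is why group membership should be reviewed before the ADMIN role is granted to a group.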
Role clean up when switching to a new authentication mode
Whenever you switch to a new authentication mode, i.e. from local to Active Directory, or vice-versa, you must run the following batch file to clean up any roles that have been assigned to users/groups in the previous authentication mode. The batch file is located here:
%PROGRAMFILES%\CAST\ImagingSystem\imagingservice\switchSecurityMode.bat
Become Admin
The BECOME ADMIN message will be displayed when CAST Imaging detects that there are no users that have been granted the ADMIN role (essential for executing actions in the Action Center). This message will normally be displayed for the first user that logs in after switching to a different authentication mode. Clicking the BECOME ADMIN button will grant the ADMIN role to the currently logged in user and then the User/Group Management table will be displayed listing any other users that have permissions or have been defined (local authentication only).
User/Group management table
The User/Group Management table lists all users/groups as follows:
- All users/groups that have been declared when Local Authentication is active (in other authentication modes, users/groups without a role/permission are never displayed)
- All users/groups that have already been granted a role/permission
In the following example, one user (with the USER role) and two groups (one with the USER role and one with the Admin role) can be seen:
...
Allows you to select the user/group and then make changes.
...
Granting permissions to users/groups
To grant a permission to a user/group, first locate the user/group in the User Management table and select it:
Access permissions
There are two sets of access permissions that can be granted via the Admin Center to a User or a Group:
...
The ability to execute actions in the Admin Center is granted via a "role" mechanism. The following roles are available:
...
The ADMIN role provides permission to execute the following actions in the Admin Center:
- Manage applications - see Admin Center - Application management panel.
- Manage users/groups (current documentation page)
- Manage preferences - see Configuring display preferences
- In addition, users and members of groups with the ADMIN role can access all Application data in CAST Imaging.
Note |
---|
You should use this role with caution! |
Assign a role or roles
Choose the role or roles you require using the drop down list (you can create new roles in the Roles panel). When assigning multiple roles, the role with the most permissive behaviour will override other roles.
LDAP/SAML authentication
Adding users/groups to the list
If an authentication mode other than "local" is active and the user/group has never been granted a permission, the user/group will not be visible in the list. Therefore, to find the user/group:
Using LDAP
You will need to search for the user/group because it will not be displayed in the table:
Using Active Directory/SAML
In these modes, the search mechanism is not available. Instead, you will need to use the Add user/group icon to add a user or group with a name identical to that of the user or group you want to grant the role or permission to:
Grant a role
Choose the role you require using the drop down list:
Click Save to apply the change:
...
Choose the Application(s) you want the user/group to be able to access using the drop down list:
You can choose Select all, or just tick those you require:
And then click Save to ensure the changes are taken into account:
...
Info |
---|
Note that when using SAML authentication, you MUST ensure that the login/user name that you add exactly matches the login/username in the SAML directory. For example if the login uses a mixture of upper and lowercase characters, ensure that these are also used in CAST Imaging. |
...
permission to
...
users/groups
To allow non-ADMIN users/groups to use the Tutorial or Cypher Search features, you will need to grant the permission on a user or group basis. Select the user/group you want to grant these permissions to (1), and then click the icon highlighted in the top right (2):
Then enable the required permissions and click Update:
The changes will be saved automatically.
Editing/deleting existing roles
...
assignments
Edit existing role assignments
If you need to edit existing roles/permissions for a user/group, you can use the dropdown list to change the role that has been assigned:
...
Info |
---|
If you "demote" a user/group from Admin to User, then the user/group will retain the same "all Application" permissions that it was granted via the Admin role. You will need to manually change the Application permissions if the user/group should no longer have access to all Applications. |
Delete
Info |
---|
This functionality is only available when local or LDAP authentication is active. |
Delete role assignments
To delete all roles/permissions that have been granted to a user or group already, use the delete icon on the selected users/groups:
You will be prompted to confirm the choice:
...