Adding and Maintaining Users and Access Rights

Before users can log on to MRI for the Web, you must add them to the system and establish their access rights.

Adding a User

To add a user to MRI, and assign their access rights, follow these steps:

Note

SaaS clients and on-premise clients using MRI Identity Provider as their identity provider (IdP) can add users strictly through Security Console.

Clients using an external IdP must create users in their IdP first, and then create the user in Security Console with the appropriate value in the Identity field.

Create User permissions are required to create a user.

 

1.         Go to Users.

2.         If you have super administrator rights for an on-premise client, enter the appropriate Client ID in the Client ID Override field in the user profile.

Note

The user list is filtered depending on your Client ID from your login.

 

3.         Click Add.

4.         In the Create New User dialog box, complete the following fields:

        Web Service User—Select to allow the user to access MRI Web Services.

Caution

For security reasons, a Web Services user cannot log on to MRI applications.

        Username—Enter a unique user logon name limited to 20 characters.

        Email—(Standard users only) Enter a valid email address for the user.

        First Name—Enter the user's first name limited to 50 characters.

        Last Name—Enter the user's last name limited to 50 characters.

        Password and Confirm Password—(Web Service users only) Enter the password for the user.

        External Identity—Enter the value that serves as this user's ID in your identity provider.

Note

The External Identity field is only visible for clients using Okta as their IdP.

If you enter a valid Okta ID, the user will be linked to that ID. MRI Software recommends that the email address entered in the Email field matches the email address used in this user's Okta profile.

If you enter an invalid Okta ID, an error message appears and the user cannot be saved.

If you leave this field blank, a new Okta ID is automatically created and associated with the new user upon saving.

If another user has the same external identity, the new user will be created as a secondary user ID for the existing user.

 

        Access Type—Select one of the following:

        Windows—This user can only access MRI for Windows.

        Web—This user can only access MRI for the Web.

        Both—This user can access both MRI for Windows and MRI for the Web.

Note

This field is only visible for standard users for SaaS clients (not web services users).

 

        User Type—Select one of the following user types to indicate the type of user for auditing purposes, such as a client, a consultant, or an MRI Software user:

        Windows—This user can only access MRI for Windows.

        APPS—Application Support

        CES—Client Experience Specialist

        CLI—Client

        GPS—Professional Services

        SAAS—SaaS

        SALES—Sales

        SVC—Service Account

        TECH—Technical Support

        TDEV—Talent Development

        TPC—Third Party Consultant

Note

This field only applies to standard users for SaaS clients (not web services users). It is visible if you are logged on as SYSADM or if your user has super administrator rights. Otherwise, the value is automatically set in the database to CLI.

 

        AD Template—Select an Active Directory template for the user.

Note

The AD Template field is only visible for SaaS clients where more than one Active Directory template exists.

 

5.         Click Save.

Note

After saving, a web services user cannot be changed back to a standard user.

 

6.         The temporary password for the user appears. Note this password, and then click Close.

Note

This password is not saved in any other location outside the dialog box. Be sure to copy it or write it down in order to provide it to the user.

If the user cannot be authenticated, an Unauthorized message displays. A user must be authenticated through MRI Identity Provider before you can add them in Security Console.

 

7.         On the User Setup tab, complete the following fields:

        Identity—Enter the user's identity based on your IdP:

        If you are using AD FS, each user’s Active Directory (AD) user name must match their MRI user name. If they are different, enter the AD user name in this field.

        If you are using Okta, enter the user’s Okta ID.

Note

This field is disabled for SaaS clients. The identity is assigned at Step 5 when the user is saved and cannot be edited later.

 

        Default Database—Select a default database to automatically open each time the user logs on.

Note

All databases that have a license association matching one of the licenses associated with this user are included in the list. Leave this field blank to force the user to choose a database upon each logon.

 

        Named User—Select to allow the user to log on regardless of the number of users already logged on.

Note

This field is only visible for standard users for SaaS clients (not web services users).

 

        Inquiry User—Select to assign the user view-only access rights.

Note

This field is only visible for standard users for SaaS clients (not web services users).

 

        Change MRI Password on Next Login—Select to force the user to change their password during the next logon.

Note

This field is only visible if users are federated through Active Directory. This field does not appear if users are federated through Okta only.

 

        SCIM Access—Select this check box to give the user access to the following endpoints in the SCIM (System for Cross-domain Identity Management) protocol: Get User, List User.

Note

This check box is only visible for web service users.

 

        SCIM Modification—Select this check box to give the user access to the following endpoints in the SCIM (System for Cross-domain Identity Management) protocol: Create User, Update User, Patch User. This option can only be selected if SCIM Access has been selected.

Note

This check box is only visible for web service users.

 

        Disabled Login—Select to prevent the user from logging on to MRI.

8.         On the User Security Assignments tab, complete the following steps:

        In the Database field, select the database in which to assign classes and roles for the user.

Note

If you only have access to one database, it is selected by default.

 

        Select any entity class, project class, and property class that apply to this user and database. A user can belong to only one of each type of class.

Note

You must have Assign Roles permissions to assign classes.

Project class security only appears if you are licensed for Project Management. Property class security only appears if you are licensed for Property Management.

 

        If this database uses site security, select the Site that applies to this user. A user can be assigned to only one site ID.

        In the User Roles section, assign any roles that apply to this user and database. A user can belong to many roles.

Note

You must have Assign Roles permissions to assign roles.

Type an entry in the filter field at the top of the list to locate a matching role.

For a web services user, this section is labeled Web Service Classes. Only web services classes are available in the list.

 

9.         On the Administrator Rights tab, select any administrator functions to which the user has access.

Note

This tab is only visible for standard users (not web services users).

 

a.       Select Can Access Security Console to grant the user view-only access to Security Console.

b.       Select Can Access Database Console to grant the user access to Database Console from the Setup menu in MRI Property Management. In addition to this permission, the user must also be assigned a role with the WEBAPPLYCABINET additional access permission, for each database for which this user should be allowed to apply cabinet files to the database. For further instructions, refer to the Specifying User Role Additional Access topic.

c.       Select any of the following User and Role Administration options that apply:

        Select All—Select to grant this user all user and role administration rights, including adding and deleting users and changing their roles.

        Create User—Select to allow this user to create other users.

        Edit User Setup—Select to allow this user to edit another user's data on the User Setup tab and unlock a locked user.

        Delete User—Select to allow this user to delete other users, if you use MRI Identity Provider as your identity provider (IdP).

        Reset Password—Select to allow this user to issue temporary passwords.

        Assign Roles—Select to allow this user to assign roles and classes to other users.

        Modify Roles—Select to allow this user to add, modify, and delete roles and classes.

d.       Select any of the following License Administrator options that apply:

        Select All—Select to grant this user all license administration rights.

        Database License Association—Do not use. This option does not drive any current functionality and is reserved for future use.

        License Maintenance—Select to allow this user to add, update, and delete licenses.

        User License Association—Select to allow this user to associate other users with a license.

e.       Select any of the following System Administration options that apply:

        Select All—Select to grant this user all system administration rights.

        Password Options—Select to assign this user access to all functions available from the Password Settings page.

        Report Access—Select to assign this user access to all reports available from the Reporting link.

        Database Maintenance—Select to allow this user to modify database security on the Database tab.

        Audit Settings—Do not use. This option does not drive any current functionality and is reserved for future use.

        System Settings—Select to allow this user access to all functions available on the Settings tab.

        Manage Sessions—Do not use. This option does not drive any current functionality and is reserved for future use.

        Super Administrator—Select to grant this user super administrator status, meaning that they have full administrator rights and may also configure other users as super administrators.

f.        Select any of the Delegate Rights options that apply. The user will be able to assign those rights to additional users.

Note

The Delegate Rights options are only available if you are logged on as SYSADM or if your user has super administrator rights.

 

Note

A user can modify the Can Access Security Console check box for another user under either of these conditions:

or

 

10.    Click Save.
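
The following access-review sketch is an added example, not part of MRI Software's documentation or product. It checks a proposed user record against the field limits and visibility rules stated in the steps above, and lists the high-privilege grants a reviewer should confirm before saving. The record layout, field names, and sample users are hypothetical.

```python
# Added example. The record layout and field names are hypothetical, not an MRI format.
RESERVED = {"Database License Association", "Audit Settings", "Manage Sessions"}

def review_user(user, existing_usernames=()):
    """Return (errors, review_flags) for one proposed user record."""
    errors, flags = [], []
    name = user.get("username", "")
    if not 1 <= len(name) <= 20:
        errors.append("username must be 1-20 characters")
    if name in existing_usernames:
        errors.append("username is not unique")
    for field in ("first_name", "last_name"):
        if len(user.get(field, "")) > 50:
            errors.append(f"{field} exceeds 50 characters")
    rights = set(user.get("admin_rights", ()))
    delegated = sorted(user.get("delegate_rights", ()))
    if user.get("web_service_user"):
        if user.get("email"):
            errors.append("Email applies to standard users only")
        if rights or delegated:
            errors.append("Administrator Rights tab applies to standard users only")
        if user.get("scim_modification") and not user.get("scim_access"):
            errors.append("SCIM Modification requires SCIM Access")
        if user.get("scim_modification"):
            flags.append("SCIM Modification: can create, update and patch users")
    elif user.get("scim_access") or user.get("scim_modification"):
        errors.append("SCIM options apply to web service users only")
    for option in sorted(rights & RESERVED):
        errors.append(f"{option} is reserved, do not use")
    if "Super Administrator" in rights:
        flags.append("Super Administrator: full rights, can configure other super administrators")
    if delegated:
        flags.append("Delegate Rights: " + ", ".join(delegated))
    return errors, flags

# Constructed sample records for illustration.
SAMPLE_USERS = [
    {"username": "jdoe", "first_name": "Jane", "last_name": "Doe",
     "email": "jdoe@example.com", "admin_rights": ["Create User", "Reset Password"]},
    {"username": "svc_scim_provisioning_01", "web_service_user": True,
     "scim_modification": True},
    {"username": "admin2", "admin_rights": ["Super Administrator", "Audit Settings"],
     "delegate_rights": ["Create User"]},
]

if __name__ == "__main__":
    for record in SAMPLE_USERS:
        errors, flags = review_user(record)
        print(record["username"], "errors:", errors, "review:", flags)
```
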

Modifying a User

Note

If you do not have Edit User Setup permissions, you cannot modify a user's setup information. Refer to Adding and Maintaining Users and Access Rights for more information.

For a secondary user, the First Name, Last Name, Email Address, Identity, and Access Type fields cannot be edited. These fields remain synced with the primary ID and change when they are changed on the primary ID.

 

To modify user information and access rights, follow these steps:

1.         Go to Users.

2.         Select the user you want to modify.

3.         Use the information in Adding a User above to change the user's setup information, security, or administrator rights.

4.         Click Save.

Related Topics

         About Users and User Types

         Unlocking a Locked User

         Copying Users

         Deleting Users

         Creating a Secondary User