Saperion User Management App
Introduction
The User Management App is a web-based app that allows administrators to manage access rights, privileges, and roles of users and groups. This is an extension of the User Management feature available in Rich Client.
Prerequisite
The following services must be installed and running.
- Configuration service
- Core Configuration service
- ECMS Spring service
- Authentication service
Install and configure the app
Download the User Management App
To download the User Management App, complete the following steps.
- Log in to Hyland Community.
- Download the saperion-usermanagement-provider-service-<version>.zip file.
- Extract the ZIP file at your preferred location.
Configure the User Management App
The User Management App coordinates with the ECM and authentication services. To configure the User Management App, complete the following steps.
- Navigate to [Drive:]/{directory where the User Management App is downloaded}.
- Open the usermanagement-provider-service.xml file.
- Under the <service> tag, add the following settings:
<startargument>--server.port=8000</startargument>
<startargument>--authenticationService.url=http(s)://{Web address or IP address of the system where the Authentication service is installed}:8084</startargument>
<startargument>--ecmService.url=http(s)://{Web address or IP address of the system where the ECM service is installed}:8083</startargument>
Example of the setting:
<service>
<startargument>--server.port=8000</startargument>
<startargument>--authenticationService.url=http://myAuthenticationService.company.com:8084</startargument>
<startargument>--ecmService.url=http://myEcmService.company.com:8083</startargument>
</service>
- Save the usermanagement-provider-service.xml file.
- Navigate to [Drive:]\{Directory where ECM service is installed}\config directory.
- Open the application.yaml file.
- Under "cors", set allowedOrigin: http(s)://<my User Management Service>.<domain name>.com:8000
- Set exposedHeaders: "Authorization, Cache-Control, Content-Type, X-ECM-Protocol-Version, X-ECM-LicenseType, X-ECM-LicenseToken, X-ECM-Impersonate, X-ECM-Tenant, X-ECMS-ERROR-CODE, X-ECMS-ERROR-MESSAGE"
- Save the application.yaml file.
Install the User Management App
To install the User Management App, complete the following steps.
- Open the command prompt.
- At the command prompt, type usermanagement-provider-service.exe install.
- Open services.msc.
- Start the “Saperion Usermanagement Provider Service”.
Set up HTTPS for the User Management App
This section describes how to set up HTTPS for the User Management App.
Prerequisites
- ECM services are HTTPS enabled
- ECM and AUTH service URL in the [Drive:]/{directory where the User Management App is downloaded}/usermanagement-provider-service.xml file is properly configured to point to the HTTPS enabled URL
- Certificates of ECM and AUTH services are installed in the system where the User Management App is running, and the certificates are added to the Trusted Root Certification Authorities in Windows.
About generating a self-signed SSL certificate
To generate a self-signed SSL certificate, you must generate a keystore and then an SSL certificate from the cryptographic keys in the keystore. The two most common formats used for keystores are JKS, a proprietary format specific to Java, and PKCS12, an industry-standard format.
Generate a keystore
This section provides the steps to generate the keystore in the PKCS12 format. To generate the keystore, complete the following steps.
- Open the command prompt.
- Execute the following command:
keytool -genkeypair -alias <alias_for_usermanagement> -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore-usermanagement.p12 -validity 3650 -storepass password -ext SAN=dns:<domain_name>
- In the form that appears, for the query "What is your first and last name", provide the domain name of the system on which the User Management App is installed. The rest of the fields are optional.
The following keystore file is generated:
- keystore-usermanagement.p12
Extract the SSL certificate from the keystore
When a self-signed SSL certificate is used, the browser or client does not trust the application and warns the user that it is not secure.
To extract the SSL certificates from the keystore, complete the following steps.
- Open the command prompt.
- Execute the following command:
keytool -export -keystore keystore-usermanagement.p12 -alias <alias_for_usermanagement> -file certificate-usermanagement.crt
The following certificates are generated for the respective services:
- certificate-usermanagement.crt
Install the SSL certificate
The browser recognizes a self-signed certificate only from the Trusted Root Certification Authorities of Windows. If the certificate is not installed there, the browser still displays the connection as "not secure".
To install the SSL certificate, complete the following steps.
- On the system where the User Management App is running, download the SSL certificate.
- Add the certificate to the Trusted Root Certification Authorities of Windows.
Configure SSL in the User Management App
To configure SSL in the User Management App, complete the following steps.
- Navigate to [Drive:]/{directory where the User Management App is downloaded}/config. Open the application.yaml file. Under the server.ssl section, update the following properties.
key-store: <location_to_the_keystore_file>
key-store-password: <password>
key-store-type: <key_store_type> (for example, JKS, pkcs12)
key-alias: <alias>
- Set the server.ssl.enabled property to true.
- Restart the User Management App.
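A consistency check for the settings touched in the configuration and HTTPS sections above, as an added example that is not part of the product or its documentation. The function names and the sample hostnames are hypothetical, the allowedOrigin value is passed in as a string rather than read from application.yaml, and the check assumes the browser reaches the app directly on server.port with no proxy in between.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of usermanagement-provider-service.xml (hostnames are placeholders).
SAMPLE_XML = """<service>
  <startargument>--server.port=8000</startargument>
  <startargument>--authenticationService.url=https://myAuthenticationService.company.com:8084</startargument>
  <startargument>--ecmService.url=http://myEcmService.company.com:8083</startargument>
</service>"""


def parse_startarguments(xml_text):
    """Return {name: value} for every --name=value <startargument>."""
    args = {}
    for node in ET.fromstring(xml_text).iter("startargument"):
        text = (node.text or "").strip()
        if text.startswith("--") and "=" in text:
            name, value = text[2:].split("=", 1)
            args[name] = value
    return args


def check_https_setup(xml_text, allowed_origin):
    """List findings that contradict the HTTPS prerequisites on this page."""
    args = parse_startarguments(xml_text)
    findings = []
    # Both backend URLs must point to the HTTPS-enabled services.
    for key in ("authenticationService.url", "ecmService.url"):
        url = args.get(key)
        if url is None:
            findings.append(f"{key}: missing")
        elif urlsplit(url).scheme != "https":
            findings.append(f"{key}: not an HTTPS URL ({url})")
    # Once the app is served over HTTPS, its browser origin is https://host:port.
    origin = urlsplit(allowed_origin)
    if origin.scheme != "https":
        findings.append(f"cors.allowedOrigin: not an HTTPS origin ({allowed_origin})")
    port = args.get("server.port")
    if port is None:
        findings.append("server.port: missing")
    elif str(origin.port) != port:
        findings.append(f"cors.allowedOrigin: port {origin.port} does not match server.port {port}")
    if origin.path not in ("", "/") or origin.query:
        findings.append("cors.allowedOrigin: must be scheme://host:port only")
    return findings


if __name__ == "__main__":
    for finding in check_https_setup(SAMPLE_XML, "http://usermgmt.company.com:8000"):
        print("FINDING:", finding)
```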
Access the User Management App
After you configure and install the User Management App, you can open the app and log in using your login credentials. A user with the administrator role has full access to all the features available in the app. This section describes how to log in to the app and how an administrator can create and define user roles and privileges. In particular, you can add, edit, and delete users, groups, roles, ACLs, and tenants.
To log in to the User Management App, complete the following steps.
- Open a web browser.
- In the address bar, provide the URL of the server where the User Management App is deployed and press Enter. The format of the URL is <localhost or IP address where the app is deployed>/<port number>.
- In the login page, provide the following credentials.
- Username
- Password
- Tenant that you are using to log in
- Click “Sign In”.
Create a new user
To create a new user, complete the following steps.
- On the Home page, click "Users".
- On the "Users" page, click "+", which is located at the top right corner.
- On the "New User" pane, provide details of the new user.
- Select the "Present" check box to associate a physical user. You can also associate a technical user, allow substitute access, and lock the user by selecting the appropriate check box.
- Optional. In the Group section, click + to add the user to a group.
- After all the details are provided, select the check mark at the top of the pane.
Result: The new user appears in the display pane.
Note: You can set a location for the user only from the User Properties in Rich Client. Also, you can synchronize a user with the operating system or LDAP and associate multiple tenants only from the Rich Client.
Create a new group
To create a new group, complete the following steps.
- On the "Home" page, click "Groups".
- On the "Groups" page, click "+", which is located at the top right corner.
- On the "New Group" pane, provide details of the new group.
- Optional. In the Role section, click + to assign a role to the group.
- Optional. In the Nested Group section, assign this group as a subsidiary of another group.
- Optional. In the Nested User section, add this group as a subsidiary of a user.
- After all the details are provided, select the check mark at the top of the pane.
Result: The new group appears in the display pane.
Note: You can add an Email distributor to a group only from the Rich Client.
Create a new role
To create a new role, complete the following steps.
- On the "Home" page, click "Roles".
- On the "Roles" page, click "+", which is located at the top right corner.
- On the New Role pane, provide details of the new role, that is, role name, and assign the appropriate access commands to the role.
- In the Groups section, add the groups to which you want to assign this role.
- After all the details are provided, select the check mark at the top of the pane.
Result: The new role appears in the display pane.
Note: You can add an access formula to a role only from the Rich Client. Also, the password configuration settings are available from the Rich Client.
Create a new ACL
To create a new ACL, complete the following steps.
- On the Home page, click ACLs.
- On the ACLs page, click "+", which is located at the top right corner.
- On the New Role pane, provide details of the new ACL, such as the ACL name.
- In the Groups section, add the groups to which you want to assign the ACL.
- In the Users section, add the users to which you want to assign the ACL.
- To add or remove existing rights for the selected group or user, complete the following steps.
- Click on the icons displayed beside a group.
- In the popup that appears, select the rights you want to add, or remove existing rights that you no longer require.
- After all the details are provided, select the check mark at the top of the pane.
Result: The new ACL appears in the display pane.
Create a new tenant
To create a new tenant, complete the following steps.
- On the Home page, click Tenants.
- On the Tenants page, click "+", which is located at the top right corner.
- On the New Tenant pane, provide details of the new tenant, such as the tenant name and description, and set a password.
- After all the details are provided, select the check mark at the top of the pane.
Result: The new tenant appears in the display pane.
Note: A usage report can be generated only from the Rich Client.
Edit users, groups, roles, ACLs, and tenants
To edit users, groups, roles, ACLs, or tenants, complete the following steps.
- On the Home page, click any of the following items that you want to edit.
- Users
- Groups
- Roles
- ACLs
- Tenants
- On the page of the respective item, select the specific user, group, role, ACL, or tenant that you want to edit.
- Click the Edit icon at the top of the pane.
- Modify the item and click the check mark at the top of the pane to save the changes.
Delete users, groups, roles, ACLs, and tenants
To delete users, groups, roles, ACLs, or tenants, complete the following steps.
- On the Home page, click any of the following items that you want to delete.
- Users
- Groups
- Roles
- ACLs
- Tenants
- On the page of the respective item, from the viewer pane, select the specific user, group, role, ACL, or tenant that you want to delete.
- Click the Edit icon at the top of the pane.
- Click the Delete icon from the top of the pane.
Logout
Automatic logout
By default, you are automatically logged out from the User Management App if you remain inactive for more than 60 seconds. You can modify the automatic logout threshold.
To modify the automatic logout threshold, complete the following steps.
- Navigate to [Drive:]\{directory where the ECM services are installed}\ecms-authentication-service-<version> directory.
- Open the ecms-authentication-service.yaml file.
- Under "token", set the value of expirationSeconds, in milliseconds, to the threshold value.
Manual logout
To log out manually, complete the following step.
- At the bottom of the left pane, click "Logout".