Manage users and organisations

Introduction to Users

General information about users and organisations

In most situations, every user is associated with an organisation and has exactly one out of five default roles inside this organisation. The five default roles are cumulative, i.e. a Theme Manager can do everything a Data Manager can do:

  1. User (US): A user who can log in to the system and doesn’t have a specific role in an organisation. Can typically only read public resources.
  2. Data Manager (DM): A user who can log in to the system and is responsible for uploading and maintaining data sets.
  3. Theme Manager (TM): A user who can log in to the system and manages themes, schemas and transformation projects.
  4. Superuser (SU): A user who can log in to the system and is responsible for an organisation.
  5. Administrator (AD): A user who can log in to the system and has access to all system functionality and all resources. The Administrator’s access is not defined through their organisation role.

The structure of organisations is hierarchical. Each organisational structure has a root organisation, such as in this example:

  • State A
    • County A1
      • Municipality A1a
      • Municipality A1b
    • County A2
      • Municipality A2a
      • Municipality A2b
      • Municipality A2c

Usually, every user has exactly one role inside one organisation. The user gets access to resources and functions of the system via privileges defined for the role. Some privileges depend on the hierarchical relationship between the organisation of the logged-in user and the organisation that owns a resource.

Example: A user belongs to «County A1» with role «Superuser». As a «Superuser», the user will be able to see all data sets for all suborganisations, and be able to create new user accounts and suborganisations in these suborganisations. If this is not desired, suborganisations can be created directly as children of the root organisation. You can create as many levels of suborganisations as you need.

When you create a new user as an administrator, the system enforces association of the user with an organisation and a role.

Switch application language

Click on the «Language» Symbol in the header to display which languages are installed on the instance you’re using. Pick the language you’d like to work with.

Please note that system errors are usually not translated and may be displayed in English, independent of your language settings.

Configure Roles and Privileges

Roles and Privileges cannot be configured via the application’s web interface. Instead, they can only be edited via a JSON file that is accessible to the system administrator. The settings cannot be changed for public cloud instances. For Private Cloud instances, please request the change you would like to make by contacting support. As a system administrator for an On Premise instance, follow the steps explained below to make changes to roles and privileges.

Resource permissions

Resource permissions are permissions granted on individual resources or on types of resources. To check a resource permission, the resource type name (e.g. ‘User’) is needed, and often also a concrete resource object or ID that can be used for checking the permission conditions.

There are four default resource permissions for each resource type that can be extended with other custom permissions if needed. The four default permissions are:

  • read: Resource may be read and viewed
  • edit: Resource may be edited
  • delete: Resource may be deleted
  • create: Resource of a type may be created

The system manages different resource types, depending on which services are part of it. A resource type is usually managed by a specific service. By convention, resource types start with an uppercase character. The following are the resource types currently available in hale-connect:

  • User: A registered user
  • Organisation: A registered organisation
  • Bucket: A data set consisting of files and metadata
  • Theme: A theme which defines common settings for data sets
  • Schema: A data model which can be referenced from themes
  • TransformationProject: A hale»studio transformation project

Conditions

When a user requests access to a resource or functionality of the system, at least one access condition has to be evaluated to true. The system supports the following condition checks:

  • owner: The user is the owner of the resource (not an organisation)
  • organisation: The resource is owned by the role organisation or is the role organisation itself
  • suborganisations: The resource is owned by a suborganisation or is a suborganisation of the role organisation
  • parentOrg: The resource is owned by a parent organisation or is a parent organisation of the role organisation
  • public: The resource is marked as public
  • shared: The resource is shared with the user (usually read access)
  • collaborator: The user is a collaborator on the resource (usually edit access)

Example roles.json

{
  "anonymous": {
    "resource": {
      "Bucket": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "Schema": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        }
      },
      "Theme": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "TransformationProject": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "createTask": {
          "requires": "edit"
        },
        "replyToTask": {
          "requires": "read"
        }
      }
    },
    "application": {
      "awsGrantAccess": false
    }
  },
  "user": {
    "extends": "anonymous",
    "label": {
      "en": "Registered user",
      "de": "Standardnutzer"
    },
    "resources": {
      "User": {
        "read": true,
        "edit": ["self"]
      },
      "Organisation": {
        "read": true
      }
    }
  },
  "dataManager": {
    "extends": "user",
    "label": {
      "en": "Data manager",
      "de": "Daten-Manager"
    },
    "resources": {
      "Bucket": {
        "create": ["organisation"],
        "read": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"]
      },
      "Theme": {
        "read": ["organisation", "parentOrg"]
      },
      "Schema": {
        "read": ["organisation", "parentOrg"]
      },
      "TransformationProject": {
        "read": ["organisation", "parentOrg"]
      }
    }
  },
  "themeManager": {
    "extends": "dataManager",
    "label": {
      "en": "Theme manager",
      "de": "Themen-Manager"
    },
    "resources": {
      "Theme": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "Schema": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "TransformationProject": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      }
    }
  },
  "orgAdmin": {
    "extends": "themeManager",
    "label": {
      "en": "Superuser",
      "de": "Superanwender"
    },
    "resources": {
      "User": {
        "create": true,
        "delete": ["organisation", "suborganisations"],
        "disable": ["organisation", "suborganisations"],
        "accessDisabled": true,
        "accessNotActivated": true
      },
      "Organisation": {
        "create": ["organisation", "suborganisations"],
        "edit": ["organisation", "suborganisations"],
        "delete": ["organisation", "suborganisations"],
        "assignRole": ["organisation", "suborganisations"]
      },
      "Bucket": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Theme": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Schema": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "TransformationProject": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      }
    },
    "application": {
      "viewSystemInfo": true
    }
  }
}
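
To review a roles.json change before deploying it, it helps to compute what a role effectively receives through its «extends» chain and how the organisation conditions resolve against the hierarchy. The following sketch is an added example, not hale-connect code: the names ROLES, PARENT, ancestors, effective, holds and allowed are hypothetical, the data is a constructed excerpt of the file above, and taking the union of conditions along «extends» is an assumption based on the statement that roles are cumulative.

```python
# Added example, not hale-connect code. ROLES is a constructed excerpt of the
# roles.json above; merging conditions along "extends" is an assumption.
ROLES = {
    "dataManager": {"resources": {
        "Bucket": {"read": ["organisation"], "edit": ["organisation"]},
        "Theme": {"read": ["organisation", "parentOrg"]}}},
    "themeManager": {"extends": "dataManager", "resources": {
        "Theme": {"edit": ["organisation"], "view": {"requires": "read"}}}},
    "orgAdmin": {"extends": "themeManager", "resources": {
        "User": {"create": True},
        "Bucket": {"read": ["suborganisations"], "edit": ["suborganisations"]}}},
}
# Part of the organisation tree from the page, stored as child -> parent.
PARENT = {"County A1": "State A", "County A2": "State A",
          "Municipality A1a": "County A1", "Municipality A2a": "County A2"}

def ancestors(org):
    """Return all organisations above org, nearest first."""
    chain = []
    while org in PARENT:
        org = PARENT[org]
        chain.append(org)
    return chain

def effective(role, rtype, perm, seen=()):
    """Union of conditions for (rtype, perm) over the role's 'extends' chain."""
    if role not in ROLES or role in seen:   # also stops on an 'extends' cycle
        return set()
    spec = ROLES[role]
    rule = spec.get("resources", {}).get(rtype, {}).get(perm, [])
    inherited = effective(spec.get("extends"), rtype, perm, seen + (role,))
    if rule is True:                        # unconditional grant
        return {"*"}
    if isinstance(rule, dict):              # {"requires": "read"} -> reuse that rule
        return inherited | effective(role, rtype, rule["requires"])
    return inherited | set(rule or [])

def holds(cond, role_org, owner_org):
    """Evaluate the organisation-based conditions; everything else is denied."""
    if cond == "*":
        return True
    if cond == "organisation":
        return owner_org == role_org
    if cond == "suborganisations":
        return role_org in ancestors(owner_org)
    if cond == "parentOrg":
        return owner_org in ancestors(role_org)
    return False  # owner/public/shared/collaborator need per-resource data

def allowed(role, role_org, rtype, perm, owner_org):
    return any(holds(c, role_org, owner_org) for c in effective(role, rtype, perm))
```

Calling effective() for each role, resource type and permission gives a flat list that can be compared before and after an edit; any entry that resolves to "*" is granted regardless of organisation and deserves a second look.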

Registration

Self-registration

Your system administrator can configure the application so that users can self-register. For private cloud instances, contact support to configure this functionality. On public cloud instances, it is currently not available.

If self-registration is enabled, go to the start page and click «Register». Provide your e-mail and a password, and then proceed. After registration you should receive an activation e-mail to complete the registration via double opt-in. The activation link is valid for 24 hours. This duration is configurable on on-premise and private cloud instances.

All newly registered users have to set a password before their first log-in. The password field has an indicator for password security on the right side; a secure password gets at least three out of four points. To get three points, your password has to have eight or more characters, and needs to contain at least three different classes of characters (small letters, capital letters, numbers, special characters). After setting the password, you can proceed to log in.

Add users

As a system administrator, you can enable self-registration of users. If self-registration is not enabled, administrators and organisation superusers need to create all user accounts.

To create a new user account, follow these steps while logged in as an administrator or organisation superuser:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Pick «Create New User» at the bottom of the user list
  4. Enter a name (we strongly recommend using first and last name)
  5. Pick a username from the suggestions listed under the portrait
  6. Provide a unique e-mail address (every e-mail address may be associated with only one user account)
  7. Pick an organisation for the new user
  8. Pick a role (Data Manager, Theme Manager or Organisation Superuser)
  9. Optionally add a description, contact info and custom fields
  10. Click «Create»

The person you’ve created the account for now receives an activation e-mail. The account will be activated only when the person has clicked the link in the notification and successfully set a password.

Login and Logout

Logging in works via the «Login» link visible on the top right of the application. Log in either with your e-mail or with your user name and your password. In case you’ve forgotten your password, click the link «Forgot your password?». You will then receive a new confirmation e-mail. Click on the link it contains to set a new password. This link is valid for two hours.

To log out, go to your user profile (person icon in the main toolbar) and click on «Logout». When you close the browser or the tab in which the application was running, you are automatically logged out.

You can use the application in multiple tabs or windows, but need to log in separately in each tab or window. This has the advantage that it is possible to use multiple user accounts at the same time.

Edit Users

Edit user profile

Every user can edit their own profile. In addition, administrators and organisation superusers can edit some properties of a user account, such as the role and organisation it is associated with. To edit the profile, click on the profile icon in the main toolbar. On the profile page, you have the following options:

  • Change Password: Similar to the process used when confirming a registration, you can change your password here. Please keep in mind that the same rules for safe passwords apply!
  • Change E-Mail address: Every profile needs to have a unique, valid e-mail address.
  • Add Contact Information: These standard contact info fields help other users reach out to you and can be used for the metadata autofill rules.
  • Assign an Organisation: As organisation superuser or administrator, you can change your organisation association and role within the organisation.
  • Add user-defined fields: Such fields are used to save user-defined values for metadata autofill rules. You and your organisation should agree on the keys for these user-defined fields so that they can be used effectively in the autofill rules.

The username cannot be edited.

If you'd like to see a proper portrait picture or avatar, use Gravatar to add a picture of your choice to your e-mail address.

Delete User

When logged in as an Administrator or organisation superuser, follow these steps to delete a user:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Select the user you need to delete from the list
  4. Click on the «Delete» button
  5. Confirm deletion

When you delete a user, the user account is permanently deactivated. The user account is still stored in the database, which means that no user with the same username can be created. Furthermore, all resources that the user created are kept in the system and remain accessible to other members of the organisation.

As an Administrator or organisation superuser, you can delete your own profile! You should only do so if you are entirely sure that is what you want. When the only administrator account is deleted, the system will recreate one with a default password on restart. To restart the system and to receive the default password, please contact support.

Manage Organisations

Create an organisation

To create a new organisation, follow these steps while logged in as an administrator:

  1. Go to settings (gear symbol)
  2. Go to «Organisations»
  3. Pick «Create New Organisation» at the bottom of the organisation list
  4. Enter an organisation name (we recommend a short memorable one)
  5. Provide the «name of the legal entity»
  6. Optionally, provide a description and contact information
  7. Click «Create»

To create a new suborganisation, follow these steps while logged in as an administrator or organisation superuser:

  1. Go to settings (gear symbol)
  2. Go to «Organisations»
  3. Select the organisation for which you’d like to create a new suborganisation
  4. Click «Create Suborganisation»
  5. Enter an organisation name (we recommend a short memorable one)
  6. Provide the «name of the legal entity»
  7. Optionally, provide a description and contact information
  8. Click «Create»

Edit and delete organisations

When logged in as an Administrator or organisation superuser, follow these steps to delete an organisation:

  1. Go to settings (gear symbol)
  2. Go to «Organisations»
  3. Select the organisation you need to delete from the list
  4. Click on the «Delete» button
  5. Confirm deletion

To edit an organisation, follow steps 1 to 3 and provide updated information, e.g. for the description or for contact information.

When you delete an organisation, user accounts associated with the organisation remain active. After the deletion, these user accounts no longer have an organisation or a role, and as a consequence have very limited privileges until they are linked to a new organisation.

The organisation name cannot be edited.