Manage users and organisations

Introduction to users

General information about users and organisations

In most situations, a user is associated with an organisation and has exactly one of five default roles within the organisation. The five default roles are cumulative, i.e. a Theme Manager can do everything a Data Manager can do:

  1. User (US): A user who can log in to the system and does not have a specific role in an organisation. Can typically only read public resources.
  2. Data Manager (DM): A user who can log in to the system and is responsible for uploading and maintaining data sets.
  3. Theme Manager (TM): A user who can log in to the system and manage themes, schemas and transformation projects.
  4. Superuser (SU): A user who can log in to the system and is responsible for an organisation.
  5. Administrator (AD): A user who can log in to the system and access all system functionality and resources. The Administrator’s access is not defined through his organisational role.

The structure of organisations is hierarchical. Each organisational structure has a root organisation, such as in this example:

  • State A
    • County A1
      • Municipality A1a
      • Municipality A1b
    • County A2
      • Municipality A2a
      • Municipality A2b
      • Municipality A2c

Usually, a user has exactly one role inside an organisation. The user gets access to resources and functions of the system via privileges defined for the role. Some privileges depend on how the organisation of the logged-in user and the organisation that owns a resource relate to each other in the hierarchy.

Example: You belong to «County A1» with role «Superuser». As a «Superuser», you can see the data sets belonging to your organisation «County A1», and the data sets belonging to any suborganisations associated with your root organisation. You can create new user accounts and suborganisations for your organisation, or for any of its suborganisations. You can create as many levels of suborganisations as you need.

When you create a new user as an administrator, the system enforces association of the user with an organisation and a role.

Switch application language

Click on the «Language» Symbol in the header to display the languages that are installed on the instance you’re using. Pick the language you’d like to work with.

Please note that system errors are usually not translated and may be displayed in English, independent of your language settings.

Configure Roles and Privileges

Roles and Privileges cannot be configured via the application’s web interface. Instead, they can only be edited via a JSON file that is accessible to the system administrator. The settings cannot be changed for public cloud instances. For Private Cloud instances, please request the change you would like to make by contacting support. As a system administrator for an On Premise instance, follow the steps explained below to make changes to roles and privileges.

Resource permissions

Resource permissions are permissions granted on individual resources or on types of resources. To check a resource permission, the resource type name (e.g. ‘User’) is needed, and often also a concrete resource object or ID that can be used for checking the permission conditions.

There are four default resource permissions for each resource type that can be extended with other custom permissions if needed. The four default permissions are:

  • read: Resource may be read and viewed
  • edit: Resource may be edited
  • delete: Resource may be deleted
  • create: Resource of a type may be created

The system manages different resource types, depending on which services are part of it. A resource type is usually managed by a specific service. By convention, resource types start with an uppercase character. The following are the resource types currently available in hale-connect:

  • User: A registered user
  • Organisation: A registered organisation
  • Bucket: A data set consisting of files and metadata
  • Theme: A theme which defines common settings for data sets
  • Schema: A data model which can be referenced from themes
  • TransformationProject: A hale»studio transformation project

Conditions

When a user requests access to a resource or functionality of the system, at least one access condition must be met. The system supports the following condition checks:

  • owner: The user is the owner of the resource (not an organisation)
  • organisation: The resource is owned by the role organisation or is the role organisation itself
  • suborganisations: The resource is owned by a suborganisation or is a suborganisation of the role organisation
  • parentOrg: The resource is owned by a parent organisation or is a parent organisation of the role organisation
  • public: The resource is marked as public
  • shared: The resource is shared with the user (usually read access)
  • collaborator: The user is a collaborator on the resource (usually edit access)

Example roles.json

{
  "anonymous": {
    "resource": {
      "Bucket": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "Schema": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        }
      },
      "Theme": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "editMetadata": {
          "requires": "edit"
        }
      },
      "TransformationProject": {
        "comment": {
          "requires": "read"
        },
        "createNote": {
          "requires": "read"
        },
        "createTask": {
          "requires": "edit"
        },
        "replyToTask": {
          "requires": "read"
        }
      }
    },
    "application": {
      "awsGrantAccess": false
    }
  },
  "user": {
    "extends": "anonymous",
    "label": {
      "en": "Registered user",
      "de": "Standardnutzer"
    },
    "resources": {
      "User": {
        "read": true,
        "edit": ["self"]
      },
      "Organisation": {
        "read": true
      }
    }
  },
  "dataManager": {
    "extends": "user",
    "label": {
      "en": "Data manager",
      "de": "Daten-Manager"
    },
    "resources": {
      "Bucket": {
        "create": ["organisation"],
        "read": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"]
      },
      "Theme": {
        "read": ["organisation", "parentOrg"]
      },
      "Schema": {
        "read": ["organisation", "parentOrg"]
      },
      "TransformationProject": {
        "read": ["organisation", "parentOrg"]
      }
    }
  },
  "themeManager": {
    "extends": "dataManager",
    "label": {
      "en": "Theme manager",
      "de": "Themen-Manager"
    },
    "resources": {
      "Theme": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "Schema": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      },
      "TransformationProject": {
        "create": ["organisation"],
        "edit": ["organisation"],
        "delete": ["organisation"],
        "view": {
          "requires": "read"
        }
      }
    }
  },
  "orgAdmin": {
    "extends": "themeManager",
    "label": {
      "en": "Superuser",
      "de": "Superanwender"
    },
    "resources": {
      "User": {
        "create": true,
        "delete": ["organisation", "suborganisations"],
        "disable": ["organisation", "suborganisations"],
        "accessDisabled": true,
        "accessNotActivated": true
      },
      "Organisation": {
        "create": ["organisation", "suborganisations"],
        "edit": ["organisation", "suborganisations"],
        "delete": ["organisation", "suborganisations"],
        "assignRole": ["organisation", "suborganisations"]
      },
      "Bucket": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Theme": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "Schema": {
        "create": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      },
      "TransformationProject": {
        "create": ["suborganisations"],
        "read": ["suborganisations"],
        "edit": ["suborganisations"],
        "delete": ["suborganisations"]
      }
    },
    "application": {
      "viewSystemInfo": true
    }
  }
}
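The sketch below is an added example, not hale-connect code. It evaluates a trimmed copy of the roles.json above against the organisation tree from the introduction. It assumes that rules are collected along the «extends» chain, that a «requires» entry defers to the named permission, and that the user and resource dictionaries (keys name, role, org, owner_user, public) are hypothetical stand-ins for the system's own objects.

```python
# Added example. ROLES is a trimmed copy of the page's roles.json (Bucket and Theme).
ROLES = {
    "user": {"resources": {}},
    "dataManager": {"extends": "user", "resources": {
        "Bucket": {"create": ["organisation"], "read": ["organisation"],
                   "edit": ["organisation"], "delete": ["organisation"]},
        "Theme": {"read": ["organisation", "parentOrg"]}}},
    "themeManager": {"extends": "dataManager", "resources": {
        "Theme": {"create": ["organisation"], "edit": ["organisation"],
                  "delete": ["organisation"], "view": {"requires": "read"}}}},
    "orgAdmin": {"extends": "themeManager", "resources": {
        "Bucket": {"create": ["suborganisations"], "read": ["suborganisations"],
                   "edit": ["suborganisations"], "delete": ["suborganisations"]}}},
}

# Organisation tree from the introduction, stored as child -> parent.
PARENT = {"County A1": "State A", "County A2": "State A",
          "Municipality A1a": "County A1", "Municipality A2a": "County A2"}

def ancestors(org):
    """Return all organisations above org, nearest first."""
    chain = []
    while org in PARENT:
        org = PARENT[org]
        chain.append(org)
    return chain

# Condition checks as listed on the page; shared/collaborator are not modelled.
CHECKS = {
    "owner": lambda u, r: r.get("owner_user") == u["name"],
    "organisation": lambda u, r: r["org"] == u["org"],
    "suborganisations": lambda u, r: u["org"] in ancestors(r["org"]),
    "parentOrg": lambda u, r: r["org"] in ancestors(u["org"]),
    "public": lambda u, r: r.get("public", False),
}

def rules_for(role, rtype, perm):
    """Collect the rules for perm along the extends chain (assumed: union)."""
    found, seen = [], set()
    while role and role not in seen:  # seen guards against an extends cycle
        seen.add(role)
        spec = ROLES.get(role, {})
        rule = spec.get("resources", {}).get(rtype, {}).get(perm)
        if rule is not None:
            found.append(rule)
        role = spec.get("extends")
    return found

def allowed(user, rtype, perm, res):
    """Default deny; grant as soon as one rule or condition is met."""
    for rule in rules_for(user["role"], rtype, perm):
        if isinstance(rule, dict):  # e.g. {"requires": "read"}
            ok = "requires" in rule and allowed(user, rtype, rule["requires"], res)
        elif isinstance(rule, list):  # unknown condition names count as not met
            ok = any(CHECKS.get(c, lambda u, r: False)(user, res) for c in rule)
        else:
            ok = rule is True
        if ok:
            return True
    return False
```

Running a proposed roles.json change through a check like this before deploying it shows which role and organisation combinations gain access, for example that a Superuser's «suborganisations» rule does not reach into a sibling county.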

Registration

Self-registration

Your system administrator can configure the application so that users can self-register. For private cloud instances, contact support to configure this functionality. On public cloud instances, it is currently not available.

If self-registration is enabled, go to the start page and click «Register». Provide your e-mail and a password, and then proceed. After registration you should receive an activation e-mail to complete the registration via double opt-in. The activation link is valid for 24 hours. This duration is configurable on on-premise and private cloud instances.

All newly registered users have to set a password before their first log-in. The password field has an indicator for password security on the right side; a secure password gets at least three out of four points. To get three points, your password has to have eight or more characters, and needs to contain at least three different classes of characters (small letters, capital letters, numbers, special characters). After setting the password, you can proceed to log in.

Add users

As a system administrator, you can enable self-registration of users. If self-registration is not enabled, administrators and organisation superusers need to create all user accounts.

To create a new user account, follow these steps while logged in as an administrator or organisation superuser:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Pick «Create New User» at the bottom of the user list
  4. Enter a name (we strongly recommend using first and last name)
  5. Enter a username under the portrait
  6. Provide a unique e-mail address (every e-mail address may be associated with only one user account)
  7. Pick an organisation for the new user
  8. Pick a role (Data Manager, Theme Manager or Organisation Superuser)
  9. Optionally add a description, and contact info
  10. All role types can add custom metadata fields. Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. Theme Managers and Superusers configuring metadata should come to an agreement with Data Managers on the custom metadata fields that will be implemented. Themes configured to use custom metadata fields in user profiles will access the value from the user profile of the person creating the dataset. The custom fields added to user profiles are available in the Autofill assistant when a Theme Manager or Superuser uses the metadata editor. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  11. Click «Create»

The person you’ve created the account for now receives an activation e-mail. The account is activated only once the person has clicked the link in the notification and successfully set a password.

Alternatively, you can create a new user account while managing your organisation. Go to settings (gear symbol), go to «Organisations» and click «Create user» under the portrait.

Login and Logout

Logging in works via the «Login» link visible on the top right of the application. Log in with either your e-mail or your user name, and your password. In case you’ve forgotten your password, click the link «Forgot your password?». You will then receive a new confirmation e-mail. Click on the link it contains to set a new password. This link is valid for two hours.

To log out, go to your user profile (person icon in the main toolbar) and click on «Logout». When you close the browser or the tab in which the application was running, you are automatically logged out.

You can use the application in multiple tabs or windows, but need to log in separately in each tab or window. This has the advantage that it is possible to use multiple user accounts at the same time.

Edit users

Edit user profile

Every user can edit their own profile. In addition, administrators and organisation superusers can edit some properties of a user account, such as the role and organisation it is associated with. To edit your profile, click on the profile icon in the main toolbar. On the profile page, you have the following options:

  • Change Password: Similar to the process used when confirming a registration, you can change your password here. Please keep in mind that the same rules for safe passwords apply!
  • Change E-Mail address: Every profile needs to have a unique, valid e-mail address.
  • Add Contact Information: These standard contact info fields help other users reach out to you and can be used for the metadata autofill rules.
  • Assign an Organisation: As organisation superuser or administrator, you can change your organisation association and role within the organisation.
  • Add user-defined fields: Such fields are used to save user-defined values for metadata autofill rules. You and your organisation should agree on the keys for these user-defined fields so that they can be used effectively in the autofill rules.

The username cannot be edited.

If you'd like to see a proper portrait picture or avatar, use Gravatar to add a picture of your choice to your e-mail address.

Delete User

When logged in as an Administrator or organisation superuser, follow these steps to delete a user:

  1. Go to settings (gear symbol)
  2. Go to «Users»
  3. Select the user you need to delete from the list
  4. Click on the «Delete» button
  5. Confirm deletion

When you delete a user, the user account is permanently deactivated. The user account is still stored in the database, which means that no user with the same username can be created. Furthermore, all resources that the user created are kept in the system and remain accessible to other members of the organisation.

As an Administrator or organisation superuser, you can delete your own profile! You should only do so if you are entirely sure that is what you want. When the only administrator account is deleted, the system will recreate one with a default password on restart. To restart the system and to receive the default password, please contact support.

Manage organisations

Create an organisation

To create a new organisation, follow these steps while logged in as an administrator:

  • Go to settings (gear symbol)
  • Go to «Organisations»
  • Pick «Create New Organisation» at the bottom of the organisation list
  • Enter an organisation name (we recommend a short memorable one)
  • Provide the «name of the legal entity»
  • Optionally, provide a description and contact information
  • Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. The custom fields that you add to your organisation are available in the Autofill assistant when you use the metadata editor. The Autofill assistant automatically populates your metadata with the information provided in your custom fields. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  • Click «Create»

To create a new suborganisation, follow these steps while logged in as an administrator or organisation superuser:

  • Go to settings (gear symbol)
  • Go to «Organisations»
  • Select the organisation for which you’d like to create a new suborganisation
  • Click «Create Suborganisation»
  • Enter an organisation name (we recommend a short memorable one)
  • Provide the «name of the legal entity»
  • Optionally, provide a description and contact information
  • Custom fields enable you to create your own key, value pairs for use in metadata. Click «+Add field» to enter a key, value pair. You can add as many custom fields as you need. The custom fields that you add to your organisation are available in the Autofill assistant when you use the metadata editor. The Autofill assistant automatically populates your metadata with the information provided in your custom fields. For more information about using the metadata editor and working with autofill rules, visit the Edit metadata configuration section of our help.
  • Click «Create»

Edit and delete organisations

When logged in as an Administrator or organisation superuser, follow these steps to delete an organisation:

  1. Go to settings (gear symbol)
  2. Go to «Organisations»
  3. Select the organisation you need to delete from the list
  4. Click on the «Delete» button
  5. Confirm deletion

To edit an organisation, follow steps 1 to 3 and provide updated information, e.g. for the description or for contact information.

When you delete an organisation, user accounts associated with the organisation remain active. These user accounts no longer have an organisation or role and as a consequence have very limited privileges until they are linked to a new organisation.

The organisation name cannot be edited.

Harvesting Metadata

Access the harvesting endpoint

We provide a harvesting endpoint for catalogue services that want to harvest metadata from the haleconnect platform. The harvesting URL can be built using the following pattern:

https://haleconnect.com/services/bsp/metadata/org/<your org num>

Catalogue services retrieve a zip file containing all of the metadata for an organisation from the harvesting URL.

As a system administrator, you can access a preview page which displays the metadata that is accessible from the harvesting endpoint. The harvesting preview page URL can be built using the following pattern:

https://haleconnect.com/services/bsp/metadata/org/<your org num>?preview=true

To find your organisation number, navigate to your organisation's account page in settings (gear symbol). Your organisation number is displayed in the browser URL. For example: https://haleconnect.com/#/organisation/1 indicates that your organisation number is 1.

The Harvest-Preview page displays the harvesting URL, the preview page URL and the number of resources at the endpoint. There are also options to control the inclusion of remote metadata resources and keyword filters through the use of toggles. The includeremote toggle allows you to include remote metadata in the endpoint. The keywords toggle allows you to filter the list of metadata resources for datasets with the keyword ‘inspireidentifiziert’. You can add additional keywords by adding one or more keywords in a comma separated list to the preview page URL after the keywords parameter.

For example, to filter on the keyword ‘infoFeatureAccessService’, construct the following URL:

https://haleconnect.com/services/bsp/metadata/org/1?preview=true&keywords=infoFeatureAccessService

The Harvest-Preview page lists the metadata resources in tabular format at the bottom of the page. Metadata resources are listed in rows with the following columns:

  • Type: The type of service
  • Title: The title of the service
  • Simple Keywords: The keywords extracted from the keywords field in the metadata file
  • Fileidentifier: The file identifier number
  • Filename: The name of the metadata file
  • Link: A hyperlink to the metadata file