User access is controlled through the User Maintenance screen via the Users screen at the system level for users who physically log into the system. Users with the appropriate access can create users using this screen. Certain types of user access are created from specific screens:
Employee (assignee) users - created from the Employee Details screen
Employee Delegates - created by the Employee using the Mobile Employee Experience using the Employee delegate section
Vendor - created from the Vendor Details screen
API Subscribers - created from the API Subscription Manager screen
The security role(s) granted to the user determine the user’s rights to screens and screen sections, how the user can access the data, and what assignments are available.
User Maintenance
The User Maintenance screen is found at the Configuration level. The screen shows all existing users in grid form when a search is performed. New users are added by clicking
in the upper left hand corner of the grid. Existing users can be maintained by clicking the pencil icon.
The User Maintenance screen, General tab is split into three sections: User Maintenance, Security Role Association and Company Access.
Populate the following mandatory fields:
User Type – this defines the type of view a user has. The options are:
External Client is used for HR, business users or other clients to have access to the portal
External Payroll is used for payroll providers to access the system via the Payroll portals
Internal is typically used for resources managing the GM program, super user and system administrators
Internal Read Only users are given View Only access, regardless of Role Security rights.
API Subscriber is selected for users managing the API connection
Note: Employee (assignee) users are created from the Employee Details page and Vendor users are created from the Vendor Details screen. External Employee Delegate users can only be created by the Employee user in the Mobile Employee Experience.
User ID – a unique identifier for the user. Once the User ID has been created and saved, it cannot be changed manually. It is a best practice to use a consistent format across users (e.g. first initial and last name: ATest)
First Name – the user’s first name.
Last Name – the user’s last name.
Email – the user’s email address. This is needed to send the automatically generated email supplying the user with his/her login credentials (User ID and password) if SSO is not used. It is also used by the system for emails to/from the user.
Security Role – Users can have one or multiple security roles. The available security roles are listed in a type-ahead search drop-down list. Select the appropriate security role from the list. When selected, a navigation link appears taking the user directly to the security role.
Company Access – Users can have access to one or multiple companies. By default, the Default All Company Rights check box is unchecked and the user will not have access to any companies. To grant access to one company, click the [New] button and select a company from the drop-down list. To grant access to multiple companies, type the number in the number box and click [New]. Select one company from the drop-down list per row. To grant access to all companies, check the Default All Company Rights check box.
Click the appropriate Save button depending on how many users are to be created:
To create multiple users, click
- this will save the record and display all three sections of the User Maintenance screen ready for the next user to be added. Click
to save the new record.
To create a new user by duplicating an existing record, click
- this will save the record and display only the User Maintenance section of the User Maintenance screen. After populating this section and clicking
will the Security Role Association and Company Access sections be duplicated from the existing record. Note that the fields from the Security Role Association and Company Access sections are the only data fields to be copied from the existing user record. Fields on the other tabs (e.g. Company Segment Security) of the User Maintenance screen are not duplicated.
Note that the screen tabs only appear once the record is saved after populating the mandatory fields (*) and/or the Has All Assignment Rights is not ticked for External Client, Internal and Internal Read Only users. When creating a new user, send the user's login credentials to the user's email address by clicking the
button.
Additional data is also available and may appear once the record is saved:
Locked Date – is a display only field. It will show a date if the account has been automatically locked (from too many failed log in attempts, for example).
Lock Reason – will give the reason the account was automatically locked (‘Failures’ for example).
Unlocked by – will show the User ID of the user who last unlocked the account.
License Acceptance Date – displays the date and time the user accepted the license, if license agreements are configured.
Last Sign In – shows the date and time the user last attempted to log into the system.
Expiration Date – will inactivate the user on a specific date. Once the expiration date is reached, the user will no longer have access to the application.
External System Identifier – is only displayed if the Single Sign On (SSO) system preference is turned on. This field can be used to capture what will be authenticated by SSO, if not using an existing system field (such as User ID).
User Description – Relates to Single Sign On (SSO) and is only displayed if the SSO system preference is turned on. If using a non-unique identifier to authenticate SSO users, and the user has multiple IDs within the Equus Platform, this is how this particular account will be presented to the user for log in.
SSO User – is only displayed if the Single Sign On (SSO) system preference is turned on. If the site can be accessed by users via SSO, this checkbox is ticked and the IDP field is displayed beneath it. When checked, it will prevent the system from generating login credential emails to the user via the [Generate & Email Password] button within User Maintenance or the Forgot your User ID or Password? link. Also, the user will not be able to change the password after logging in – the Change Password page is not available.
The IDP field (mandatory when SSO User is ticked) specifies the IDP that the SSO connection should use when an SSO user accesses the system. When the SSO User field is ticked, the IDP automatically defaults to the Display Value with the Lookup Classification code of "EQIDDF". Clicking on the field displays a list of IDP lookup values; additional values can be added using the System Maintenance screen, thus supporting multiple tenants through SSO.
If there are no values for IDP in either the web.config file or the active IDP lookup values, the SSO User checkbox is disabled and the user will be presented with a tooltip, "Request assistance from the administrator to enable SSO in this environment".
Show SSO User Association Fields (SHWEXTUSRF) is the system preference that must be turned on to display the SSO fields.
Auto Create Resource – when ticked, a basic profile on the Resources screen (located on the Configuration tab) will be created, associated with the User ID. The resource record will be created with the Resource Name equal to the User’s User ID. Note: updates to the user will automatically update the user’s profile on the Resources screen if the user and the resource have been associated via a User ID.
Last emailed by – the User ID of the person who last emailed the ID/password to the user. It also shows the date that email was sent.
Has All Assignment Rights – If the User Type is Internal or Internal Read Only this field is available. When ticked, the user has access to all assignments, for all companies. Therefore, the Company Access section of the page disappears along with Company Segment Security, Special Security Group Security, and Country Security tabs.
Restrict Coordinators To Their Own Assignments – This is available when the User Type selected is External Client, Internal or Internal Read Only. Tick this box if the user is a resource and should be restricted to only those assignments he/she is associated with in one of the following roles:
On the employee record: HR Contact. The user may access up to and including the Employee record, all authorizations associated with the employee, and the employee’s associated assignments with rights per the assigned Role Security.
On an authorization: Authorization Coordinator. The user may access up to and including the authorization for which the user is the coordinator, the related Employee record, and the assignment record associated with the authorization, with rights per the user’s assigned Security Role.
On an assignment: Assignment Coordinator, Accounting Coordinator, Assignment Additional Resources 1-30. The user may access the assignment on which the user is identified, as well as related employee record and associated authorization with rights per the user’s assigned Security Role.
Restricted users will still be able to view and create authorizations and employee records where no assignments are associated, even if they are not identified as one of the named roles.
Note: If a record is modified so that the restricted user no longer holds the role on it, the user will lose access to the record immediately. This includes when the restricted user himself/herself updates the record.
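The following added example (not Equus Platform code) models the restriction rules above so the resulting reach of a restricted user can be reasoned about during an access review. The record classes, field names and sample IDs are hypothetical, and treating "no assignments are associated" as "no assignment record points at this employee or authorization" is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Employee:
    id: str
    hr_contact: str = ""

@dataclass
class Authorization:
    id: str
    employee_id: str
    coordinator: str = ""

@dataclass
class Assignment:
    id: str
    employee_id: str
    authorization_id: str
    # Assignment Coordinator, Accounting Coordinator, Additional Resources 1-30
    role_holders: set = field(default_factory=set)

def visible(user, emps, auths, asgs):
    """Records a restricted user can reach, computed from current record state."""
    out = set()
    for e in emps:
        if e.hr_contact == user:  # HR Contact: employee, its authorizations, its assignments
            out.add(("employee", e.id))
            out |= {("authorization", a.id) for a in auths if a.employee_id == e.id}
            out |= {("assignment", s.id) for s in asgs if s.employee_id == e.id}
    for a in auths:
        if a.coordinator == user:  # Authorization Coordinator
            out |= {("authorization", a.id), ("employee", a.employee_id)}
            out |= {("assignment", s.id) for s in asgs if s.authorization_id == a.id}
    for s in asgs:
        if user in s.role_holders:  # any named role on the assignment
            out |= {("assignment", s.id), ("employee", s.employee_id),
                    ("authorization", s.authorization_id)}
    # Employee and authorization records with no assignment stay reachable.
    out |= {("employee", e.id) for e in emps if all(s.employee_id != e.id for s in asgs)}
    out |= {("authorization", a.id) for a in auths if all(s.authorization_id != a.id for s in asgs)}
    return out

def sample():
    """Constructed records: E3/A3 have no assignment; 'asg1' holds a role on S1 only."""
    emps = [Employee("E1", "hr1"), Employee("E2"), Employee("E3")]
    auths = [Authorization("A1", "E1", "coord1"), Authorization("A2", "E2"),
             Authorization("A3", "E3")]
    asgs = [Assignment("S1", "E1", "A1", {"asg1"}), Assignment("S2", "E2", "A2", {"asg2"})]
    return emps, auths, asgs
```

Because the result is derived from the records as they stand, removing a user from a role drops the related records on the next evaluation, while employee and authorization records with no assignment remain reachable to every restricted user.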
Restrict to Access Group Assignments – This is available when the User Type selected is External Client, Internal or Internal Read Only. Tick this box to grant the user rights to all assignments tagged with the selected access groups. To add an access group, check out this article for more details.










