Administrative Users

Introduction

LUCY offers role-based access control (RBAC), which restricts system access to authorized users. Permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff are assigned particular roles, which grant them the necessary permissions to perform specific LUCY functions.

Configuring User Settings

Add New User

Select "New User"

Role:

There are four types of admin accounts in LUCY:

Password:

Password Policy -> Adjustable in the advanced settings.

SSO Authentication -> Possible via SAML 2.0 or OAuth 2.0 (Entra ID) for automatic user authentication.

Import Administrative Users

Importing administrative users can be directly done from your company directory either via LDAP or Azure (Entra ID).

Select "Import"

LDAP

Azure

Select your pre-defined server from the server list:

Add the relevant LDAP search syntax to query your Administrative Users.

For example, locating an Administrative User in the following directory structure:

Base DN -> Beck.ai OU -> Admin Users OU -> Distribution Groups Group -> IntuneLucy-DevOps

A well-formulated Active Directory search filter to obtain an Administrative user in the Group = IntuneLucy-DevOps:

Copy

(&(objectClass=user)(memberOf=cn=IntuneLucy-DevOps,ou=Distrubution Groups,ou=Admin Users,dc=beck,dc=ai))

&: This is the logical operator "AND". It indicates that all the conditions enclosed within the parentheses must be true for the query to return a result. This operator combines multiple search filters.

(objectClass=user): This filter specifies that the object being searched should be of the type "user". The objectClass attribute in LDAP is used to define the schema or type of an object in the directory.

(memberOf=cn=IntuneLucy-DevOps,ou=Distrubution Groups,ou=Admin Users,dc=beck,dc=ai): This filter is used to find users who are members of a specific group. Here's a breakdown of the group's distinguished name (DN):

• cn=IntuneLucy-DevOps: "cn" stands for Common Name. In this case, it refers to the name of the group.

• ou=Distrubution Groups: "ou" stands for Organizational Unit.

• ou=Admin Users: Another Organizational Unit, indicating a higher-level grouping within the directory.

• dc=beck,dc=ai: "dc" stands for Domain Component. These components are part of the LDAP naming context and represent different levels of the domain.

This query is structured to ensure that only objects that are users (objectClass=user) and are members of the specified group (memberOf=...) are returned.

---

Select your user(s) and import:

Once "Import" is selected, a pop-up will appear to define the Role.

Import Role

Define the Role of the imported user group.

---

Azure Application

Select the specific Azure Entra ID tenant.

---

Filter Azure Groups

Select the desired group to import from the drop-down.

---

Filter

Filter by Search Parameters -> Enter Microsoft search filters

Scenario 1: Filter by Email Domain

To import only recipients whose email domain ends with "@lucysecurity.company", use the endswith function:

Copy

(mail, '@lucysecurity.com')

This filter ensures that only users with emails ending in "@lucysecurity.company" are included in the import.

Scenario 2: Filter by Name Prefix

To import recipients whose names begin with "User", utilize the startswith function:

Copy

startswith(displayName, 'User')

This filter will match and import users whose display names start with "User".

Scenario 3: Filter by Location

To find all users located in 'Ext1', you can directly match the officeLocation attribute:

Copy

officeLocation eq 'Ext1'

This query ensures that only users with 'Ext1' listed as their office location are selected.

Scenario 4: Filter by Phone Number Exclusion

To exclude recipients whose phone number is '911', apply the ne (not equal) operator:

Copy

mobilePhone ne '911'

This filter imports users whose mobile phone number is not '911'.

---

Multitenant Capable Administration

Use Case 1: Customer Access to Campaign Statistics

Scenario: You create a campaign for your customer and want to give them access to view the statistics without allowing them to change the campaign configuration.

Create View-Only Account

• Navigate to Users -> Administrative Users

• Create a new user account with "view-only" status. This account will only have permission to view campaign statistics.

Assign Campaign to Client

• When creating a campaign, you will be prompted to enter the Client for the campaign. This client can be yourself, an organizational unit, or a third party.

Add User to Campaign

• Add the view-only user account to the campaign by navigating to the created campaign, selecting Advanced Settings -> User Settings.

Assign Viewing Rights

• Assign the necessary permissions to the view-only user to allow them to view the campaign statistics.

Use Case 2: Customer Creates Their Own Campaigns

Scenario: A customer wants to create their own campaigns, but should only have access to their own campaign data and not see data from other customers.

Create a Limited User Account

• Navigate to Users -> Administrative Users

• Create a new user account with the role of "user".

Assign Create/Delete Campaign Rights

• Give the user the "Create/delete campaign" permission. This allows the user to create and delete their own campaigns.

Customer Access

• When the customer logs in, they can create their own campaigns and will only see data related to the campaigns they created.

• The user will not have access to other menu items or data from other customers.

Administrative Permission List