Differences

This shows you the differences between two versions of the page.

--- user_management [2019/03/01 14:00] – lucy
+++ user_management [2019/07/25 12:49] – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 ===== Introduction =====
-LUCY offers a role-based access control (RBAC), restricting system access to authorized users. The permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular LUCY functions.
+LUCY offers a role-based access control (RBAC), restricting system access to authorized users. The permissions to perform certain operations are assigned to specific roles within the user settings. Members or staff (or other system users) are assigned particular roles, and through that role, assignments acquire the computer permissions to perform particular LUCY functions.
  ===== Where can you configure the user settings? =====
@@ Line 39: / Line 39: @@
 {{ usr_mng_6.png?600 }}
+===== How to convert users to LDAP-based? =====
+Lucy has the ability to convert the account to LDAP-based, so existing user can be logged in through LDAP. You can convert multiple accounts at once by selecting the necessary users and clicking the button "Convert to LDAP-based":
+{{:convert_ldap.png?600|}}
+//Note:// Lucy admin should configure the connection to Active Directory service to be able to use this feature. Please find more information about LDAP Integration [[ldap_integration|here]].
 ===== Can I enforce a password policy or strong authentication? =====
@@ Line 45: / Line 53: @@
 Please find more [[password_policies_login_protection_strong_authentication|here]].
+===== Can I authenticate administrative users via SSO? =====
+Yes. It is possible using the AD Federation service and authenticate the users automatically. See [[sso_authentication|chapter SSO.]]
+===== How to set up a multitenant capable administration =====
+To set up a multitenant capable administration, you first need an administrator account. From there you can set up the appropriate users and rights. Here are two use cases and the corresponding configuration:
+**Use case 1**: You create a campaign for your customer, but want to give your customer access to the statistics within the campaign. It must be ensured that the customer only sees his own data and cannot intervene in the campaign configuration.
+{{ rolebased_acces_view.png?600 }}
+**Solution use case 1:** You create a view-only account (1) in "settings/users" and assign this account to your customer. As soon as you create a campaign, you will be asked to enter the customer of the campaign (2). The customer can be yourself, an organizational unit or a third party. Next, you should add the user to the campaign (3). You can then assign the rights to view the statistics to the user (4).
+**Use case 2:** You have a customer who wants to create their own campaigns. However, the customer should only have access to his statistics and not see other customers.
+{{ rolebased_acces_view2.png?600 }}
+**Solution use case 2:** You create an account with the status "user" in "settings/users". Give the user only the right "Create/delete campaign" (1). As soon as the customer logs in, he can then create his campaign and see only the data of the campaigns he created himself (regardless of the assignment of the customer). He wont have acccess to any other menu item (2). However, there are areas where this limited administrator has access to possibly sensitive data of other customers. Examples are custom created templates that may contain customer-related information. But also all recipient groups created on the system can be seen by this customer when assigning recipients.