The Security → Security Groups page can be reached by clicking the  menu item.

Info: User Account Control

Active Directory Authentication types

Flowster Studio uses two values for the authentication type in the Active Directory entries: Secure and Secure Socket Layer.

Secure: requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating.

Secure Socket Layer: attaches a cryptographic signature to the message that both identifies the sender and ensures that the message has not been modified in transit. Active Directory Domain Services requires the Certificate Server be installed to support Secure Sockets Layer (SSL) encryption.

Active Directory supports both Kerberos and NTLM. Windows tries Kerberos first and, if not all of its requirements are met, falls back to NTLM.

Kerberos is the default authentication method for AD. It can fall back to NTLM in some cases, but that is handled by Windows itself. Kerberos is used every time a login to an AD is made.

As an example, accessing a file share by name, such as \\server1\share, invokes Kerberos and should succeed given proper permissions. Accessing the same file share by IP address invokes Kerberos first, which fails (as there is no SPN for the IP address), and then falls back to NTLM.
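A way to see where the fallback described above actually happens, as an added example that is not part of the Flowster Studio documentation: the sketch reads exported Windows Security log events (event ID 4624, successful logon) and counts network logons that were authenticated with NTLM rather than Kerberos. The sample events, host name, accounts and addresses are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the XML layout of exported Security log events.
# Host names, accounts and addresses are invented for illustration.
def _event(event_id, user, package, ip):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID>"
        "<Computer>server1.example.test</Computer></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        '<Data Name="LogonType">3</Data>'
        f'<Data Name="AuthenticationPackageName">{package}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )

SAMPLE_EVENTS = "<Events>" + "".join([
    _event(4624, "alice", "Kerberos", "10.0.0.21"),  # share opened by name
    _event(4624, "bob", "NTLM", "10.0.0.22"),        # share opened by IP
    _event(4624, "bob", "NTLM", "10.0.0.22"),
    _event(4625, "carol", "NTLM", "10.0.0.23"),      # failed logon, not counted
]) + "</Events>"

def parse_logons(xml_text):
    """Return user, package, logon type and source IP of each 4624 event."""
    logons = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # 4624 = successful logon
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        logons.append({
            "user": data.get("TargetUserName", ""),
            "package": data.get("AuthenticationPackageName", "").strip(),
            "logon_type": data.get("LogonType", ""),
            "source_ip": data.get("IpAddress", ""),
        })
    return logons

def ntlm_network_logons(logons):
    """Count network logons (type 3) per (user, source IP) that used NTLM."""
    return Counter(
        (l["user"], l["source_ip"]) for l in logons
        if l["logon_type"] == "3" and l["package"].upper() == "NTLM"
    )
```

Clients that show up in the result are candidates for being addressed by IP or lacking a matching SPN, the condition under which Kerberos fails and NTLM is used.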

Here are some links for a better understanding of how the two protocols work:

https://msdn.microsoft.com/en-us/library/bb742516.aspx

https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/

...


Introduction to User Roles

Flowster Studio defines the following user roles and permissions:

  • SuperAdmins - users that have full control over the parent tenant. They can access all components of Flowster Studio without restriction and can modify the tenant's data. The matching security group type is SuperAdmins and is created during installation.
  • Admins - users that have limited control over the parent tenant. They can be created by superadmins or other admins. The limited permissions are defined and managed in the Administrator → Security → Admin Permissions page. The matching security group type is Admin Group and is explicitly created by users in an unlimited number.
  • Users - users with no access to Administrator. They are permitted only to log in and use Portal and Webapps, and to receive explicit permissions on Portal → Workflows from other users with superadmin/admin roles. The matching security group type is User Group and is explicitly created by users in an unlimited number.

Users are grouped in Security Groups of the types presented above. A user's membership and permissions are valid only on the parent tenant. If the same user exists in another tenant, the role and permissions will be applied based on the Security Groups configuration on that tenant.

Security Groups 

SuperAdmins 

During installation, a super admin user must be entered in order to successfully install the application on a computer. The Super Admin set during installation, which can be a custom user or a user selected from an Active Directory OU, is the only one that can access Flowster Studio components at login. This user is the only one that can define other Active Directory, Google, Azure or Local/Custom users/groups as super admins, admins or users, by adding them into the specific security group types.

NOTE:

  • a custom user is a database user with no authentication provider
  • a local user is a user whose username and encrypted password are stored on the computer itself (e.g. a Windows local user)

The predefined SuperAdmins group cannot be deleted from Administrator. Also, if there is only one user in the SuperAdmins group, that user will not be deleted (there should be at least one user in this type of group).

...

All users from this group type can access all Flowster Studio components without the need to create a Permission Role (e.g. as is the case for administrator groups). Only users from the SuperAdmins group have visibility and control over this group in the Security Groups page.

...


Admin Group/User Group

Administrator lets users create an unlimited number of security groups and subgroups, add Active Directory, Google, Azure or Local users or groups into manually created groups, and add members from all previously defined authentication providers, or custom/local users if no authentication provider is defined.


Add group/subgroup

  • Click the Add button to add a new security group. The Add new group window will open.

...

  • Selecting an OpenID Connect Provider:
    • The Add OpenID User window will open
    • Insert User ID
    • Insert Display Name
    • Click Add User in order to save the configuration

...

  • Selecting a Custom Provider 
    • The Add Custom Flowster User window will open
    • Insert Username - custom users cannot exist in multiple tenants with the same Username. Please insert a unique Username for the custom user 
    • Click Generate Password - the Password and Confirm Password fields will be prefilled with the generated password
    • Check Change password at next login if you want to change the generated password at next login
    • Insert Email address
    • Insert Name
    • Choose activation date (optional)
    • Choose expiration date (optional)
    • Click Add User in order to save the configuration

...

  • Type a new Group Name and/or a new Group description.
  • Click the Save Changes button.

...

  • The group's name cannot be changed to a name that already exists.
  • Click the Save Changes button.

NOTE: if a group is assigned to a Permission Role, the group cannot be edited.

...

  • Select a group and move to the properties area.
  • Select the child that needs to be deleted from the Members grid.
  • Click the Remove Child button (if the user/group is not a member of any other group, it will be deleted; otherwise it will only be removed from the selected group).
  • Or right-click a child and click the Delete button in the context menu.

...

  • if you delete a user, all the mappings for that user will be deleted as well (e.g. if a user is given rights to a tenant, when deleting the user, the mapping to the tenant will be deleted as well).

...


Execution Groups Assignment 

The super admin can configure which Security Group has access to which Execution Group (for more details regarding execution groups and agents, please visit the Execution Groups page). An admin that belongs to a Role that has permission to configure security group → execution group mappings can configure for other security groups only the execution groups that are visible to that admin.

...

  • Click on the security group/subgroup
  • Go to the Execution Groups tab in the Selected Admin Group Info panel and check the desired Execution Group


Other

...

Options

The Update cache for users button can be used when data (e.g. users) was not updated automatically from the database.

...

  • Click Choose file
  • Select the csv file that you want to import
  • Click Import - if an imported user already exists on another tenant, it will be ignored during the import process.

Note: Passwords can be filled in the csv file and imported with the user's data. Dates can be modified, but the dd/mm/yyyy format must be kept.

...