1.3.3.2. Security groups

The Security → Security Groups page can be reached by clicking the  menu item.


Introduction to User Roles

Flowster Studio defines the following user roles and permissions:

  • SuperAdmins - users that have full control over the parent tenant. They can access all components of Flowster Studio without restriction and can modify the tenant's data. The matching security group type is SuperAdmins; it is created during installation.
  • Admins - users that have limited control over the parent tenant. They can be created by superadmins or other admins. The limited permissions are defined and managed in the Administrator → Security → Admin Permissions page. The matching security group type is Admin Group; groups of this type are explicitly created by users, in unlimited number.
  • Users - users with no access to Administrator. They are permitted only to log in and use Portal and Webapps, and to receive explicit permissions on Portal → Workflows from other users with superadmin/admin roles. The matching security group type is User Group; groups of this type are explicitly created by users, in unlimited number.

Users are grouped in Security Groups of the types presented above. A user's membership and permissions are valid only on the parent tenant. If the same user exists in another tenant, the role and permissions are applied based on the Security Groups configuration of that tenant.

Security Groups 

SuperAdmins 

During installation, a super admin user must be entered in order to successfully install the application on a computer. The Super Admin set during installation, which can be a custom user or a user selected from an Active Directory OU, is the only one that can access Flowster Studio components at login. This user is also the only one that can define other Active Directory, Google, Azure or Local/Custom users/groups as super admins, admins or users, by adding them to the specific security group types.

NOTE:

  • a custom user is a database user with no authentication provider

  • a local user is a user whose username and encrypted password are stored on the computer itself (e.g. a Windows local user)

The predefined SuperAdmins group cannot be deleted from Administrator. Also, if there is only one user in the SuperAdmins group, that user cannot be deleted (there should be at least one user in this type of group).

The following operations can be performed on the SuperAdmins group:

  • create a sub group
  • add other Active Directory, Google, Azure or Local users
  • add other Active Directory, Azure or Local groups
  • rename the group

The following operations cannot be performed on the SuperAdmins group:

  • delete the group
  • delete all users – there should be at least 1 user inside the group
  • change the group’s type.

All users from this group type can access all Flowster Studio components without the need to create a Permission Role (as is the case for admin groups). Only users from the SuperAdmins group will have visibility and control over this group in the Security Groups page.


Admin Group/User Group

Administrator lets users create an unlimited number of security groups and subgroups and add members from all previously defined authentication providers, or custom/local users if no authentication provider is defined.


Add group/subgroup

  • Click the Add button to add a new security group. The Add new group window will open.


  • Type a name and/or a description for the new group.
  • Check User Group for a user type group, or Admin Group for an admin type group.
  • Click the OK button.

In order to add a subgroup, right-click on an existing security group and select the Add subgroup option. The Add new group window will open.

  • Type a name and/or a description for the new subgroup.
  • Select the subgroup's type (admin or user group).
  • Click the OK button.


Add group/subgroup children

In order to add a child to a group/subgroup, follow the next steps:

  • Select a group from the groups list and click the Add Child button from the Selected Admin Group Info panel or right-click on the group and select Add New Child option. 
  • The Choose Provider window will open allowing the user to select the provider for the new child:

  • Selecting an AD provider:
    • The AD Browser window will open.
    • By default, the Search AD option is toggled.
    • The search can be performed in three different ways: searching for groups, searching for users or searching for both (AD entries that have User and Group types assigned). The results will be displayed according to the given search criteria outside the AD tree, as seen in the image below.
      In order to search for AD groups, check the Groups option. Optional search criteria may be added: sAMAccountName, name, displayName, distinguishedName or custom. For each of them the user can define a value (Value field). With custom, an AD attribute other than the ones listed in the Attribute combobox can be defined.
      In order to search for AD users, check the Users option. Optional search criteria may be added: sAMAccountName, name, displayName, distinguishedName or custom. For each of them the user can define a value (Value field). With custom, an AD attribute other than the ones listed in the Attribute combobox can be defined.

                    

    • Browsing can be performed in three different ways: browsing all, browsing only groups and browsing only users. In order to browse all, leave the Both option checked.
      In order to browse only AD groups, check the Groups option. Optional browsing criteria may be added: sAMAccountName, name, displayName, distinguishedName or custom. For each of them the user can define a value (Value field). With custom, an AD attribute other than the ones listed in the Attribute combobox can be defined.
      In order to browse only AD users, check the Users option. Optional browsing criteria may be added: sAMAccountName, name, displayName, distinguishedName or custom. For each of them the user can define a value (Value field). With custom, an AD attribute other than the ones listed in the Attribute combobox can be defined.

                    


  • Perform a filter (the Browse AD tab) or a search operation (the Search AD tab) on the Active Directory forest.
  • Click the Browse or Search button, depending on the toggle.
  • Select the desired AD group(s) or user(s) and click Add Selected (for Browse AD). When performing an AD Search, all found Active Directory entries can be added by clicking the Add All Found button.
  • All selected and added information will be displayed in the Final List area. If desired, items can be removed from this area (select item(s) and click Remove Selected) or the whole list can be cleared (click Clear). If the list is cleared, other data must be added in order to complete this operation.
  • Click Finish in order to add all selected items to the selected security group/subgroup.
  • Check the group to see if the Active Directory or Local user/group was added under the selected group/subgroup.
  • Select the child to visualize the properties Display Name, FQDN, Identifier, Category and Member of in Selected User Info panel.


  • Selecting an OpenID Connect Provider:
    • The Add OpenID User window will open
    • Insert User ID
    • Insert Display Name
    • Click Add User in order to save the configuration


            


  • Selecting an Azure provider:
    • The AD Browser window will open
    • Search for a User or a Group (if no value is set in the search filter, all the results will be displayed)
    • Select and add the desired users/groups into the Final List area and click Save Changes

                    

  • Selecting a Google provider:
    • The AD Browser window will open
    • Insert a Google e-mail address
    • Insert a display name for the given address

                    

  • Selecting a Custom Provider 
    • The Add Custom Flowster User window will open
    • Insert Username - custom users cannot exist in multiple tenants with the same Username. Please insert a unique Username for the custom user 
    • Click Generate Password - the Password and Confirm Password fields will be prefilled with the generated password
    • Check Change password at next login if you want to change the generated password at next login
    • Insert Email address
    • Insert Name
    • Choose activation date (optional)
    • Choose expiration date (optional)
    • Click Add User in order to save the configuration




Users can manage the defined groups by editing or removing them. The added children can also be managed by dragging them from one group to another or by removing them completely.
In order to edit a group/subgroup, follow the next steps:

  • Select a group.
  • Right-click it and select the Edit Group option. The Edit Group window will open.

  • Type a new Group Name and/or a new Group description - the group cannot be renamed to a name that already exists.
  • Click the Save Changes button.

NOTE: if a group is assigned to a Permission Role, the group cannot be edited.


In order to move a user from one group to another, follow the next steps:

  • Select the group that contains the user and expand it if it is collapsed.
  • Select the user/group and drag it to the desired group.
  • Check that the user has been moved from the previous group to the new one.

For removing a group, follow the next steps:

  • Select the group.
  • Right-click the group and click the Delete button, or click the Remove Group button.

NOTE: if a group is assigned to a Permission Role, the group cannot be deleted.

For removing a child, follow the next steps:

  • Select a group and move to the properties area.
  • Select the child that needs to be deleted from the Members grid.
  • Click the Remove Child button (if the user/group is not a member of any other group, it will be deleted; otherwise it will only be removed from the selected group).
  • Alternatively, right-click the child and click the Delete button in the context menu.
  • If you delete a user, all the mappings of that user will be deleted as well (e.g. if a user is given rights to a tenant, when deleting the user, the mapping to the tenant will be deleted as well).


Execution Groups Assignment 

The super admin can configure which Security Group has access to which Execution Group (for more details regarding execution groups and agents, see the Execution Groups page). An admin who belongs to a Role that has permission to configure security group -> execution group mappings can configure, for other security groups, only the execution groups that are visible to that admin.


In order to assign Execution Groups to a security group/subgroup, follow the steps:

  • Click on the security group/subgroup
  • Go to the Execution Groups tab in the Selected Admin Group Info panel and check the desired Execution Group


Other Options

The Update cache for users button can be used when data (e.g. users) was not automatically updated from the database.

Load only custom users: if this option is checked, the user can see only the custom users spread through all security groups.

Export Custom Users:

  • Click on Export Custom Users
  • The custom users will be exported in a csv file

Import Custom Users:

  • Click Choose file
  • Select the csv file that you want to import
  • Click Import - if an imported user already exists on another tenant, it will be ignored during the import process.

NOTE: Passwords can be filled in the csv file and imported with the user's data. Dates can be modified, but the format must be kept dd/mm/yyyy.
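
A pre-import check for the csv file described above, as an added example that is not part of the Flowster documentation: it verifies the dd/mm/yyyy date format, flags duplicate usernames and reports rows that carry a password. The column names and the case-insensitive username comparison are assumptions; take the real header from a file produced by Export Custom Users.

```python
import csv
import io
from datetime import datetime

# Assumed header names; compare with a file produced by Export Custom Users.
COLS = ("Username", "Password", "Email", "Name", "ActivationDate", "ExpirationDate")

def parse_date(text):
    """Return a date for a strict dd/mm/yyyy string, None for an empty field."""
    text = text.strip()
    if not text:
        return None
    parsed = datetime.strptime(text, "%d/%m/%Y").date()
    if parsed.strftime("%d/%m/%Y") != text:  # reject unpadded forms like 1/2/2025
        raise ValueError(text)
    return parsed

def check_import(csv_text):
    """Return a list of (row_number, message) findings for a custom-user csv."""
    findings, seen = [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing columns: " + ", ".join(missing))]
    for row_no, row in enumerate(reader, start=2):
        name = (row["Username"] or "").strip()
        if not name:
            findings.append((row_no, "empty Username"))
        elif name.lower() in seen:  # assumption: usernames compared ignoring case
            findings.append((row_no, "duplicate Username " + name))
        seen.add(name.lower())
        dates = {}
        for col in ("ActivationDate", "ExpirationDate"):
            try:
                dates[col] = parse_date(row[col] or "")
            except ValueError:
                findings.append((row_no, col + " is not dd/mm/yyyy"))
        start, end = dates.get("ActivationDate"), dates.get("ExpirationDate")
        if start and end and end <= start:
            findings.append((row_no, "ExpirationDate is not after ActivationDate"))
        if (row["Password"] or "").strip():
            findings.append((row_no, "Password is filled: handle the file as a secret"))
    return findings

# Constructed sample input, not a real export.
SAMPLE = """Username,Password,Email,Name,ActivationDate,ExpirationDate
alice,,alice@example.test,Alice A,01/02/2025,01/02/2026
bob,Winter2025!,bob@example.test,Bob B,2025-02-01,
Alice,,alice2@example.test,Alice Two,10/03/2025,01/03/2025
"""
```

Running check_import(SAMPLE) reports the wrong date format and the filled password on row 3, and the duplicate username and inverted date range on row 4.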

