The user page is the central manager for adding, editing and deleting users in Pyramid.
The upper panel shows the list of existing users in the system. Clicking on a specific user shows that user's details in the bottom panel. Use the check boxes and the macro buttons at the top of the user panel to run actions across multiple users.
The user listing shows the following columns:
- Actions - a panel to edit and delete the user; edit the user's roles and see the audit trail
- Status - a button to enable or disable a user account (without deleting the account)
- User type - Pro or Viewer license
- Cert - the number and level of certificates that the user has earned in the Learning Hub.
- User Name - the login ID of the user (for database, LDAP and AD). For SAML, this is merely the matching database ID for the user.
- Domain - the AD / LDAP domain (only shown if using AD or LDAP)
- First Name - user's first name
- Last Name - user's last name
- Admin Type - normal user, domain (tenant) admin, enterprise admin
- Tenant - the name of the tenant that the user belongs to
- Profile - the profile set for the user. If blank, the default profile is used.
- Phone - the phone numbers of the user.
- Use the quick search box to find users by username, first name or last name. For a more refined search, click the little search icon at the top of each column in the user listing grid.
- Use the multi-select checkboxes to bulk select users. Once selected:
  - Use the enable / disable macro button to bulk enable / disable users
  - Use the delete macro button to bulk delete users
User Security Buttons
Depending on settings made in the system, various buttons will be presented on a user's security card.
- Impersonate: This button is available to all admins all the time, to log in as a user and impersonate the user's experience in Pyramid.
- Clear Token: This button is available if multi-factor authentication has been enabled for one or more web servers. It allows admins to clear the given user's MFA token, forcing them to re-enroll with their authenticator app.
- Reset Password: This button is available when using the internal authentication provider (database) only. It allows admins to force the user to enter a new password when they next log in. Admins can control the strength of the password required in the reset through the internal authentication settings.
- Revoke Access Cookie: This button is available to admins all the time to revoke and cancel all the current sessions of the selected user, forcing the user to log in again (see below).
Click here for more details on these items.
Adding and Editing Users
To add a user, click one of the macro buttons in the top right-hand corner:
- Add Pro User - to add a user with a Pro license
- Add Viewer User - to add a user with a Viewer license
The fields required to set up a user change based on the authentication provider chosen.
- Click here for more details on the Add User form.
- To add users in bulk, you can import a listing of users with a CSV file.
- Alternatively, admins can set up provisioning to auto-import and synchronize users with an Active Directory.
Click on the user row in the user listing to open the user panel on the bottom for editing.
The fields available for edit depend on the authentication provider chosen. For more detail on the specifics see the "Add User" help.
The following settings are common to all user setups, regardless of authentication provider.
A user can be either “Professional” or “Viewer”. The choice affects which application interface is presented to the user and their related capabilities. The number of client licenses purchased determines how many seats are available for each type. See licensing for more details.
- Professional users can access the main client application and usually have access to all its functionalities (except for administrative capabilities). These can be limited by profiles, which can be set at the role or user level.
- Viewer users are provided with READ only access to the application through a simplified interface that allows them to view and interact with any discovery content (the green 'Discover' app), presentation content (the red 'Presentation' app) and rendered publications (output from the blue 'Publication' app).
Professional users can be elevated to administrative roles. There must be at least one administrator in the system at all times.
There are 2 types of admins in the system:
- Enterprise Admins have complete access to the entire system and its settings.
  - Enterprise Admins can grant roles from any tenant access to content in any other tenant (cross-tenant content).
  - They can also assign users from different tenants to roles in another tenant (cross-tenant roles).
- Domain Admins have administrative access to users, roles, and data sources only within the context of their tenancy.
Note that in a multitenant environment, domain admins are limited to actions WITHIN the tenancy they belong to. Enterprise admins can work across tenants.
Every user must belong to a tenant. Initially, users belong to the first tenant in the system – “default”. In a single tenant environment, this is the only existing tenant and it will not affect much of the application. In a multitenant environment, there are numerous effects governing both end users and administrators.
Profiles are a way to customize the functions of the full client experience for Pro users. As such, the Profile option is available for normal (non-admin) Pro users only. Use the drop-down to select a predefined profile for the user. Go to the profile page to add or edit profile definitions.
- User Name: this is the key field for each user; it must be unique in the system. If using LDAP or Active Directory as the authentication provider, the user name must be unique within each domain of the system.
- First Name / Last Name: these fields are optional. When integrated with Active Directory or LDAP, these fields are copied from the authentication system.
- Email: this field is optional, but is HIGHLY RECOMMENDED. Many automated communication systems in the product rely on this email address. When integrated with Active Directory or LDAP, this field is copied from the authentication system.
- Phone: this field is optional, but is recommended in order to ensure users receive any phone notifications.
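
The rules stated above for licenses, admin types, profiles and user names can be checked against a user list before a bulk CSV import or during an access review. The following is an added example, not Pyramid code: the CSV column names and sample rows are constructed for illustration and are not Pyramid's documented import layout.

```python
import csv
import io
from collections import Counter

# Constructed sample; the column names mirror the listing columns described on
# this page and are an assumption, not Pyramid's documented CSV import layout.
SAMPLE_CSV = """user_name,domain,user_type,admin_type,tenant,profile,email
alice,corp,Pro,enterprise admin,default,,alice@example.test
bob,corp,Pro,domain admin,sales,Analyst,bob@example.test
carol,corp,Viewer,domain admin,sales,,carol@example.test
dave,corp,Pro,normal user,sales,Analyst,
dave,corp,Pro,normal user,default,,dave@example.test
"""

ADMIN_TYPES = {"domain admin", "enterprise admin"}


def review_users(csv_text):
    """Return (row_number, user_name, finding) tuples for rows that break a rule."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    valid_admins = 0
    # User names must be unique within each domain (or system-wide if no domain).
    seen = Counter((r["domain"].lower(), r["user_name"].lower()) for r in rows)
    for n, r in enumerate(rows, start=1):
        is_admin = r["admin_type"].strip().lower() in ADMIN_TYPES
        is_pro = r["user_type"].strip() == "Pro"
        valid_admins += is_admin and is_pro
        if seen[(r["domain"].lower(), r["user_name"].lower())] > 1:
            findings.append((n, r["user_name"], "duplicate user name in domain"))
        # Only Professional users can be elevated to an admin role.
        if is_admin and not is_pro:
            findings.append((n, r["user_name"], "admin role on non-Pro user"))
        # Profiles apply to normal (non-admin) Pro users only.
        if r["profile"].strip() and (is_admin or not is_pro):
            findings.append((n, r["user_name"], "profile set on admin or Viewer"))
        # Email is optional, but automated communication relies on it.
        if not r["email"].strip():
            findings.append((n, r["user_name"], "missing email"))
    # The system must keep at least one administrator at all times.
    if valid_admins == 0:
        findings.append((0, "", "no administrator in listing"))
    return findings


if __name__ == "__main__":
    for finding in review_users(SAMPLE_CSV):
        print(finding)
```
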