Add or Configure a User

An Administrator of Aternity can create users and configure their permissions so that they can sign in to Aternity and access the parts of the system that match their roles in your company.

Field Description
Local User

Enter and edit all details about the user locally in Aternity, including the username, password, department, and privileges.

LDAP User

You can create LDAP-managed network users who enter their regular network usernames and passwords to sign in to Aternity. Their credentials are housed in your Microsoft Active Directory (AD), and therefore password changes are managed there. To configure this, you must first connect your AD to Aternity. You can add Aternity users one AD user at a time, or add an AD group of users (all with the same set of privileges).

Connect the enterprise LDAP directory to use network usernames and passwords

If you create a local username (not from an LDAP directory), and the username is the person's valid email address, the system automatically sends an email to that user, asking them to create a new password. Then new users can sign in with their own password and access the functionality granted in the permissions defined here. For locally defined users, a password must be at least 8 characters long, with at least one uppercase (A-Z), one lowercase (a-z), one number (0-9) and one non-alphanumeric character (like @, #, $). The system encrypts all locally managed passwords.

After creating local users, they set up their own passwords

If you add several AD groups, where the same user is a member of more than one group, that user receives a combination (union) of all those groups' rights. But if you define an AD user individually, and that user also appears in LDAP groups, the system only adopts the roles assigned to the individual user.
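The resolution rule above can be modelled for an access review. This is an added example, not Aternity code: the group names, usernames and the `group_union` and `resolve` helpers are hypothetical, and the data is constructed. It reports each user's effective roles, the group roles an individual entry suppresses, and any roles an individual entry grants that no group membership would reveal.

```python
# Constructed sample data; group names and usernames are hypothetical.
GROUP_ROLES = {  # AD groups added with "Add Directory Group"
    "Helpdesk": {"View Dashboards", "View Devices"},
    "EUC-Ops": {"View Dashboards", "Manage Devices"},
}
MEMBERSHIPS = {  # directory export: user -> AD groups
    "alice": {"Helpdesk", "EUC-Ops"},
    "bob": {"Helpdesk", "EUC-Ops"},
    "carol": {"Helpdesk"},
}
INDIVIDUAL_ROLES = {  # users added one at a time with "Add Directory User"
    "bob": {"View Dashboards"},
    "carol": {"Edit Configuration"},
}


def group_union(user, memberships=MEMBERSHIPS, group_roles=GROUP_ROLES):
    """Union of the roles of every configured group the user belongs to."""
    roles = set()
    for group in memberships.get(user, ()):
        roles |= group_roles.get(group, set())
    return roles


def resolve(user, individual=INDIVIDUAL_ROLES):
    """Apply the page's rule: an individual entry replaces the group union."""
    from_groups = group_union(user)
    if user in individual:
        own = set(individual[user])
        return {
            "effective": own,
            "suppressed": from_groups - own,     # group roles the user does not get
            "beyond_groups": own - from_groups,  # roles a group-only review would miss
        }
    return {"effective": from_groups, "suppressed": set(), "beyond_groups": set()}


if __name__ == "__main__":
    for name in sorted(MEMBERSHIPS):
        result = resolve(name)
        print(name, {key: sorted(value) for key, value in result.items()})
```

A non-empty `beyond_groups` set marks access that removing the user from an AD group will not revoke, because the individual entry takes precedence.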

Tip

For on-premise deployments, you can force the system to require that local usernames are in the format of email addresses. Select the Gear Icon > Settings > Advanced Settings > security > userInEmailFormat and set it to Yes.

Procedure

  1. Open a browser and sign in to Aternity.
  2. Select the Gear Icon > Users.

    View the list of usernames already defined in the system to view your data.

    If a user from a group in your Active Directory (AD) accesses the system, their details appear in this list, but you cannot edit their properties, since they are managed as part of their AD group.

    Important

    The users in this list are allowed to sign in to view Aternity. This is NOT the list of monitored usernames and device details, which is obtained by the Aternity Agent running directly on the monitored device.

    View the list of users defined in the system
    Field Description
    Add Local User

    Select to create a new Aternity user, where you define the details (username, password, privileges) locally, not from an LDAP directory.

    For more information, see Add or Configure a User.

    Add Directory User

    Select to create a new Aternity user whose usernames and passwords are managed by your AD.

    For more information, see Add or Configure a User.

    Add Directory Group

    Select to create a set of Aternity users in one click, where the usernames and passwords are the same as a user group defined in your AD. Use this to assign all these users with the same privileges and roles.

    For more information, see Add or Configure a User.

    Add SAML User

    Select to create an SSO user who logs in once to your SSO identity provider.

    User/Group Name

    Displays the username for accessing the system, typically the user's email address.

    Department

    Lists the department entry for the user as entered when you created that user.

    Type

    You can create a Local User or a SAML User.

    Local users have their credentials managed locally here, while SSO (SAML) users have their credentials managed with your SSO identity provider.

    You can also create a Directory User or a Directory Group, where your Active Directory manages the credentials.

    Change User Type

    Select to switch a local user to an SSO user, or from an SSO user to a local user.

    Local users have their credentials managed locally here, while SSO (SAML) users have their credentials managed with your SSO identity provider.

    After you switch, the system sends the user an automatic email detailing their new sign in instructions.

    Roles

    Displays the list of permissions allowed for this user.

    Tip

    To view a user's roles, you must have at least all the roles of that user. Otherwise the system displays No permission to view.

    Locked

    This user attempted to sign in with an incorrect password too many times (by default more than five times). You can unlock the user by deselecting the check box.

    Enabled

    Select to enable this user's access to the system.

    Actions

    Select any of the following options:

  3. To create a local user whose username and password are manually defined in the system (not from an LDAP directory or an SSO identity provider), select Add Local User.

    Define the user's details, and their permissions or privileges.

    Add a user to the system
    Field Description
    User Name

    Enter the email address for this user, which serves as the username to sign in to Aternity. You do not define a password here. The system automatically sends an email to this address, containing a link for users to create their own passwords.

    If you have locally defined users whose usernames are not in email address format, you can reset it to the default password, or alternatively you can manually enter a new password on their behalf. The default password of the system, when you reset any locally defined user, is Q!w2e3r4. To change that default, select the Gear Icon > Settings > Advanced Settings > security > defaultPassword and set the value there.

    Note

    If you set the system to require local usernames to be email addresses, verify this is a valid email address, as the system sends the password link to that address. To require email addresses as usernames, select the Gear Icon > Settings > Advanced Settings > security > userInEmailFormat and set it to Yes.

    First Name

    Enter the user's first name.

    Last Name

    Enter the user's family name.

    Department

    (Optional) Enter the user's department.

    Description

    (Optional) Enter notes which you may find useful to remind yourself why this user has the permissions you set.

  4. To add a single user as a network user whose credentials would be managed by your LDAP directory, select Add Directory User.
    Add a single user who is defined in your LDAP

    This option is only visible if you configured Aternity to connect to your LDAP directory.

    Field Description
    Domain

    Select the display name of your LDAP directory, as defined in the AD configuration.

    User Name

    Enter the exact LDAP username of the person who should have a login to Aternity.

    Validate

    Select to confirm the exact username exists in the AD. If it is validated, the system displays the name underlined, and displays the remaining fields so you can confirm the username is the person you intended.

  5. To add a group of users from an LDAP-managed group, select Add Directory Group.

    All members of this group become Aternity users with identical roles and privileges. The LDAP directory manages the usernames and passwords.

    Create group of Aternity users with the same members as an LDAP group
    Field Description
    Domain

    Select the display name of your LDAP directory, as defined in the LDAP configuration.

    Group Name

    Enter the exact name of the LDAP group whose members should have a login to Aternity.

    Validate

    Select to confirm the exact name of the LDAP group is as you entered in Group Name. If it is validated, the system displays the name underlined.

    Description

    View the description of the group, if it is defined in the LDAP directory.

  6. Add an SSO user by selecting + Add SAML User, if your deployment is already enabled for single sign-on (SSO).

    SSO deployments use a third party identity provider (IdP) to authenticate users, but you must still add these users inside Aternity to determine their privileges. For more information on setting up SSO in your deployment, see Integrate Single Sign-On (SSO) Access to Aternity.

    Tip

    If these users already exist as local users, select Change User Type to switch them directly to SSO users.

    Consider adding one user and testing it first, then adding all other users.

    Add an SSO user to Aternity
    Field Description
    User Name

    Enter the user's email address. This must be identical to the identifier sent from the IdP to Aternity after authentication.

    You must still add the appropriate roles and privileges for that user in Aternity.

  7. Select the roles and permissions assigned to this user or group (listed below in alphabetical order).

    If you do not have permission to view or edit something in the system, that entry does not appear at all on the screen.

    Define the roles for this user or group

    The System Administrator is the most important role.

    Field

    Description

    System Administrator

    Select this role to grant the permission for ALL roles, and enable this user to create and configure other users in the system. The owner of this permission has full control over Aternity.

    Tip

    We recommend just two users with system administrator privileges in your enterprise, ideally from the IT team, preferably the Performance Monitoring group, which knows the deployment procedures of the company.

    The following table lists the other roles in the system:

    Field Description
    Aternity User

    (Only appears for those who upgraded from Aternity 8.x and altered the permissions of this role.)

    In version 8.x of Aternity, this role gave basic permissions to view dashboards, view devices, device details, view incidents, and use the legacy PN (deprecated).

    In version 9.x this is replaced with View Devices, View Dashboards, and View Reports.

    Edit Advanced Configuration

    Select to enable this user to:

    Edit Configuration

    Select to enable this user to view, configure and remove items from the existing list of monitored applications (see Add or View Managed Applications for Enhanced Monitoring) and location definitions (see Configure Business Locations (Site-Based Location Mapping)).

    Manage Devices

    Select to enable this user to view the list of all the Agents in your company, in the Agents window. This user can select a single Agent to:

    • Change an Agent's state and log level, or collect Agent logs in the Agent Control section in the Agent Dashboard window (see Agent Administration).

    • View the Agent events in the Agent Events sub-window.

    • View the history of the reports of a specific device (Agent) in the History sub-window.

    • View the incoming and the outgoing remote connections between a device and other devices in the Connections sub-window.

    • View and select the monitored applications on the device in the Monitors sub-window of the Agent.

    The owner of this privilege may also access the dashboards which summarize the device information, the device history, and the installed application list.

    OData Role

    Select to enable this user to access Aternity performance data directly, bypassing the dashboards, through the system's REST API in OData format.

    View Advanced Configuration

    Select to enable this user to view, but not edit, the information listed for the Edit Advanced Configuration role.

    View Configuration

    Select to enable this user to view (not edit) the existing list of monitored applications (see Add or View Managed Applications for Enhanced Monitoring) and location definitions (see Configure Business Locations (Site-Based Location Mapping)).

    View Dashboards

    Select to enable this user to view the dashboards and incidents in Aternity. We recommend that every user have this capability.

    View Devices

    Select to enable this user to view, but not edit, the same information as listed in the Manage Devices role.

    View Performance Navigator

    Select to grant this user access to the PN (deprecated) to execute advanced queries on Aternity gathered data.

    View Reports

    Select to enable this user to access the report window and schedule automatic reports. This feature is deprecated.

  8. Select Create.
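The local password rules and the documented reset default described earlier on this page can be checked together. This is an added example, not Aternity code: `policy_violations` and `audit_reset_password` are hypothetical helpers, the value to audit is whatever an administrator reads from security > defaultPassword, and the sample inputs are constructed. It shows that the shipped default satisfies every complexity rule, so only an explicit comparison flags it.

```python
import re

# Rules as stated on this page for locally defined users.
RULES = [
    ("at least 8 characters", lambda p: len(p) >= 8),
    ("one uppercase (A-Z)", lambda p: re.search(r"[A-Z]", p) is not None),
    ("one lowercase (a-z)", lambda p: re.search(r"[a-z]", p) is not None),
    ("one number (0-9)", lambda p: re.search(r"[0-9]", p) is not None),
    # Assumption: "non-alphanumeric" means any character outside A-Z, a-z, 0-9.
    ("one non-alphanumeric character",
     lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]

SHIPPED_DEFAULT = "Q!w2e3r4"  # default reset password documented on this page


def policy_violations(password):
    """Return the names of the page's password rules that `password` fails."""
    return [name for name, passes in RULES if not passes(password)]


def audit_reset_password(configured):
    """Findings for the value held in security > defaultPassword."""
    findings = []
    if configured == SHIPPED_DEFAULT:
        findings.append("defaultPassword is still the documented default")
    findings += ["fails rule: " + rule for rule in policy_violations(configured)]
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for value in (SHIPPED_DEFAULT, "Summer2024", "k7#Vd-pR2!mQ"):
        print(repr(value), audit_reset_password(value) or "ok")
```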