Add Users or Edit a User

An Aternity administrator can create users and configure their permissions to sign in to Aternity, according to their roles in your company.

Add a user to Aternity
To... Do this...

To create a user

Decide on the type of user you want to create, then create the user (see below).

  • Local User is defined entirely inside Aternity, hence their username, password, department, residency and privileges are stored locally inside Aternity.

  • SSO User signs in by securely connecting to an identity provider (IdP) to authenticate the username and password. Enable Aternity SSO with a third party IdP (learn more) or use your Microsoft Active Directory as the IdP (learn more). Then add these SSO users inside Aternity to define their roles and privileges.

    Access your Aternity homepage using SSO
  • SSO Group is Aternity's way of grouping a set of SSO users who all have the same property field and value in the identity provider (IdP). You define the same Aternity privileges for all SSO users who conform to that rule. For example, you can define privileges for a group for all SSO users in the IdP whose memberOf property has the value Engineering.

  • Directory User signs in to Aternity with the network username and password, which authenticates with your enterprise's LDAP. Since these credentials are in your Microsoft Active Directory (AD), you must manage any password changes there. To configure, you must first connect your AD to Aternity.

    Connect the enterprise LDAP directory to use network usernames and passwords
  • Directory Group is a user group already defined in your AD, all of whose members you want to have access to Aternity with the same set of privileges.

To change a user's password

(Local users only) In the list of users, select the row's context menu on the right > Reset Password. Learn more.

To change a user's permissions

Edit the user's role (see below).

If you create a local username (not from an LDAP directory), and the username is the person's valid email address, Aternity automatically sends an email to that user, asking them to create a new password. Then new users can sign in with their own password and access the functionality granted in the permissions defined here. For locally defined users, a password must be at least 8 characters long, where at least one of them is uppercase (A-Z), one lowercase (a-z), one number (0-9) and one non-alphanumeric (like @, #, $). Aternity encrypts all locally managed passwords.

After creating local users, they set up their own passwords

If you add several AD groups, where the same user is a member of more than one group, that user receives a combination (union) of all those groups' rights. But if you define an AD user individually, and that user also appears in LDAP groups, Aternity only adopts the roles assigned to the individual user.

For on-premise deployments, you should force Aternity to require that local usernames are in the format of email addresses. Select the Gear Icon > Settings > Advanced Settings > security > userInEmailFormat and set it to Yes (the default is No).

You can set a residency requirement for users, so that only users with a particular residency can access a specific account.

Procedure

  1. Open a browser and sign in to Aternity.
  2. To view the usernames and groups who have access to sign in to Aternity, select the Gear Icon > Users.

    If a user from a group in your Active Directory (AD) accesses Aternity, their details appear in this list, but you cannot edit their properties, since they are managed as part of their AD group.

    View the list of users defined in Aternity
  3. To create a single user, decide if you want a local user whose username and password are inside Aternity, or an SSO user or LDAP directory user where you store and manage the credentials elsewhere.
    • Select Add User/Group > Local User to create a user with locally stored and managed credentials.

    • Select Add User/Group > SSO User to create a user with credentials stored and managed in your enterprise's identity provider (IdP).

    • Select Add User/Group > Directory User to create a user with credentials stored and managed in your enterprise's Microsoft Active Directory (AD).

    Tip

    You can switch a local user to an SSO user or switch the other way. You can also add a single user to a group, or add one of the members of a group separately as a named user to override the group's roles for that user, by selecting the row's context menu on the right > Switch.... Learn more.

    Add a user to Aternity
    Field Description
    Domain

    (LDAP directory users only) Select the LDAP domain whose AD defines this username and password. Choose from the list of domains which you integrated to Aternity (learn more).

    Connect the enterprise LDAP directory to use network usernames and passwords
    User Name

    Enter the email address for this user, which serves as the username to sign in to Aternity.

    For SSO users, this must be identical to the identifier sent from the IdP to Aternity after authentication. You must first integrate SSO in your deployment (learn more).

    For LDAP directory users, this must be identical to the LDAP network sign in of this user.

    You do not define a password here. The system automatically sends an email to this address, containing a link for users to create their own passwords.

    If a locally defined username is NOT an email address, you can reset it to the default password, or alternatively you can manually enter a new password on their behalf. When you reset a local user's password to the default, it is Q!w2e3r4. To change that default, select the Gear Icon > Settings > Advanced Settings > security > defaultPassword and set the value there.

    If you set Aternity to require local usernames to be email addresses, verify this is a valid email address, as Aternity sends the password link to that address.

    To require email addresses as usernames, select the Gear Icon > Settings > Advanced Settings > security > userInEmailFormat and set it to Yes.

    Validate

    (LDAP Directory only) Select to confirm this exact name exists in the AD in that domain. Once confirmed, it displays the remaining fields so you can confirm that this is as you intended.

    First Name / Last Name / Department

    Enter the user's first name, family name and department. For LDAP directory users, Aternity fills this field from the AD.

    Description

    (Optional) Enter notes which you may find useful to remind yourself why this user has the permissions you set. For LDAP directory users, Aternity fills this field from the AD.

    Resident of

    Enter the user's residency if your enterprise restricts access to data to users who are legally resident in a specific country or region. When you set up your account with Aternity, you can specify the residency of users who are allowed access to data. Select from:

    • USA

    • EU

    • APJ for Asia-Pacific and Japan

    • LATAM for countries in Central and South America

    • Israel

    • MEA for countries in the Middle East and Africa

    Roles

    Select the roles and permissions assigned to this user or group (listed below in alphabetical order).

    Tip

    If you do not have permission to view or edit something in Aternity, that entry does not appear at all on the screen.

  4. You can also create a group of users who all have the same roles in Aternity.

    Select Add User/Group > SSO Group to define a group of SSO users with the same Aternity roles, where the users share the same property and value as defined in your SSO identity provider. For example, you can create an SSO group whose members all have a field called location with the value London, or memberOf with the value Sales.

    Note

    If a user is both a single named user AND a member of a group, Aternity only sees the roles in the named user. It ignores the group for that user.

    Select Add User/Group > Directory Group to assign the same Aternity roles to a user group which is already defined in your enterprise's Microsoft Active Directory (AD).

    Create a group of users with the same roles
    Field Description
    Domain

    (LDAP directory users only) Select the LDAP domain whose AD defines this username and password. Choose from the list of domains which you integrated to Aternity (learn more).

    Connect the enterprise LDAP directory to use network usernames and passwords
    Group Name

    (SSO group) Enter the name which you want Aternity to use to refer to this group of SSO users. You define a group of SSO users by a property which they share in the identity provider (IdP), where they are stored.

    (Directory LDAP group) Enter the exact name of the LDAP group whose members should have a login to Aternity.

    Validate

    (LDAP Directory only) Select to confirm this exact name exists in the AD in that domain. Once confirmed, it displays the remaining fields so you can confirm that this is as you intended.

    Group Attribute

    (SSO group only) Enter the exact field name or attribute as defined in the IdP, which unites all SSO users in this group. For example, memberOf or Location.

    Group Value

    (SSO group only) Enter the value of the Group Attribute field which unites all the SSO users in this group. For example, if all users in this group should have memberOf=management, enter management.

    You can also enter any part of that string (matches on 'contains'). This is useful for attributes with very long sets of values. For example, for an attribute called ldap whose value shows this user's place in the LDAP tree, if you want all users in this group to have the word management somewhere in that tree, you can just enter management.

    Description

    View the description of the group, if it is defined in the LDAP directory.

    Resident of

    Enter the user's residency if your enterprise restricts access to data to users who are legally resident in a specific country or region. When you set up your account with Aternity, you can specify the residency of users who are allowed access to data. Select from:

    • USA

    • EU

    • APJ for Asia-Pacific and Japan

    • LATAM for countries in Central and South America

    • Israel

    • MEA for countries in the Middle East and Africa

    Roles

    Select the roles and permissions assigned to this user or group (listed below in alphabetical order).

    Tip

    If you do not have permission to view or edit something in Aternity, that entry does not appear at all on the screen.

  5. Select the roles and permissions assigned to this user or group (listed below in alphabetical order).

    If you do not have permission to view or edit something in Aternity, that entry does not appear at all on the screen.

    Define the roles for this user or group

    The System Administrator is the most important role.

    Field

    Description

    System Administrator

    Select this role to grant the permission for ALL roles, and enable this user to create and configure other users in Aternity. The owner of this permission has full control over Aternity.

    Tip

    We recommend just two users with system administrator privileges in your enterprise, ideally from the IT team, preferably from the Performance Monitoring group, which knows the deployment procedures of the company.

    Other roles in Aternity are:

    Field Description
    Aternity User

    (Only appears for those who upgraded from Aternity 8.x and altered the permissions of this role.)

    In version 8.x of Aternity, this role gave basic permissions to view dashboards, view devices, device details, view incidents, and use the legacy PN (deprecated).

    In version 9.x this is replaced with View Devices, View Dashboards, and View Reports.

    Edit Advanced Configuration

    Select to enable this user to:

    Edit Configuration

    Select to enable this user to view, configure and remove items from the existing list of monitored applications (see Add or View Managed Applications for Enhanced Monitoring) and location definitions (see Configure Business Locations (Site-Based Location Mapping)).

    View Advanced Configuration

    Select to enable this user to view, but not edit, the information listed for the Edit Advanced Configuration role.

    Manage Devices

    Select to enable this user to view the list of all the Agents in your company, in the Agents window. This user can select a single Agent to:

    • Change an Agent's state and log level, or collect Agent logs in the Agent Control section in the Agent Dashboard window (see Agent Administration).

    • View the Agent events in the Agent Events sub-window.

    • View the history of the reports of a specific device (Agent) in the History sub-window.

    • View the incoming and the outgoing remote connections between a device and other devices in the Connections sub-window.

    • View and select the monitored applications on the device in the Monitors sub-window of the Agent.

    The owner of this privilege may also access the dashboards which summarize the device information, the device history, and the installed application list.

    View Devices

    Select to enable this user to view, but not edit, the same information as listed in the Manage Devices role.

    View Reports

    Select to enable this user to access the report window and schedule automatic reports. This feature is deprecated.

    View Performance Navigator

    Select to grant this user access to the PN (deprecated) to execute advanced queries on Aternity gathered data.

    Edit Monitor Tree

    View Configuration

    Select to enable this user to view (not edit) the existing list of monitored applications (learn more) and location definitions (learn more).

    View Dashboards

    Select to enable this user to view the dashboards and incidents in Aternity. We recommend that every user have this capability.

    OData REST API

    Select to enable this user to access Aternity performance data directly, bypassing the dashboards, using the REST API (learn more).

    OData REST API for System

    Select to allow this user, who is a system administrator, to access REST APIs visible only to system administrators (learn more).

  6. Select Create.
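
Added example (not Aternity code): a Python model of the role rules described on this page, where a named user's roles replace any group roles, roles from several groups combine as a union, and an SSO Group Value matches on 'contains'. It can be used to review group definitions for users who would pick up roles through a substring match alone. The usernames, group definitions and attribute values are constructed; applying the union rule to SSO groups and treating the match as case-sensitive are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SsoGroup:
    name: str
    attribute: str        # Group Attribute, as named in the IdP
    value: str            # Group Value, matched with 'contains'
    roles: frozenset

# Constructed sample data; role names are taken from the page.
GROUPS = [
    SsoGroup("Managers", "memberOf", "management",
             frozenset({"View Dashboards", "Edit Configuration"})),
    SsoGroup("Sales", "memberOf", "Sales",
             frozenset({"View Dashboards", "View Reports"})),
]
NAMED_USERS = {"carol@example.com": {"View Dashboards"}}
IDP_USERS = {   # attribute values the IdP would send for each user
    "alice@example.com": {"memberOf": ["management", "Sales"]},
    "bob@example.com": {"memberOf": ["risk-management-contractors"]},
    "carol@example.com": {"memberOf": ["management"]},
    "dave@example.com": {"memberOf": ["Engineering"]},
}

def matched_groups(attrs, groups=GROUPS):
    """Groups whose Group Value occurs anywhere in one of the user's values."""
    return [g for g in groups
            if any(g.value in v for v in attrs.get(g.attribute, []))]

def effective_roles(user, attrs, named=NAMED_USERS, groups=GROUPS):
    """A named user's roles replace group roles; otherwise groups are unioned."""
    if user in named:
        return set(named[user])
    roles = set()
    for g in matched_groups(attrs, groups):
        roles |= g.roles
    return roles

def substring_only_matches(users=IDP_USERS, groups=GROUPS):
    """(user, group, value) triples matched by 'contains' but not by equality."""
    return [(u, g.name, v)
            for u, attrs in sorted(users.items())
            for g in groups
            for v in attrs.get(g.attribute, [])
            if g.value in v and v != g.value]

if __name__ == "__main__":
    for user, attrs in IDP_USERS.items():
        print(user, sorted(effective_roles(user, attrs)))
    print("review:", substring_only_matches())
```

In this sample, bob receives the Managers roles only because his group name contains the string management, and carol keeps only her named-user role even though she is in a matching group.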