User Management - Metasys - LIT-12011953 - Server - Metasys UI - 7.0.50

Metasys UI Help

Brand: Metasys
Product name: Metasys UI
Document type: User Guide
Document number: LIT-12011953
Version: 7.0.50
Revision date: 2024-03-19
Product status: Active
Language: English

What is the User Management feature?

The User Management feature facilitates the creation and management of users and their roles, category-based permissions, and privileges directly in Metasys UI, without the need to install software on client machines. Administrators can create and manage user details for Active Directory and Metasys local users. From Metasys Release 11.0, Active Directory includes Microsoft® Active Directory Federation Services (ADFS), including two-factor authentication (2FA) when the ADFS Server is configured for 2FA, in addition to Active Directory LDAP authentication. Refer to the Network and IT Guidance Technical Bulletin (LIT-12011279) for information about configuring an ADFS server for your Metasys site.

The User Management feature is also available in the Metasys Site Management Portal (SMP), but over time it will be available in Metasys UI only.

Note: For MVE on Metasys UI, see Administrative Tasks for MVE on Metasys UI for more information.

Who can access the User Management feature?

Only administrators can access the User Management feature. All users can view and edit certain information that relates to their specific user details in My Profile. You do not require a license to access User Management.

However, the ADFS for AD Integration and 2FA feature needs to be licensed. This add-on feature always appears in the Software Manager whenever Metasys UI is installed. The name of this feature license in the Software Manager is ADFS Authentication for Metasys. Refer to Software Manager Help (LIT-12012389) for more information about software licensing.

A user can access the Building Network tree in the Metasys UI only if the user has the User Can View the Item Navigation Tree (Default Tree) property selected in the User Details tab in the User Management feature in Metasys UI, or in their User Properties in SMP. For more information, refer to the Security Administrator System Technical Bulletin (LIT-1201528).

How can I access the User Management feature?

  1. Open the User menu.
  2. Tap or click Administrative Tasks.
  3. Tap or click User Management.
Note: The User Management feature is still available in SMP/SCT (Security Administration feature).

What can I do with the User Management feature in Metasys UI?

Administrators can complete the following tasks with the User Management feature:
  • Add, edit, and delete Metasys administrators.
  • Add, edit, and delete Active Directory users. From Metasys Release 11.0, this includes enabling Microsoft® Active Directory Federation Services (ADFS) for two-factor authentication (2FA).
  • Duplicate a Metasys user to create an Active Directory user and duplicate an Active Directory user to create a Metasys user.
  • Add, edit, and delete Metasys API users.
  • Create, edit, delete, and assign roles to Metasys users.
  • Assign authorization category permissions and system privileges to users and roles.
  • Navigate to Space Authorization to authorize spaces for users.
  • Apply system configurations and account policies to any user.
  • Filter users based on role, type, last login, and status.
  • Filter roles based on system privileges, access categories, and permissions.
  • View and change which users and roles have navigation enabled for each User View.

What is the layout of the User Management feature?

The following figure shows the layout of the Users tab in the User Management feature on a desktop.
Figure 1. User Management feature callouts
Table 1. User Management callouts
Number Name Description
1 Users tab This is the default tab. You can see information that relates to all users. If there are more than 25 users listed, navigate to the next page to see more users. Tap or click Next, or the relevant page number, in the bottom-left of the screen to navigate to the next page. Tap or click Previous, or the relevant page number, to navigate to a previous page.
Note: On a smartphone, select Users, Roles, Views, or Setup from the Users drop-down in the upper-left of the screen.
2 Roles tab Lists the role name, description of each role, and the number of users that are assigned this role. You can also edit roles, create a duplicate role, and delete a role in this tab. See also What is the layout of the Roles tab?
3 Views tab View and change which users and roles have navigation enabled for each User View. See also What is the layout of the Views tab?
4 Setup tab Configure the settings for Active Directory users. See also What is the layout of the Setup tab?
5 Export icon Exports a User Report of the users to a .csv or .pdf file.
Note: The export functionality is supported on desktop platforms only.
6 User search Search for a user name.
7 Filter menu Filter options include Role, Type, Last Login, and Status. See also How do I use filters in the User Management feature? What filters are available?
8 Actions column Edit the user. When you tap or click this icon, you can edit the User Details, Account Settings, Timesheet details, and the Category Access permissions for a user. See also How do I edit a user? What are my edit options?
Configure spaces. When you tap or click this icon, you are redirected to the Space Authorization window.
Note: This icon does not appear on smartphones, as Space Authorization is supported on desktop and tablets only.
Duplicate the user. When you tap or click this icon, the Duplicate User window opens. Select the settings you want to copy and enter a username and password. From Metasys Release 11.0, you can duplicate a Metasys user to create an Active Directory user, and you can duplicate an Active Directory user to create a Metasys user.
Note: If the Active Directory option is disabled in the Type drop-down menu in the Duplicate User window, enable and configure Active Directory/LDAP or ADFS in the User Management Setup tab.
Delete the user. When you tap or click this icon, the Delete User window opens. You can confirm if you really want to delete the user.
9 Status column Shows the status of the users. For example, Active, Disabled, Locked Out, or Expired.
Note: On a smartphone, the status appears underneath the username.
10 Last Login column Shows the last login time of the users. The Dormant User icon appears next to dormant users.

11 Type column Lists the user type. For example, Metasys or Active Directory.
12 Role column Lists the roles of the users.
Note: When a user has more than one role, this field states the number of roles. Tap or click on the number to see all roles listed in a pop-up window.
13 Email column Lists the email addresses of the users.
14 Full Name column Lists the full names of the users.
15 Username column Lists the usernames of the users. This column is sortable.
16 Add user button Tap or click to create a new user. See also How do I create a new user in the User Management feature?

What is the layout of the Roles tab?

The following figure shows the layout of the Roles tab in the User Management feature on a desktop.
Figure 2. Roles tab callouts
Table 2. Roles callouts
Number Name Description
1 Add role button Tap or click to create a new role. See also How do I create a new role in the User Management feature?
2 Export icon Exports a Role Report of the users to a .csv or .pdf file.
Note: The export functionality is supported on desktop platforms only.
3 Role search Search for a role.
4 Filter menu Filter options include System Privileges, Access Categories, and Permissions. See also How do I use filters in the User Management feature? What filters are available?
5 Actions column Edit the role. When you tap or click this icon, you can edit the Role Details and you can edit the Category Access permissions for a role. For more details see How do I edit a role? What are my edit options?
Note: The edit functionality is supported on desktop platforms only.
Duplicate the role. When you tap or click this icon, the Duplicate Role window opens. Select which settings you want to copy and enter a role name and description.
Note: The duplicate functionality is supported on desktop platforms only.
Delete the role. When you tap or click this icon, the Delete Role window opens. You can confirm if you really want to delete the role.
Note: The delete functionality is supported on desktop platforms and tablets only.
6 Users column Lists the number of users that are assigned this role. When you tap or click on the number, a window with the role details and category access information opens.
7 Description column Lists the group that the role belongs to.
8 Role name Lists the role names.

What is the layout of the Views tab?

The following figure shows the layout of the Views tab in the User Management feature on a desktop.
Figure 3. Views tab callouts
Table 3. Views tab callouts
Number Name Description
1 User View selection Search and select the User View that you want to edit.
2 Enabled Roles Select the roles that can navigate to the User View.
3 Enabled Users Select the users that can navigate to the User View.
4 Enabled Navigation Summary Summarizes the enabled roles and users for a User View.

For more information about User Views, see Views.

What is the layout of the Setup tab?

In the Setup tab, you can enable Active Directory/LDAP authentication or Active Directory Federation Services (ADFS) authentication.
Note: For MVE on Metasys UI, see Administrative Tasks for MVE on Metasys UI for more information.
Note: A particular Active Directory user is associated with a single Metasys user account whether the Active Directory user authenticates through Active Directory/LDAP or ADFS. For Active Directory Metasys users, the control over password management and account settings remains with the respective parent portal.
Figure 4. Setup tab - Active Directory/LDAP
Table 4. Setup tab - Active Directory/LDAP callouts
Number Name Description
1 Active Directory/LDAP authentication type This authentication type is listed in the upper half of the Setup window. Any saved changes to this section are recorded as audits.
2 Enable Active Directory Authentication toggle Use the toggle to enable or disable Active Directory Authentication.
3 Settings: Windows Workstation SSO field Expand the Settings to see this field. Enable or disable Windows Workstation Single Sign-On (SSO) for Site Management Portal (SMP).
4 Settings: Login Page Default Domain Selection Expand the Settings to see this field. Specifies the default domain selection for the login page.
5 Settings: Active Directory Service Account(s) section Expand the Settings to see this field. Specifies the Active Directory Service accounts, with the respective username, domain, and actions. When you tap or click + ADD, the Active Directory Service Account window opens. You must enter a username, domain, password, and then verify the password to add a new account.
Metasys Release 11.0 introduces the licensable ADFS for AD Integration and 2FA feature. This feature provides Metasys support for Microsoft® Active Directory Federation Services (ADFS), including two-factor authentication (2FA) when the ADFS Server is configured for 2FA. When ADFS authentication is enabled, Metasys UI users with an Active Directory Metasys user account will have a way to authenticate through their company-provided sign-in process (with their organizational account) rather than entering their credentials into the Metasys UI Login page. This provides an opportunity for a single sign-on (SSO) experience for Metasys UI users when the required SSO conditions are met. It also provides the ability for the organization (customer) to enforce two-factor authentication for Metasys UI users.
Note: ADFS is supported on the ADS, ADS-Lite, OAS, and non-MVE ADX platforms. The ADFS settings appear in the Setup tab only when ADFS is supported.
Figure 5. Setup tab - Active Directory Federation Services (ADFS)
Table 5. Setup tab - Active Directory Federation Services (ADFS) callouts
Number Name Description
1 Active Directory Federation Services (ADFS) authentication type This authentication type is listed in the bottom half of the Setup window. Any saved changes to this section are recorded as audits.
2 Enable ADFS Authentication toggle Use the toggle to enable or disable ADFS Authentication.
Note: When ADFS authentication is enabled for Metasys UI, but Active Directory/LDAP authentication is disabled, users are not able to log on to SMP with an Active Directory Metasys user account. Under those circumstances, users are able to log on to SMP with a local Metasys user account only.
3 Settings: ADFS Client Identifier Expand the Settings to see this field. The Client Identifier is an ADFS-generated globally unique identifier (GUID). It is generated when you configure the ADFS server. Copy the Client Id into the ADFS Client Identifier field. See Where do I find the ADFS Client Identifier? for more information.
4 Settings: ADFS Endpoint Expand the Settings to see this field. The endpoint is a server URL ending in /adfs, for example: https://mui01-win16.corp.contoso.com/adfs. This is the URL that you enter when you configure the ADFS server. Enter your ADFS endpoint in the ADFS Endpoint field.
Note: Metasys UI will not validate that the ADFS server is reachable, but an Administrator can check this with a standard browser. See How do I validate the ADFS Endpoint? for more information.

Where do I find the ADFS Client Identifier?

The ADFS Client Identifier is generated when you configure the ADFS server. The following figure shows the location of the Client Id.
Figure 6. ADFS Client Identifier

Refer to the Network and IT Guidance Technical Bulletin (LIT-12011279) for detailed instructions about how to configure the ADFS server for a Metasys site.

How do I validate the ADFS Endpoint?

The ADFS Endpoint is a server URL ending in /adfs, for example: https://mui01-win16.corp.contoso.com/adfs.

To verify that the base URL is accurate, enter it in a browser with /ls/idpinitiatedsignon appended. For example, https://mui01-win16.corp.contoso.com/adfs/ls/idpinitiatedsignon. This also allows you to test your Active Directory login.
Note: The IDP-Initiated SignOn feature that you use to verify the endpoint is a feature that can be disabled. You can enable it with the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

Refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-initiatedsignon for more troubleshooting information.
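
Because Metasys UI does not check the ADFS settings itself, the two Setup tab values can be checked from a script before they are saved. The following PowerShell is an added example, not part of the Metasys documentation: the function names are hypothetical, the Client Identifier is a constructed placeholder, and the HTTPS-only rule is an assumption based on the example URL above.

```powershell
# Added example (not from the Metasys documentation); function names are hypothetical.

function Test-AdfsClientIdentifier {
    param([Parameter(Mandatory)][string]$ClientId)
    # The guide describes the Client Identifier as an ADFS-generated GUID.
    $parsed = [guid]::Empty
    return [guid]::TryParse($ClientId.Trim(), [ref]$parsed) -and ($parsed -ne [guid]::Empty)
}

function Test-AdfsEndpointFormat {
    param([Parameter(Mandatory)][string]$Endpoint)
    $uri = $null
    if (-not [uri]::TryCreate($Endpoint.Trim(), [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    # Assumption: only HTTPS is acceptable, as in the guide's example URL.
    # The path must end in /adfs, with no query string or fragment.
    return ($uri.Scheme -eq 'https') -and
           $uri.AbsolutePath.EndsWith('/adfs', [System.StringComparison]::OrdinalIgnoreCase) -and
           (-not $uri.Query) -and (-not $uri.Fragment)
}

function Test-AdfsSignOnPage {
    param([Parameter(Mandatory)][string]$Endpoint, [int]$TimeoutSec = 10)
    $url = $Endpoint.TrimEnd('/') + '/ls/idpinitiatedsignon'
    try {
        # TLS certificate validation stays on, so a certificate error here
        # predicts the same failure in users' browsers.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
        [pscustomobject]@{ Url = $url; Ok = $true; Detail = "HTTP $([int]$resp.StatusCode)" }
    } catch {
        # A failure can also mean the IdP-initiated sign-on page is disabled.
        [pscustomobject]@{ Url = $url; Ok = $false; Detail = $_.Exception.Message }
    }
}

$endpoint = 'https://mui01-win16.corp.contoso.com/adfs'   # example URL from the guide
$clientId = '11111111-2222-3333-4444-555555555555'        # constructed placeholder GUID

[pscustomobject]@{
    ClientIdIsGuid     = Test-AdfsClientIdentifier -ClientId $clientId
    EndpointWellFormed = Test-AdfsEndpointFormat -Endpoint $endpoint
}

# Only probe the server when the URL has the expected shape.
if (Test-AdfsEndpointFormat -Endpoint $endpoint) {
    Test-AdfsSignOnPage -Endpoint $endpoint
}

# On the AD FS server only: show whether the sign-on page is currently enabled.
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    (Get-AdfsProperties).EnableIdpInitiatedSignonPage
}
```

If the sign-on page was enabled only to validate the endpoint, running the same cmdlet with `$false` turns it off again afterward.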

How do I use filters in the User Management feature? What filters are available?

On a desktop platform and on a tablet, you can use filters in the Users tab and in the Roles tab.

  1. Tap or click FILTER in the upper-right of the Users tab or Roles tab.
  2. Select the filters you want to apply.
  3. Tap or click APPLY. A green check mark appears next to the filter type(s) you selected in the filter dialog and next to the FILTER button on the main window.
  4. To clear unwanted filters, clear the check boxes you selected and tap or click APPLY. After the filters are cleared, the green check mark disappears.
    Note: In the Last Login filter, click on Select Range, then APPLY to clear the filter.

On a smartphone, you can use filters in the Users screen and in the Roles screen. You can change the screen by clicking on the drop-down in the upper-left of the phone screen.

  1. Tap FILTER in the upper-right of the Users screen or Roles screen.
  2. Select the filters you want to apply.
  3. Tap APPLY.
  4. To clear unwanted filters, clear the check boxes you selected. To clear all filters tap Clear All in the upper-right of the screen. Then tap APPLY.
    Note: In the Last Login filter, click on Select Range, then APPLY to clear the filter.
The following tables describe the different filters for each tab.
Table 6. Filters for Users tab
Tab Filter name Description
Users Role Search and select a role from the list.
Note: You can choose a maximum of ten roles.
Type Select a type from the list. You can select multiple types.
Last Login Select a time range from the list.
Note: Select Marked Dormant to filter for dormant users.
Status Select a status from the list. You can select multiple status options.
Table 7. Filters for Roles tab
Tab Filter name Description
Roles System Privileges Search and select from the following system privileges:
  • Manage Devices & Sites
  • View Metasys Status
  • Discard Acknowledged Events
  • Discard All Events
  • Snooze All Events
  • Manage Audit History
  • Clear Audit History
  • System Configuration Tool
  • Schedule Reports
  • Advanced Reporting
Access Categories Search and select a maximum of ten from the following access categories:
  • HVAC
  • Fire
  • Security
  • Services
  • Administrative
  • General
  • Lighting
  • Refrigeration
  • Critical Environment
  • Air Quality
  • Power
  • Energy
  • System
  • Custom 1 through 150
Permissions Search and select from the following category-based permissions:
  • No access
  • Operate
  • Intervene
  • Manage Energy
  • Manage Item Events
  • Configure Items
  • Modify Items
  • View
  • Diagnostic
  • Advanced View

How do I create a new user in the User Management feature?

  1. Open User Management.
  2. In the default tab (Users), tap or click + USER. The Create New User window opens.
    Note: On a smartphone, tap + to create a new user.
  3. Select the user type from the Type list. Selectable user types include Metasys and Active Directory users.
    Note: You can select Active Directory from the Type list only if at least one of the following Active Directory authentication types is enabled in the Setup tab in User Management: Active Directory/LDAP authentication or Active Directory Federation Services (ADFS) authentication.
  4. Enter a username in the mandatory Username field.
  5. Enter a password in the mandatory Password field. Review the password rules listed on the right of the Create New User window.
    Note: On a smartphone, tap the information icon next to Password to review the password rules.
  6. Confirm the password in the Confirm Password field.
  7. Select a user role from the Role list.
    Note: You must assign at least one role to a user.
  8. Tap or click CREATE AND EDIT to create the user and further edit the user details. Or, tap or click CREATE AND CLOSE to create the user with the details you entered.
    Note: If you use a Mac platform, double-click CREATE AND EDIT or CREATE AND CLOSE to save the details.

How do I create a user in the User Management feature who can access the public Application Programming Interface (API)?

Users with access type Standard or Tenant cannot get data from APIs. Only users with access type API can access the public APIs, such as alarms and trends. To create an API user, complete the following steps:

  1. Log on to Metasys UI as an Administrator.
  2. Open User Management.
  3. In the default tab (Users), tap or click + USER. The Create New User window opens.
    Note: On a smartphone, tap + to create a new user.
  4. Complete the fields in the Create New User window. See How do I create a new user in the User Management feature? for more information.
  5. Tap or click CREATE AND EDIT to create the user and further edit the user details.
    Note: If you use a Mac platform, double-click CREATE AND EDIT to save the details.
  6. In the User Details tab, select API from the Access Type drop-down menu.
  7. Tap or click SAVE.
  8. Log out of Metasys UI.
After the API user is created, the API user has to complete the following steps:
  1. Log on to Metasys UI with the API user details.
  2. Change the password if prompted.
  3. Accept the terms and conditions.
    Important: Accepting the terms and conditions is an important step. The API user cannot access the public API otherwise.

How do I edit a user? What are my edit options?

  1. Open User Management.
  2. In the default tab (Users), tap or click the Edit User icon in the Actions column. The edit user window opens.

You can edit the user details in the User Details (default) tab:

Figure 7. User Details tab