This article provides comprehensive information about user management in EFS, including creating and managing user accounts, teams, and exchange teams. It covers various aspects of user administration, rights management, and system security features.
Users
Each user account is assigned to one or more teams. Membership in a respective team determines the individual functions to which the user has access. In the menu Users → Users you will find a list of all user accounts created in the system.
The following information is displayed for each account:
- User name
- Name: The content of this field is composed of the separate fields “First name” and “Name”.
- The most important address data of a user
- Member of the following teams: All of the teams that the user belongs to.
- Logins: The number of logins for a user since their creation.
- Last login: Date of the last login.
- Failed attempts to log in: Number of consecutive failed login attempts.
- Login expiry date: With limited-time accounts, the date when the login expires will be displayed. The account can be used up until the day before expiration.
- Suspended until: After a defined number of consecutive failed login attempts, the user account will be blocked automatically for a likewise defined period.
- Can login? If a login has expired or it has been deactivated by “brute force” protection, then a red lamp will be displayed.
If you are missing information, open the dialog for changing the display by clicking on View and activate the desired column.
You have the following editing options:
- By clicking on the user name, you can open the detail view of a user and for example view information on team affiliation and available rights (the information detail page lists ACL rights as well as rights to layouts).
- By clicking on the login expiry date, you open a dialog, in which you can change the login expiry date. Members of the system administrator team can furthermore change the password expiry date or deactivate the login, i.e. block a user from accessing EFS. If blocked users try to log in, they will be asked to contact the person responsible for the EFS installation.
- Clicking on the Send password icon opens the dialog for sending an e-mail containing a link for setting a new password.
- You can delete user accounts that have not yet expired and are not the owner of a team.
Creating user account
To create a new account, click on the Create user account button. Specify the language in which the admin area is to be shown for the new user. Enter the initial password for the new user twice. On their first login new users are automatically requested to change their password.
- Select the team to which the new user should be added. The team affiliation defines the rights of the users.
- Select the user’s primary team. Among other things, the primary team is always automatically granted read and write rights for projects created by this user.
- The “Organization” field indicates to which accounting organization the new user belongs.
- If the wrong organization is indicated, please contact the person responsible for the installation.
- If you hold the right “orgadmin”, you can alter the accounting organization yourself.
- Choose the expiry date of the account.
- You can optionally select the time zone to be displayed in the “Local date” field of the left-hand menu.
- You may store additional information in the section “Additional data”.
- Define the next editing steps:
- You can have the password displayed on the next page, e.g. in order to copy it to a notification mail.
- If you wish to add more accounts afterwards, tick the corresponding checkbox: Only then will a blank “Create user account” form be opened directly.
- Confirm by clicking on Create user account.
- The account will be created.
The Generate password function will help you to generate a good password: When you click on the Generate a password link a randomly generated password is issued in a pop-up window. If you click on this it will automatically be transferred to the entry fields.
Account names and e-mail addresses of users must be unambiguous. In the case that an account name or an e-mail address is already being used by another user, a corresponding error message will be displayed.
Importing user accounts
If you wish to create a larger number of user accounts, you can utilize the import function. This function is located in the Users → User import menu.
- In order to use this function, you need write rights to cr_teamaccount.
Please proceed as follows to perform the import:
Create a table in CSV format containing the staff data. For example, you can create such a table in MS Excel and then save it in CSV format. The file must have the following structure.
The first row of the CSV file may optionally contain the column headings. How to upload the file:
- Select the correct file.
- If required, select the appropriate character set.
- If the first row of the CSV file contains the column headings, the corresponding checkbox must be ticked.
The following properties are defined en bloc for all new accounts:
Confirm by clicking on Import.
Specifying temporal limitations for user accounts
In principle, user accounts always have an expiry date, and they are automatically deactivated after expiring. This measure aims primarily at improving security in the admin area: it reduces the risk of a disused user account being compromised and used unnoticed. At the same time, this standardization makes the administration of large user teams and collective installations easier: setting the expiry dates carefully when creating accounts saves you from having to “tidy up” old accounts manually later.
Accounts without a time limit can only be created by administrators with a root account. Normally only our support and customers with their own server have root accounts.
- For owners of a root account, an additional checkbox entitled “Set time limit for user account” is displayed in the form above (Figure 17.4), which must be deactivated to cancel the time limit.
- By clicking on the login expiry date in the user list, you open a dialog, in which you can change the login expiry date.
If you also want inactive admin accounts to expire after a given period of inactivity, please contact support to have appropriate policies set up. Expired accounts can no longer log into EFS. To re-enable an expired account, an admin account with sufficient user administrative rights is required.
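The following added example (not part of the EFS documentation or product) reviews a user list for the conditions this section describes: accounts without a time limit, expired accounts, and accounts that are still valid but unused. The CSV column names and the 90-day inactivity threshold are assumptions, since the page does not specify an export format.

```python
import csv
import io
from datetime import date, timedelta

INACTIVE_AFTER = timedelta(days=90)   # assumed review threshold, not an EFS setting

# Constructed sample; column names are assumptions modelled on the user list.
SAMPLE_EXPORT = """\
user_name,teams,logins,last_login,login_expiry
root_ops,Administrator,412,2024-05-30,
jdoe,Survey team,37,2024-05-28,2024-12-31
intern01,Interns,5,2023-11-02,2024-09-30
newhire,Survey team,0,,2024-08-31
contractor,Survey team;Interns,12,2024-01-15,2024-06-01
"""


def to_date(text):
    """Parse an ISO date; an empty field means 'not set'."""
    return date.fromisoformat(text) if text else None


def review_accounts(export_text, today):
    """Return {user_name: [flags]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        expiry = to_date(row["login_expiry"])
        last = to_date(row["last_login"])
        flags = []
        if expiry is None:
            flags.append("no time limit")
        elif expiry <= today:
            # An account is usable only up until the day before its expiry date.
            flags.append("expired")
        if expiry is None or expiry > today:
            # Usage checks matter only for accounts that can still log in.
            if int(row["logins"]) == 0 or last is None:
                flags.append("never used")
            elif today - last > INACTIVE_AFTER:
                flags.append("inactive")
        if flags:
            findings[row["user_name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in review_accounts(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(flags)}")
```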
Changing user account data
With the necessary rights, you can view the account data of other users, correct their data if required, and send them a link for resetting the password.
- Via the user list, owners of root accounts can access the account data by just clicking on the desired user. Via Change user data, you can access the edit dialog. Via Send password, you can access the dialog for resetting the password.
- With read rights for the ACL right org_groupadmin, you can open your teams and access the account data of the team members. With read rights, you can change the account data or send a link for resetting the password.
Sending a link for resetting the password by e-mail
With the necessary access rights, you can send your users links for resetting their passwords.
- If you have a root account, search for the desired user in the user list. Then, open the dispatch dialog via the Send password icon.
- If you have read rights for org_groupadmin, open the desired team, click on the appropriate team member, and choose the Send password button.
The text of the mail is predefined. In the dispatch dialog, only the basic contact data are displayed.
Checking user accounts for brute force suspension
The admin area has protection against brute force attacks, i.e. hacking of an account using automated, rapidly consecutive entries of possible passwords. There is only a limited number of incorrect entries possible; exceeding this value will deactivate the staff account for a predetermined period. The person logging in will then see an error message, in which the remaining waiting period will be displayed.
By default, the account will be suspended after six incorrect entries; the waiting period is 30 minutes. A suspended account can be reactivated by the system administrator (root team) or by a user with write rights to groupadmin.
- If you have leased your own installation and you would like to have the values changed, please contact support.
Checking suspended accounts
If a user reports that his or her account was suspended, or if you suspect that a brute force attack has occurred, you can check this in the overview of the Users menu:
- The failed login attempts and the remaining time on suspended accounts are listed in the columns “Failed attempts to login” and “Suspended until”.
- The number of logins and the date of the last successful login are also displayed.
Further details on individual login processes, such as the exact time and the IP address, can be found in the login log, provided you hold the relevant rights.
If these columns are not visible, open the dialog for configuring the overview table by clicking on View, activate the checkboxes for these columns and confirm with Send.
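The following added example (not part of the EFS documentation or product) replays a login log against the default policy stated above, six consecutive failures followed by a 30-minute suspension, to show which accounts were suspended, from which source addresses, and whether the failures came in a rapid burst. The log layout, the 60-second "rapid" threshold, and the handling of attempts made during a suspension are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
MAX_FAILED = 6                      # default stated on this page
SUSPENSION = timedelta(minutes=30)  # default stated on this page
RAPID = timedelta(seconds=60)       # assumed triage threshold, not an EFS setting

def _burst(account, ip, start, step_s, n=6):
    # Helper for the sample: n constructed FAIL lines, step_s seconds apart.
    t0 = datetime.strptime(start, FMT)
    return [f"{(t0 + timedelta(seconds=i * step_s)).strftime(FMT)},{account},{ip},FAIL"
            for i in range(n)]

# Constructed sample; the layout "time,account,source IP,outcome" is assumed.
SAMPLE_LOG = "\n".join(
    _burst("asmith", "198.51.100.7", "2024-03-04 09:00:05", 2, n=7)
    + _burst("bjones", "198.51.100.7", "2024-03-04 09:01:00", 2)
    + _burst("cdoe", "203.0.113.20", "2024-03-04 09:05:00", 90, n=3)
    + ["2024-03-04 09:10:00,cdoe,203.0.113.20,OK"]
    + _burst("cdoe", "203.0.113.20", "2024-03-04 09:12:00", 90, n=3)
    + _burst("dlee", "192.0.2.44", "2024-03-04 10:00:00", 240)
)

def parse(log_text):
    rows = (line.split(",") for line in log_text.strip().splitlines())
    return sorted((datetime.strptime(ts, FMT), account, ip, outcome == "OK")
                  for ts, account, ip, outcome in rows)

def find_suspensions(events):
    """Replay the log and report every point at which an account is suspended."""
    streak = defaultdict(list)   # account -> consecutive failures as (time, ip)
    active = {}                  # account -> finding for its latest suspension
    findings = []
    for ts, account, ip, ok in events:
        current = active.get(account)
        if current and ts < current["suspended_until"]:
            # Assumption: attempts during a suspension are rejected and do not
            # extend it; counting them shows whether the guessing continued.
            current["attempts_while_suspended"] += 1
            continue
        if ok:
            streak[account].clear()   # only consecutive failures count
            continue
        streak[account].append((ts, ip))
        if len(streak[account]) == MAX_FAILED:
            active[account] = finding = {
                "account": account,
                "suspended_until": ts + SUSPENSION,
                "source_ips": sorted({src for _, src in streak[account]}),
                "rapid": ts - streak[account][0][0] <= RAPID,  # fast burst
                "attempts_while_suspended": 0,
            }
            findings.append(finding)
            streak[account].clear()
    return findings

def shared_sources(findings):
    """Source IPs that contributed to the suspension of more than one account."""
    by_ip = defaultdict(set)
    for f in findings:
        for ip in f["source_ips"]:
            by_ip[ip].add(f["account"])
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) > 1}
```

Calling `find_suspensions(parse(SAMPLE_LOG))` on the sample separates two rapid bursts from one address from a slow series of mistyped passwords, and `shared_sources` shows when one address has locked several accounts.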
Reactivating suspended accounts
A suspended account can be reactivated prematurely by the system administrator (root team) or by a user with write rights to “groupadmin”. By clicking on the red-marked end date for the suspension period, the suspension will be reverted.
Delegating the administration of user accounts
You can delegate the administration of the user accounts of a specific organization. This is the purpose of the ACL right org_groupadmin: If you assign this right, instead of the more general right groupadmin, to a user team, its members can access all user accounts of their own organization.
- With read rights, they can view the account data of the users of their own organization.
- With write rights, they can manage the users of their own organization (e.g. extend accounts, edit account data, or delete accounts).
Teams
Within a team, there are normal members (member), administrators (admin), and owners (owner). These statuses determine the operations a team member may perform within their team. Team statuses have no effect on rights within user administration or on object or function rights in EFS Survey. In general, you can simply ignore the statuses within teams. Exception: If you wish to delete an account of someone who is a team owner, you must first transfer leadership to another team member, before you can delete the account.
Statuses
Creating teams
With the groupadmin ACL right, you can create and configure new teams.
- Switch to the Users → Teams menu.
- Click on the Create team button.
- The following details are required:
- Team name: This is used in surveys in the standard URL. If you create a team entitled “Test account for student interns”, projects for members of this team will be created under the URL http://www.mydomain.com/sc/Test_account_for_student_interns/something/. As umlauts and blank spaces are not permitted in URLs, EFS automatically replaces impermissible characters upon team creation.
- Team title: Internal name.
- Description: Serves internal purposes as well.
- When creating a new team, you can define the owner. You have a choice of yourself as the creating administrator and the team “Administrator”.
- Assign access rights to the desired areas of EFS to the new team. It will then receive ‘write’ rights to the corresponding area rights.
- In the drop-down list “Rights template”, you can select a user-defined rights template. By default, no rights template has been selected.
- A list of the teams you have created is displayed under the caption “Which teams shall receive free access to the new team?”. If you grant an existing team access to the new team, the existing team will see the new team in user administration.
- Click on the Create team button to confirm the operation.
You have now created a new team that has no members and no ACL rights (except those for the areas defined in step 4), unless you expressly chose some in step 5. Your next steps are to:
- Create accounts and assign them to this team as a primary group.
- Configure the ACL rights of the team.
- Change the owner of the team if one of the newly created users should be the owner of the team.
Editing teams
You can edit all teams in which you have owner status. Choose Users → Teams and click on a team name in the list. The edit form is divided into three sections:
Adding members
Click on the Add members button in the detail view of your selected team. A list of users in the system appears from which you can select new members. If you wish to add a certain user to your team, you can easily locate them using the “Search” function above the list of members.
Once located, select the user by ticking the checkbox in the “Add” column. Now just click on the Add member button to add the user to your team.
Members added are initially assigned the status “Member”.
Viewing the staff list and editing memberships
The list of the members contains all members of the team. The list has its own search function which searches the fields “Account name”, “E-mail”, “Name” and “Rights”. Furthermore, you have the option to extend the view to include other available information. You can do this by clicking on View and making your choice from the available database fields.
The drop-down list provides you with the following editing options:
- Set right of member: Changes the status to “Member rights”.
- Set right of admin: Changes the status to “Administrator rights”.
- Delete from team: The member will be deleted from the team.
- Export user data: An Excel file will be generated, which includes the data of the selected members.
- Write e-mail: The standard mail form opens, and you can write to the selected team members.
Deleting teams
To delete a team you must have owner rights (Users → List of teams → {Selected team} → Delete team). This deletes all team members from the team. The team cannot be restored.
- Deleting a team does not necessarily delete the pertinent account. An account is only deleted if the user is no longer a member of any other team after the team has been deleted.
Changing team info
- To change the title, name, and description of the selected team, navigate to Users → Teams → {Selected team} → Change team info. This function is useful if you have selected a team name that leads to unattractive URLs.
Transferring leadership
To change leadership for a team, navigate to Users → Teams → {Selected team} → Change ownership. To do so, you must have the owner status in the team. You are thus transferring the leadership to another team member. It is irrelevant whether this person is an admin or a simple member of your team. As an owner may not leave their team, you must transfer leadership if you wish to leave your own team.
Leaving teams
The Leave team function removes you from the list of members for the selected team. You may not leave the team if you are the team owner. You must first Change owner.
Viewing and changing the ACL rights of a team
In the “Rights of the team (whole system)” section you can see the ACL rights for the selected team, i.e. which functions it can access.
- With the right “groupadmin”, you can edit the rights configuration. To open the corresponding dialog, click on the Change rights of this team button.
- You can also subsequently assign a rights template to the selected team. To open the corresponding dialog, click on the Assign rights template button. In order to be able to use this function, you must belong to an admin team or hold admin rights in the selected team. In addition, you need an access right for the desired rights template.
After changing the rights configuration of a team, create a test account that is a member of this team only, log in via this account, and check whether the configuration meets the requirements.
Granting other teams read rights to a specific team
As the owner of a user team, you can grant read rights to your team to other selected admin teams. The members of authorized teams can then see the team in question in the Teams menu, select it, and view the available information.
- If you are the owner of a staff team, you can find in the Users → Teams menu a Change rights icon in the “Action” column. Click on it.
- A dialog opens in which you activate the checkbox in the column “Grant access rights”, which enables you to grant read rights to your team to one or several other teams. You have a choice of all the teams available on the installation, not only those to which you belong.
- After that, confirm by clicking on Save.
These read rights let you give selected other teams read access to one particular team. If you would like to give a specific team read access to all other teams, it is recommended that you use the ACL right groupadmin.
Exchange teams
In order to create a new exchange team you need the right exchange_teams as well as sufficient edit rights for the teams to be selected. Click on the Create Exchange Team button in the Exchange teams menu.
Enter the name into the “Team name” field. You can use the characters a-z, 0-9, _ and -.
- In the select box labeled “Members with upload rights” you can specify one or more teams whose members are to have read and write rights for their own files only. You do not already need to specify teams when creating the exchange team: You can always assign user teams to an exchange team at a later stage. The steps required are explained in the following chapter.
- In the select box labeled “Members with change rights” you can specify one or more teams whose members will be allowed to change the files of all team members.
- Confirm your entries by clicking on Create team.
Admin Teams
EFS can be configured to have special admin teams (“pools”) for complex university setups, allowing admin users to create ad-hoc teams and invite other admin users to their teams for collaboration. If you would like to use this feature, please contact support.
Assigning teams and rights administration
In EFS, users are assigned rights according to their team affiliation. This means that instead of assigning individual users to an exchange team you assign access rights for the files of an exchange team to one or more user teams. You may choose from different rights configurations:
- Upload right: Equivalent to the right “read” to the exchange team. The members of a team with upload rights may upload and download files. They may, however, change or delete only their own files.
- Change right: Equivalent to the right “write” to the exchange team. The members of a team with change rights can upload and download files and may change or delete all files of their exchange team.
- If you assign the rights “read” and “write” to a user team, the members of this team will have all rights to the exchange team and all upload and change rights. However, they will be ignored for the function “Send info mail to team”. This configuration is useful, for example, for teams of project managers who are not involved in the daily operations.
In order to subsequently assign one or more user teams to an exchange team or to change the initial settings, proceed as follows:
- Locate the Exchange team in the overview and click on the Rights icon.
- This opens the dialog for rights administration familiar to other EFS menus. Assign read and/or write rights for the respective exchange team to the desired user teams as required.
- Confirm your selection by clicking on Change rights.
Viewing the History
All important changes and actions executed using EFS Secure Exchange functions are logged. This allows you to subsequently check whether an action has been carried out and which user is responsible for this action. It is possible, for example, to reconstruct which users downloaded a particular file. In order to view the list of changes, switch to the Users → Exchange teams → History menu.
For every change that has occurred the following information is listed:
By clicking on the View button you can, as usual, display a section that allows you to specify whether the various table columns are to be shown or hidden. After you have confirmed by clicking on Submit, the table will be expanded accordingly. The column headings are clickable links: By clicking on a column heading you can re-sort the table according to the contents of the respective column. You can search the history using the usual simple and extended search functions.
- Simple search: The fields “Changes” and “Changed by” are searched for the term you entered.
- Extended search: In addition to the keyword search in the fields “Changes” and “Changed by” you can also specify a certain change period or limit the display to the changes of a particular team. By clicking on the Reset button you can undo these restrictions.
FAQ
How can I reactivate a suspended user account?
A suspended account can be reactivated by a system administrator or a user with write rights to “groupadmin”. Click on the red-marked end date for the suspension period to revert the suspension.
Can I create user accounts without a time limit?
Accounts without a time limit can only be created by administrators with a root account. Normally, only support personnel and customers with their own servers have root accounts.
How can I delegate the administration of user accounts?
You can delegate the administration of user accounts for a specific organization by assigning the ACL right ‘org_groupadmin’ to a user team. This allows team members to manage users within their own organization.