User List screen
On the User List screen, the user can see all the users of the applications in the system and their status. The user can add, edit or delete these users.
To add a new user, the user clicks the Add button to go to the Add User screen. The Add User screen consists of three tabs: the Profile tab, the User Group tab and the Application tab.
- Profile tab: Displays the basic information of the user, including first name, last name, user type and other information corresponding to each type.
- User Group tab: Displays the user groups this user is added to.
- Application tab: Displays the applications this user is added to.
To create a user, the user only needs to enter the required information on the Profile tab; the other tabs can be filled in or not.
Profile tab
On the Profile tab, the user selects the corresponding User Type. There are two user types: Local User and Azure AD. For each type, the user needs to enter the corresponding information.
Local User: Local Users are users created and managed in the Asset Health system. Users of this type use UPN/Email and Password to log in to the system.
To create a user with the Local User type, the user needs to enter First Name, Last Name and UPN/Email. In addition, the user can enter a Phone number if necessary, select Force Reset Password to ask the user to set a new password, change the state of the Lock toggle to lock or unlock the user's account, and turn on the MFA toggle to ask the user to confirm multi-factor authentication after logging in with the correct email and password. If the user is locked, the user will not be able to log in to the system.
In addition, if any group in the list of groups this user is assigned to is locked, the Lock toggle on the user's Profile tab will be disabled and changed to the Locked state.
Azure AD: Azure AD users are users created and managed in the Azure system. Users of this type log in to Azure before accessing the Asset Health system. After the user logs in successfully, the system gets the First Name and Last Name of the user from the Azure system. To create an Azure AD user, the user needs to enter the UPN/Email that the user has registered on the Azure system.
After a user is added successfully, its user type cannot be changed.
User Group tab
The User Group tab displays all the User Groups this user is assigned to. A user may be assigned to no User Group, or to one or more User Groups.
To add a User Group, the user clicks the Add button to open the Add User Group modal. The user then selects a User Group that has not yet been added to the User Group tab and clicks the Add button. The newly added User Group is then displayed in the User Group list.
Application tab
The Application tab displays all the applications this user is assigned to. A user may be assigned to no application, or to one or more applications. A user is assigned to an application in at least one role, and can be added to an application with multiple roles.
To add an Application, the user clicks the Add Application button to open the Add Application modal. The user then selects an Application that has not yet been added to the Application tab and clicks the Add button. The newly added Application is then displayed in the Application list.
Next, the user needs to select a role by clicking the Add Role button to open the Add Role modal. The user then selects a Role of the selected Application that has not yet been added to the Role list of the Application tab and clicks the Add button. The newly added Role is then displayed in the Role list.
After selecting the role, for most applications except the User Management and Tenant Management applications, it is necessary to determine the Projects that the user is allowed to access. By default the user is allowed to access all projects. However, the user can also select the option "Assign to some projects" and select at least one project, so that the user can access the selected projects only.
Users whose Project permission is "Assign to all projects" are the default users in the projects of the respective applications.
User access rights
A user or user group can have many roles, a user can belong to many user groups, and a user group can have many users.
Therefore, a user's access rights are merged from its own privileges, all the roles it is assigned to and all the user groups it belongs to. A user group's access rights are merged from its own privileges and all the roles it is assigned to.
Refer to [Data Management role-based security](/asset-mgt/role-based security.md)
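The merge described under User access rights, together with the group lock rule from the Profile tab, can be modelled as follows. This is an added example, not code from the product: the class names, privilege strings and sample accounts are hypothetical, and it assumes the merge is a plain union. For each privilege it records every path that grants it, which is what an access review needs.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    privileges: frozenset

@dataclass
class UserGroup:
    name: str
    privileges: frozenset = frozenset()
    roles: list = field(default_factory=list)
    locked: bool = False

@dataclass
class User:
    upn: str
    privileges: frozenset = frozenset()
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    locked: bool = False

def _merge(rights, holder, via):
    # Own privileges first, then every role assigned to this user or group.
    for p in holder.privileges:
        rights.setdefault(p, set()).add(via)
    for role in holder.roles:
        for p in role.privileges:
            rights.setdefault(p, set()).add(f"{via} > role:{role.name}")

def effective_rights(user):
    """Map each privilege to every path that grants it (assumed plain union)."""
    rights = {}
    _merge(rights, user, "user")
    for g in user.groups:
        _merge(rights, g, f"group:{g.name}")
    return rights

def is_locked(user):
    # One locked group forces the Locked state on every member.
    return user.locked or any(g.locked for g in user.groups)

# Constructed sample data (hypothetical names and privileges).
viewer = Role("Viewer", frozenset({"asset.read"}))
editor = Role("Editor", frozenset({"asset.read", "asset.write"}))
ops = UserGroup("Ops", frozenset({"report.export"}), [editor])
audit = UserGroup("Audit", roles=[viewer], locked=True)
alice = User("alice@example.com", frozenset({"profile.edit"}), [viewer], [ops])
bob = User("bob@example.com", groups=[audit])
```

A privilege reachable through more than one path, such as `asset.read` for the sample user `alice`, stays in effect until every granting role and group assignment is removed.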