Tools → Security Manager

About the Security Manager

The Security Manager allows you to create and manage users and groups so as to both enable sharing and restrict access. By using built-in Security Roles, you are able to assign access permissions to groups of users. Known as a Role-Based Access Control (RBAC), you can easily enforce access to certain features and functionality within Incorta.

You can also use the Security Manager to send and manage invitations to external users to access your tenant after enabling the feature in the CMC.

Using the Security Manager

The Super User tenant administrator or any user with the SuperRole or User Manager roles can access the Security Manager and manage users and groups; however, only the Super User tenant administrator or a user with the SuperRole can send and manage invitations. A user with only the User Manager role can see the list of invitations without being able to manage them.

By default, the Super User (the Tenant Administrator) has the SuperRole. Roles are immutable permission settings that can be applied to groups. You cannot create, edit, or delete a role. As a user with the ability to manage security, you create groups and assign permissions to them using one or more roles. You can assign one or more groups to a user to give them the desired permissions.

Security Role Management

Incorta’s security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights.

Role Based Access Control

Role-Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Service. There is no direct way to assign a role to a user, with two exceptions:

  • All users inherit the User role.
  • A tenant administrator inherits the Super User role unless otherwise configured for the tenant.

In Incorta, a user belongs to zero or more groups, and a group is assigned to zero or more roles.

Note

While RBAC, through permissions, controls access to features and functionality, access rights refer to the individual access to an object. For example: The user Tom gives access rights to Joe to view a dashboard Tom has created.

Important: User Permissions

Permissions in Incorta are determined by a combination of assigned roles and access rights granted when sharing objects. Together, these factors define the functionalities and features available to users.

For example:

  • If a user, Joe, belongs only to a group with the User role, which only permits viewing access to the Catalog (Content Manager), and another user, Tom, grants Joe edit rights to a dashboard, Joe can only view the dashboard.
  • Similarly, if Joe belongs to a group with the Analyze User role, which allows users to manage the Catalog, and Tom grants Joe view access to a dashboard, Joe will be restricted to viewing the dashboard.

Role properties

The following table describes the roles and associated permissions, accessible from the Roles tab in the context menu of the Security Manager:

RoleRole TypeDescription
UserUser RoleCan view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user.
Privileged UserUser RoleCan share dashboards and folders, and publish dashboards via email and schedules.
Dashboard AnalyzerUser RoleCan personalize, share, and publish dashboards via email and schedules.
Individual AnalyzerUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders.
Analyze UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules.
Advanced Analyzer UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules. Can use Augmented Analytics and Business Notebook. Can install SDK Components from marketplace.

Note: This role is available starting 2024.7.x. After upgrading to 2024.7.x, users who created business Notebooks in a previous release must be assigned this role to continue to have access to their business Notebooks.
Copilot UserUser RoleCan use Copilot and view shared dashboards and business schemas
This role is available starting 2024.7.2 and is required for any user who intends to interact with the Copilot capabilities in the different contexts. For example, a schema manager should be assigned this role as well to leverage Copilot's natural language to SQL capabilities when building materialized views while an Individual Analyzer requires it to leverage natural language to Insight capabilities.
Schema ManagerAdmin RoleCan create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups.
User ManagerAdmin RoleCan create and modify groups and users. Can add roles and users to groups.
SuperRoleSuper RoleHas full access to all permissions.
Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to.
Important

You can limit users with "User" or "Individual User" roles to not to download insights. You can do that by disabling the Download insights option found under Default Tenant Configurations > Security in the Cluster Management Console (CMC).

Note

For a detailed breakdown of Role capabilities, permissions, and content access refer to Security Roles

Important

Users with only the Analyze User or Individual Analyzer roles have limited access to the Business Schema Manager where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.

User Manager role improvements

A user that belongs to a group with the User Manager role or other roles other than the SuperRole cannot manage the assignment of the SuperRole. Only a Super User or a user that belongs to a group with the SuperRole can manage the assignment of the SuperRole and perform the following actions:

  • Assign the SuperRole to a group
  • Add a user to a group with the SuperRole
  • Roll back or unassign the SuperRole from a group
  • Remove a user from a group with the SuperRole
  • Delete a user that belongs to a group with the SuperRole
  • Delete a group with the SuperRole

Group Management

You can create, edit, or delete groups. You assign a group one or more roles from the Edit Group drawer. In addition, you are able to add users to a group through the Edit Group drawer.

Group Properties

The following are the group properties found in the Groups tab of the Security Manager:

PropertiesDescription
NameThe group name
DescriptionOptional group description
Add User(s)Visible by hovering over the desired group. Open the Add User(s) to Group(s) window.
DeleteVisible by hovering over the desired group. Delete the selected group.
Add Role(s)Visible by hovering over the desired group. Open the Add Role(s) to Group(s) window.

Create a Group

The following are the steps to a create a group:

  • In the Navigation bar, select Security.
  • In the Action bar, select + New.
  • From the drop down menu, select Add Group.
  • In the Add Group dialog, enter a group Name.
  • Optionally, enter a group description.
  • Select Add.

Edit Group Properties

When you select a group from the Groups tab, the Edit Group drawer will open. The Edit Group drawer is split into three sections.

Edit Group Info properties

The following are the properties of the Edit Group drawer Info section:

PropertyDescription
NameThe group name
DescriptionOptional group description

Edit Group Users properties

From the Users section of the Edit Group drawer, you are able to view the user name and email of users in the group. You can easily search for users within the group using the search bar.

The following are the properties of users in the Users section of the Edit Group drawer:

PropertyDescription
NameThe user name
EmailThe users email

Add users to a group

From the Groups tab or the Edit Group drawer, you can access the Add User(s) to Group(s) window. Using this window, you can add one or more users to a group. From the Edit Group drawer, access the Add User(s) to Group(s) window in the Users section and select the Add User(s) icon (+ icon).

The Add User(s) to Group(s) window will only display users not currently in the group. You can search users using the search bar at the top of the window. Usernames and emails will be displayed in the window.

Note

After accepting the invitation, an invitee user automatically joins the group that you specify when sending the invitation and you can add this user to more groups afterward. However, you cannot add an invitee with a pending or expired invitation to a group.

The following are the steps to access the Add User(s) to Group(s) window and add one or more users to a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Hover over the desired group, select Add User(s) (people icon).
    • Optionally, you can select the desired group to open the Edit Group drawer.
      • Select Users.
      • Select Add User(s) (+ icon).
    • You may use the checkboxes in the Groups tab to select multiple groups before selecting Add Users(s) (people icon). This will allow you to add users to multiple groups at once.
  • Select one or more users from the list. You may use the search bar to filter the list.
  • Select Add.
Note

Users that you add to a group inherit the permissions assigned to this group via roles. However, when enabling or disabling public API access for this group, you enable or disable public API access to users that currently exist in the group. Users added afterward don't inherit public API access. Removing a user from a group doesn't affect the access API permission of this user.

Remove a user from a group

The following are the steps to remove one or more users from a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Users.
  • Select one or more users.
  • Select Remove (trash icon).

Edit Group Roles properties

The following are the role properties in the Roles section of the Edit Group drawer:

PropertyDescription
RoleThe role name
PermissionsThe granted permissions of the role.

Add roles to a group

The following are the steps to add roles to a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Roles.
  • Select Add Role(s) (+ icon).
  • From the Add Role(s) to Group(s) drawer, select the desired roles for the group.
  • Select Add.
Note

Optionally, you can select more than one group from the Groups tab. After selecting groups, select Add Role(s) from More Options (⋮ vertical ellipsis). This will open the Add Role(s) to Group(s) window.

Remove roles from a group

The following are the steps to remove roles from a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group.
  • In the Edit Group drawer, select Roles.
  • Select one or more roles from the drawer.
  • Select delete (trash icon).

Group API access Enablement

Only a Super User or a user with SuperRole can manage API access for groups and users. You can enable or disable access to the Incorta Public API for one or more groups from the Groups tab. Users will still need to generate their personal access tokens once access has been granted.

The following are the steps to enable or disable API access for groups:

  • In the Navigation bar, select Security.
  • In the Action bar, select Groups.
  • Select one or more groups.
  • Select More Options(⋮ vertical ellipsis).
  • Select Enable Public API or Disable Public API.
Note

Any user or user group with the SuperRole will always have the ability to access the public API. This functionality cannot be disabled.

Recommendation

If you disable API access for all users in a group, the active access tokens for those group users become immediately invalidated. For this reason, managing API access via groups is not recommended.

Delete a group

The following are the steps to delete a group:

  • In the Navigation bar, select Security.
  • In the Context bar, select Groups.
  • Select the desired group(s).
  • Select delete (trash icon).
Warning

When you delete a group, the group and all role permissions for that group are removed from all users that were in the deleted group. If the deleted group is assigned to an invitee, the invitee can still accept the invitation and access the tenant with the default User role.

User and Invitation Management

The list view of users shows both the users and the invitations. All users with security edit access can manage users and view invitations; however, only the Super User or a user with SuperRole can manage invitations.

User properties

The following are the properties of a user in the Users tab of the Security Manager:

PropertyDescription
NameThe user display name
EmailThe user email.
Authentication TypeThe Authentication type for this user. Authentication types are controlled in tenant Security of the CMC.
Public APIThe status of the public API access: Enabled or Disabled. This property is visible only to the Super User or a user with SuperRole, and it is always enabled for them.
Last Signed InThe last time the user signed in.

Invitation properties

The following are the properties of an invitation in the Users tab of the Security Manager:

PropertyDescription
NameThe invitee's email address that will be also the default display name and login name of the invitee's user account
EmailThe invitee's email
Authentication TypeThe Authentication type for this invitee user. Incorta Authentication is the default authentication type for all invitees. You can change it after the invitees accept the invitation.
Public APIThe status of the public API access: Enabled or Disabled. This property is visible only to the Super User or a user with SuperRole.
Last Signed InThe invitation status. Hover over the status of a pending invitation to view the remaining time, rounded down to the nearest number of days, before the invitation expires.

Edit User properties

You can access the detailed properties of an individual user by selecting them from the Users tab. However, you cannot edit the properties of an invitation.

User general properties

The following are the user properties in the General section of the Edit User drawer:

PropertyControlDescription
Login NameimmutableThe user login name.
Profile Imagefile selectionUpload an image to use as the user profile image. The file type must be a JPEG or PNG, and the file size is limited to 2MB.
Display Nametext boxEnter the user’s display name.
Emailtext boxEnter the user email.
Languagedrop down menuSelect the user’s UI language. Supported languages are:
Arabic, Chinese(Simplified), English, French, German, Italian, and Japanese.
Region Formatdrop down menuSelect the user’s country/region, which determines, along with the language, the date and number formats for this user in Incorta.
Time Zonedrop down menuSelect the user’s GMT based time zone.
Calendardrop down menuSelect the calendar format for the user.

User group membership properties

The following are the user properties in the Group Membership section of the Edit User drawer:

PropertyDescription
NameThe group name
DescriptionThe description of the group

User security properties

The following are the user properties in the Security section of the Edit User drawer:

PropertyControlDescription
Authentication Typeoption buttonOnly visible to a Super User when editing the properties of another user. Set how the system authenticates the selected user. Available options are:
  ●  SSO
  ●  Incorta
Enable Public APItoggleOnly visible to a Super User when editing the properties of another user. Grant public API access for the selected user.
Current Passwordtext boxOnly available in the drawer of the logged-in user. Enter the current user password.
Passwordtext boxOnly available in the drawer of the logged-in user. Enter a new password.
Confirm Passwordtext boxOnly available in the drawer of the logged-in user. Confirm new password.
Reset PasswordbuttonOnly available to users with Security management privileges. An email will be sent to the user with a link to reset their password.
Login AsbuttonOnly available to a Super User. Temporarily log in to Incorta as the selected user. For additional information, see Additional Considerations.
Delete UserbuttonDelete the selected user.
Create Personal Access TokenbuttonOnly visible to a user that has API access enabled and can access the Security Manager to generate API access tokens. The same option appears when users access their Profile Manager.
RevokebuttonOnly visible to a user that has API access enabled and can access the Security Manager to delete or cancel API access tokens. The same option appears when users access their Profile Manager.
Note

Any user or user group with the SuperRole will always have the ability to access the public API. This functionality cannot be disabled.

User Appearance properties

The appearance properties section is only visible to the currently logged-in user.

The following are the user properties in the Appearance section of the Edit User drawer:

PropertyControlDescription
Dark ThemetoggleEnable Incorta dark mode.
Reduce MotiontoggleEnable a visually reduced motion for Interaction with chart legends.
Accessibility ModetoggleEnable the accessibility mode.

Create a new user

The following are the steps to create a new user:

  • In the Navigation bar, select Security.
  • In the Context bar, select + New.
  • Select Add User.
  • Enter the desired user properties.
  • Select Add.

Add a group to a user’s group membership

The following are the steps to add a group to a user’s group membership:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • Optionally, you can select multiple users and select the Add to Group(s) (people icon).
  • In the Edit User drawer, select the Group Membership section.
  • Select the Add to Group(s) (+ icon).
  • Select the desired groups to add the user to.
  • Select Add.

Remove a group from a user’s group membership

The following are the steps to remove a group from a user’s group membership:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • In the Edit User drawer, select the Group Membership section.
  • Select the desired groups to remove from the user.
  • Select delete (trash icon).

Import and synchronize users and groups

Incorta offers two different methods to insert new users and groups, update their details, or update the user-group assignment without the need to add or edit them one by one or to use a command-line interface (CLI). Those two methods are to:

  • Import and synchronize Incorta users and groups with a physical schema in Incorta
  • Import and synchronize Incorta users and groups with domain users and groups using LDAP

As a CMC administrator or a Super User, you can access the Security Manager and synchronize users, groups, and their assignments in a domain or an Incorta physical schema. Users and groups you need to synchronize must fulfill the naming convention and other rules (such as the name length) that apply to users and groups in Incorta; otherwise, they will not be synchronized.

Note

By design, the synchronization process continues on failure or error. Thus, if an item (user, group, or relation) fails to synchronize, the process will continue to synchronize other items, if any.

Import and synchronize Incorta users and groups with an Incorta physical schema

You can synchronize Incorta users and groups with users and groups that are stored in an Incorta physical schema in the same tenant using the Security Manager.

You can create a .properties configuration file that maps the columns in the physical schema objects to user and group details in the Incorta metadata database. You can also download a template of this file to help you provide the required information. Then, you can upload this file to Incorta and have users, groups, and relations imported to or updated in the metadata database.

Incorta physical schema prerequisites

The physical schema that you can use to synchronize users and groups must have the required details of the users, groups, and their relations or assignments (users’ group membership).

Note

These user and group details can exist in one or more physical schemas, and in one or more objects.

The physical schema(s) must have the following minimal information:

ObjectInformationComments
UsersLogin NameRequired
Unique
EmailRequired
Unique
Display NameRequired
GroupsGroup NameRequired
DescriptionOptional

Incorta supports two different modes to define the user-group relations: groups mode and roles mode. Users and groups can have direct relation (groups assignment mode), or they can be related using a common property or attribute, such as the department, location, or job (roles assignment mode). As a result, the assignment details can exist in the physical schema as follows:

  • A single physical schema object that contains users and their assigned groups
  • Two physical schema objects; one to define the relation between users and the common attribute and the other to define the relationship between the group and the common attribute.
Important

The .properties file refers to the common attribute as role. Do not mix this up with Incorta Roles.

Note

The relation between users and groups is many-to-many. A group can have multiple users and a user can be a member in multiple groups. Thus, the same user or group can have multiple records or rows in the assignment table(s).

The following table shows the information that must be available in the physical schema in the case of using the groups assignment mode (users and groups are directly related):

ObjectInformationComments
User-group assignmentUserRequired
GroupRequired
OperationOptional
A value that you want to check to either skip a record or to include it in the synchronization process

The following table shows the required information in the case of using the roles assignment mode (users and groups are connected through a common attribute):

ObjectInformationComments
User-property assignmentUserRequired
AttributeRequired
OperationOptional
A value that you want to check to either skip a record or to include it in the synchronization process
Group-property assignmentGroupRequired
AttributeRequired
OperationOptional
A value that you want to check to either skip a record or to include it in the synchronization process
Preparing the properties file

You must have a .properties file that maps the physical schema object columns to Incorta user and group details. You can either create the file from scratch or download a template file and update it. You must enter the column fully qualified name in the following format: physical_schema.object.column, for example, securityInfo.users.email.

Here are the steps to download and update the template file:

  • Sign in to Incorta as an Incorta Super User or CMC administrator.
  • In the Navigation bar, select Security.
  • In the Context bar, select + NewUser Sync.
  • In the Sync users via a properties file dialog, on the via Incorta Schema tab, select Download a template properties file.
  • Update the file with the required information and then save it.

The following table shows the contents of the .properties file for the users and groups:

PropertyRequiredDescription
user.loginYesEnter the fully qualified name of the column that maps to the user login name
user.emailYesEnter the fully qualified name of the column that maps to the user’s email
user.nameYesEnter the fully qualified name of the column that maps to the user’s display name
user.langYesEnter the fully qualified name of the column that maps to the user language, or enter it in the following format: "Language"
The default is English.
user.countryYesEnter the fully qualified name of the column that maps to the user’s country, or enter it in the following format: "Country"
The default is US.
user.timezoneYesEnter the fully qualified name of the column that maps to the user’s timezone, or enter it in the following format: "TimeZone"
The default is GMT-08:00.
user.calendarYesEnter the fully qualified name of the column that maps to the user’s calendar, or enter it in the following format: "Calendar"
The default is Gregorian.
user.typeYesEnter the fully qualified name of the column that maps to the user authentication type, or enter it in the following format: "Type".
Valid options are:
  ●  SSO
  ●  Internal
  ●  LDAP
  ●  Azure_AD
group.nameYesEnter the fully qualified name of the column that maps to the group name
group.descriptionYesEnter the fully qualified name of the column that maps to the group description
group.typeYesEnter the fully qualified name of the column that maps to the group type, or enter it in the following format: "Type".
Valid options are:
  ●  SSO
  ●  Internal
  ●  LDAP
  ●  Azure_AD

The following table shows the contents of the .properties file that you must provide in the case of using the groups assignment mode:

PropertyRequiredDescription
user-group.groupYesEnter the fully qualified name of the column that maps to the group name or the group’s unique identifier in the user-group assignment table
user-group.userYesEnter the fully qualified name of the column that maps to the user name or the user’s unique identifier in the user-group assignment table
user-group.operationNoEnter the fully qualified name of the column that maps to the operation column in the user-group assignment table
user-group.deleteOperationNoEnter a value that you want to check against the Operation column in the user-group assignment table. Rows or records with a matched value will be skipped during the synchronization process.

The following table shows the contents of the .properties file that you must define in the case of using the roles assignment mode:

PropertyRequiredDescription
function-roles.functionYesEnter the fully qualified name of the column that maps to the group name or the group’s unique identifier in the group-role assignment table
function-roles.roleYesEnter the fully qualified name of the column that maps to the role name or the role’s unique identifier in the group-role assignment table
function-roles.operationNoEnter the fully qualified name of the column that maps to the Operation column in the group-role assignment table
function-roles.deleteOperationNoEnter a value that you want to check against the Operation column in the group-role assignment table. Rows or records with a matched value will be skipped during the synchronization process.
user-roles.userYesEnter the fully qualified name of the column that maps to the user name or the user’s unique identifier in the user-role assignment table
user-roles.roleYesEnter the fully qualified name of the column that maps to the role name or the role’s unique identifier in the user-role assignment table
user-roles.operationNoEnter the fully qualified name of the column that maps to the Operation column in the user-role assignment table
user-roles.deleteOperationNoEnter a value that you want to check against the Operation column in the user-role assignment table. Rows or records with a matched value will be skipped during the synchronization process.

The following table shows the contents of the .properties file related to the global configurations:

PropertyRequiredDescription
autoGenerateGroupYesEnter true or false. When set to true, all groups that exist in the physical schema object are added, as appropriate. When set to false, the groups section in the .properties file is skipped, so no groups will be added.
fullsyncYesEnter true or false. When set to true, it removes all assignments related to each group in the physical schema before adding the group’s new assignments. When set to false, it adds the new assignments while keeping existing ones.
assignmentModeYesDefine the assignment mode: groups or roles
Import and synchronize Incorta users and groups with an Incorta physical schema

Here are the steps to import and synchronize Incorta users and groups with users and groups in a physical schema using the .properties file that you have prepared:

  • Sign in to Incorta as an Incorta Super User or CMC administrator.
  • In the Navigation bar, select Security.
  • In the Context bar, select + NewUser Sync.
  • In the Sync users via a properties file dialog, on the via Incorta Schema tab, select Upload file, and then select the .properties file you have prepared.
    • If you want to select another file, select Delete (trash can icon) next to the selected file name, and then select Upload file again to select the file you want.
  • Select Execute.
Note

If the file you provide does not have all the required information, an error message appears after executing the synchronization process denoting the missing or wrong information.

Review the synchronization report

In the case of a successful synchronization process, only a message will denote that the synchronization is successful. However, if the synchronization partially fails, the confirmation message will show the number of synchronized items and the number of failed ones. There will be a link to show the details of failed items. Select the link and review the list of failed items with the related error. You can copy the details of failed items to the Clipboard to save them.

Import and synchronize Incorta users and groups with domain users and groups

The Security Manager allows you to import and synchronize domain users and groups with Incorta using the LDAP protocol. As a CMC administrator or a Super User, you can access the Security Manager and synchronize domain users, groups, and their assignments.

You can create a .properties configuration file that maps the LDAP attributes to user and group details in the Incorta metadata database. You can also download a template of this file to help you provide the required information. Then, you can upload this file to Incorta and have users and groups imported to or updated in the metadata database.

There is a report that shows the status of the synchronization process, whether succeeded or failed. You can view a detailed report and download it as well. For successful completion, you will have a list of newly added and updated items. In the case that there are failed items, the status report shows them as well.

As a result of a successful synchronization process, both the SYNC_DIRECTORY_RESULT and SYNC_DIRECTORY_ITEMS tables in the metadata database will be updated.

  • A new record will be available in the SYNC_DIRECTORY_RESULT table with the details of the latest run.
  • The SYNC_DIRECTORY_ITEMS will have new records for the new, updated, and failed items, whether users, groups, or assignments (relations). Each record will have the ID of the run to allow tracking. In the case of failed items, the reason will be available.
Prepare for the LDAP synchronization

You need to have a .properties file that maps the LDAP attributes to Incorta user and group details. You can either create the file from scratch or download a template file and update it.

Here are the steps to download and update the template file:

  • Sign in to Incorta as an Incorta Super User or CMC administrator.
  • In the Navigation bar, select Security.
  • In the Context bar, select + NewUser Sync.
  • In the Sync users via a properties file dialog, select the via LDAP Directory tab.
  • Select Download a template LDAP configuration file to download a template of the .properties file.
  • Update the file with the required information and then save it.

The following table shows the contents of the .properties file:

PropertyRequiredDescription
ldap.base.provider.urlYesThe LDAP server URL, for example, ldap://ldap.mycompany.com
ldap.base.dnYesThe base domain name (Base DN) that is the root where the LDAP protocol will start searching for users in the directory service, for example, dc=ldap,dc=company,dc=com
ldap.user.dnYesThe username of a user that has access to the LDAP server to fetch user data from it
ldap.user.dn.passwordYesThe password of the user to authenticate to the LDAP server
ldap.user.mapping.loginNoThe attribute in the LDAP server user object that maps to the user’s login name in Incorta
ldap.user.mapping.nameNoThe attribute in the LDAP server user object that maps to the user’s name in Incorta
ldap.user.mapping.mailNoThe attribute in the LDAP server user object that maps to the user’s email address in Incorta
ldap.group.mapping.nameNoThe attribute in the LDAP server group object that maps to the group name in Incorta
ldap.group.mapping.memberNoThe attribute in the LDAP server group object that maps to the list of users that exist in the group
ldap.user.search.filterNoAn LDAP query to filter users
ldap.group.search.filterNoAn LDAP query to filter groups
user.typeNoThe user authentication type. Possible values are the following:
  ●  Internal (authentication by Incorta)
  ●  sso
  ●  ldap
The default value is ldap.
Note that this must match the Authentication Type in the Tenant Configurations to allow authenticating the user when signing in.
ldap.follow.referralNoIf you have your entire directory on one domain controller, set this property to false, which is the default value.
If your domain has a partitioned directory that is distributed among multiple domain controllers, you can set this option to true to indicate that the contacted domain controller (LDAP server) may not have the user and group objects you need. In such a case, the contacted domain controller will reply with another location (LDAP server URL) that is likely to have these objects, which is a process that may result in slower LDAP queries.
Import and synchronize Incorta users and groups with LDAP domain users and groups

Here are the steps to import and synchronize Incorta users and groups with domain users and groups using the .properties file that you have prepared:

  • Sign in to Incorta as an Incorta Super User or CMC administrator.
  • In the Navigation bar, select Security.
  • In the Context bar, select + NewUser Sync.
  • In the Sync users via a properties file dialog, select the via LDAP Directory tab.
  • Select Upload file, and then select the .properties file you have prepared.
    • If you want to select another file, select Delete (trash can icon) next to the selected file name, and then select Upload file again to select the file you want.
  • Select Execute.
Note

If the file you provide does not have all the required information, an error message appears when you upload the file denoting the missing or wrong information.

Review and download the synchronization report
  • After uploading the file and starting the synchronization, a message appears denoting the synchronization process. When the process is completed, the message shows the result.
  • In the message, select See details.
  • In the dialog, review the synchronization result.
    • For successful synchronization, a list of synchronized items is displayed.
    • For synchronization with errors, a list of these errors is displayed.
  • To download the report in a .csv file format, select Download Sync Status Report.

The LDAP Sync Report shows all synchronized items, their type (user, group, or relation), their import status (created, updated, or failed), and the error in the case of failed items.

User API Access Enablement

Only a Super User or a user with SuperRole can manage API access for groups and users. You can enable or disable access to the Incorta Public API for one or more users from the Users tab. Users will still need to generate their personal access tokens once access has been granted.

The following are the steps to enable or disable API access for users:

  • In the Navigation bar, select Security.
  • In the Action bar, select Users.
  • Select one or more users.
  • Select More Options(⋮ vertical ellipsis).
  • Select Enable Public API or Disable Public API.
Note

You can also enable or disable API access for a single user when editing the user account.

Delete a user

When you delete a user, Incorta will inform you of what content they have created and have ownership of. The content must either be deleted or ownership transferred to another user. You cannot delete more than one user at a time and a user cannot delete their own account.

Warning

When you delete a user that has sent invitations to others, the invitations that are still pending or expired are automatically deleted as well.

The following are the steps to delete a user:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • Select the desired user.
  • Select delete (trash icon).
  • In Check:
    • Incorta will inform you if the selected user owns content.
    • If the user owns no content:
      • You can select Next and proceed to Confirm.
    • If the user owns content:
      • Incorta will list the quantity of each type of entity the user owns.
      • You must select one of the following options:
        • Delete the entities owned by the user.
        • Or, transfer ownership to the current/another user.
  • In Transfer:
    • Select if sharing permissions, sharing access rights, are transferred to the new owner.
    • Select to transfer to the current user or another user.
    • When you select Next, the ownership transfer is completed immediately.
  • In Confirm:
    • Select Delete.

Deactivate a user

When you deactivate a user, Incorta prompts you to suspend all scheduled jobs or no. You can choose to suspend all scheduled jobs for this user or just leave them active.

Important

You can select multiple users and deactivate them in one step.

The following are the steps to deactivate a user:

  • In the list view bar, select one or multiple users.
  • In the Action bar, select More Options (⋮ vertical ellipsis icon).
  • Select Deactive user(s).
  • In the confirmation pop-up, select whether you want to suspend scheduled jobs.
  • Select Yes, deactivate.

Activate a user

When you activate a user that you have previously deactivated, Incorta activates this user and send them an email to re-login to their account at once.

The following are the steps to activate a user:

  • In the list view bar, select one or multiple users.
  • In the Action bar, select More Options (⋮ vertical ellipsis icon).
  • Select Active user(s).

Manage invitations

Only the Super User tenant administrator or a user with the SuperRole in an Incorta cluster can invite external users to have access to their tenant via email. They can also manage all pending and expired invitations. For each valid email address that you specify and does not exist in the cluster, an inactive user account is created and an invitation is sent. The invitation email contains a link that allows an external user to:

  • Accept the invitation
  • Create the account password
  • Activate the user account
  • Access the shared tenant.

The email address will be the display and login names of the invitee’s user account. Other user account settings, such as the language and the calendar, will be the same as the inviter user. The Super User tenant administrator or a user with the SuperRole can manage all pending and expired invitations.

Important

The Super User tenant administrator must properly set the email configurations in the CMC for the respective tenant. In addition, the inviter user must have at least one assigned group.

For more information, see Enable Inviting Users via Email and User invitation considerations.

Invite users

Here are the steps to invite users:

  • Sign in to Incorta Analytics as the Super User tenant administrator or a user with the SuperRole.
  • In the Navigation bar, select Security Manager+ NewInvite User via Email.
  • In the Invite Users dialog, in Email Address, enter the email addresses of the users that you want to invite. Use a comma or a space after entering an email to enter another one. You can add up to 50 email addresses.
  • In Security Group, select the group to which you want to assign the invitees when they accept the invitation. The available options are your assigned groups displayed in ascending order.
  • Optionally, select Add Personal Message. A template message appears. Edit the message as required, or select Remove Personal Message to remove it.
  • Select Invite.

A notification message appears denoting the number of sent and failed invitations.

Note

You can invite users using the Security Manager or the Home page. On the Home page, select Invite Contributors, and then follow the previous steps.

Resend an invitation

You can resend only one invitation at a time. Resending an invitation is just a reminder; it does not reset the invitation’s expiration date.

Here are the steps to resend an invitation:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • In the list view of users, do one of the following:
    • For an invitation row, select More Options (⋮ vertical ellipsis), and then select Resend.
    • For the invitation that you want to resend, select the check box, and then in the Search bar, next to Selected, select More Options (⋮ vertical ellipsis) → Resend.
  • In the dialog, select Resend.
Delete an invitation

You can delete only one invitation at a time. Invitees cannot use the link in a delete invitation to accept the invitation or access the shared tenant.

Here are the steps to delete an invitation:

  • In the Navigation bar, select Security.
  • In the Context bar, select Users.
  • In the list view of users, do one of the following:
    • For an invitation row, select More Options (⋮ vertical ellipsis), and then select Delete.
    • For the invitation that you want to delete, select the check box, and then in the Search bar, next to Selected, select More Options (⋮ vertical ellipsis) → Delete.
  • In the dialog, select Delete.

Additional Considerations

Login As feature

A user that inherits the SuperRole has the ability to impersonate a user. The Super User is able to use the Login As feature to impersonate another Incorta user. You can access the feature from the Edit User drawer. Once active, you will be restricted to the same permission and shared access as the impersonated user. Any changes you make to the user’s content or user settings will be reflected in the user’s account. To return to your Super User account, select Switch Back from the profile menu in the top right corner of the Action bar.

An impersonated user receives an email notifying them of their impersonation. However, this requires SMTP configuration for the Incorta Cluster.

To limit the possibility of unwanted user impersonation, Incorta strongly encourages that security administrators limit the number of users that inherit the SuperRole as well as configure SMTP for the Incorta Cluster.

Enable Inviting Users via Email

While this feature is enabled by default for Cloud trial users, Incorta customers have this feature disabled by default. The Super User tenant administrator must enable it in CMC per tenant.

Here are the steps to enable inviting users via email in a specific tenant:

  • Sign in to the CMC as the Super User tenant administrator.
  • In the navigation bar, select Clusters, and then select Tenants.
  • For a given tenant, select Configure.
  • On the Security tab, turn on the Enable Inviting users option.
  • Select Save.

Here are the steps to enable inviting users via email in the default tenant configurations:

  • Sign in to the CMC as the Super User tenant administrator.
  • In the navigation bar, select Clusters, and then select your cluster.
  • Select Cluster ConfigurationsDefault Tenant ConfigurationsSecurity.
  • Turn on the Enable Inviting users option.
  • Select Save.

User invitation considerations

  • If you disable the inviting users via email feature while there are pending invitations, invitees can accept these invitations as long as the invitations are still valid.
  • You can send up to 50 invitations at a time.
  • The default authentication type of invitee users is Incorta Authentication. You can change it after they accept the invitation.
  • The Default tenant in a trial Cloud cluster has a MyTeam built-in group that is by default assigned the Analyze User, Security Manager, and User Manager roles, and the tenant administrator belongs to this group. Other user-created or imported tenants do not have this built-in group.
  • An invitation is valid for 7 days from the date of sending the invitation. When you hover over the Last Signed In column for a pending invitation, the time remaining before the invitation expires appears rounded down to the nearest number of days.
  • Invitees cannot use the link of an expired, deleted, or accepted invitation to accept the invitation or access the shared tenant.
  • When you delete a user that has sent invitations to others, these invitations are deleted as well.
  • Resending an expired invitation resets its expiration date while resending a pending invitation does Not reset its expiration date.
  • You cannot share any item (physical or business schema, dashboard, or folder) with invitees whose invitations are pending or expired. You can share items with active users only.
  • You cannot add or invite a user with the same email address as an invitee whether the invitation is pending, accepted, or expired.
  • When you export a tenant, invitees with expired or pending invitations are not exported.