User Security Management

Learn how to set up a new user login account, assign access and security profiles, and define contact properties.  

Note:  Administrator permissions are required to access security forms.

For instruction on user security management, click the following links or use the scroll bar to scan the page.

Overview of User Security Management

User login accounts must be established for each Essential user and are required for users to log into the Essential database. Add new user login accounts to Essential on the User Manager form. Assign security profiles, grant administrative permissions, and define contact properties for a user login account on this form.

There are two ways to establish user login accounts in Essential:

• Database Authentication: Use Database authentication to establish user login accounts for users who may need to access the Essential database outside of Essential with a database login ID and password. Reserve this type of login account for users who absolutely need it and are trusted with that level of access. For example, you might create a user login account using Database authentication for an alliance partner who will need to upload data into your database using a third-party tool. It is possible for users with Database authentication accounts to view and potentially modify any information in your Essential database using a third-party tool.

• Application Authentication: Use Application authentication to create login accounts for most users. Application authentication does not allow the user to access the Essential database outside of Essential because the database login ID and password are separate and distinct from the application login and password. This is the strongest database security, and it prevents any access to the Essential database other than through the Essential client interface. The user login is mapped to a separate database login that is hidden from the user at all times.

It is not necessary to create separate database logins for each user. Any number of user logins can be associated with the same database login. For example, you may set up a database login called “airdataentry” and assign the 10 users who perform data entry for the Essential Air module to this database login, each with a separate user name and password. The following fields are available to track the changes made to Essential data by specific users:

• app_create_user = the Essential user login name of the user who created the record; this value is never overwritten.

• app_ create_date = the date the record was created; this value is never overwritten.

• app_modify_user = the Essential user login name of the user who most recently updated the record. This value is overwritten each time the record is updated.

• sys_update_user = the date of most recent update to the record. This value is overwritten for each update.

Create database login accounts using the appropriate Oracle or SQL Server database tools. For Application authentication, the database login account also needs to be mapped to Essential. The DataBase Login form is available to set up and map database login accounts for Application authentication. Refer to Setting up Database Logins for Application Authentication.

Windows authentication is available for login accounts created with Database authentication or Application authentication. However, it is strongly recommended that Windows authentication users also be Application authentication users.

Setting up Database Logins for Application Authentication

A database login must be assigned to each Essential user login account established with Application authentication. It is recommended that most users be assigned the pwsys database login provided with the software. However, different database login accounts can be set up in the database using the appropriate Oracle or SQL server database tools or in Essential using the Database Login form. When a database login account is set up in the database, it must be mapped to Essential via the Database Login form. If the mapping relationship is not validated and the unmapped database login is assigned to a user login account, the user's login attempts will fail. When a database login account is set up using the Database Login form, the mapping relationship is automatically established; no additional validation is required. Once a valid database login mapping relationship exists, the database login will be available for selection from the Database Login field list in the Authentication Method subsection on the User Manager form.

Note:  Only unmapped database logins can be applied to user login accounts established with Database authentication. A mapping relationship can be removed as long as the database login has not been assigned to any Essential user login accounts. See To Remove Mapped Database Logins for additional information.

Caution:  Consult your database administrator before adding, deleting, or modifying database login account information on the Database Login form.

To add a new database login for application authentication

1. Click Administration > Database Logins and Passwords in the Navigation Tree.
   
   The Database Logins list appears.

2. Click New.
   
   The Database Login form is displayed.

3. Click the Create Database Login/User check box and enter a database login ID in the Mapped Database Login field.

4. Enter the password for the login in the Password field and retype the password in the Confirm Password field.

5. Click Save.
   
   The database login is now available to be associated with an Essential user login account assigned Application authentication.

6. Repeat steps 2 through 5 to add other database logins for Application authentication.

To map an existing database login for application authentication

Tip:  You must know the existing database login password to set up a mapping relationship.

1. Click Administration > Database Logins and Passwords in the Navigation Tree.
   
   The Database Logins list appears.

2. Click New.
   
   The Database Login form is displayed.

3. Select a database login from the list for the Mapped Database Login field. Only unmapped database logins appear in the list.

4. Enter the password for the login that corresponds to the password in the database in the Password field.

5. Retype the password in the Confirm Password field.

6. Validate the login and password combination entry by clicking the Verify Database Login button.
   
   A confirmation message is displayed.

7. Click OK to complete the validation process.

8. Repeat steps 2 through 7 to map additional database logins to Essential.

To remove mapped database logins

Note:  The option to delete both the database login and mapped database login record, or just the mapped database login record is provided. It is important to note that a mapping relationship cannot be removed if the database login is associated with an Essential user login account.

1. Click Administration > Database Logins and Passwords in the Navigation Tree.
   
   The Database Logins list appears.

2. Locate the login and click the link to open the Database Login form.

3. Click the Delete button and use the following guidelines to determine your next step:

1. • Click OK to delete both the database login and mapped database login record, then click OK to confirm.

   • Click Cancel to delete the mapped database login record only and click OK to confirm. The database login will be available for Database authentication assignment on the User Manager form since it is now an unmapped database login.

   • Close the window to stop the removal process and click Cancel to confirm.

Establishing User Login Accounts

Use Application authentication to establish user login accounts when your users have no need to access the Essential database using a third-party tool and Database authentication when they do.

• Establishing an Application authentication login account in Essential involves entering the user’s name, entering a user login and password, selecting the database login ID, specifying the appropriate access and security profiles, and defining contact properties.

• Establishing a Database authentication login account in Essential involves entering the user’s name, selecting the database login ID that was set up in the database, selecting the appropriate access and security profiles, and defining contact properties.

Windows authentication is available for login accounts created with Database authentication or Application authentication. However, it is strongly recommended that Windows authentication users also be Application authentication users.

Limit the length of time a user login account is active by specifying an Account Expiration Date. Access to Essential will be denied the day after the specified expiration date. Days are counted from midnight to midnight. A notification message is displayed at login prior to the expiration date alerting the user to the approaching expiration. An application configuration setting is available to define the number of days prior to the expiration date the notification message will begin to appear. The default is five days. The notification messages will continue until one of the following occurs:

• The expiration date is removed from the user login account.

• The expiration date is modified to a date that is later than the default configuration setting.

• The configuration setting is changed to a shorter time period and the day when the notification is to first appear has not occurred yet.

• The expiration date has passed.

Alternatively, a user login account can be disabled after a specified period of inactivity. If the account is not used to log in to Essential within a specified number of consecutive days, the account is disabled. A disabled account cannot be used to log in to Essential. An application configuration setting is available to define the number of inactive days. The setting applies to all user login accounts, including those set up with application or database authentication and with or without Windows authentication. Days are counted from midnight to midnight. A disabled account can be reactivated by clicking the Clear button next to the Last Login Date field on the User Manager form. This field is only displayed when a value has been defined for the inactive days configuration setting; the default is zero.

Note that you can also manually deactivate an account at any time; see Deactivating User Login Accounts.

A filter to view inactive user login accounts is available on the User Manager browse view, along with a filter to view CyberRegs Users Only and one to view user login accounts without a contact association. The Select All and Select None options are available to quickly add or remove both filters.

Tip:  The Show Users Without a Contact filter applies to user login accounts established prior to the release of Essential 7.7 when a contact association became mandatory. A new Data Importer template configuration, Users Without Contact, has been added to the Contact/User template to bulk update the user login account records that are missing contacts. Refer to the Essential - User Manager Contacts release document for additional information.

A Password Policy can be enforced for user login accounts established with the Application authentication method. Define your policy on the Password Policy form and implement the policy for a user login account by selecting the Enforce Password Policy option.

Add new user login accounts to Essential on the User Manager form. Before you begin, validate your users on the Contacts and Personnel form.

To establish a user login account

1. Click Administration > User Manager in the Navigation Tree.
   
   The User Manager list appears.

2. Click the New button.
   
   The User Manager form is displayed.

3. Type a User Name for identification purposes. This value is displayed as a link next to the Welcome label in the Navigation Tree. The link provides access to the User Settings form where passwords can be changed and filters for the governing bodies and rules shown in form field lists can be defined.

Tip:  This is NOT the name the user will use to log in with. The name entered in the User Login field in the User Information section is the name the user will log in with.

4. Select a Culture from the list to define the language, numeric, and date environment for the user. If no localized files have been translated and configured for the chosen Culture, the default Culture setting, English – United States, is applied. For additional information, refer to Culture Settings and Localization.

5. Select a Contact from the list. A contact can only be assigned to one user login account; the contact/user login account association must be unique.
   
   If the appropriate contact is not listed, click the Ellipsis button and add the contact. Move your mouse over the Show Record Details icon to view information about the selected contact. Or, click Edit Contact to open the Contacts and Personnel form where you can view or update the record for the selected contact.

6. Limit the length of time a user login account is active by entering an Account Expiration Date, or by clicking the Calendar button and selecting a date. Access to Essential will be denied the day after the specified expiration date.

7. Select the applicable Authentication Method. Use Application authentication to establish user login accounts when your users have no need to access the Essential database using a third-party tool and Database authentication when they do.

8. Select the This is a Window Authenticated User option when applicable. Refer to Implementing Windows Authentication for additional information.

9. Enter the User Login for the Application authentication method or select it from the list for the Database authentication method. This is the name the user will enter to log in to Essential.

Tip:  User logins are case-sensitive.

10. Select a Database Login from the list for the Application authentication method. Otherwise, skip to step 13.

11. Type the user password in the Application Password and the Confirm Application Password fields for the Application authentication method. This is the password the user will enter to log in to Essential.

Note:  A Windows-authenticated user does not require a password to access the Essential software. The password-related fields are not displayed when the This is a Window Authenticated User option is selected. Skip to step 13.

12. Ensure the Enforce Password Policy option is selected. Refer to Password Policy for additional information.

13. Select the User must change password on next login option when applicable.

14. Click the Save button on the form.

15. Assign the access profile and add module security in the Security Settings section, define contact properties in the Assigned Enterprise Entities section, and add any notes or comments in the Notes section. The Assigned Enterprise Entities section is displayed when a contact has been selected and an Entity Access profile has been specified.
    
    Refer to Cyberegs User Management for information about the Essential/Cyberegs integration process.

16. Click the Save button on the form. Repeat steps 2 through 15 to add other login accounts.

Deactivating User Login Accounts

Regardless of whether a user account is set to expire on a certain date (see Establishing User Login Accounts), you can immediately deactivate the account. When you do this, you revoke its ability to login to Essential. You can also select whether to retain or remove the account's permissions and security profile assignments.

To deactivate a user login account

1. In the navigation tree, go to Administration > User Manager.
   
   The User Manager list appears.

2. In the User Name column, click the name of the user account you want to deactivate.
   
   The account's properties are displayed.

3. Next to the Account Expiration Date field, click Deactivate User.
   
   A User Deletion dialog opens.

4. Select how you want to deactivate this user (that is, what data you want to remove):

• Only Populate Inactive Field: Select to deactivate the account, revoking its ability to login only. This option retains all of the account's related security permissions and profiles.

• Populate Inactive Date field and remove User's Security Permissions and Security Profile Assignments: Select to deactivate the account and remove all of the following data related to the account:

• Account's associations with the module-specific General Security Profile, Essential Hierarchy Security Profile, and Entity Access Profile

• Account's selections for Contact Properties (Contact / Compliance Owner / Available for Task Assignments / Task Administrator) for all Enterprise Entities

• Account's mapping to a CyberRegs user account

• Account's permission selections on its Security Settings tab: Administrator Permission, User Defined Browse Permission, Sensitive Data Permission, Custom Localization Permission, and Global Compliance Category Permission

• Account's status as a Parameter Group Administrator / Power User

• Account's associations with parameter groups

• Account's permissions (Available for Task Assignments / Task Administrator) on all Enterprise Entities (found in each Entity's properties under Task Management > Permissions)

5. Click Deactivate User.
   
   The user account is deactivated. It now appears in the User Manager list only when Show Inactive Users is selected.

Tip:  To reactivate any deactivated account, simply clear its Account Expiration Date and save this change. This will re-enable the account to login, but will not recover any related data you might have removed during deactivation.

Setting User Security

Assign security for a user login account in the Security Settings section on the User Manager form. The options available are described below.

• Entity Access Profile: Select the profile that includes all entities the user can access.

• Security Profiles: For each module that applies to the user login account, assign a General Security Profile and a Hierarchy Security Profile. General Security profiles grant access to and specify the authorization level (read, update, add, delete) for each entity-independent object and element. Hierarchy Security profiles grant access to entity-dependent objects and elements, as well as define the authorization level at each entity.

• Administrator Permission: This setting provides the user with access to all of the forms in the Administration folder in the Navigation Tree. When combined with the User Defined Browse Permission setting, public/shared user-defined browse views can be created, updated and deleted.

• Global Compliance Category Permission: Only users with the Global Compliance Category permission can manage Compliance Categories that are available to all Entities. For Compliance Categories that are not marked “Available to All Entities,” only users with the selected Entity in their Entity Access Profile and appropriate permissions in their General Security profile for the Compliance Categories form can manage Global Compliance Categories.

• User Defined Browse Permission: This setting allows a user to create, update, and delete user-defined browse views within Essential for private use. Administrator Permission must also be assigned to allow a user to create, update, and delete public/shared browse views in addition to the views for private use. If a user without user-defined browse permissions attempts to access the User Defined Browse form, a message advising the user no permissions for the page have been granted is displayed.

Note:  If authorization to create user-defined browse views is granted and subsequently revoked for a user, all private browse views created by that user are automatically deleted from the database. Browse views where that user has applied a private user-defined browse view will revert back to the default view. All existing public/shared user-defined browse views established by that user remain unaffected by the change in permissions.

• Sensitive Data Permission: For the Essential Incident module, assign capabilities to view sensitive data entered in fields on incident-related forms and reports. Sensitive data might include personal details about other users, classified information, passwords, etc. When sensitive data authorization is not granted, a bullet symbol is displayed for each character instead of the actual data – comparable to the symbol shown when entering the login password. For the Incident and Emergency modules, Incident Type sensitive data authority can be assigned, which overrides the sensitive data permissions assigned here.

• Custom Localization Permission: This setting enables a user to modify existing language translations within Essential to meet business or regional needs. The Custom Localization folder and form link in the Navigation Tree are not displayed for users with no custom localization permissions.

Note:  If the Custom Localization Permission option is not displayed, localization has not been implemented. A Language Key is required when Essential is installed to enable localization.

Tip:  Authorization for establishing user-defined resource records and language translations for the Emergency and Incident modules is assigned via the General Security profile. Refer to Localization Resources for additional information.

To set user security

1. Locate the login account on the User Manager list, click the account link to open the User Manager form, and expand the Security Settings section when necessary.

2. Select an Entity Access Profile from the list.

3. Select a General Security Profile and a Hierarchy Security Profile for a module from the list for each field.
   
   Just the Hierarchy Security profiles associated with the Entity Access profile specified are listed and can be assigned to the user.

4. Repeat step 3 to assign security profiles for other modules.

5. Click the Administrator Permission check box to assign administrative privileges.
   
   The Administrator Permission setting provides the user with access to all of the forms in the Administration folder in the Navigation Tree. When combined with the User Defined Browse Permission setting, public/shared user-defined browse views can be created, updated and deleted.

6. Select the User Defined Browse Permission option to assign authorization for creating, editing, and deleting private custom browse views.
   
   Administrator Permission and User Defined Browse Permission are required to assign authorization for creating, editing, and deleting public/shared user-defined browse views in addition to private views.

7. Click the Sensitive Data Permission check box to allow the user to view sensitive data entered in fields on Essential Incident module forms and displayed in incident-related reports.

8. Select the Custom Localization Permission option to grant authorization for existing language translation modifications.

9. Click the Save button on the form.
   
   All of the entities that are part of the selected Entity Access profile can be viewed by clicking the Manage Enterprise Entities button in the Assigned Enterprise Entities section. Define contact properties when applicable.

Defining Contact Properties

Contact properties provide a user with entity-specific capabilities. Designate the user as an entity contact, the entity compliance owner, and/or an entity task administrator for one or more entities. Identify the user as available for task assignments and/or associate contact types with users designated as entity contacts. Click the Manage Enterprise Entities button in the Assigned Enterprise Entities section on the User Manager form to view each entity a user can access and define contact properties. The entities are listed in the organizational structure established for your enterprise. The properties available for a user login account depend on the security profiles assigned, module access, and other settings such as Enterprise Entity Type attributes. The following sections describe contact property requirements and processing details:

• Entity Contacts and Contact Types

• Compliance Owner

• Task Administrator

• Available for Task Assignment

• Applying Contact Properties to Multiple Entities

• To Define Contact Properties

Note:  Contact properties apply to user login accounts where a contact has been specified.

Entity Contacts (C) and Contact Types

Entity contacts can be designated for entities associated with Enterprise Entity Types where the Contacts section attribute has been made available. The designation can be made independent of the user's module security access and one or more users can be designated as a contact for a single entity.

Click the Ellipsis button to associate contact types with the entity contact. Contacts can be referenced on reports or be granted access to other forms based on the contact type. Assigned contact types are displayed next to the Contact (C) check box. The contact and any contact types added in the Assigned Enterprise Entities section on the User Manager form are also displayed in the Contacts section on the Enterprise Entity form and the Entity Contacts form (Event Tasking). Contact type edits made on any one of the forms update the information on all three forms.

Compliance Owner (CO)

Compliance Owners are responsible for Citation Linking/Notification functionality at an entity. (In earlier versions of Essential, task administration was part of Compliance Owner capabilities. The new Task Administrator role has assigned permissions to all Task Assignment records at the designated entity.) The following conditions must be met before the Compliance Owner property is available for a user login account:   

1. The Compliance Manager module has been selected for the user login account, and

2. The Hierarchy Security profile associated with the Compliance Manager module contains an Entity-Dependent Security profile with Entity Compliance Owner security object permissions assigned to the applicable entity (and if the default Entity-Dependent Security profile is different, it contains at least Read permissions to the object), and

3. The entity is associated with an Enterprise Entity Type where the General section attribute has been made available.

Just one Compliance Owner can be designated for an entity. When a Compliance Owner has been specified, the user's name is displayed next to the CO check box for the entity in the Assigned Enterprise Entities section on the User Manager form. The Compliance Owner is also displayed in the General section on the Enterprise Entity form. Edits made to the Compliance Owner designation on either form update the information in both sections.

Task Administrator (TA)

Task Administrator capabilities apply to all Task Assignment records at the designated entity. The access permissions (read, update, add, delete) assigned to each security object listed below, as well as any security elements associated with the objects, determine the extent of the Task Administrator's capabilities.  

1. • New Task Assignment

   • Task List

   • Task List - Bulk Copy

   • Task List - Bulk Update

One or more users can be specified as a Task Administrator at each entity and an individual user can be designated as a Task Administrator at multiple entities. The following conditions must be met before the Task Administrator property is available for a user login account:

1. The Task Manager module has been selected for the user login account, and

2. The entity is associated with an Enterprise Entity Type where the Create and/or Manage Task Assignments attribute has been selected.

A contact designated as a Task Administrator in the Assigned Enterprise Entities section on the User Manager form is also displayed in the Permissions subsection of the Task Management section on the Enterprise Entity form, and the Task Management section on the Entity Contacts form (Event Tasking). Task Administrator designation edits made on any one of the forms update the information on all three forms.

Available for Task Assignment (ATA)

The Available for Task Assignment contact property can be applied to a user login account when the following conditions are met:

1. The Task Manager module has been selected for the user login account, and

2. The entity is associated with an Enterprise Entity Type where the Create and/or Manage Task Assignments attribute has been selected, and

3. The Not Available for Task Assignment option on the Contacts and Personnel form is NOT selected.

A contact designated as available for task assignment in the Assigned Enterprise Entities section on the User Manager form is also displayed in the Permissions subsection of the Task Management section on the Enterprise Entity form, and the Task Management section on the Entity Contacts form (Event Tasking). Available for task assignment designation edits made on any one of these forms update the information on all three forms.

Applying Contact Properties to Multiple Entities

The entities available for contact property assignment to a user login account are listed in the organizational structure established for your enterprise. Multiple contact properties can be assigned to one or more entities at the same time. The Apply All option has been included to quickly propagate contact property assignments to child entities. As a result, many records in your Essential database may require updates and take several minutes to complete. When extensive database changes are necessary, a processing status is displayed showing the progress. The total number of records to be processed, along with the number already processed, is provided. The Assigned Enterprise Entities window must remain open during the entire update process. Otherwise, all processing will stop and no changes will be saved.

Tip:  When copying a user login account record, the data in the Assigned Enterprise Entities section is also copied.

To define contact properties

Tip:  To assign the designations made for an entity to the entity's children, click Apply All (or press the Shift key and click the parent entity). If the processing status is displayed, be sure the Assigned Enterprise Entities window remains open until processing is complete. Otherwise, all processing will stop and no changes will be saved. Refer to Applying Contact Properties to Multiple Entities for additional information.

1. Locate the login account on the User Manager list, click the account link to open the User Manager form, and expand the Assigned Enterprise Entities section when necessary.

2. Click Manage Enterprise Entities.

3. Designate the user as a Contact (C) by clicking the check box adjacent to the entity.
   
   If the user has already been added in the Contacts section on the Enterprise Entity form, the corresponding check box will already contain a check mark. Any assigned contact types are displayed next to the Contact (C) check box.

4. Click the Ellipsis button to associate one or more contact types with the user at the entity. Otherwise, skip to step 7.
   
   The Ellipsis button is available when the Contact property is selected.

5. Select the Available Contact Types and click the right arrow button to assign them to the contact.
   
   Unassign a contact type by selecting it in the list of Assigned Contact Types and clicking the left arrow button.

6. Click Save and then close the window to return to the list of assigned entities.
   
   Assigned contact types are displayed next to the Contact (C) check box. Multiple types are separated by a comma. Pause your mouse pointer over the visible type(s) to see all assigned types.

7. Designate the user as a Compliance Owner by clicking the check box adjacent to CO for the entity.
   
   When a Compliance Owner already exists for the entity, the user's name is displayed next to the CO check box. Override the designation by clicking the CO check box in the open user login account record.

8. Designate the user as Available for Task Assignments by clicking the check box adjacent to ATA for the entity.
   
   The Available for Task Assignment contact property will not be displayed if the Not Available for Task Assignment option on the Contacts and Personnel form has been selected.

9. Designate the user as Task Administrator by clicking the check box adjacent to TA for the entity.

10. Click OK to save your contact property designations.

Permit Owner Authorization

A Permit Owner is automatically granted Update permissions for the permit record. To be eligible as a Permit Owner, a user account must be established for a contact that provides at least Read authorization for the Permit form (Permit security object) and grants access to at least one of the entities associated with the permit. When applicable, a Permit Owner's privileges can be expanded to include Add and/or Delete privileges via the Permit security object.

Permit Owners are assigned in the Permit Owners section on the Permit form. One or more users can be specified as a Permit Owner at each entity and an individual user can be designated as a Permit Owner at multiple entities. The authority of a Permit Owner does not automatically include privileges for the Permit Owners section; a separate Permit Owner security object governs user access to this section. When applicable, grant access permissions (read, add, update, delete) to a user via the Permit Owner security object.

Whether you decide to fully implement Permit Owner functionality, or use it in a limited manner or not all, user authorization to the Permit form can still be controlled via the permit-related security objects. That is, any user with Update permissions and access to one of the entities associated with a permit can edit the permit record regardless of whether the user has been designated as a Permit Owner or not.

Parameter Group Authorization

Grant Parameter Group Administrator/Power User authority to a user login account in the Parameter Group Admin section on the User Manager form. Users with this authority have access to all parameter groups and all parameter master groups and can assign parameter groups on the Parameter Group form and master groups on the Parameter Master Group form to user login accounts. This is especially useful when setting up access for user login accounts with no access, or limited access, to parameter group forms. Parameter Group Administrator/Power User authority is also required to create and update parameter sets. Refer to Parameter Set Security for additional information.

Parameter groups apply to the modules listed below. Parameter master groups apply to the same modules except the Process Data Manager module, which uses non-data entry-related groups.

• Air

• Air Parameter Data Entry

• Water

• Water Parameter Data Entry

• Compliance Parameter Data Entry

• Compliance Parameter Management

• Process Data Manager

User login accounts without access to a parameter group or without Parameter Group Administrator/Power User authority cannot access that group on the Parameter Group Data Entry form. Nor will the group be accessible in Process Data Manager module forms, browse views, and field lists.

To expedite the parameter group data entry process, default parameter groups for a user login account can also be identified in the Parameter Group Admin section. One parameter master group or one-to-many individual parameter groups the user login account has access to can be selected to automatically appear on the Parameter Group Data Entry form when it is opened by the user. The order in which individual parameter groups are listed can also be defined. The User Settings form is available for users to change default group settings at any time. Edits made on either the User Settings form or the User Manager form are reflected on both forms. Refer to Identifying Default Parameter Groups for additional information.

To assign parameter group authorization and/or identify default groups

1. Locate the login account on the User Manager list, click the account link to open the User Manager form, and expand the Parameter Group Admin section when necessary.

2. Select the Parameter Group Administrator / Power User option to assign the user login account access to all parameter groups and parameter master groups as well as authorization to specify which user login accounts have access to a particular parameter group.

3. Click Default Parameter Groups for Data Entry to identify the groups that are displayed by default on the Parameter Group Data Entry form for the user. Otherwise, skip to step 10.

4. Select a Parameter Master Group from the list and skip to step 9. Or, leave the field blank and continue to step 5 to select one or more individual groups.
   
   Tip:  A user must also have access to the parameter groups within in the parameter master group or be granted Parameter group Administrator/Power User authorization in order to view the groups on the Parameter Group Data Entry form. For additional information about parameter groups, refer to Parameter Master Groups and Parameter Groups.

5. Click Add Parameter Group.
   
   A list of the parameter groups assigned to the user is displayed. If the appropriate group(s) are not listed, either assign the Parameter Group Administrator / Power User option or add the user to the group(s) on the Parameter Group form.

6. Select the appropriate groups by clicking the check box adjacent to each parameter group.

7. Click the Add Parameter Group button.
   
   Each group selected is added as a line item.

8. Use the up/down arrows at the end of the line items to change the order of the groups, when applicable.
   
   The order defines the sequence in which the groups will appear when the Parameter Group Data Entry form is opened.

9. Click Save and close the window to return to the User Manager form.

10. Click the Save button on the User Manager form.

Unlocking a Locked User Account

A user becomes locked out when more than the allowable number of attempts have been made to log in with an invalid user/password combination. The default is four times. This value can be changed using the Configuration utility. Refer to Configurable Settings for additional information. Unlock user login accounts on the User Manager form.

To unlock a locked user account

1. Locate the locked login account on the User Manager list and click the account link to open the User Manager form.

2. Click the Unlock button next to the User Name field.

3. Assign a new password when necessary by completing the Application Password and Confirm Application Password fields in the User Information section.
   
   Passwords are case-sensitive and must contain a minimum of 7 characters.

4. Click the Save button on the form.

Resetting a Locked User Account

The allowable number of attempts to log in with an invalid user/password combination is set in configureappsettings.aspx. The account can be reset by (A) increasing the allowable attempts via the Configuration utility, or (B) overriding (to a lower number) the number of failed attempts that have been logged for the user. Both methods are described below.

Method A

1. Access the Configuration utility and find the MaxLoginAttempts setting. When necessary, refer to Configurable Settings for more information.

2. Temporarily increase the Key Value to allow more attempts to log in successfully.

3. Set the value back to your desired setting after a successful login.
   
   Turn off the account lockout feature entirely by setting this value to -1.

Method B

1. Find the LOGIN_ATTEMPTS table in the UISupport database.  

2. Change the value of the ATTEMPTS field for the user to a number below the MaxLoginAttempts value in the Configuration utility.

Resetting User Passwords

On the User Manager form, the user login account password, i.e., the password the user enters to log in to Essential, can be reset. Just user login accounts established with the Application authentication method require a password.

To reset user passwords

1. Locate the login account on the User Manager list and click the account link to open the User Manager form.

2. Click the Reset Password button.

3. Type the user password in the New Password and the Confirm Password fields.

4. Ensure the Enforce Password Policy option is selected. Refer to Password Policy for additional information.

5. Select the User must change password on next login option when applicable and click OK.

6. Click the Save button on the User Manager form.

Implementing Windows Authentication

Specific settings are required in IIS and on the Essential User Manager form to set up Windows authentication for a user. Follow the steps below.

Caution:  It is strongly recommended that all Windows authentication users be Application authentication users. Refer to Overview of User Security Management for additional information.

To implement Windows authentication for Windows 2008 server

1. Locate the login account on the User Manager list and click the account link to open the User Manager form.

2. Select the This is a Windows authenticated User option in the User Information section.

3. Enter just the Windows network login name (without the domain) in the User Login (Application) field.  
   
   For example, assuming user Mike Murphy logs into the MYOFFICE domain as MYOFFICE\mikem, the User Login field entry would be mikem.

4. Click Save.

5. Navigate to Authentication for the <Essential-EHS> virtual directory in IIS.

6. Change the Anonymous Authentication status to Disabled.

7. Change the forms Authentication status to Disabled.

8. Change the Windows Authentication status to Enabled.

Tip:  Refer to Windows Authentication Session Management when there are issues with the number of concurrent users exceeding the maximum license count.

Related topics