trueChart Help

User Management v2021.2.0 +

Introduction

From v2021.2.0 onwards, users will find that the User Permissions screens have been updated with new functionality as well as an enhanced user interface. This was done in order to provide a centralised space where they can manage their users' permissions.

Users can now manage their trueChart users, KPI Chat Data Permissions and Active Directory Integration, as well as apply Bulk User changes, in one centralised space.


User Management

  • Log into the trueChart Management Console and click on “User Administration” to view trueChart's new user management screen.
    • trueChart has 3 user types:
      • Active Directory User. This user does not belong to an Active Directory Group
      • Active Directory User. This user belongs to an Active Directory Group
      • Local user. This user does not exist within the Active Directory and was manually created
         

You can see each user's type and the privileges assigned to each user.

  • Active Directory users not belonging to a group and Local users can be edited in line, allowing for quick permission management.
  • To add a new User:
    • Click on New User.
    • In the New User dialog, enter First name, Last name, Username and Language, and capture the required permissions
    • Should you have a valid KPI Chat Licence and have KPI Chat Administrator privileges you will see the option to link this user to a Data Permission Role as well
    • Click on Save to create the new user.


Adding Named Users from Active Directory

  • Click on “Search in directory” and search for the user/group.
  • If more than 1 Active Directory is enabled, you may select a specific AD to search on
  • Enter the username of the user as it would appear in the Active Directory and select 
  • Select your user and enable the required permissions
  • Then click Save

NOTE: If this user is already part of a group, the group they belong to must be used in order to allocate the permissions

Changing existing users

  • Should a user require changes other than permissions, these can be updated by selecting edit on the corresponding line
  • Click on Save to apply the changes.

Disable Users

  • Should you need to disable specific users, you can do so by selecting edit next to the corresponding user.
  • In this user's profile you can check/uncheck the checkbox next to "Disable User".

Changing existing user’s permissions on the user management screen

  • Search or scroll to the user.
  • Check or uncheck the permission you would like to add or remove.

  • And click on Save.

NOTE: Only Local Users and Non Group AD Users can be edited on this screen. Should you need to change a Group's permissions, please edit the Group permissions under the Group Tab.

Group Permissions

Active Directory groups and their permissions can be managed on the Groups Tab. 

Records are in line editable for faster adjustments

To add a new AD group, search for the group name on the "Search in Directory" screen

Local User Groups

  • To create a local user group, click on "Add Local Group"
  • Name your group next to "Local Group Name".
  • Add your group's permissions and click on Save.

  • To apply permissions using "Local User Groups", select edit next to the corresponding user.
  • In the user's profile, next to "User Group", select a "User group" from the list and click on Save.

Bulk-import users

Manual import

Users can also import local user permissions in bulk 



At the bottom of the screen, you see the status of the current or last import procedure.

There are 2 ways for importing users through CSV import:

Users that have access to the TRUECHART Management Console will be skipped during the bulk import.

First, choose a file. The format of the file should match the following example.

username,firstname,lastname,language,email,consumer,designer,nm,kpichat_admin,kpichat_consumer
domain\ahf,Achim,Höffner,en_US,achim@domain.com,,1,1,,
domain\cml,Christian,Müller,de_DE,christian@domain.com,1,,,,


The content of the file will be displayed for manual validation by the user. You can now start the import.

  • Uploading the file

  • Starting a background job that runs the import

  • Where imports fail, users will be able to download the log file to view errors on the failed import

Automated import

You can activate and deactivate automatic CSV import at any time. You only need to place a file on the server, enter its file path, and enter a Cron expression.

Some examples:
"0 0 * * * ?" - will run an hourly job
"0 0 1 ? * SUN" - will run a job every Sunday at 1 o’clock am

Further examples and the full syntax specification can be found at www.quartz-scheduler.org.


Data Permission Administration

Data Permission Roles in TCMC

Following the update in v2021.2.0, Data Permission Roles can now also be managed from within TCMC

Source - Specifies the source from which the Role is added. It can be imported from an Excel file or Active Directory, or added manually.

Role - Set of security Roles which is identified as a role. 

Description - A short description of the role for ease of reference

Dimension 1+/Value 1+ - The first 2 Dimensions of the Role and their values

Data Security Roles Add/Edit

Roles can be edited or deleted. When editing a role, users will be presented with the below screen

User - For which user the Role is created 

Description - A short description of the role for ease of reference

Add Dimension - Add a new Dimension to restrict access for the selected Role

Dimension Value - The Dimension Name and its values, separated by a semicolon where multiple values are specified

Users Table - Select the users that will be linked to this Role

Data Permission Roles in KPI CHAT

Data Permission roles can be added from within the KPI Chat interface 

Users will be presented with the below screen

Source - Specifies the source from which the rule is added. It can be imported from an Excel file or Active Directory, or added manually.

Role - Set of security rules which is identified as a role. 

User - For which user the Rule is created 

Dimension 1+/Value 1+ - The columns here are dynamically created by the Dimensions the user has selected for the roles

Data Security Rules Add/Edit

Added rules can be edited or deleted - select a rule and the Edit/Delete button will be enabled.

Settings - Opens the data permissions in the TRUECHART Management Console for importing rules through the File Import or Active Directory Import modes. See below for more on how to import a file.

Create a Data Security Rule :

  1. Click on the +Add Button which opens the create data security rule page 

The user will be presented with the below:


  1. Enter the role name
  2. Click on +Add button to add a Dimension and its value
  3. Select the Dimension and enter the Value for the selected Dimension.
  4. Select the user from the table

When creating a rule outside a BI Platform the user will be required to enter the Dimension name and not select it

Where multiple Dimensions are added, the permissions will be applied in an "AND" method, e.g.:

User "Bob" is only allowed to view and collaborate on his own client data.

His role will be defined as:

Dimension 1 - Country: UK

Dimension 2 - Client: Client XYZ, Client MNO

In order for Bob to utilize KPI-CHAT for his clients, he must select both the UK AND any 1 (or more) client before KPI-CHAT will allow him access.
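The "AND" rule above, as an added example (not trueChart code): a sketch that checks a selection against a role and reports which dimensions are unmet. The function names, the sample selections and the rule that a selected value outside the role fails its dimension are assumptions of this sketch.

```python
def parse_values(text):
    """Split a Dimension Value string; multiple values are semicolon-separated."""
    return {v.strip() for v in text.split(";") if v.strip()}


def unmet_dimensions(role, selection):
    """Return the role's dimensions that the selection does not satisfy.

    An empty result means access is allowed. Every dimension of the role must
    pass (the "AND" rule), so a single unmet dimension is enough to deny.
    """
    unmet = []
    for dimension, allowed in role.items():
        chosen = set(selection.get(dimension, ()))
        # Assumption of this sketch: a dimension passes only when at least one
        # value is selected and no selected value lies outside the role.
        if not chosen or not chosen <= allowed:
            unmet.append(dimension)
    return unmet


# Bob's role from the text above, written in Dimension Value notation.
BOB_ROLE = {
    "Country": parse_values("UK"),
    "Client": parse_values("Client XYZ;Client MNO"),
}

# Constructed selections: one complete, two missing a dimension, one too wide.
SELECTIONS = [
    {"Country": ["UK"], "Client": ["Client XYZ"]},
    {"Country": ["UK"]},
    {"Client": ["Client MNO", "Client XYZ"]},
    {"Country": ["UK"], "Client": ["Client XYZ", "Client ABC"]},
]

if __name__ == "__main__":
    for selection in SELECTIONS:
        unmet = unmet_dimensions(BOB_ROLE, selection)
        print(selection, "->", "allow" if not unmet else f"deny, unmet: {unmet}")
```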



Channel Users

Following the update for v2021.2.0, Channel users can be managed from TCMC:

  • Select a Channel
  • Select the administrator users for the channel 
    • NOTE: Only users with KPI CHAT Administrator rights will be shown here
  • Select the consumers of the channel, either by specific users or by AD group
    • NOTE: Only users with KPI CHAT Consumer rights will be shown here
  • Then select Save


Channel Filters 

Users can manage Channel filters and their Data Permission Roles from within TCMC:

  • Select a Channel
    • If the channel is new, users may Refresh to update the list of channels
  • Select or add a Filter, or edit an existing Filter
    • Show in Chat Header will allow this Filter name to be shown in the Chat header of a KPI Chat window
  • Selecting a Filter will allow users to enable the required Roles for a Filter
    • View will allow the users linked to this Role to only view content in this Filter
    • Edit will allow users to participate in the Filter's chat

Bulk Data Permissions

  1. Open the TRUECHART Management Console and Click on User Administration
  2. Click on the Data Permission tab from the left side panel
  3. Click on Bulk Data Permissions.
  4. Click on File Import 

File Import



The path to the import file (CSV format) can be given in FilePath. When the Activate check box is enabled, the file at the given path will be imported as per the Cron expression given.

Save the changes once all parameters are given, and the security rules will be imported to the database with the next Cron timer.

Sample format of a CSV import file can be found here: Data Permissions Import Sample.csv

  • File is comma separated (,)
  • To separate values for Dimensions, make use of a semicolon (;)

Additional information on how to create Cron expressions can be found here

Active Directory Import


Available Active Directory connections that are added using the Active Directories panel from TCMC will be listed in available connections.

Here we need to set up the Security Schema Rule. The AD should have the same schema that we mention here in order to import rules successfully.

Rule DN - Distinguished Name, e.g. cn=name, the common name which is used to identify the security rule.

Rule object filter - expression used for search.

Attribute: Role name - identifying name of the role (Mandatory)

Attribute: User - identifying name of the user (Mandatory)

Additional attributes - Additional attributes can be mentioned here as comma separated values.

Sample format files of an AD schema definition (attributes and classes) can be found here. This can be set up using AD handling tools (Apache Studio) in AD.

SecurityRuleClassImportable.ldif

SecurityRuleAttributes.ldif


Active Directory

Apart from the manual (local) creation and management of users, the TRUECHART Service can be linked to an existing LDAP service (such as OpenLDAP, Active Directory, eDirectory, etc.) to control access to users already existing in your directory.

NOTE: For users running trueChart prior to v2021.2.0, this screen will be found under "Settings". Further functionality remains the same.

Connect to an LDAP server

Follow these steps to connect the TRUECHART service to your directory via LDAP:

  1. Open the TRUECHART Management Console and go to the User page
  2. Select the Active Directory menu entry on the left
  3. Click on Add Directory in the upper right.
  4. In the New LDAP Connector dialog enter the following information:
    1. Name and Domain name of the LDAP server
    2. Host and Port the LDAP service is listening on
    3. Username and Password to authenticate to the LDAP service
    4. Sync interval and Search timeout
  5. Check the connection by clicking on the Test Connection button
  6. Click on "Test connection", then save the changes by clicking on the Save button

Connect to an LDAPS server

To use a secure connection to the LDAP server, follow the steps for connecting to an LDAP server, with the following adjustments:

Host: The hostname must contain the protocol. So for an LDAPS connection the host must contain something like "LDAPS://ldap-host.com". The important thing is that it starts with "LDAPS://".

Port: Needs to be changed to the SSL port of the LDAP server: 636 (default - may differ).

In the LDAP(S) auth, the checkbox for SSL must be checked, and the DC must also have a certificate.

Edit the config

To edit the config of an already created LDAP directory connection follow these steps:

  1. Open the TRUECHART Management Console and go to the Settings page
  2. Select the User Directories menu entry on the left
  3. Select the directory configuration to edit in the center


Advanced settings

Server settings

Here the general access parameters must be specified.

Property - Description

Name - The name of the current directory setting
Domain - The domain name to be synced with
Host - The hostname or IP address to access. This should be your Domain Controller.
Port - Enter 389. This is the default port. Enter this value unless you have some custom configuration for LDAP.
Username - Username to be used for access
Password - The password for the given username to be used for access
Sync interval (in minutes) - Sync interval is the time period (in minutes) in which the TRUECHART Service syncs the users and groups between the directory and itself. The default value is 60 minutes.
Search timeout (in seconds) - Specify the timeout for search operations within the directory. The default value is 60 seconds.

LDAP schema

Here the access names to the base directory and special user or user groups are specified.

Property - Description

Base DN - Base DN is the distinguished name of the directory. Example: dc=TRUECHART,dc=de,dc=com

User DN (optional) - Optional value to give for user domain names. The given OU "OU=TRUECHARTUsers" is the actual OU in the Active Directory that you chose to put your users in. Please note that this OU does not have to be called "TRUECHARTUsers". It can be called anything you want, or be any OU that has the users you want to be in your TRUECHART Server instance. Please confirm the group is an OU and not a CN. If it is a CN, you can use the designator CN=Users, for example.

Group DN (optional) - Optional value to give for group domain names. The given OU "OU=TRUECHARTUserGroups" is the actual OU in the Active Directory that you chose to put your users from groups in. Please note that this OU does not have to be called "TRUECHARTUserGroups". It can be called anything you want, or be any OU that has the users you want to be in your TRUECHART Server instance. Please confirm the group is an OU and not a CN. If it is a CN, you can use the designator CN=Users, for example.

User schema

In the following section, the TRUECHART Service attributes must be mapped from directory values to TRUECHART Service values for the users to be imported.

Property - Description

User object - Example: user
User object filter - Example: (&(objectCategory=Person)(sAMAccountName=*))
Attribute: Username - Example: sAMAccountName
Attribute: Username RDN - Example: cn
Attribute: First name - Example: givenName
Attribute: Last name - Example: sn
Attribute: Display name - Example: displayname
Attribute: Principle name - Example: userPrincipalName
Attribute: Email - Example: mail
Attribute: Unique user ID - Example: objectGUID
Attribute: User groups - Example: memberOf

Group schema

In the following section, the TRUECHART Service attributes must be mapped from directory values to TRUECHART Service values for the user groups to be imported.

Property - Description

Group object - Example: group
Group object filter - Example: (&(objectCategory=Group)(name=*))
Attribute: Unique group ID - Example: objectGUID
Attribute: Group name - Example: cn
Attribute: Group description - Example: description
Attribute: Group members - Example: member
Fetch group members recursively - Check or uncheck. When checked, users within sub or nested groups are also imported.

Database Password Encrypter

  • To encrypt your database password in TCMC, you would need to click on settings.
  • Select "Security" in the bottom left corner.
  • Under "Password Encrypter" insert your current database password next to "Password to be encrypted".
  • Your encrypted password will be displayed next to "Encrypted Database User Password".
  • This encrypted password can now be captured in your trueChart xml config file.

Bulk User Administration:

Users can be imported/exported in bulk from within TCMC:

  • The import dialog can be accessed by selecting the User administration icon. After that, select Bulk User Administration in the left navigation panel.
  • At the bottom of the screen, you see the status of the current or last import procedure.

There are 2 ways for importing users through CSV import:

Manual import:

  • First, create a file. The format of the file should match the following example.

Example CSV Format:

username,firstname,lastname,language,email,consumer,designer,nm,kpichat_admin,kpichat_consumer
domain\ahf,Achim,Höffner,en_US,achim@domain.com,,1,1,,
domain\cml,Christian,Müller,de_DE,christian@domain.com,1,,,,

  • The content of the file will be displayed for manual validation by the user. You can now start the import.

The import consists of 2 steps:

  • Click on Choose File.

  • Starting a background job that runs the import.

  • If the import was successful, you will see the following status: Import finished.
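A pre-import check for the CSV format shown in both bulk-import sections (Bulk-import users and Bulk User Administration), as an added example that is not part of trueChart. It validates the header and rows and lists users who would receive permissions worth reviewing; the function name, the choice of review columns, the case-insensitive username comparison and the rule that a flag is empty or 1 are assumptions.

```python
import csv
import io

HEADER = "username,firstname,lastname,language,email,consumer,designer,nm,kpichat_admin,kpichat_consumer".split(",")
FLAGS = HEADER[5:]
# Assumption: the permission columns worth a second pair of eyes before import.
REVIEW = ("designer", "kpichat_admin")

# Constructed sample: the two documented rows plus two deliberately bad ones.
SAMPLE = r"""username,firstname,lastname,language,email,consumer,designer,nm,kpichat_admin,kpichat_consumer
domain\ahf,Achim,Höffner,en_US,achim@domain.com,,1,1,,
domain\cml,Christian,Müller,de_DE,christian@domain.com,1,,,,
domain\AHF,Achim,Höffner,en_US,achim@domain.com,,,,yes,
domain\xyz,Test,User,en_US
"""


def check_import(text):
    """Return (errors, review) for bulk-import CSV text."""
    errors, review, seen = [], [], set()
    reader = csv.reader(io.StringIO(text))
    if next(reader, None) != HEADER:
        return ["line 1: header does not match the documented columns"], review
    for line_no, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(HEADER):
            errors.append(f"line {line_no}: expected {len(HEADER)} fields, got {len(row)}")
            continue
        rec = dict(zip(HEADER, (cell.strip() for cell in row)))
        user = rec["username"]
        # Assumption: usernames are compared case-insensitively.
        if not user:
            errors.append(f"line {line_no}: empty username")
        elif user.lower() in seen:
            errors.append(f"line {line_no}: duplicate username {user}")
        seen.add(user.lower())
        # Assumption: a flag is either empty or 1, as in the documented rows.
        bad = [name for name in FLAGS if rec[name] not in ("", "1")]
        if bad:
            errors.append(f"line {line_no}: flag not empty or 1: {', '.join(bad)}")
        granted = [name for name in REVIEW if rec[name] == "1"]
        if granted:
            review.append((user, granted))
    return errors, review


if __name__ == "__main__":
    print(check_import(SAMPLE))
```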

Automatic import:

You can activate and deactivate automatic CSV import at any time. You only need to place a file on the server, enter its file path, and enter a Cron expression.

Some examples:
"0 0 * * * ?" - will run an hourly job
"0 0 1 ? * SUN" - will run a job every Sunday at 1 o’clock am

Further examples and the full syntax specification can be found at www.quartz-scheduler.org.