Users & groups

This section is available for users with the following roles: Administrator and Project Administrator.

Administrators manage users and groups that are given access to the Management Console and projects. The security model is role-based; after you add a user, add the user to one or more groups associated with roles on one or more projects.

The section contains two tabs:

  • Users tab to create, edit, and remove users, and to reset user passwords.
  • Groups tab to create, remove, and edit groups.

User and group names in Kofax RPA must follow the rules for logon names for Microsoft Windows. Names must not contain the following characters:

" / \ [ ] : ; | = , + * ? < >

Customize your view

Customize the way the information for each tab is presented.

  • Filter the lists in the table by applying filters in the Filter text field. See Filtering.
  • Select the table columns to be displayed using the menu icon.
  • Refresh the displayed information by clicking the refresh icon.
  • Reset the custom column settings by clicking the reset icon.
  • Select the number of items to display per page and navigate among pages by using the navigation menu.

Users

By default, the following table columns are displayed for each user.

  • User name: Name of the user.

  • User origin: Origin of the user, depending on the creation method.

      • unknown: The user is created after restoring a backup.

        If you do not use any of the external identity providers, such as SAML, LDAP, or SiteMinder, you can change unknown origin to internal by clicking Set internal origin for the selected user.

      • internal: The user is created manually on the Users & groups page.

      • saml: The user is created after logging in via SAML.

      • site minder: The user is created after logging in via SiteMinder.

      • ldap#{ldapDirectoryIdentifier}: The user is created after logging in via LDAP.

    For more information about external identity providers and user authentication, see Tomcat Management Console > Advanced Configuration in the Kofax RPA Administrator's Guide.

    If you use external identity providers such as SAML, LDAP, or SiteMinder, you cannot change some fields for a selected user.

  • Full name: Full name of the user.

  • Email: Email address of the user.

  • Login count: Number of sessions by this user.

  • Last login: Date and time when the user last logged in.

  • Last IP address: Last IP address that the user logged in from.

  • Groups: Groups that the user belongs to.

Create a new user

Create groups before adding users to the group. A user cannot log in until the user is added to a group that is granted a Viewer role inside at least one project.

  1. On the Users tab, click the plus sign.

    The "Create new user" dialog box appears.

  2. Specify a user name, password, full name, and email for the user.

  3. Select a group or multiple groups that the user belongs to.

  4. Click OK.

    The user appears in the table.

Edit a user from the context menu.

Reset a user password

  1. On the Users tab, select the user and click .

    The "Reset password for" dialog box appears.

  2. Type the new password, type it again to confirm, then click OK.

    You may select to send an email so the user receives a notification about the password change. The "From address" needs to be pre-configured to send notifications.

Groups

By default, the following information is displayed for each group.

  • Group name: Name of the group.

  • Description: Description of the group.

  • Number of users: Number of users contained in the group.

  • Used in projects: Projects using this group.

Create a new group

  1. On the Groups tab, click the plus sign.

    The "Create new group" dialog box appears.

  2. Specify a group name and description.

  3. Select the users to be included in this group.

  4. Click OK.

    The group appears in the table.

Edit a group from the context menu.

Built-in roles

Management Console provides built-in roles that users can have. Roles are mapped to a user or a service. User permissions are calculated based on the roles that are mapped to security groups that a user is a member of. You can modify built-in roles or add additional roles.

A user cannot assign roles with permissions that the user does not have. For example, a Project Administrator cannot assign Kapplet Administrator, Kapplet User, and Process Discovery Client roles.

Service roles are meant only for use in API applications and should not be used for interactive login to the Management Console in the browser.

  • Project Administrator: Administrates one or multiple projects and has a right to assign a role to a group for these projects. This user has rights to view RoboServer and cluster settings without changing them. Project Administrator is not a member of the RPA Administrators group (for more information, see later in this section).

  • Developer: Has a right to upload, download, and view all resource types in the repository. This role gives rights to create, edit, and delete schedules, run robots, and view run logs and clusters.

  • Viewer: Can view Schedules, Repository, Data view, Log view, and some Settings. This role gives restricted access under the Admin section and does not give rights to change or run robots.

  • API (A service role): Gives rights to use the repository API to read from and write to the repository. This role does not permit running robots using REST, but it allows running robots using RQL.

  • Service Authentication API (A service role): Uses the repository API to read from and write to the repository. A user logs in using an OAuth authentication method.

  • RoboServer (A service role): Can only read from the repository. This role is used by RoboServers when accessing a cluster, retrieving repository items, and requesting passwords from the password store.

  • Kapplet Administrator: Grants read/write access to projects in Management Console from Kapplets. In Kapplets, users with this role can manage Kapplets and create and manage Kapplet templates for the projects that contain the robots required for these templates.

    A user with this role cannot access Management Console if this user has no other rights.

    For more information, see Kapplets user management and Users and User Groups.

  • Kapplet User: Grants read-only access to projects in Management Console from Kapplets. In Kapplets, users with this role can only view and run Kapplets for robots belonging to the projects for which they have access.

    A user with this role cannot access Management Console if this user has no other rights.

    For more information, see Kapplets user management and Users and User Groups.

  • Kapplets Service User (A service role): Can only read from the repository. This role is used only to retrieve information about available robots, types, snippets, and resources for the given project and thus is used only for communication purposes between Kapplets and Management Console. This role is automatically applied to all Management Console projects.

  • Password Store Client (A service role): This add-on role gives permission to access the password store in Management Console. The role is provided on top of other roles, just like the Developer role.

  • DAS Client User (A service role): A user with this role is created for remote Desktop Automation Service (DAS) clients, and can only access the DAS API. The DAS client user has a right to announce a DAS to Management Console and retrieve DAS configurations.

  • VCS Service User (A service role): Gives a special set of rights for the Synchronizer. This role grants a right to add, modify, and delete resources. This is the only role that can deploy on behalf of another user to use the "deployer" feature in the VCS.

  • Process Discovery Client (A service role): This role allows Process Discovery components to interact with Management Console.

  • KTA Client (A service role): This role allows KTA components to interact with Management Console.

Built-in admin user

The admin is a superuser who has access to everything. The admin is not a member of the RPA Administrators group and cannot be a member of any group. The default admin user password is available to this user. This user can change the admin user name and password.

In an LDAP integration setup, the admin group is defined as part of the LDAP configuration. The admin can log in and define which LDAP groups should be mapped to the Developer, Project Administrator, RoboServer, and other roles.

In an internal user setup, the admin user is created at first start and can log in and create Administrators, Developers, and other users.

In addition to being the initial user, the admin has special rights:

  • In the RoboServers section, the admin can click a RoboServer node and request a stack trace from the corresponding RoboServer.

  • Only the admin can create and import backups.

  • In the password store, the admin can move passwords to another project.

Reset the admin password

The default admin name and password are as follows:

  • User name: admin

  • Password: admin

To change the admin name and password, do the following.

  1. On the Users tab, select the user and click .

    The "Reset password for " dialog box appears.

  2. Type the new password, type it again to confirm, then click OK.

    You can select to send an email so that the user receives notification about the password change. The "From address" needs to be pre-configured to send notifications.

Built-in group

Users belonging to the RPA Administrators group have all rights for all projects, excluding special admin user rights. RPA Administrator users create new administrators and users for any project. To make a user an administrator, add the user to this group.

  • The RPA Administrators group is visible when the internal user management is enabled, and it is empty by default.

  • When restoring a backup created in Kofax RPA versions prior to 10.7, users with the Administrator role become members of the RPA Administrators group.

User management principles

Management Console runs either embedded in a RoboServer (with any license) or on a standalone Tomcat server (requires enterprise license). For information about Management Console on Tomcat, see "Tomcat Management Console" in the Kofax RPA Administrator's Guide.

When Management Console runs in embedded mode, user management is turned on by default, providing security to prevent unauthorized access to a Management Console from other computers.

Depending on your license and the way you run Management Console, manage user access as follows:

  • Internal user management: Available in both Embedded and Standalone mode.

  • External user management (LDAP, SAML, or CA Single Sign-On): Available only in Standalone mode with enterprise license.

When you run the enterprise version on a Tomcat server, Management Console is always in the multi-user mode. You can choose to manage users either in Management Console (as in embedded mode) or get user credentials from your corporate LDAP server. The authentication method is displayed in the "User origin" column.

Check for login attempts

By default, the check for the number of login attempts made by a user and the wait time before the next attempt are disabled.

  1. To enable this functionality, edit the code in the authentication.xml file.

    This file is located in: <Tomcat installation folder>\WebApps\Management Console\WEB-INF\spring. The following is a code sample.

    
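       <bean id="loginAttemptService"
             class="com.kapowtech.scheduler.server.spring.security.LoginAttemptService" lazy-init="true">
           <!-- First value: set to true to enable the login attempt check -->
           <constructor-arg type="boolean" value="false"/>
           <!-- Second value: number of login attempts -->
           <constructor-arg type="int" value="3"/>
           <!-- Third value: wait time in minutes before the next attempt -->
           <constructor-arg type="int" value="10"/>
       </bean>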

  2. Specify the first value as true.

  3. Specify the second and third values to your preferences.

    The second and third values are for the number of login attempts (3 in the example) and the wait time in minutes before the next attempt (10 in the example), respectively.
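
To confirm that a deployed authentication.xml actually has the check enabled, the following added example (not part of the Kofax documentation or product) reads the three values of the loginAttemptService bean shown above and reports findings. The `<beans>` wrapper with its namespace in the sample, the function names, and the two policy thresholds are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the bean above; the <beans> wrapper and its
# namespace are assumptions about the rest of the file.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="loginAttemptService"
        class="com.kapowtech.scheduler.server.spring.security.LoginAttemptService" lazy-init="true">
    <constructor-arg type="boolean" value="false"/>
    <constructor-arg type="int" value="3"/>
    <constructor-arg type="int" value="10"/>
  </bean>
</beans>"""


def local(tag):
    """Strip an XML namespace so the lookup works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def read_login_attempt_settings(xml_text):
    """Return (enabled, max_attempts, wait_minutes) from the loginAttemptService bean."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) == "bean" and el.get("id") == "loginAttemptService":
            args = [c.get("value", "") for c in el if local(c.tag) == "constructor-arg"]
            if len(args) != 3:
                raise ValueError("expected 3 constructor-arg values, found %d" % len(args))
            return args[0].strip().lower() == "true", int(args[1]), int(args[2])
    raise LookupError("loginAttemptService bean not found")


def audit(xml_text, max_attempts_limit=5, min_wait_minutes=5):
    """List findings; both thresholds are example policy values, not vendor guidance."""
    enabled, attempts, wait = read_login_attempt_settings(xml_text)
    findings = []
    if not enabled:
        findings.append("login attempt check is disabled (first value is false)")
    if attempts > max_attempts_limit:
        findings.append("allows %d attempts, policy limit is %d" % (attempts, max_attempts_limit))
    if wait < min_wait_minutes:
        findings.append("wait time %d min is below policy minimum %d" % (wait, min_wait_minutes))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["ok"]:
        print(finding)
```

Run it against the contents of the real file after each upgrade or redeployment, since a replaced authentication.xml would carry the default (disabled) values again.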