
User management


There are several ways to maintain and manage system user records, which fall into two categories: "Internal user management" and "Integration with a directory service". Each management mode is briefly explained below:

 

Internal user management: The records maintained in this way have their credentials managed by the system, including the access password. The security level of this password can be configured within the system by customizing properties such as minimum password length, validity, mandatory character types, locking rules, and so on. There are four forms of internal user management:

Internal record: Users can be manually created within the system, where a login and password will be assigned for authentication.

Integration via webservice: Authenticated SOAP web services are available through which other services can add or change users.

Import via database: It is possible to add data directly to the system database in the ADINTERFACE table, where a routine will extract the data to import the users into the system.

Import via XLS file: Similar to importing via database, it is possible to provide a spreadsheet containing user data for the system to read the information and transfer it to the users' records. This import can be done manually or through a scheduled routine.

 

Refer to the Integration guide document for more details on integration via webservice, import via database, and import via XLS file.

 

Integration with a directory service via LDAP protocol: The system also supports synchronization of users with a Microsoft Active Directory or OpenLDAP directory service. In this mode, an external authentication server maintains the users' credentials. The definition of the password and of all user attributes is at the discretion of the directory service administrator, and the system only communicates with this service and synchronizes the data. The system can retrieve user data from the directory service in two ways:

Direct communication: If the system server is running in the same directory service domain, or the service is available for external access, communication for user synchronization can be done directly via the LDAP protocol. Otherwise, the SE Identity alternative should be used.

SE Identity application: This is a feature made available for situations where the system server does not have direct access to the directory service, which is very common for clients hosted on a cloud server. In this case, the application acts as an intermediary between the parties, running directly within the directory service network and transferring user data into the system.

 

The following flowchart can be used to help you understand and choose how best to manage users' records:

 

[Figure sda0000: flowchart for choosing how to manage users' records]

 

ATTENTION!

It is allowed to have users synchronized with a directory service combined with unsynchronized users, but users can only use the internal authentication mode to log in to the system.

The synchronization modes via direct communication with the directory service and via the SE Identity application cannot be used together; only one of the two methods may be used. The next section addresses some considerations on the choice of authentication modes.