Users
TrendMiner users can either exist locally or via an external Identity Provider. An overview of all users can be found under the "Security" section in ConfigHub.
The user overview displays the username, full name, email address, and identity provider for each user. To find specific users, you can use the search bar. There is also a User Role dropdown filter for narrowing down the list based on roles. It is important to note that you cannot use the search bar and the dropdown filter at the same time.
Creating users
Only local users can be created via ConfigHub. In the case of an external Identity Provider (IdP), the users are synced instead and should be managed via the IdP.
To create users you will need to go to the user-menu under the "security" section. From there users can be added via the "+add user"-button.
You can review a list of user roles to each specific user using the “User role” column in the table.
Note
Usernames need to be unique and cannot be changed afterwards.
User details
From the user overview a user can be clicked to open the user details. In the user details view more options can be performed such as:
Editing user details (local users only)
Change password (local users only)
Change roles (e.g. give users admin rights)
Unlock the user after the user consecutively failed to enter his password correctly.
Delete the user account (local users only).
Password policy
When creating or editing local users, the password needs to adhere to the following rules:
Have a minimum length of 8 characters
Contain at least one uppercase character [A-Z]
Contain at least one lowercase character [a-z]
Contain at least one digit [0-9]
Contain at least one special character [?!@#%$…]
Not have been recently used in the previous three passwords
Not a common password
For users account managed by an external LDAP or SAML identity provider the passwords cannot be changed in TrendMiner.
User roles
3 roles are available:
Application Administrator: can perform application administrator tasks such as deleting tag indexes or configure asset permissions in ContextHub.
System Administrator: has all permissions an application admin has + can access ConfigHub
Shared space user:
User with an extended login timeout of 1 year to ensure their usability in shared spaces for displaying dashboards and other content for prolonged periods of time.
Users with this role have the following fields as optional: “First name”, “Last name” and “Email address”.
For security reasons - assigning “Shared space user” role to a specific user would prevent you of assigning any administration role in combination with it.
A forceful logout of such users can be initiated by clicking on the “Revoke token” in the “User edit” screen (to which you can navigate by clicking on an already created user in the table):
Once that's done a confirmation dialogue would appear, from where you can also select for the user to have to update his password on next login:
The user can remain logged in for a maximum of 5 minutes after the process has been initiated, after which he will be forcefully logged out.
Unlock user account
A user account is automatically locked after 10 login attempts using the wrong password. The user itself will not be able to see the difference between entering a wrong password or the access being denied because of a locked account. In both cases a generic error message is shown on the login page: "Invalid username, password or locked account". This is by design for security reasons.
Only users with the system administrator role can access ConfigHub and look up the user account to check if the account is indeed locked. A locked account can be recognised as follows:
A little lock icon in front and the word "Locked" behind the username
An "Unlock" button in the top right
No option to edit the user details or change the password as long as the account is locked
To unlock a user account simply click the "Unlock" button on the top right.
Delete a user account
In the user details screen there is the option to delete a user account. This option is only available for local users. User accounts managed by an external identity provider cannot be deleted in TrendMiner. Instead these accounts need to be revoked TrendMiner permission on the IDP side, or they can be deleted on the IDP side. Note that revoking access or deleting a user in the external IDP will not delete the TrendMiner user account.
The saved work of a deleted user will not be deleted and will remain available for other colleagues with whom the work was shared before the account deletion. Monitors owned by the user will be disabled.
The deletion of a user account cannot be undone and the username cannot be reused afterwards for the creation of a new user.
Warning
The “admin” username is the principle main admin user of the TrendMiner Platform. This user can't be deleted, and cannot be linked to any IDP provider. This user is kept local, in case recovery to ConfigHub is needed.