User management

The Users > User Management tab in Site Administration enables you to manage ALM users.


Add new users

You can add users to the system. After a user is added, you can view and edit its details.

Permission:

To add a user, you should have the following permissions:

  • On-premises: Site admins

  • SaaS: Site admins or customer admins, or have the User Management > Create User permission.

To add a new user:

  1. Open the Site Administration > Users > Users Management tab.

  2. Click Add User.

  3. In the Add New User dialog box, enter the following information for the user.

    User Name

    Enter a username (maximum length: 60 characters).

    A username cannot include the following characters:

    & ( ) @ \ / [ ] ' : | < > + = ; " , ? * ` %

    Identity Provider Name

    Identity Key

    Available for: Single sign-on (SSO) authentication.

    If SSO is enabled, provide your Identity Provider Name and Identity Key.

    For details, see Set up SSO authentication.

    Send Notification

    Available for: SaaS only.

    Controls whether or not to send the username to the new user after it is created.

    Email

    Required for SaaS only.

    Enter the email address for the new user. It enables the user to receive:

    • The username after its account is created.

    • Projects information after the user is added to projects.

  4. Click Save. The user is added with a blank password.

    After the user is created, an email notification that contains the username will be sent to the user.


Filter users

You can filter users by user attributes such as username, role, and status.

To filter users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Click Filter.

  3. Specify the following user attributes by which users are filtered, and click Filter.

    • User Name. Filters users whose user names are as specified.

      You can filter users by multiple usernames that are separated by semicolons.

    • Full Name. Filters users whose full name is as specified.

    • Email. Filters users whose email address is as specified.

    • Status. To filter active users, select Active. To filter inactive users, select Not Active.

    • Locked. To filter locked users, select Locked. To filter unlocked users, select Unlock.

    • Deactivation Date. Filters users who are deactivated by the specified date.

    • Role. Filters users who are assigned the selected role.

    • Password Policy. Filters users who are assigned the selected password policy.


Define user authentication settings

You can define user authentication settings to allow users to log in to ALM using their LDAP passwords or external authentication, instead of ALM passwords.

To define user authentication settings:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select User Settings > Authentication Settings.

  3. In the Authentication Settings window, select one of the following authentication types.

    Application Lifecycle Management

    Users log in to ALM using their ALM credentials.

    LDAP

    Enables LDAP authentication. Users log in to ALM using their LDAP passwords.

    Note:

    • After LDAP authentication is enabled, authentication will be performed against the LDAP server. Make sure that the site administrator is set up as an LDAP user before switching to LDAP authentication, otherwise the site administrator will not be able to log in after the authentication type is switched.

    • After you enable LDAP authentication, disable the password reset option by defining the PASSWORD_RESET_DISABLE parameter. For details, see Set configuration parameters.

    • Working with LDAP over SSL requires that you perform additional steps. For details, see Enabling LDAP over SSL (LDAPS).

    External authentication

    Enables external authentication.

    Click Advanced Settings to set the following external authentication parameters.

    • Authentication type

      • Email. ALM extracts the user email from the header value and finds the ALM user with the same email address defined in ALM.

      • Name. ALM extracts the username from the header value and finds the ALM user with the same name in the Description field.

      • Email + Name. ALM extracts the user email and username from the header value. ALM first tries to match the email to an ALM user, and if this is unsuccessful, ALM tries to match the username to an ALM user.

    • Pattern. Enter the format for extracting information from the header. Below are the default patterns that ALM uses to search for the email and name. You can write your own pattern.

      To match by email: *[eE][^=]*=([^,]*@[^,]*).*

      To match by the Description field: *?[cC][nN] *= *([^/,]*).*

  4. Click OK.
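
The three authentication types and the two default patterns can be tried against sample header values before a pattern is put into use. The following is an added example, not ALM code: the function names, the user list and the header values are constructed, the patterns are given a leading "." so that they compile as regular expressions, and it is assumed that the whole header value must match and that no user is returned when several users match.

```python
import re

# Default patterns from the page. A leading "." is added so they compile as
# regular expressions (assumption: the page prints them starting with "*").
EMAIL_PATTERN = r".*[eE][^=]*=([^,]*@[^,]*).*"
NAME_PATTERN = r".*?[cC][nN] *= *([^/,]*).*"

# Constructed sample users: (ALM username, email, Description field).
USERS = [
    ("jsmith", "john.smith@example.com", "John Smith"),
    ("mlee", "m.lee@example.com", "Mina Lee"),
]


def extract(pattern, header):
    """Return the first capture group if the whole header matches, else None."""
    match = re.fullmatch(pattern, header)
    if match is None:
        return None
    value = match.group(1).strip()
    return value or None


def _unique(candidates):
    # Assumption: when zero or several users match, no user is returned.
    return candidates[0] if len(candidates) == 1 else None


def find_user(header, auth_type):
    """Map a header value to an ALM username for 'email', 'name' or 'email+name'."""
    email = extract(EMAIL_PATTERN, header)
    name = extract(NAME_PATTERN, header)
    by_email = _unique([u for u, e, _ in USERS if email is not None and e == email])
    by_name = _unique([u for u, _, d in USERS if name is not None and d == name])
    if auth_type == "email":
        return by_email
    if auth_type == "name":
        return by_name
    if auth_type == "email+name":
        # Email is tried first; the name is used only if the email finds no user.
        return by_email if by_email is not None else by_name
    raise ValueError(f"unknown authentication type: {auth_type}")


# Constructed header values in two common subject-DN layouts.
SAMPLES = [
    "CN=John Smith, OU=QA, E=john.smith@example.com",
    "/C=US/O=Example/CN=Mina Lee/emailAddress=m.lee@example.com",
    "CN=Mina Lee, OU=QA",                      # no email in the header
    "CN=Mina Lee, E=john.smith@example.com",   # email and name point at different users
    "CN=Alice Reed, UID=areed@corp.example",   # "@" value outside an email attribute
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        print("  email :", extract(EMAIL_PATTERN, header))
        print("  name  :", extract(NAME_PATTERN, header))
        for mode in ("email", "name", "email+name"):
            print(f"  {mode:<10} ->", find_user(header, mode))
```

The last sample shows that the default email pattern is not tied to a particular attribute name, so it is worth checking a pattern against the header value your front end actually sends.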


Define multi LDAP settings

To import users from an LDAP directory, first add the LDAP directory and define the LDAP import settings.

Permission:

To add LDAP servers, you should be:

  • On-premises: Site admin

  • SaaS: Site admin or customer admin

To define LDAP settings for importing LDAP users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select User Settings > Multi LDAP Settings.

  3. Click the add button. In the Server Title field, enter the LDAP server name. In the Directory Provider URL field, enter the LDAP server URL. Click OK.

  4. In the LDAP Authentication Type field, select Anonymous or Simple.

    Anonymous

    Enables you to import users from the LDAP server using an anonymous account.

    Simple

    Enables you to import users from the LDAP server using an authorized (search-entitled) user account and password.

    If you select Simple, the following options are enabled:

    • Authentication Principal. Enter the username of the authorized user.

    • Authentication Credentials. Enter the password of the authorized user.

    Important: The user specified here is used not only for importing users from the LDAP server, but also for connecting LDAP and ALM. If you change the user credentials, make sure you also update the authentication information in this option.

  5. If you are using lightweight single sign-on, select the Use LWSSO checkbox and enter the LDAP attribute name to be used as the lightweight single sign-on login name.

  6. Click Test Connection to test the LDAP server URL.

  7. In the Data Retrieving Settings section, define the following.

    Directory Base

    Enter the distinguished name of a node in the LDAP hierarchy that is used as a root for all data retrieving operations.

    If this field is left empty, searching for a user in the LDAP tree takes longer.

    Base Filter

    Enter the string that specifies some common criteria for records retrieved from the LDAP server.

    Result Record Limit

    Specify the maximum number of records displayed in the Import LDAP Users dialog box. The default value is 100.

    Note: A value less than the recommended minimum value of 100 can slow LDAP imports and searches. A value greater than the recommended maximum value of 10000 can cause the server to run out of memory.

    Timeout

    Specify the maximum time in seconds to wait for the response from the LDAP server.

  8. In the Field Mapping Settings section, define the corresponding LDAP field names.

  9. To set the default values for the Active Directory, select the Use default values for checkbox and select Active Directory.

    To set the default values for LDAP, select the Use default values for checkbox and select LDAP.

  10. Click Save.

    As each LDAP directory is created, it is added to the LDAP server panel. You can hover over an LDAP directory and click the delete button to delete it.

    When a user logs in, ALM searches the LDAP directories in the order they are listed in the LDAP server panel until a match is found.


Import users from CSV files

You can import users from a CSV file.

Note:  

  • ALM does not support importing LDAP users from a CSV file. For details about importing LDAP users, see Import users from LDAP.

  • For on-premises: You cannot update users imported from CSV files.

  • For SaaS: You can update imported users only when the User Update Allowed option is enabled during importing users. See User Update Allowed.

Permission:

To import users from CSV files, you should have the following permissions:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Create User permission.

To import users:

  1. Open the Site Administration > Users > Users Management tab.

  2. (Optional) Download the user import template.

    Click More > Import > Download User Import Template.

    You can also use your custom CSV file to save the information of the users you want to import.

  3. Click More > Import > Import Users from CSV File to open the Add User from CSV window.

  4. In the Choose CSV File section, click Browse, select the CSV file you want to upload, click Open, and click Upload.

  5. In the Map to Users Fields section, map the user attributes in Site Administration to the user attributes in the CSV file you uploaded.

    Only the mapped user fields are imported.

    ALM User Attributes

    Description

    User Name

    Required.

    Click the drop-down arrow to select the column to which the User Name attribute is mapped.

    Full Name

    Click the drop-down arrow to select the column to which the Full Name attribute is mapped.

    Identity Provider Name

    Identity Key

    Available for: Single sign-on (SSO) authentication.

    Click the drop-down arrow to select the columns to which the Identity Provider Name and Identity Key are mapped.

    For details, see Set up SSO authentication.

    Email

    Required for SaaS only.

    Click the drop-down arrow to select the column to which the Email attribute is mapped.

    Phone

    Click the drop-down arrow to select the column to which the Phone attribute is mapped.

    Description

    Click the drop-down arrow to select the column to which the Description attribute is mapped.

    Request ID

    Send Notifications

    Available for: SaaS only.

    Whether to send notifications to the imported users when they are added or updated in Site Administration.

    Each imported user receives two email messages, one with a notification and a user name, and a second one with a password.

    User Update Allowed

    Available for: SaaS only.

    Whether it is allowed to update imported users in Site Administration.

  6. Click Add Users.

    The Operation Complete window opens, listing which users are imported, which are not, and why. You can click Export to CSV to export the result.


Import users from LDAP

You can import users from an LDAP directory.

Permission:

To import users from LDAP, you should have the following permissions:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Create User permission.

Before you import users from LDAP

Understand the following before you import users from an LDAP directory.

Add the LDAP directory and define the import settings

See Define multi LDAP settings.

LDAP over SSL

If you want to work with LDAP over SSL, perform additional steps.

For details, see Enabling LDAP over SSL (LDAPS).

LDAP_TIMEOUT

The LDAP_TIMEOUT parameter enables you to define a connection timeout between ALM and an LDAP server. The default value is 10 minutes.

For details, see Set configuration parameters.

To import users from LDAP:

  1. Open the Site Administration > Users > Users Management tab.

  2. Click More > Import > Import LDAP Users.

  3. In the Import LDAP Users window, specify the following, and click Apply.

    Server

    Select the LDAP server from which you want to import users.

    Filter Mode

    Select Basic Filter or Advanced Filter.

    Directory Base

    The LDAP directory base is filtered according to the filter set in Directory Base.

    Filter By Keyword

    Enabled when you select Basic Filter.

    Enter a keyword to search users by. ALM searches for the keyword in the following fields: User Name, Full Name, Group, Description, Email, and Phone.

    Tip: To broaden your search, enter partial values. For example, enter Mi to search for Michael and Mikhael.

    Filter

    Enabled when you select Advanced Filter.

    Enter a string to filter users by ObjectClass or user group.

    For example, to filter users by the user ObjectClass, enter objectClass=user; to filter users by user group, enter memberof=CN=group,CN=Users,DC=ldap,DC=com.

  4. Select the users to import and click Import.

    To view the LDAP details of a user, click the user link.

    If the users are imported successfully, a summary dialog box opens. If the same usernames exist in the users list, the Handle Conflict dialog box opens. For details, see Handle import conflict.

Handle import conflict

When importing users from an LDAP directory, you may encounter the following conflicts. To resume the importing process, you can choose to skip the user, rename the user, or update the user information, and click Continue.

Conflict: Same User

A user with the same LDAP distinguished name already exists in ALM.

Select one of the following options to continue.

  • Update. Updates the existing user information.

  • Skip. Does not import the selected user (default option).

Conflict: Same User Name

A user with the same username already exists in ALM.

Select one of the following options to continue.

  • Rename. Assigns a new name to the selected user.

  • Auto Rename. Assigns a new name to the selected user by adding a suffix. Provide a custom name if you want to use the auto-assigned name.

  • Update. Updates the existing user information.

  • Skip. Does not import the selected user (default option).


Update user details

After you add a user, you can update user details. For example, you may need to update a user's full name or contact details. You can also define a user as a site administrator.

Permission:

To update, you should have the following permissions:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Update User Details permission.

To update the details of a user:

  1. Open the Site Administration > Users > Users Management tab.

  2. Click the user from the users list.

  3. In the User Details tab, you can update the following information.

    General information

    Update User Name, Full Name, Email, Phone, and Description.

    Status

    • Active. Activates the user.

    • Not Active. Deactivates the user.

    You can also deactivate or activate a user by using the Deactivate or Activate button. See Deactivate and activate users.

    Deactivation Date

    Sets a future deactivation date for the user.

    You can also use the Set Deactivation Date button. See Deactivate and activate users.

    Password Policy

    Select a password policy for the user.

    You can also use the Set Policy button. See Assign policies to users.

    Role

    Select a role for the user.

    You can also use the Set Role button. See Assign roles to users.

    For SaaS: Only site admins and users with the system-defined role Customer Admin can set roles to users.

    Identity Provider Name

    Identity Key

    Available when SSO authentication is enabled. For details, see Set up SSO authentication.

    If you want to map the user with an IdP user, update the Identity Provider Name and Identity Key fields with the corresponding information of the IdP user.

    LDAP Authentication Server

    Domain Authentication

    Available when the user was imported from an LDAP directory.

    LDAP Authentication Server displays the LDAP server and Domain Authentication displays the LDAP authentication properties of the imported user.

  4. In the User Projects tab, assign projects to or remove projects from the user.

    For details, see Assign multiple projects to a single user.

  5. Click Save to save your changes.


Reset passwords for site users

Available for: on-premises only

You can reset the password for a site user.

Prerequisite:

The Reset Password feature is enabled when the ENABLE_RESET_PASSWORD_BY_SA parameter is set to Y. For details, see Set configuration parameters.

Use scenarios:

You may want to reset the password for a site user in the following scenarios:

  • You create the site user with a blank password and want to create a password for the user. You can then send the password to the user for update.

  • The site user forgets the password and cannot use the Forgot My Password link in the login page to reset the password, because the user does not have an email address defined in ALM. You can reset the password to override the user's old password, and then send the new password to the user for update.

To reset the password for a user:

  1. Open the Site Administration > Users > Users Management tab.

  2. From the users list, select the target user.

  3. Click Reset Password.

    Note: You can only reset passwords for users that are set to log in to ALM using their ALM passwords. If LDAP passwords are in use, or if users log in to ALM using external authentication, the Reset Password button is unavailable.

  4. In the New Password field, enter a new password. In the Confirm New Password field, reenter the password.

    The new password should follow the password policy assigned to the user.

  5. Click OK.


Export users

You can export the username and full name of all site users to a text file.

Permission:

To export users, you should be site admin.

To export users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Click More > Export.

    The users are exported to a .txt file and saved in your download default path.


Assign projects to users

You can control user access to ALM projects by assigning users to and removing users from projects.

When you add a user to a project, the user is automatically assigned to the project with the Viewer group privileges.

Note: You can also assign a project to a user from the Projects tab. For details, see Add users to a project.

Permission:

To add site users to or remove site users from a project, you should have the following permission:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Update User Membership in Projects permission.

Assign a single project to multiple users

You can assign a single project to multiple users.

  1. Open the Site Administration > Users > Users Management tab.

  2. Select the users you want to assign the same project to, and click Assign Project to Users.

  3. In the Assign Project to Users window, in the Project field, select the project you want to assign to the users.

  4. In the Grant and Remove Roles table, define the roles for each user.

    1. Click the Group drop-down field.

    2. Select the roles you want to assign to the project user.

      If you remove the last role from a user, that user is no longer associated with the project.

  5. Click Next to go to the Summary step.

    The Summary step lists the users that are assigned to the selected project with specified roles.

    The Status column indicates whether you added or removed a role for a user:

    • Add. You added a role to a user.

    • Remove. You removed a role from a user.

  6. Click Finish.

Assign multiple projects to a single user

You can assign multiple projects to a user and remove projects from a user in the user details page.

To assign projects to a user:

  1. From the users list, click the user to whom you want to assign projects.

  2. Click the User Projects tab. It lists the projects that are already assigned to the user.

  3. To assign more projects to the user, click Add Projects.

  4. In the Add Projects window, from the All Projects list, select the projects you want to assign to the user, and click the right arrow.

  5. Click Add.

    The assigned projects are listed in the User Projects tab.

To remove projects from the user:

  1. Click Delete Project for each project.

  2. Click Delete in the Delete Project dialog box.


Deactivate and activate users

You can deactivate or activate an ALM user. A deactivated user cannot log in to any project. The user is not deleted from the Users list, and all user permissions and settings are saved. This can be useful, for example, for contract workers that work intermittently for a set period of time.

Permission:

To activate or deactivate users, you should have the following permission:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Update User Activation Status permission.

To deactivate users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Choose one of the following.

    Deactivate users as of the next attempted login

    To deactivate users as of the next attempted login:

    1. Select one or more users from the users list.

    2. Click the Deactivate button.

    3. Click OK in the confirmation dialog box.

    Deactivate users on a set date in the future

    To deactivate users on a set date in the future:

    1. Select one or more users from the users list.

    2. Click Set Deactivation Date.

    3. In the Select Date field, select a date, and click OK.

To activate users:

  1. Open Site Administration > User Management tab.

  2. Select one or more users from the users list.

  3. Click Activate.

  4. Click OK in the confirmation dialog box.

Note: You can also deactivate or activate a user by updating the user details. See Update user details.

User status indicator

In any user drop-down list field of the ALM client, an icon appears in front of each user to indicate whether the user is active or not. Inactive users have a gray indicator.

Note: If you set the HIDE_USER_ACTIVE_INACTIVE_INDICATOR_ICON parameter to Y, the icon is hidden.


Assign policies to users

By default, all users are assigned the default policy. You can assign a different policy to all site users (for on-premises) or all users of a customer (for SaaS).

Permission:

To assign a policy to users, you should have the following permission:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Set User Authentication Policy permission.

To assign an authentication policy to users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select the users to whom you want to assign an authentication policy, and click Set Policy.

  3. In the Set Policy window, select a policy, and click Next.

  4. Click OK in the confirmation dialog box.

Alternatively, you can assign a policy to a user by updating the user details. See Update user details.


Assign roles to users

A user's role determines the user's permissions.

For SaaS: Only site admins and users with the system-defined role Customer Admin can set roles to users.

Permission:

To assign a role to users, you should have the following permission:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have the User Management > Update User Details permission.

To assign a role to a user:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select the user to whom you want to assign a role, and click Set Role.

  3. In the Set Role window, select a role, and click OK.

  4. Click OK in the confirmation dialog box.

Alternatively, you can assign a role to a user by updating the user details. See Update user details.


Send email to users

You can send a message to selected users or all users of selected projects or domains. This enables you to periodically inform the users of important maintenance activities.

For SaaS: Only site admins and users with the system-defined role Customer Admin can send email to users.

Permission:

To send email to users, you should have the following permission:

  • On-premises: Site admins.

  • SaaS: Site admins or customer admins, or have one of the permissions listed in Site Administration > Role Management > User Management.

To send a message to selected users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select one or more users to whom you want to send a message, and click More > Send Email.

  3. In the Send to Users tab, enter the subject and message you want to send.

  4. Click Send.

To send a message to all users of selected projects or domains:

  1. Open Site Administration > User Management tab.

  2. Click More > Send Email.

  3. In the Send to Projects/Domains tab, in the To field, select the projects or domains you want to send messages to.

  4. Enter the subject and message.

  5. Click Send.


Move users between customers (for SaaS only)

You can move users from one customer to another.

Permission:

To move users to another customer, you should be site admin.

To move users:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select the users you want to move to another customer.

  3. Click More > Move Users.

  4. In the Move Users Between Customers window, select the target customer you want to move the users to, and click OK.

    A warning message opens telling you that all projects where the users have membership will be disassociated.

  5. Click OK to confirm.


Lock out users

As the site administrator, you can determine the number of login attempts a user can make before being deactivated. By default, no limit is set. In addition, you can set a parameter that resets the count of failed logins if a specified amount of time passes after an attempted login.

You can set a time interval after which a deactivated user is reactivated automatically, or you can reactivate locked out users.

To lock out users:

  1. Set the MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT parameter.

    If the user unsuccessfully tries to log in more times than the number you assign, the user is locked out.

  2. You can also set the INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT parameter.

    The default value for this Site Configuration parameter is 60 seconds. If the user waits longer than this amount of time between login attempts, the count of invalid login attempts resets to zero.

To unlock a user:

From the users list, select the user and click Unlock. The user can then attempt to log in again.

To automatically allow users to attempt to log in again, set the INTERVAL_TO_AUTO_RELEASE_LOCKOUT parameter. Once the user waits the amount of time specified in this parameter, the user is activated and can attempt to log in again.

For details about setting parameters, see Set configuration parameters.
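
The three lockout parameters interact, so it helps to replay a sequence of failed logins through the rules as stated above before choosing values. The following is an added example, a model written for this page and not ALM code: the class and function names are hypothetical, the timestamps are constructed, and it assumes that all times are in seconds, that attempts made while locked out are not counted, and that the counter restarts at zero after an unlock.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutModel:
    # MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT (None: no limit, the default)
    max_invalid: Optional[int] = None
    # INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT (default 60 seconds)
    reset_interval: float = 60.0
    # INTERVAL_TO_AUTO_RELEASE_LOCKOUT (None: an administrator must click Unlock)
    auto_release: Optional[float] = None
    failures: int = 0
    last_attempt: Optional[float] = None
    locked_at: Optional[float] = None

    def unlock(self):
        """Manual Unlock, or automatic release once the interval has passed."""
        self.locked_at = None
        self.failures = 0
        self.last_attempt = None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.auto_release is not None and now - self.locked_at >= self.auto_release:
            self.unlock()
        return self.locked_at is not None

    def failed_login(self, now):
        """Record a failed login at time `now`; return True if the user is locked out."""
        if self.is_locked(now):
            return True
        # Waiting longer than the interval between attempts resets the count.
        if self.last_attempt is not None and now - self.last_attempt > self.reset_interval:
            self.failures = 0
        self.failures += 1
        self.last_attempt = now
        # Locked out after more failed attempts than the configured number.
        if self.max_invalid is not None and self.failures > self.max_invalid:
            self.locked_at = now
        return self.locked_at is not None


def replay(timestamps, **params):
    """Replay failed-login times (seconds) and return the locked state after each."""
    model = LockoutModel(**params)
    return [model.failed_login(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed sequences of failed-login times, in seconds.
    print(replay([0, 5, 10, 15], max_invalid=3))            # burst of failures
    print(replay([0, 120, 240, 360], max_invalid=3))        # one retry every two minutes
    print(replay([0, 1, 2, 3, 100, 400], max_invalid=3, auto_release=300))
    print(replay([0, 1, 2, 3, 4, 5]))                       # default: no limit set
```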


Manage orphan users (for SaaS only)

Users that are created in Site Administration, and do not have customers associated with them, are called orphan users. You can make an orphan user a non-orphan by assigning the user to a customer.

Permission:

To manage orphan users, you should be site admin.

To assign a customer to an orphan user:

  1. Open the Site Administration > Users > Users Management tab.

  2. Select the user you want to assign to a customer.

  3. Click More > Orphan Users.

    User interface elements are described below.

    UI Element

    Description

    <customer drop down list>

    Opens a drop down list of all owner customers and end customers. Select a customer.

    Assign Orphans to customer

    Assigns the selected orphan user to the customer.

    If the orphan user has already been associated with a project that belongs to another customer, an error message is displayed asking you to disassociate the orphan user with the customer. If you select this option, the User projects for user (<orphan user name>) dialog box opens, enabling you to remove the orphan from the project.

    You can also assign orphan users that have been assigned to projects to a customer without removing them from the projects. To enable this, contact your SaaS delivery team for help.

    Remove Assignment

    Removes the customer from the user.

    User Projects

    Opens the User Projects dialog box. For details, see Assign multiple projects to a single user.

    Login Name

    The login name of the orphan user.

    Full Name

    The full name of the orphan user.

    Email

    The email of the orphan user.

    Phone Number

    The phone number of the orphan user.

    Domains

    The domains of projects with which the orphan user is currently associated.

    Possible Customers

    The names of the customers who own the projects with which the orphan user is currently associated.

    Assign to Customer

    The name of the customer you are assigning the orphan user to.

  4. Click OK.

