User management
This section describes how to manage ALM users in Site Administration.
Add new users
You can add users to the system. After a user is added, you can view and edit its details.
Permission:
To add a user, you should have the following permissions:
- On-premises: Site admins
- SaaS: Site admins or customer admins, or have the User Management > Create User permission.
To add a new user:
- Open the Site Administration > Users > Users Management tab.
- Click Add User.
- In the Add New User dialog box, enter the following information for the user.
User Name | Enter a username (maximum length: 60 characters).
  A username cannot include the following characters:
  & ( ) @ \ / [ ] ' : | < > + = ; " , ? * ` %
Identity Provider Name, Identity Key | Available for: Single sign-on (SSO) authentication.
  If SSO is enabled, provide your Identity Provider Name and Identity Key.
  For details, see Set up SSO authentication.
Send Notification | Available for: SaaS only.
  Controls whether or not to send the username to the new user after it is created.
Email | Required for SaaS only.
  Enter the email address for the new user. It enables the user to receive:
  - The username after its account is created.
  - Projects information after the user is added to projects.
- Click Save. The user is added with a blank password.
After the user is created, an email notification that contains the username will be sent to the user.
Filter users
You can filter users by user attributes such as username, role, and status.
To filter users:
- Open the Site Administration > Users > Users Management tab.
- Click the Filter button.
- Specify the following user attributes by which users are filtered, and click Filter.
Filter Option | Description
User Name | Filters users whose user names are as specified. You can filter users by multiple usernames that are separated by semicolons.
Full Name | Filters users whose full name is as specified.
Email | Filters users whose email address is as specified.
Status | To filter active users, select Active. To filter inactive users, select Not Active.
Locked | To filter locked users, select Locked. To filter unlocked users, select Unlock.
Deactivation Date | Filters users who are deactivated by the specified date.
Role | Filters users who are assigned the selected role.
Password Policy | Filters users who are assigned the selected password policy.
Define user authentication settings
You can define user authentication settings to allow users to log in to ALM using their LDAP passwords or external authentication, instead of ALM passwords.
To define user authentication settings:
- Open the Site Administration > Users > Users Management tab.
- Select User Settings > Authentication Settings.
- In the Authentication Settings window, select one of the following authentication types.
Application Lifecycle Management | Users log in to ALM using their ALM credentials.
LDAP | Enables LDAP authentication. Users log in to ALM using their LDAP passwords.
  Note:
  - After LDAP authentication is enabled, authentication will be performed against the LDAP server. Make sure that the site administrator is set up as an LDAP user before switching to LDAP authentication, otherwise the site administrator will not be able to log in after the authentication type is switched.
  - After you enable LDAP authentication, disable the password reset option by defining the PASSWORD_RESET_DISABLE parameter. For details, see Set configuration parameters.
  - Working with LDAP over SSL requires that you perform additional steps. For details, see Enabling LDAP over SSL (LDAPS).
External authentication | Enables external authentication.
  Click Advanced Settings to set the following external authentication parameters.
  - Authentication type
    - Email. ALM extracts the user email from the header value and finds the ALM user with the same email address defined in ALM.
    - Name. ALM extracts the username from the header value and finds the ALM user with the same name in the Description field.
    - Email + Name. ALM extracts the user email and username from the header value. ALM first tries to match the email to an ALM user, and if this is unsuccessful, ALM tries to match the username to an ALM user.
  - Pattern. Enter the format for extracting information from the header. Below are the default patterns that ALM uses to search for the email and name. You can write your own pattern.
    To match by email: *[eE][^=]*=([^,]*@[^,]*).*
    To match by the Description field: *?[cC][nN] *= *([^/,]*).*
- Click OK.
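The following Python sketch is an added example, not ALM code: it models the Email, Name, and Email + Name lookups described above so that a pattern can be checked against sample header values before it is saved. The user records, header values, function names, the exact string comparison, and the leading `.` in each pattern are assumptions.

```python
import re

# The default patterns as printed on this page begin with a bare "*", which
# Python's re module rejects. ASSUMPTION: the intended forms begin with ".*"
# and ".*?"; paste the exact strings from your Authentication Settings window.
EMAIL_PATTERN = r".*[eE][^=]*=([^,]*@[^,]*).*"
NAME_PATTERN = r".*?[cC][nN] *= *([^/,]*).*"

# Constructed ALM user records (hypothetical). "description" stands in for the
# Description field that the Name authentication type matches against.
USERS = [
    {"username": "jsmith", "email": "john.smith@example.com",
     "description": "John Smith"},
    {"username": "adoe", "email": "", "description": "Alice Doe"},
]

# Constructed header values in the style of a certificate subject.
SAMPLE_HEADERS = [
    "CN=John Smith, E=john.smith@example.com, O=Example",
    "CN=Alice Doe, O=Example",
    "CN=John Smith, E=someone.else@example.org",
]


def extract(pattern, header_value):
    """Return capture group 1 if the whole header value matches, else None."""
    match = re.fullmatch(pattern, header_value)
    return match.group(1) if match else None


def resolve_user(header_value, auth_type, users=USERS):
    """Return (username, matched_by) for a header value, or (None, None).

    auth_type is "Email", "Name" or "Email + Name". Exact string comparison
    is an assumption; the page does not say how ALM normalizes case or spaces.
    """
    if auth_type in ("Email", "Email + Name"):
        email = extract(EMAIL_PATTERN, header_value)
        if email:
            for user in users:
                if user["email"] and user["email"] == email:
                    return user["username"], "email"
    if auth_type in ("Name", "Email + Name"):
        name = extract(NAME_PATTERN, header_value)
        if name:
            for user in users:
                if user["description"] == name:
                    return user["username"], "name"
    return None, None


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for auth_type in ("Email", "Name", "Email + Name"):
            print(auth_type, "|", header, "->", resolve_user(header, auth_type))
```

The third sample header resolves to jsmith under Email + Name although its email matches no ALM user, because the lookup falls back to the Description field; review Description values with the same care as email addresses when that type is selected.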
Define multi LDAP settings
To import users from an LDAP directory, first add the LDAP directory and define the LDAP import settings.
Permission:
To add LDAP servers, you should be:
- On-premises: Site admin
- SaaS: Site admin or customer admin
To define LDAP settings for importing LDAP users:
- Open the Site Administration > Users > Users Management tab.
- Select User Settings > Multi LDAP Settings.
- Click the add button. In the Server Title field, enter the LDAP server name. In the Directory Provider URL field, enter the LDAP server URL. Click OK.
- In the LDAP Authentication Type field, select Anonymous or Simple.
Anonymous | Enables you to import users from the LDAP server using an anonymous account.
Simple | Enables you to import users from the LDAP server using an authorized (search-entitled) user account and password.
  If you select Simple, the following options are enabled:
  - Authentication Principal. Enter the username of the authorized user.
  - Authentication Credentials. Enter the password of the authorized user.
  Important: The user specified here is used not only for importing users from the LDAP server, but also for connecting LDAP and ALM. If you change the user credentials, make sure you also update the authentication information in this option.
- If you are using lightweight single sign-on, select the Use LWSSO checkbox and enter the LDAP attribute name to be used as the lightweight single sign-on login name.
- Click Test Connection to test the LDAP server URL.
- In the Data Retrieving Settings section, define the following.
- In the Field Mapping Settings section, map an LDAP user attribute to each of the ALM user fields: User Name, Full Name, Description, Email, and Phone.
- To set the default values for Active Directory, select the Use default values for checkbox and select Active Directory.
  To set the default values for LDAP, select the Use default values for checkbox and select LDAP.
- Click Save.
As each LDAP directory is created, it is added to the LDAP server pane. You can hover over an LDAP directory and click the delete button to delete it.
When a user logs in, ALM searches the LDAP directories in the order they are listed in the LDAP server pane until a match is found.
Import users from CSV files
You can import users from a CSV file.
Note: ALM does not support importing LDAP users from a CSV file. For details about importing LDAP users, see Import users from LDAP.
Permission:
To import users from CSV files, you should have the following permissions:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Create User permission.
To import users:
- Open the Site Administration > Users > User Management tab.
- (Optional) Download the user import template.
  Click More > Import > Download User Import Template.
  You can also use your custom CSV file to save the information of the users you want to import.
- Click More > Import > Import Users from CSV File to open the Add User from CSV window.
- In the Choose CSV File section, click Browse, select the CSV file you want to upload, click Open, and click Upload.
- In the Map to Users Fields section, map the user attributes in Site Administration to the user attributes in the CSV file you uploaded.
  Only the mapped user attributes are imported.
ALM User Attributes | Description
User Name | Required.
  Click the drop-down arrow to select the column to which the User Name attribute is mapped.
Full Name | Click the drop-down arrow to select the column to which the Full Name attribute is mapped.
Identity Provider Name, Identity Key | Available for: Single sign-on (SSO) authentication. Click the drop-down arrow to select the columns to which the Identity Provider Name and Identity Key are mapped.
  For details, see Set up SSO authentication.
Email | Required for SaaS only.
  Click the drop-down arrow to select the column to which the Email attribute is mapped.
Phone | Click the drop-down arrow to select the column to which the Phone attribute is mapped.
Description | Click the drop-down arrow to select the column to which the Description attribute is mapped.
Send Notifications | Available for: SaaS only.
  Whether to send notifications to the imported users when they are added or updated in Site Administration.
  Each imported user receives two email messages, one with a notification and a user name, and a second one with a password.
User Update Allowed | During the import, ALM checks if any user names to be imported already exist in the system. The User Update Allowed option controls how to deal with these users.
  - If this option is not selected, these users are not imported.
  - If this option is selected, these users' information is updated with the data from the CSV file.
  Before 24.1 P1: Available for SaaS only.
  Starting from 24.1 P1: Available for both on-premises and SaaS.
- Click Add Users.
The Operation Complete window opens, listing which users are imported, which are not, and why. You can click Export to CSV to export the result.
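The following Python pre-check is an added example, not part of ALM: it reviews a user CSV before upload against the rules stated on this page (User Name required, 60-character limit, disallowed characters, Email required for SaaS, and names that already exist and so depend on User Update Allowed). The column names, the sample rows, the case-insensitive name comparison, and the assumption that the Add New User naming rules also apply to imported users are not from the page.

```python
import csv
import io

MAX_USERNAME_LEN = 60
# Characters this page lists as not allowed in a username.
FORBIDDEN = set("&()@\\/[]':|<>+=;\",?*`%")

# Constructed sample file; the column names are assumptions, not the template's.
SAMPLE_CSV = """\
User Name,Full Name,Email
jsmith,John Smith,john.smith@example.com
a.doe@corp,Alice Doe,alice@example.com
,No Name,nobody@example.com
bwayne,Bruce Wayne,
JSmith,John S.,js@example.com
"""


def check_users_csv(text, existing_usernames=(), saas=False,
                    user_col="User Name", email_col="Email"):
    """Return a list of (line_number, username, problem) for a user CSV.

    user_col and email_col name the columns you intend to map to User Name
    and Email in the Map to Users Fields section.
    """
    problems = []
    seen = set()
    # ASSUMPTION: names are compared case-insensitively to flag likely clashes.
    existing = {name.lower() for name in existing_usernames}
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        name = (row.get(user_col) or "").strip()
        if not name:
            problems.append((line, name, "User Name is required"))
            continue
        if len(name) > MAX_USERNAME_LEN:
            problems.append((line, name, "longer than 60 characters"))
        bad = sorted(FORBIDDEN.intersection(name))
        if bad:
            problems.append((line, name, "disallowed characters: " + " ".join(bad)))
        if saas and not (row.get(email_col) or "").strip():
            problems.append((line, name, "Email is required for SaaS"))
        key = name.lower()
        if key in seen:
            problems.append((line, name, "duplicate of an earlier row"))
        elif key in existing:
            problems.append((line, name, "already exists; imported only if "
                                         "User Update Allowed is selected"))
        seen.add(key)
    return problems


if __name__ == "__main__":
    for problem in check_users_csv(SAMPLE_CSV, ["bwayne"], saas=True):
        print(problem)
```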
Import users from LDAP
You can import users from an LDAP directory.
Permission:
To import users from LDAP, you should have the following permissions:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Create User permission.
Before you import users from LDAP
Understand the following before you import users from an LDAP directory.
Add the LDAP directory and define the import settings | See Define multi LDAP settings.
LDAP over SSL | If you want to work with LDAP over SSL, perform additional steps. For details, see Enabling LDAP over SSL (LDAPS).
LDAP_TIMEOUT | The LDAP_TIMEOUT parameter enables you to define a connection timeout between ALM and an LDAP server. The default value is 10 minutes. For details, see Set configuration parameters.
To import users from LDAP:
- Open the Site Administration > Users > Users Management tab.
- Click More > Import > Import LDAP Users.
- In the Import LDAP Users window, specify the following, and click Apply.
UI Element | Description
Server | Select the LDAP server where you want to import users.
Filter Mode | Select Basic Filter or Advanced Filter.
Directory Base | The LDAP directory base is filtered according to the filter set in Directory Base.
Filter By Keyword | Enabled when you select Basic Filter.
  Enter a keyword to search users by. ALM searches for the keyword in the following fields: User Name, Full Name, Group, Description, Email, and Phone.
  Tip: To broaden your search, enter partial values. For example, enter Mi to search for Michael and Mikhael.
Filter | Enabled when you select Advanced Filter.
  Enter a string to filter users by ObjectClass or user group.
  For example, to filter users by the user ObjectClass, enter objectClass=user; to filter users by user group, enter memberof=CN=group,CN=Users,DC=ldap,DC=com.
- Select the users to import and click Import.
  To view the LDAP details of a user, click the user link.
If the users are imported successfully, a summary dialog box opens. If the same usernames exist in the users list, the Handle Conflict dialog box opens. For details, see Handle import conflict.
When importing users from an LDAP directory, you may encounter the following conflicts. To resume the importing process, you can choose to skip the user, rename the user, or update the user information, and click Continue.
Conflict: Same User | A user with the same LDAP distinguished name already exists in ALM. Select one of the following options to continue.
Conflict: Same User Name | A user with the same username already exists in ALM. Select one of the following options to continue.
Update user details
After you add a user, you can update user details. For example, you may need to update a user's full name or contact details. You can also define a user as a site administrator.
Permission:
To update, you should have the following permissions:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Update User Details permission.
To update the details of a user:
- Open the Site Administration > Users > Users Management tab.
- Click the user from the users list.
- In the User Details tab, you can update the following information.
General information | Update User Name, Full Name, Email, Phone, and Description.
Status |
  - Active. Activates the user.
  - Not Active. Deactivates the user.
  You can also deactivate or activate a user by using the Deactivate or Activate button. See Deactivate and activate users.
Deactivation Date | Sets a future deactivation date for the user.
  You can also use the Set Deactivation Date button. See Deactivate and activate users.
Password Policy | Select a password policy for the user.
  You can also use the Set Policy button. See Assign policies to users.
Role | Select a role for the user.
  You can also use the Set Role button. See Assign roles to users.
  For SaaS: Only site admins and users with the system-defined role Customer Admin can set roles to users.
Identity Provider Name, Identity Key | Available when SSO authentication is enabled. For details, see Set up SSO authentication.
  If you want to map the user with an IdP user, update the Identity Provider Name and Identity Key fields with the corresponding information of the IdP user.
LDAP Authentication Server, Domain Authentication | Available when the user was imported from an LDAP directory.
  LDAP Authentication Server displays the LDAP server and Domain Authentication displays the LDAP authentication properties of the imported user.
- In the User Projects tab, assign projects to or remove projects from the user.
  For details, see Assign multiple projects to a single user.
- Click Save to save your changes.
Reset passwords for site users
Available for: on-premises only
You can reset the password for a site user.
Prerequisite:
The Reset Password feature is enabled when the ENABLE_RESET_PASSWORD_BY_SA parameter is set to Y. For details, see Set configuration parameters.
Use scenarios:
You may want to reset the password for a site user in the following scenarios:
- You create the site user with a blank password and want to create a password for the user. You can then send the password to the user for update.
- The site user forgets the password and cannot use the Forgot My Password link in the login page to reset the password, because the user does not have an email address defined in ALM. You can reset the password to override the user's old password, and then send the new password to the user for update.
To reset the password for a user:
- Open the Site Administration > Users > Users Management tab.
- From the users list, select the target user.
- Click Reset Password.
  Note: You can only reset passwords for users that are set to log in to ALM using their ALM passwords. If LDAP passwords are in use, or if users log in to ALM using external authentication, the Reset Password button is unavailable.
- In the New Password field, enter a new password. In the Confirm New Password field, reenter the password.
  The new password should follow the password policy assigned to the user.
- Click OK.
Export users
You can export the username and full name of all site users to a text file.
Permission:
To export users, you should be a site admin.
To export users:
- Open the Site Administration > Users > Users Management tab.
- Click More > Export.
The users are exported to a .txt file and saved in your default download path.
Assign projects to users
You can control user access to ALM projects by assigning users to and removing users from projects.
When you add a user to a project, the user is automatically assigned to the project with the Viewer group privileges.
Note: You can also assign a project to a user from the Projects tab. For details, see Add users to a project.
Permission:
To add site users to or remove site users from a project, you should have the following permission:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Update User Membership in Projects permission.
Assign a single project to multiple users
You can assign a single project to multiple users.
- Open the Site Administration > Users > Users Management tab.
- Select the users you want to assign the same project to, and click Assign Project to Users.
- In the Assign Project to Users window, in the Project field, select the project you want to assign to the users.
- In the Grant and Remove Roles table, define the roles for each user.
  - Click the Group drop-down field.
  - Select the roles you want to assign to the project user.
    If you remove the last role from a user, that user is no longer associated with the project.
- Click Next to go to the Summary step.
  The Summary step lists the users that are assigned to the selected project with specified roles.
  The Status column indicates whether you added or removed a role for a user:
  - Add. You added a role to a user.
  - Remove. You removed a role from a user.
- Click Finish.
Assign multiple projects to a single user
You can assign multiple projects to a user and remove projects from a user in the user details page.
To assign projects to a user:
- From the users list, click the user to whom you want to assign projects.
- Click the User Projects tab. It lists the projects that are already assigned to the user.
- To assign more projects to the user, click Add Projects.
- In the Add Projects window, from the All Projects list, select the projects you want to assign to the user, and click the right arrow.
- Click Add.
  The assigned projects are listed in the User Projects tab.
To remove projects from the user:
- Click Delete Project for each project.
- Click Delete in the Delete Project dialog box.
Deactivate and activate users
You can deactivate or activate an ALM user. A deactivated user cannot log in to any project. The user is not deleted from the Users list, and all user permissions and settings are saved. This can be useful, for example, for contract workers that work intermittently for a set period of time.
Permission:
To activate or deactivate users, you should have the following permission:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Update User Activation Status permission.
To deactivate users:
- Open the Site Administration > Users > Users Management tab.
- Choose one of the following.
Deactivate users as of the next attempted login | To deactivate users as of the next attempted login:
  - Select one or more users from the users list.
  - Click the Deactivate button.
  - Click OK in the confirmation dialog box.
Deactivate users on a set date in the future | To deactivate users on a set date in the future:
  - Select one or more users from the users list.
  - Click Set Deactivation Date.
  - In the Select Date field, select a date, and click OK.
To activate users:
- Open Site Administration > User Management tab.
- Select one or more users from the users list.
- Click Activate.
- Click OK in the confirmation dialog box.
Note: You can also deactivate or activate a user by updating the user details. See Update user details.
In any user drop-down list field of the ALM client, an icon is displayed next to each user to indicate whether the user is active or not. Inactive users have a gray indicator.
Note: If you set the HIDE_USER_ACTIVE_INACTIVE_INDICATOR_ICON parameter to Y, the icon is hidden.
Assign policies to users
By default, all users are assigned the default policy. You can assign a different policy to all site users (for on-premises) or all users of a customer (for SaaS).
Permission:
To assign a policy to users, you should have the following permission:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Set User Authentication Policy permission.
To assign an authentication policy to users:
- Open the Site Administration > Users > Users Management tab.
- Select the users to whom you want to assign an authentication policy, and click Set Policy.
- In the Set Policy window, select a policy, and click Next.
- Click OK in the confirmation dialog box.
Alternatively, you can assign a policy to a user by updating the user details. See Update user details.
Assign roles to users
A user's role determines the user's permissions.
For SaaS: Only site admins and users with the system-defined role Customer Admin can set roles to users.
Permission:
To assign a policy to users, you should have the following permission:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have the User Management > Update User Details permission.
To assign a role to a user:
- Open the Site Administration > Users > Users Management tab.
- Select the user to whom you want to assign a role, and click Set Role.
- In the Set Role window, select a role, and click OK.
- Click OK in the confirmation dialog box.
Alternatively, you can assign a role to a user by updating the user details. See Update user details.
Send email to users
You can send a message to selected users or all users of selected projects or domains. This enables you to periodically inform the users of important maintenance activities.
For SaaS: Only site admins and users with the system-defined role Customer Admin can send email to users.
Permission:
To send email to users, you should have the following permission:
- On-premises: Site admins.
- SaaS: Site admins or customer admins, or have one of the permissions listed in Site Administration > Role Management > User Management.
To send a message to selected users:
- Open the Site Administration > Users > Users Management tab.
- Select one or more users to whom you want to send a message, and click More > Send Email.
- In the Send to Users tab, enter the subject and message you want to send.
- Click Send.
To send a message to all users of selected projects or domains:
- Open Site Administration > User Management tab.
- Click More > Send Email.
- In the Send to Projects/Domains tab, in the To field, select the projects or domains you want to send messages to.
- Enter the subject and message.
- Click Send.
Move users between customers
Available for: SaaS only.
You can move users from one customer to another.
Permission:
To move users to another customer, you should be a site admin.
To move users:
- Open the Site Administration > Users > Users Management tab.
- Select the users you want to move to another customer.
- Click More > Move Users.
- In the Move Users Between Customers window, select the target customer you want to move the users to, and click OK.
  A warning message opens telling you that all projects where the users have membership will be disassociated.
- Click OK to confirm.
Lock and unlock users
You can have users locked automatically after a specific number of unsuccessful login attempts. You can also have users unlocked automatically after a time interval or manually unlock users.
Automatic locking
By default, a user is never locked regardless of the number of unsuccessful login attempts. You can use the MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT parameter to determine the number of login attempts a user can make before being locked.
For details about this parameter, see ALM Site Parameters.
Note: After you import or restore a project, the project's users become locked.
Automatic unlocking
Using the INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT parameter, you can set a time interval after which a deactivated user is reactivated automatically. When the user waits longer than the amount of time specified in this parameter, the user is unlocked and can attempt to log in again.
The default value for this parameter is 60 seconds.
For details about this parameter, see ALM Site Parameters.
Note: The INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT parameter does not impact users from an imported or restored project. You can only unlock these users manually.
You can also unlock a user manually so that locked users do not have to wait the amount of time specified by the INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT parameter.
To manually unlock a user:
From the users list, select the user and click Unlock, and the user can attempt to log in again.
Manage orphan users
Available for: SaaS only.
Users that are created in Site Administration, and do not have customers associated with them, are called orphan users. You can make an orphan user a non-orphan by assigning the user to a customer.
Permission:
To manage orphan users, you should be a site admin.
To assign a customer to an orphan user:
- Open the Site Administration > Users > Users Management tab.
- Select the user you want to assign to a customer.
- Click More > Orphan Users.
  User interface elements are described below.
UI Element | Description
<customer drop down list> | Opens a drop down list of all owner customers and end customers. Select a customer.
Assign Orphans to customer | Assigns the selected orphan user to the customer.
  If the orphan user has already been associated with a project that belongs to another customer, an error message is displayed asking you to disassociate the orphan user with the customer. If you select this option, the User projects for user (<orphan user name>) dialog box opens, enabling you to remove the orphan from the project.
  You can also assign orphan users that have been assigned to projects to a customer without removing them from the projects. To enable this, contact your SaaS delivery team for help.
Remove Assignment | Removes the customer from the user.
User Projects | Opens the User Projects dialog box. For details, see Assign multiple projects to a single user.
Login Name | The login name of the orphan user.
Full Name | The full name of the orphan user.
Email | The email of the orphan user.
Phone Number | The phone number of the orphan user.
Domains | The domains of projects with which the orphan user is currently associated.
Possible Customers | The names of the customers who own the projects with which the orphan user is currently associated.
Assign to Customer | The name of the customer you are assigning the orphan user to.
- Click OK.