Users and Groups

Vinyl's security model includes the familiar concepts of users and groups. Users provide the basis for authentication; security groups, authorization. Users are site-level: they do not belong to a specific application. Groups can be configured at the global environment level and also at the individual application level using Application Groups. Application Groups ship automatically along with an application as part of an LP, and are therefore carried to upstream environments. Groups, by contrast, are defined per Vinyl environment and do not ship along with applications.

Though Vinyl ships with several default users and groups, they are generally defined by the site administrator. Therefore, upgrades will leave users and groups intact.

Users

There are fundamentally two ways in which a user can authenticate:

  1. Internal. The user supplies a user name and password. Vinyl validates the credentials against a local credential store.
  2. External. Vinyl delegates authentication to a third party such as a single sign-on provider.

In Vinyl, privileges are not directly assigned to users. Instead, group membership determines the user's privileges. See Groups for more information.

Users have the following attributes:

  • User Name - Login user name. User names must be unique within the system.
  • Full Name - User's full name.
  • Display Name - User's preferred name.
  • Email Address - User's email address. This may be used for sending workflow.
  • Allow Local Authentication - Indicates whether the user may log in using a password associated with the user account. This option is typically disabled for accounts associated with an external authentication provider.
  • Culture - Determines the culture used for formatting dates and numbers.
  • Last Login - The date and time that the user last logged in. Read-only.

In addition, it's possible to set the user's password. Note that this is only necessary if using the local credential store.

Default Users

As noted above, Vinyl ships with several default users, including:

| User Name | Description |
| --- | --- |
| admin | System Administrator. The system administrator has access to all applications shipped with Vinyl. In addition, the administrator user will be granted privileges to any newly created data sources or applications by virtue of its membership in the Administrators security group. See below for more information. |
| anonymous | Anonymous Users. The anonymous user account is the principal assigned to any unauthenticated request. The anonymous user is not a member of any security groups by default and therefore does not have access to any applications shipped with Vinyl. See Anonymous Access for more information. |
| service | Local Service User. The service account is the default user account used to execute scheduled events. |

Note

The built-in user accounts cannot be deleted or modified. Any changes to the built-in users will be reverted during a Vinyl upgrade.

Passwords

As noted above, Vinyl supports forms-based authentication using a local credential store. In forms-based authentication, the web site visitor provides a set of credentials consisting of a user name and password. Upon successful verification of the supplied credentials, Vinyl signs the user into the system.

Password storage

Vinyl stores passwords securely. Specifically, Vinyl uses PBKDF2 with the following parameters:

  • Hash Algorithm: SHA-256
  • Salt Length: 128 bits
  • Iterations: 10,000
  • Key Length: 128 bits

Manually resetting passwords

If access to the system has been lost, it is possible to manually modify the Se_User table, entering a password in plain text. Plain-text passwords are automatically hashed when the user first logs in.

Groups

Security groups organize users. Users can be a member of more than one security group. Administrators grant groups privileges to applications and data sources. If a data source uses roles-based authorization, groups must be granted membership in one or more roles within the data source. See Privileges & Permissions for more information regarding roles.

Vinyl has Groups as well as Application Groups that can be configured. Groups are defined at the global environment level, whereas Application Groups are defined at the individual application level.

Groups have the following attributes:

  • Name - Group display name.
  • Description - Informational description displayed beneath the group name in selection lists.
  • Grant On Data Source Create - Indicates whether the group should be granted privileges to new data sources as they are created.
  • Grant On Application Create - Indicates whether the group should be granted privileges to new applications as they are created.
  • Grant On User Create - Indicates whether new users should be added to the group as they are created.

Application Groups have the following attributes:

  • Name - Group display name.
  • Description - Informational description displayed beneath the group name in selection lists.
  • Application - The named application the security group belongs to.

Default Groups

As noted above, Vinyl ships with several default groups, including:

| Group | Description |
| --- | --- |
| Administrators | Users assigned to the administrators group can access any applications or data sources shipped with Vinyl. In addition, members will be granted access to new applications and data sources as they are created. |
| Users | Members of the Users security group are granted the minimum set of privileges required to run a Vinyl application. However, they don't have access to any specific Vinyl applications on a default install. New users are added to the Users group as they are created. |
| Service Accounts | Users assigned to the Service Accounts group can execute Vinyl's scheduled events. This security group can be granted privileges and permissions to execute scheduled events in other data sources as well. |

Note

The built-in security groups cannot be deleted or modified. Any changes to the built-in security groups will be reverted during a Vinyl upgrade.

To Modify a Group

There may be instances where you need to change what a Group has access to, and some features require such changes. For example, Password Expiration requires you to manually modify the Users group. Specifically, you need to manually grant access to the Password Expiration and Password Reset Role for the Users group.

  1. Navigate to the IDE
  2. Click User Management
  3. Click the Groups tab
  4. Locate the Group you're looking to modify from the Groups panel. For example: Users
  5. Click on the corresponding Manage Privileges button
  6. Locate any additional Roles you need to add or remove and click the Grant or Revoke button as needed. For example: Password Expiration and Password Reset

Application Groups

Application Groups are created and maintained by the application developer, and each is tied to a single application. The creation and maintenance of Application Groups is primarily done through the App Workbench, with the exception of managing users belonging to the group, which is done through the IDE.

Application Groups ship automatically along with an application as part of an LP, and are therefore carried to upstream environments.

Application Groups can be viewed from IDE > User Management > Groups to provide information to an administrator or System Admin user.

To Create an Application Group

  1. Navigate to the App Workbench
  2. Click the Roles tile
  3. Click the Application Groups button
  4. Click the Create button
  5. Assign a Name for the group. Our recommendation is to include the application name followed by the group role type. For example: Global Imports Admin
  6. Provide a Description. For example: Administrative users
  7. Click the checkmark icon to save
  8. Review the Roles panel and determine which role(s) belong in the Group. Click the Grant button for any role to add to the group. For example: Administrator
  9. Click the Open record icon for the Application Group
  10. Click the More button and select View Permissions. From this Group Permissions screen you can see all the datasource tables and objects that members of the group have access to.

To Assign Users to an Application Group

  1. Navigate to the IDE
  2. Click User Management
  3. Select the Groups navigation button
  4. Click the + Membership button
  5. Select a User to assign to the Application Group
  6. Click the checkmark icon to save