The most common use of the CMC is to manage user accounts. Although this chapter provides a review of managing user accounts, this should always be combined with an effective user-management strategy appropriate for your organization. For example, managing users is best accomplished through an effective group inheritance model, where object restrictions are never assigned to individual users, but rather to groups. When users are placed as members within those groups, they inherit the restrictions of the group. Often a single system of record, such as an LDAP or Active Directory system, establishes one set of users and groups that the entire organization and all software can use, greatly speeding user administration.
Rights are not assigned to users or groups, but to the objects within Crystal Enterprise themselves (Reports and Folders). This is explained later in the chapter.
This section reviews all the various components that factor into account management, which includes users and groups.
To access Crystal Enterprise resources, a physical end user must possess a username. Upon initial installation, by default, Crystal Enterprise creates the Administrator user and the Guest user only.
The Guest account is a generic account meant for use in a scenario where certain global reports contain public information that could be accessed by anyone using Crystal Enterprise. Without an assigned username, a user can log on only as an administrator (if they know the password) or a guest (provided the Guest account remains enabled).
The Administrator and Guest accounts are required for proper system functionality. The Guest account can be disabled by the system administrator; however, it should not be deleted.
All Crystal Enterprise permissions ultimately originate from, or apply to, individual user accounts/usernames. In light of this, one of the most important aspects of system administration is the creation of new user accounts or mapping accounts from the system of record. Whether adding one user or several hundred, the Crystal Management Console makes this process fast and intuitive. To begin adding new users, click the New User icon displayed on the main CMC screen (see Figure 27.3).
In the Account Name field, enter a unique name that the user enters to log on to Crystal Enterprise. Generally, usernames are entered as a single word in lowercase (for example, Ed for Ed Conyers). If the Crystal Enterprise administrator prefers, the username can contain mixed-case letters as well as spaces. Crystal Enterprise is not case sensitive to usernames.
Next, enter the user's proper name in the Full Name field. The full name can contain mixed-case letters and spaces. A freeform text description can be included.
The Crystal Enterprise administrator can also specify a password in the Password Settings dialog; however, it's not necessary because users can be forced to change their passwords the first time they log on. Checking Password Never Expires exempts the username from the Crystal Enterprise global password expiration rules (discussed later in this chapter). Selecting User Cannot Change Password prevents end users from changing their passwords in the future.
The Connection Type radio buttons enable the Crystal Enterprise administrator to indicate whether the username will capture a concurrent user license or a named user license when logged in to Crystal Enterprise. A concurrent user license is not absorbed unless the user is logged in to Crystal Enterprise.
After the user's session ends, a default of 20 minutes, the concurrent license is released. This means that another user within Crystal Enterprise can log in to Crystal Enterprise and use the concurrent license. A named license is relinquished only when the username is deleted or changed to use a concurrent license. An in-depth discussion of license keys is covered later in this chapter in the Authorization section of the CMC.
After the required information for creating a new user is provided, click the OK button at the bottom of the screen. The new user is created. Refresh the User Properties screen. Note that the User Properties screen reload is the only confirmation that the new user was successfully added to the system.
After the User Properties screen has been reloaded, two new options appear at the bottom of the page. The Authentication setting enables you to specify whether the user's password validation will be processed by Crystal Enterprise, LDAP, Windows NT, Active Directory, or even perhaps a system such as SAP via the Crystal Enterprise Solution Kit for SAP. By default, Crystal Enterprise handles authentication internally. The Account Is Disabled option disables an account without deleting it. Although the account can always be enabled again in the future, this is useful for employees who might take a leave of absence from the company.
Before leaving this screen, a new feature to version 10 should be covered. The Rights tab at the top of the User screen can confuse a new administrator into thinking that he can grant the user whose profile he is looking at certain system rights. Actually the opposite is true! The Rights tab, which appears on almost every object in Crystal Enterprise, supports a new feature called Delegated Administration, which enables different users to administer different portions of one Crystal Enterprise system. Use the tab to specify which users or groups have access to this object; in this case to the particular user you are looking at. So if you only enable access to this user's profile for the Administrators group, another user logging onto the CMC will not see the user at all. In this way you can have administrators in different departments or functional areas do their own system maintenance without seeing the information of other groups or departments.
A list of all the users in the system, including the Crystal Enterprise administrator, can be accessed by selecting Users from the CMC drop-down menu (see Figure 27.4).
From the Users screen, you can search for specific usernames, edit an existing username, add a new user, or delete an existing user. To delete a username, place a check mark in the corresponding box on the right side of the screen. You can select more than one username. After a minimum of one username has been selected in this manner, click the Delete button at the top of the screen. The Crystal Management Console then prompts to confirm deletion of the user account. Again we see a Rights icon as well; again, this is to specify which user/group has the rights to see this portion of the administrative console.
A user group is a collection of Crystal Enterprise users with one or more logical characteristics in common. For example, the users in the Marketing department should be grouped together based on the fact that they all belong to the same business division. Because these users work together, they are more likely to share the same reports. Creating groups such as marketing enables the system administrator to globally assign permissions to a broader audience.
Groups are useful for classifying users according to their job function and report needs. In most cases, it's advisable to create a series of logical user groups to reduce the complexity of managing permissions in Crystal Enterprise.
Globally managing permissions for user groups is significantly less complex than trying to manage permissions for each individual user. However, there might be situations in which it's desirable to make an exception to a group's security policy for a minimum number of users within that group. Crystal Enterprise has the flexibility to make object restriction exceptions on a user-by-user basis.
Crystal Enterprise contains three default user groups:
The Administrators group is for system administrators only. Users who belong to this group have full, unrestricted access to Crystal Enterprise, including the capability to manage servers using the CMC. Administrators can run any report and access any report folder. Use discretion when adding users to this group.
The Everyone group contains all users by default. When new users are created, they are automatically enrolled in the Everyone group. The Everyone group is useful for globally setting permissions for all Crystal Enterprise users.
New Sign-Up Accounts is a special group that contains users who have created their own new accounts through the Register option in the Web Desktop. Note that this capability can be disabled.
To create a new user group, click the New Group icon on the home CMC page (see Figure 27.5).
In the Group Name field, enter the group name exactly as it should appear in Crystal Enterprise. The group name field accepts upper- and lowercase, spaces, and punctuation. A freeform text description is optional. After the required information has been provided, click OK to create the group.
After clicking OK, the group creation screen should momentarily reload. This indicates that the group was created successfully. The Crystal Enterprise administrator now has access to three new tabs at the top of the screen: Users, Subgroups, and Member Of, shown in Figure 27.6.
Creating a group name is the first step in configuring a new group. By default, the new group does not contain any users. You must click the Users tab to add users to the group (see Figure 27.7).
The Users tab does not contain any users initially. To add users to the new group, click the Add Users button at the top of the screen. A list of all Crystal Enterprise users appears on the left side of the screen, as shown in Figure 27.8. Highlight the users to add to the group. You can select several, noncontiguous names by holding down the Ctrl key when clicking. After the desired usernames are highlighted, click the Add button to verify the selection. Highlighted users are moved from the Available list to the Users list. When satisfied with the selections, click OK to commit, as shown in Figure 27.9.
To select a range of users, click the topmost username in the desired range. Then, while holding down the Shift key, click the bottom username in the range. All users between the top and bottom names are selected.
The CMC returns to the Users tab after the changes have been committed. The Users tab immediately reflects the membership of the group, as shown in Figure 27.10. Keep in mind that Crystal Enterprise enables a single user to be a member of multiple groups, so it's possible for users to belong to other groups, such as the Everyone group.
Now that the group has users, you can create subgroups. As the name implies, a subgroup is a child of the parent group. Subgroups can be used to further define user roles and permissions at a more detailed level. A top-level group can contain several subgroups, and those subgroups can also contain subgroups, as Figure 27.11 shows. The benefit is that permissions need not be applied at a user level, even though they can be. Even if an individual user's needs might seem unique, there is always the distinct possibility that someone else could come along with similar requirements. Creating subgroups minimizes individual user permission/restriction management.
Click the Subgroups tab to add new subgroups.
Click the Add/Remove Subgroups button to designate a new subgroup. The Add/Remove Subgroups page works just like the Add or Remove Users screen. All available groups are listed in the list box on the left.
To be clear, a subgroup is not a special kind of group, but rather an ordinary group that has a hierarchical relationship established with another group. Like parent or top-level groups, subgroups are created by using the New Group option on the main CMC screen.
If a subgroup needs to be created (that is, it doesn't exist yet), you need to create the new subgroup in the same manner as other groups would be created, from the New Groups screen. Figure 27.12 shows a list of groups where the intended subgroup has already been defined.
Any group can also be a subgroup. This can get a bit messy with respect to restrictions because overlapping inherited security can be confusing. Try to keep things streamlined by using naming conventions and inherited permissions. This lowers administrative cost and Total Cost of Ownership.
Add the subgroups to the parent group and click OK to commit the change to the system database (see Figure 27.13). The CMC returns to the subgroup listing screen, which now reflects the new subgroups.
This particular subgroup tree is only one level deep. It's possible to create subgroups of subgroups for more granular management of users. For example, a few regional subgroups (East, Central, and West) could be added to the North America Sales subgroup. To do this, you only need to click the name of the subgroup, and then repeat the preceding steps to add another subgroup.
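The overlapping inheritance that nested subgroups can produce is easier to audit in code than on screen. The following is an added example, not from the book and not Crystal Enterprise code: it resolves each user's effective groups through a subgroup hierarchy and lists users who reach a group only through nesting. It assumes that members of a subgroup inherit from every ancestor group; the data is plain Python dictionaries rather than any Crystal Enterprise API, and the usernames and the Sales and Sales Managers groups are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not exported from a real system).
# MEMBERS: group -> users added directly; SUBGROUPS: parent -> child groups.
MEMBERS = {
    "Administrators": {"administrator"},
    "Everyone": {"administrator", "guest", "ed", "ana", "raj", "lee"},
    "Sales": {"ed"},
    "Sales Managers": {"ana"},
    "North America Sales": {"raj"},
    "East": {"lee"}, "Central": set(), "West": set(),
}
SUBGROUPS = {
    "Sales": ["Sales Managers", "North America Sales"],
    "North America Sales": ["East", "Central", "West"],
    "Administrators": ["Sales Managers"],  # the overlap an audit should surface
}

def parent_map(subgroups):
    """Invert parent -> children into child -> set of parents."""
    parents = defaultdict(set)
    for parent, children in subgroups.items():
        for child in children:
            parents[child].add(parent)
    return parents

def effective_groups(user, members, subgroups):
    """Groups the user belongs to directly or through any ancestor group."""
    parents = parent_map(subgroups)
    stack = [g for g, users in members.items() if user in users]
    seen = set()
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; also stops loops in the hierarchy
            continue
        seen.add(group)
        stack.extend(parents.get(group, ()))
    return seen

def indirect_members(group, members, subgroups):
    """Users who reach `group` only through nesting, not direct membership."""
    everyone = set().union(*members.values())
    direct = members.get(group, set())
    return {u for u in everyone - direct
            if group in effective_groups(u, members, subgroups)}

if __name__ == "__main__":
    print(sorted(effective_groups("lee", MEMBERS, SUBGROUPS)))
    print(sorted(indirect_members("Administrators", MEMBERS, SUBGROUPS)))
```

Running indirect_members against the Administrators group is the useful check here: anyone it returns gained that membership through a subgroup relationship rather than a deliberate, direct assignment.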