Use this tab to manage users and groups that can be granted access to the Management Console and projects. The security model is role-based; that is after you create a user, you must add him or her to one or more groups, which are associated with specific roles in one or more projects. It is a good idea to create groups first, because a user will not be able to login, until he or she is added to a group that is granted a view role inside at least one project.

Management Console provides some built-in roles that users can have. Roles are mapped to a user of a security group. User permissions are calculated based on the roles that are mapped to security groups the user is a member of. You can modify built-in roles or add additional roles.

The following is a list of built-in roles.

• Administrator: An administrator is a global role in all projects and has all rights (excluding special admin rights) including creation of new administrators and users in any project.
• Project Administrator: Users with Project Administrator role have a right to create new users in their own projects but cannot promote users to Administrators. They have a view right to view RoboServer and Cluster settings without changing them. Project Administrator is not a member of the Administrator group.
• Developer: Developers have a right to upload, download, and view all resource types in the repository. A user with this role can create, edit, and delete schedules, run robots, view and delete run logs, and view clusters.
• Viewer: Viewers have the same view rights as developers without the rights to change or run anything.
• DAS client user: This is a user that is created for remote Desktop Automation Service (DAS) clients, and can only access the DAS API. This user cannot log in interactively, but as a service authenticating via the API. The DAS client user has a right to announce a DAS to the Management Console, and retrieve DAS configuration.

• Password store user: A user with this add-on role can access the password store. The role is provided on top of other roles, such as the Developer role. This role only provides access to the password store tab.

• VCS Service user: The Version control service user is granted a special set of rights for the Synchronizer. This role has a right to add, modify, and delete resources. This is the only role that can deploy on behalf of another user to use the "deployer" feature in the VCS.

• RoboServer: A restricted user that can only read from the repository. This user cannot log in interactively, but as a service authenticating via the API. This role is used by RoboServers when accessing a cluster, retrieving repository items, and requesting passwords from the password store.
• Kapplet Administrator: A user who can create, view, run, and edit Kapplets.
• Kapplet User: A user who can view and run Kapplets. A user with this role cannot access the Management Console if this user has no other rights.

admin user

admin is not a member of the Administrator group, but it is a user that always has access to everything.

In an LDAP integration setup, the admin group is defined as part of the LDAP configuration. admin can then log in and define which LDAP groups should be mapped to the Developer, Administrator, RoboServer, and other roles.

In an internal user setup, the admin user is created at first start and can then login and create Administrators, Developers, and other users.

admin special rights

Beside being the initial user, admin also has special rights, such as:

• On the RoboServers tab, admin can click a RoboServer node and request a stack trace from the corresponding RoboServer.

• Only admin can create and import backups.

• In the password store, admin can move passwords to another project.

The Users tab helps you create new users and edit, remove, and reset passwords for selected users. To manage groups, click Groups. To go back to the Users tab, click Users.

The Groups tab helps you create, remove, and edit groups.

The following information can help you understand some Kofax RPA user management principles.

There are two ways to run the Management Console: embedded in a RoboServer with any license and on a standalone Tomcat server (requires enterprise license). For information about Management Console on Tomcat, see "Tomcat Management Console" in Kofax RPA Administrator's Guide.

When the Management Console runs in embedded mode, there are two types of user management, single user or multi user. This is configured using the RoboServer Settings (RoboServerSettings.exe) application located in the /bin subfolder of the Kofax RPA installation folder.

To enable multi user mode, do the following: