Welcome to Kofax RPA > Management Console > Management Console Configuration and User Interface > Admin > Manage Users and Groups

Manage Users and Groups

Use this tab to manage users and groups that can be granted access to the Management Console and projects. The security model is role-based; that is after you create a user, you must add him or her to one or more groups, which are associated with specific roles in one or more projects. It is a good idea to create groups first, because a user will not be able to login, until he or she is added to a group that is granted a view role inside at least one project.

Note User and group names in Kofax RPA must follow the Rules for Logon Names for Microsoft Windows. Such as the names must not contain the following characters:

" / \ [ ] : ; | = , + * ? < >

For details, see Creating User and Group Accounts on technet.microsoft.com.

Management Console provides some built-in roles that users can have. Roles are mapped to a user of a security group. User permissions are calculated based on the roles that are mapped to security groups the user is a member of. You can modify built-in roles or add additional roles.

The following is a list of built-in roles.

  • RPA Administrators: A user in the RPA Administrators group has all rights (excluding special admin rights) including creation of new administrators and users in any project.
    Important When restoring backup created in version prior to 10.7, users with Administrator role become members of the RPA Administrators group.
  • Project Administrator: Users with Project Administrator role have a right to assign a role to a group for their own projects. They have a view right to view RoboServer and Cluster settings without changing them. Project Administrator is not a member of the RPA Administrators group.
  • Developer: Developers have a right to upload, download, and view all resource types in the repository. A user with this role can create, edit, and delete schedules, run robots, view run logs and clusters.
  • Viewer: Viewers have similar view rights as developers without access to Kapplets and the rights to change or run anything.
  • API (This user logs in only as a service authenticating via the API): A user with this role can use the repository API to read from and write to the repository.
  • DAS client user (This user logs in only as a service authenticating via the API): This is a user that is created for remote Desktop Automation Service (DAS) clients, and can only access the DAS API. The DAS client user has a right to announce a DAS to the Management Console, and retrieve DAS configuration.

  • Password store user: A user with this add-on role can access the password store. The role is provided on top of other roles, such as the Developer role. This role only provides access to the password store tab.

  • VCS Service user (This user logs in only as a service authenticating via the API): The version control service user is granted a special set of rights for the Synchronizer. This role has a right to add, modify, and delete resources. This is the only role that can deploy on behalf of another user to use the "deployer" feature in the version control service.

  • RoboServer (This user logs in only as a service authenticating via the API): A restricted user that can only read from the repository. This role is used by RoboServers when accessing a cluster, retrieving repository items, and requesting passwords from the password store.
  • Kapplet Administrator: A user who can create, view, run, and edit Kapplets.
  • Kapplet User: A user who can view and run Kapplets. A user with this role cannot access the Management Console if this user has no other rights.

  • Process Discovery Client (This user logs in only as a service authenticating via the API): This role allows Process Discovery components interact with the Management Console.

admin user

admin is not a member of the RPA Administrators group, but it is a user that always has access to everything.

In an LDAP integration setup, the admin group is defined as part of the LDAP configuration. admin can then log in and define which LDAP groups should be mapped to the Developer, Administrator, RoboServer, and other roles.

In an internal user setup, the admin user is created at first start and can then login and create Administrators, Developers, and other users.

admin special rights

Beside being the initial user, admin also has special rights, such as:

  • On the RoboServers tab, admin can click a RoboServer node and request a stack trace from the corresponding RoboServer.

  • Only admin can create and import backups.

  • In the password store, admin can move passwords to another project.

The Users tab helps you create new users and edit, remove, and reset passwords for selected users. To manage groups, click Groups. To go back to the Users tab, click Users.


Managing groups

The Groups tab helps you create, remove, and edit groups.


Groups toolbar

The following information can help you understand some Kofax RPA user management principles.

There are two ways to run the Management Console: embedded in a RoboServer with any license and on a standalone Tomcat server (requires enterprise license). For information about Management Console on Tomcat, see "Tomcat Management Console" in Kofax RPA Administrator's Guide.

When the Management Console runs in embedded mode, there are two types of user management, single user or multi user. This is configured using the RoboServer Settings (RoboServerSettings.exe) application located in the /bin subfolder of the Kofax RPA installation folder.

To enable multi user mode, do the following:

  1. Start the RoboServer Settings application either by clicking RoboServer Settings on the Windows Start menu or by double-clicking RoboServerSettings.exe in the /bin subfolder of the Kofax RPA installation folder.
  2. On the Management Console tab, select Enable User Management.

    You can also specify an administrator name and password.

  3. On the General tab, select Register to a Management Console and specify the URL, name, password and cluster name for the Management Console where you want to enable multi user mode.
  4. Restart the Management Console for the changes to take effect.

    Depending on your license and the way you run the Management Console, you can manage user access as follows:

    • Single user - only available in Embedded mode

    • Internal user management - available in both Embedded and Standalone mode

    • External user management (LDAP, SAML, or CA Single Sign-On) - only available in Standalone mode with enterprise license

    Note When using internal user management, the Administrator group is not visible and contains only the administrator defined in RoboServer settings.

    When you run the Enterprise version on a Tomcat server, Management Console is always in the multi-user mode and you can choose to manage your users either in the Management Console (like in the embedded mode) or get the user credentials from your corporate LDAP server.

    Check for login attempts

    By default, the check for number of login attempts made by a user and wait time before the next attempt is disabled. To enable this functionality, edit the following section in the authentication.xml file located in: <Tomcat installation folder>\WebApps\Management Console\WEB-INF\spring 

    
   <bean id="loginAttemptService"
         class="com.kapowtech.scheduler.server.spring.security.LoginAttemptService" lazy-init="true">
       <constructor-arg type="boolean" value="false"/>
       <constructor-arg type="int" value="3"/>
       <constructor-arg type="int" value="10"/>
   </bean>

    Set the first value to true. The second and third values are for the number of login attempts (3 in this example) and the wait time in minutes before the next attempt (10 in this example), respectively.