4.4. Users

4.4.1. User List

After a tap on the Users button in the main menu this panel is shown. See Section 4.2, “Menu”.

Admin Web App: User - List

Figure 4.13. Admin Web App: User - List


  • All non-deleted users are listed alphabetically by default. A different selection and sorting can be entered: see Figure 4.14, “Admin Web App: User - Select and Sort”.

  • Press the New button to create and edit a new Internal User.

  • The list can be traversed by tapping one of the buttons at the pager at the top or bottom of the page.

  • An entry is displayed for each user, with identifying data and some usage statistics. From top to bottom:

    • The user's role or status (at the top right corner).

    • An inline pagometer Pie-Chart followed by the user id. The blue color in the chart represents the number of pages printed to SavaPage. The green color represents the number of pages exported to PDF. The red color depicts the pages printed to Proxy Printers.

    • The user id of an Internal User is shown with an orange color.

    • The full name and email address.

    • The period in which user activity was accumulated on the pagometer.

    • The account balance and the pagometer including the number of jobs and bytes printed to any SavaPage printer.

    • The size of the user's SafePages home.

  • Tap the Edit button to change or delete the user. See Section 4.4.4, “Edit User”.

    Note

    Deleted Users cannot be edited.

  • The Documents button brings you to the list of documents the user processed. See Figure 4.109, “Admin Web App: Documents - List”

  • The Transactions button brings you to the list of financial transactions on the user's account. For a detailed description of this list see Section 3.8.2, “Transactions” in the User Web App chapter.

  • The rightmost GDPR button opens a pop-up where personal user data can be downloaded. See Section 4.4.2, “Download Personal Data”.

Note

Due to Admin Privileges certain buttons might not be visible.

Tip

The pagometers of all users can be reset at OptionsAdvancedReset Pagometers

Admin Web App: User - Select and Sort

Figure 4.14. Admin Web App: User - Select and Sort


  • Users can be selected by Group and by entering a part (fragment) of their ID or Email. So entering "son" as ID will select both "jason" and "sonja".

  • Select the Type, Role and (Deleted) Status. The - button will select both.

  • The list can be sorted Ascending or Descending on ID or Email.

  • Tap the Apply button to (re)display the list.

  • A tap on the Default button resets the selection and sort fields to their default values.

  • The PDF and CSV buttons downloads the User List in their respective formats, using the selection item values.

  • The minus icon collapses the Select and Sort section.

4.4.2. Download Personal Data

This pop-up opens when the rightmost GDPR button is pressed in an entry from the User List.

Admin Web App: User Data Portability

Figure 4.15. Admin Web App: User Data Portability


See Section 14.2.1, “Data Portability”.

4.4.3. Erased Users

Erased Users have their personal data cleared. Since their ID is empty, an anonymous placeholder with date/time of erasure is used for display.

Admin Web App: Erased User

Figure 4.16. Admin Web App: Erased User


See Section 14.2.2, “Data Erasure”.

4.4.4. Edit User

This chapter describes the editable sections of the User entity.

Caution

Some data you edit, like the Name, Primary email, Card Number and ID Number might be overwritten by values from the user source during synchronization. See Section 4.10.1.2, “LDAP” and Section 4.10.2, “User Creation”.

Note

Users can also be edited and deleted with the Server Command Tool. See Section C.1.19, “setUserProperties” and Section C.1.5, “deleteUser”.

4.4.4.1. Identity

Admin Web App: Edit External User - Identity

Figure 4.17. Admin Web App: Edit External User - Identity


  • The user's full Name can be edited. Remember this name can be overwritten for an external User as a result of user synchronisation. See Section 4.10.2, “User Creation”.

  • Assign the Administrator role by ticking the checkbox.

  • Users are regarded as Person by default. Un-tick the Person checkbox if this user represents a generic functional account. This will make the user Abstract.

  • Tick the Disabled checkbox to deny the user access to the SavaPage application.

Warning

When a User becomes Abstract its SafePages are removed.

4.4.4.2. User Roles

Admin Web App: Edit User - Roles

Figure 4.18. Admin Web App: Edit User - Roles


User Roles are needed to access certain application objects, as shown in the table below.

RoleAccess

Job Ticket Creator

Job Ticket Printer

Job Ticket Operator

Job Tickets Web App

Web Cashier

Point-of-Sale Web App

Print Job Creator

A Proxy Printer that is not a Job Ticket Printer.

Print Job Delegate

Delegated Print and Users and Groups with role Print Job Delegator for Delegated Print.

Print Job Delegator

This is a passive role. Delegators can be accessed by users with role Print Job Delegate.

Table 4.1. User Roles


Each role is set with a checkbox that has three states:

  • Checked : The role is enabled.

  • Unchecked : The role is disabled.

  • Unchecked and grayed out: The role is indeterminate.

If a User Role is needed to access an application function, SavaPage will check if this role is enabled for the authenticated user.

When the role is indeterminate at the user level, Group Roles are checked of the groups the user belongs to. Added Groups are checked first, then the Built-in Groups, with the All Users group as last.

  • Access is granted if there is at least one group where the role is enabled.

  • Access is denied when the role is indeterminate or disabled in all groups.

  • Print Job Creator role is special: an indeterminate state at All User top level is interpreted as granted.

Caution

The 3-tier group hierarchy (User Groups > Internal/External Users > All Users) is traversed bottom up, to resolve the role of individual Users only. Group hierarchy is not used to resolve roles for User Groups: roles defined at group level are fixed, and are not interpreted in the context of other groups, or individual members.

4.4.4.3. Email

Admin Web App: Edit User - Email

Figure 4.19. Admin Web App: Edit User - Email


  • The Primary email and Other emails addresses are editable and must each be unique: they can be associated to just one User. Multiple emails must be separated by any of the characters space, comma, semicolon, or by carriage return or line feed.

4.4.4.4. Card and ID

Admin Web App: Edit User - Card

Figure 4.20. Admin Web App: Edit User - Card


  • The Card Number and ID Number are editable and must each be unique: they can be associated to just one User.

  • The ID Number is used as authentication token for Internet Print.

  • The Card Number must be entered in HEX/LSB format. See Section B.1, “Card Number Format”.

  • The PIN must be digits only.

  • The minimum length of ID Number is contained in configuration key user.id-number-length-min. The minimum and maximum length of a PIN are contained in the configuration keys user.pin-length-min and user.pin-length-max. A maximum value 0 (zero) indicates the maximum is unspecified. See Section 4.10.14.10, “Config Editor” on how to change these values.

  • The YubiKey Public ID is used for YubiKey Authentication.

  • Press the OK button to commit the changes and return to the User List.

  • The Cancel button brings you back to the User List without changing anything.

4.4.4.5. UUID

Admin Web App: Edit User - UUID

Figure 4.21. Admin Web App: Edit User - UUID


The UUID[14] is used as authentication token for Internet Print. It is automatically created when a user successfully logs in for the first time. A new UUID can be created by pushing the Generate button.

4.4.4.6. Financial

This section shows the personal User Account. Initialization of this account is based on Group Membership as explained in the Edit Group section.

Admin Web App: Edit User - Financial

Figure 4.22. Admin Web App: Edit User - Financial


  • A new value for the user's account Balance results in a financial transaction that corrects the previous account balance. See Section 3.8.2, “Transactions”. The user is notified by a pop-up message in his active User Web App when his balance is adapted.

  • Set the Credit limit with one of these buttons:

4.4.4.7. Password

Admin Web App: Internal User - Password Actions

Figure 4.23. Admin Web App: Internal User - Password Actions


For an Internal User Password actions are shown.

The Erase button is shown when a password is set. When pressed, it erases the password and makes itself disappear again. Without an initial password, users cannot reset their password in the User Web App. This gives administrators a means to disable login by user name/password, in favor of other authentication methods.

A tap on the Reset button shows the Password Reset Dialog. Use this dialog to initially set or change a password.

Admin Web App: Internal User - Password Reset

Figure 4.24. Admin Web App: Internal User - Password Reset


4.4.4.8. User Delete

Admin Web App: Edit User - Delete

Figure 4.25. Admin Web App: Edit User - Delete


  • Press the Delete button to delete the user and return to the User List. The next section describes the effect of this action.

  • The Cancel button bring you back to the User List without changing anything.

4.4.5. Create Internal User

A tap on the New ... button at the top of the User List gives this dialog to create a new Internal User. Apart from the regular User data, the attributes ID and Password can be entered.

  • The prefix of ID is contained in the configuration key internal-users.username-prefix.

  • The minimum length of the Password is contained in the configuration key internal-users.password-length-min.

  • See Section 4.10.14.10, “Config Editor” on how to change these configuration values.

  • The Financial data are initialized with the New User Settings of the Built-in Internal Users Group. If these new user settings are disabled the Balance is set to zero with an Individual Credit limit of zero.

Tip

Internal Users can also be added with the Server Command Tool. See Section C.1.2, “addInternalUser”.

4.4.6. Deleted Users

Deleting a User makes sense if he is not part of the user source anymore and was not deleted as part of a bulk delete during a manual synchronization. As long as job history or account transactions for a User are present [15], SavaPage applies a logical delete. Any logical deleted User will be physically deleted from the database when no related job history and account transactions are present anymore. This situation will automatically occur when you enabled automatic backup in combination with the delete of old document and transaction logs.

Important

If SavaPage synchronizes a new User from the user source, a new user instance will be created in the database, despite the fact that a logical deleted User exists with the same identifying name, i.e. the logical delete status of the "identical" user will remain as it is.

4.4.7. Administrator Role

SavaPage sets up a dedicated account called admin. This is the master administrator account, with access to all application functions, whose password is assigned during configuration. In large organizations it is likely that the administrator role needs to be granted to more than one person. One solution is to give all those persons the master password; however a better approach is to assign the administrator role to the network user accounts of these individual's. The advantages of this approach are:

  • Administrators can access the Admin Web App with their own username and password.

  • Since most administrative activity is logged in an audit trace, changes can easily be tracked back to an individual.

Note

Access to certain parts of the Admin Web App can be set on User Group level with Admin Privileges.

Tip

Administrative users should login via https://savapage:8632/admin rather than https://savapage:8632/ or https://savapage:8632/user so that they are directed to the correct interface.



[14] A universally unique identifier (UUID) is an identifier standard used in software construction. See https://en.wikipedia.org/wiki/Universally_unique_identifier

[15] When a users does not print on his own, but is printed for via Delegated Print, no job history is present for that user, but (pending) transactions are.