Users identify individuals that are known to CentraSite. You assign roles and permissions to users to specify which operations they can perform and which registry objects they can access.
When you initially install an instance of CentraSite, it has only two user accounts: an account for the bootstrap user and an account for the default user.
The bootstrap user refers to the user who installs CentraSite. This user belongs to the Default Organization and becomes the initial Organization Administrator for the organization as well as its primary contact. This user is also given the CentraSite Administrator role, which gives him or her “super admin” privileges. After CentraSite is installed, you can assign other users to the Organization Administrator role and/or the primary contact position for the Default Organization.
The default user represents an internal user that owns the predefined objects installed with CentraSite. The default user exists for CentraSite’s internal use. You cannot edit or delete this account. You cannot use the default user account to log on to CentraSite.
Typically, the bootstrap user creates the initial set of organizations on the CentraSite registry/repository. Then, the organization administrators create user accounts for the users that belong to their organizations.
Although CentraSite maintains its own database of user accounts, the users associated with those accounts are authenticated by an external authentication system at log on time.
CentraSite is delivered with one predefined authentication configuration, namely the configuration to use an internal text file, and this configuration is the default configuration. However, after installation, you can configure it to also use the following types of authentication systems:
The operating system's user repository.
Active Directory Server (ADS).
Note:
If the CentraSite registry/repository is installed on a UNIX or
Linux machine, you can only use the Active Directory Server as the user
repository if it is configured via the LDAP interface.
Lightweight Directory Access Protocol (LDAP).
See the section Overview of User Repositories in the document Authentication Topics and LDAP for more details.
If you are working in a distributed environment, where one or more Application Server Tiers and a separate registry/repository are involved, you must configure CentraSite to use an external authentication system. If you are working in a mixed Windows and UNIX environment, CentraSite can use Active Directory or LDAP as the user repository for both.
Note:
Although CentraSite allows you to define multiple user repositories
for authentication, only one is the default at any given time. Users who log on
to the system by just providing the user name will be authenticated against the
default authentication system. If you wish to log on to CentraSite with a
user name that does not reside in the default authentication system, you need
to prefix the user name by the Domain ID that was defined for the respective
authentication system.
Users defined in the external directory are not automatically entitled to log on to CentraSite. You must explicitly create user accounts for valid users on CentraSite as described in the topic Adding a User in the section About Users in the document Users, Groups, Roles and Permissions.
For information about how to configure the authentication for CentraSite, see the document Authentication Topics and LDAP.
Note:
Any change of the external user management is not synchronized with
CentraSite. If a user is removed from the external user management (for
instance on operating system level) the corresponding CentraSite user is not
automatically deactivated. The CentraSite user associated with a deleted
external user must be deactivated manually in CentraSite.
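Because removals in the external user management are not propagated, a periodic reconciliation can list the active CentraSite users that no longer have an external account. The following is an added example, not part of CentraSite: it assumes both user lists have already been exported (the data layout, function names and sample IDs are constructed), that user IDs compare case-insensitively, and that an ID without a Domain ID prefix belongs to the default authentication system.

```python
"""Reconcile active CentraSite users against the external user repository."""

ADMIN_ROLE = "CentraSite Administrator"


def normalize(user_id, default_domain):
    """Return (domain, name) in lower case; bare names get the default domain."""
    user_id = user_id.strip()
    if "\\" in user_id:
        domain, name = user_id.split("\\", 1)
    else:
        domain, name = default_domain, user_id
    return domain.lower(), name.lower()


def reconcile(centrasite_users, external_ids, default_domain):
    """Sort orphaned active users into 'deactivate' and 'blocked' lists.

    centrasite_users -- dicts with "id", "active" and "roles" (assumed export)
    external_ids     -- user IDs that still exist in the external repository
    """
    external = {normalize(i, default_domain) for i in external_ids}
    # Inactive users may legitimately have no external account, so skip them.
    active = [u for u in centrasite_users if u["active"]]
    orphans = [u for u in active
               if normalize(u["id"], default_domain) not in external]
    orphan_ids = {u["id"] for u in orphans}
    # Administrators who still have a valid external account.
    valid_admins = [u for u in active
                    if ADMIN_ROLE in u["roles"] and u["id"] not in orphan_ids]
    report = {"deactivate": [], "blocked": []}
    for user in orphans:
        # The last CentraSite Administrator cannot be deactivated: the role
        # must first be given to a user who can still log on.
        if ADMIN_ROLE in user["roles"] and not valid_admins:
            report["blocked"].append(user["id"])
        else:
            report["deactivate"].append(user["id"])
    return report


# Constructed sample data (not taken from a real installation).
CENTRASITE_USERS = [
    {"id": r"CORP\alice", "active": True, "roles": [ADMIN_ROLE]},
    {"id": "bob", "active": True, "roles": ["Asset Consumer"]},
    {"id": r"CORP\carol", "active": True, "roles": ["Asset Provider"]},
    {"id": r"PARTNER\dan", "active": True, "roles": ["Asset Consumer"]},
    {"id": r"CORP\steering1", "active": False, "roles": []},
]
EXTERNAL_IDS = [r"corp\Bob", r"CORP\carol"]

if __name__ == "__main__":
    print(reconcile(CENTRASITE_USERS, EXTERNAL_IDS, default_domain="CORP"))
```

Users in the `blocked` list need a replacement administrator before they can be deactivated.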
The users that you define in CentraSite can be active or inactive. An active user has an associated user account on the external authentication system and is permitted to log on to CentraSite. Inactive users exist in the registry, but they are not permitted to log on to CentraSite. Additionally, permissions cannot be granted to inactive users nor can ownership of assets be given to them (inactive users retain ownership of objects that already belong to them).
Administrators generally deactivate users that leave the company or otherwise cease to be valid users of the registry. Inactive users are also useful for representing individuals who figure prominently in your SOA environment, but are not direct users of CentraSite. For example, you might create users to represent individual members of a key steering committee. Although these individuals might never use CentraSite, by including them in the registry as users, you enable assets and other objects to be associated with those individuals. Furthermore, if the user definitions for these individuals include email addresses, an administrator can develop policies that send email alerts to these individuals when significant events occur in the registry. Points-of-contact for external entities such as suppliers and distributors are other individuals that you might want to model as inactive users.
CentraSite supports the concept of a guest user. Guests are users that can access the registry without a user account (i.e., they can log on to CentraSite as anonymous users). Generally, guest users are given read-only access to a controlled set of assets.
In CentraSite, the capabilities given to guests are determined by the set of permissions specified in the Guest role. By default, CentraSite allows a guest to use the Asset Catalog screens in CentraSite Control. When they use the Asset Catalog screens, guests can see any asset on which the system-defined group called "Everyone" has View permission. (In other words, when you want to give guest users the ability to see an asset, you grant View permission to the group Everyone.)
You can include additional permissions in the Guest role as is required by your site. You must do this with great care, of course. Any additional permissions you assign to this role will significantly increase the capabilities of an anonymous user.
For additional information about the Guest role, see System Roles and Their Permissions.
To create and manage (i.e., view, edit and delete) users for an organization, you must belong to a role that has the "Manage Users" permission. Users in the Organization Administrator role have this permission, although an administrator can assign this permission to other roles.
Note: Users that belong to a role that includes the "Manage Organizations" permission have the "Manage Users" permission by implication. Such users can create and manage users in the organizations to which their "Manage Organizations" permission applies.
You can add users to CentraSite in any of the following ways:
Using the button on the Users page as described in Adding an Individual User to CentraSite. This procedure enables you to define a single user and associate that user with an account in the external authentication system.
Using the button on the Users page as described in Adding a User Using the Bulk Load Option. This procedure enables you to load multiple users from the external authentication system into CentraSite in a single step.
Using the profile on the Edit Organization page as described in Adding Users from the Organization's Users Tab. This procedure enables you to load one or more users from the external authentication system into CentraSite in a single step.
Important: Do not begin adding users to CentraSite until after you configure CentraSite for the external authentication system that you intend it to use.
When you add a new user to CentraSite, keep the following points in mind:
When you add a user from Active Directory or LDAP, CentraSite automatically populates many of the user's attributes in CentraSite with user information from the external authentication system. The exact set of attributes that CentraSite populates depends on how the user attributes in CentraSite have been mapped to the user properties in the external authentication system. For more information about mapping attributes, see the document Authentication Topics and LDAP.
A user can belong to only one organization.
Every user that you add to CentraSite automatically becomes a member of the Everyone group. This group represents the set of all users defined on CentraSite, including the guest user.
If the user that you add has an associated user account on the external authentication system, CentraSite also does the following:
It adds the user to the following system-defined groups
Group | Description |
---|---|
Users | All users that belong to the user's organization. |
Members | All users belonging to the user's organization or any of its descendants (i.e., children, children's children and so forth). |
It assigns the Asset Consumer and Asset Provider roles to the user. (An administrator can modify these automatic role assignments, so the default role assignments for your organization might be different.)
It activates the user, i.e., it allows the user to log on to CentraSite components such as CentraSite Control, using the user ID and password stored in the external authentication system.
Use the following procedure to add an individual user to an organization and optionally associate that user with an account in the external authentication system.
To add an individual user to CentraSite
In CentraSite Control, go to .
Click .
In the Organization field, specify the organization to which you want to add the user. (The drop-down list only displays organizations for which you have "Manage Users" permission.)
Click
to select the user that you want to add from the external authentication system. (Skip this step if the user you are adding to CentraSite represents an individual that will not log on to CentraSite.)
If CentraSite is configured to authenticate users using the local OS user database and you need procedures for this step, see Selecting Users from the Local OS User Database.
If CentraSite is configured to authenticate users using Active Directory or LDAP and you need procedures for this step, see Selecting Users from an Active Directory or LDAP Server.
Note that you can only search for users that are stored in the same repository as the user who is logged into CentraSite Control and is performing the current operation. For example, if your system has both internal users and LDAP users, an internal user cannot search for users that are stored in the LDAP repository.
Complete the following fields as necessary. (If you selected the user from an Active Directory or LDAP system, many of these fields will already be populated.)
In this field... | Do the following... |
---|---|
First Name | Specify the first name of the user. |
Middle Name | Optional. Specify the middle name of the user. |
Last Name | Specify the last name of the user. |
E-mail Address | Optional. Specify the user's e-mail address. Note: |
On the Address Information tab, specify the following:
In this panel... | Do the following... |
---|---|
Address | Optional. Specify the user's address information. |
Contact | Optional. Specify the phone and fax numbers for the user. You can specify multiple phone and fax numbers. |
If you have any custom properties (key-value pairs) that you want to specify for the user, select the Object-Specific Properties profile and specify the key-value pairs as follows:
Click the
button.
In the Add Object-Specific Properties dialog box, enter the name of the property and value for the property. You can add multiple values for a single property.
The name of the property can consist of letters, numbers and the underscore character (_). It cannot contain a space or other special characters.
You can optionally supply a namespace for the property.
Click .
If an administrator has added custom attributes to the User type definition, select the Attributes profile and specify the attributes as necessary. Attributes that are marked with an asterisk (*) are required. You must at least specify all required attributes.
Note:
You will see the Attributes profile only if
an administrator has added custom attributes to the User type
definition.
Click
to save the new user.
Update the Groups profile as necessary to add the user to additional groups. For procedures, see Adding a User to a Group.
Update the Roles profile as necessary to assign additional roles to the user. For procedures, see Assigning Roles to a User.
The following procedure describes how to use CentraSite's standard dialogs to search for users or groups in the local operating system's user database.
Keep the following points in mind when performing a search:
This dialog opens to an empty list. You must type a search string to retrieve a list of users or groups. To retrieve all the users or groups, leave the Search field empty and click
Search strings are not case-sensitive. The search string “bar”, for example, will find “BAR” and “Bar”.
Search strings are not accent-sensitive.
When you are searching the user list, CentraSite searches the user ID attribute, not the user name attribute. Thus, if a user has the user ID "MyDomain\AdminUser01" and the name "John Smith", a search for "Admin" will find the user, whereas a search for "John" will not.
CentraSite does a “starts with” search on the user ID or group name. The domain portion of the name is not included in the search. Thus, if a user has the user ID "MyDomain\AdminUser01", a search for "Ad" will find the user, whereas a search for "User01" or "My" will not.
You can type the wildcard characters % or * alone in the Search field to retrieve the list of all users or groups. However, you cannot combine these wildcard characters with other character sequences. The sequences “xx%” and “%xx”, for example, are not valid search strings.
CentraSite automatically filters out users that have already been added to CentraSite. For example, if the local machine has users CH001 and CH002, and user CH001 has already been added to CentraSite, a search for users starting with CH, will return user CH002, but not user CH001.
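The rules above, written as a small model so the expected result of a search string can be checked (an added example, not CentraSite code; the function names and the sample user list are constructed, and the user IDs reuse the ones quoted in the points above):

```python
"""Model of the local OS user search rules described above."""
import unicodedata


def fold(text):
    """Strip accents and case, since searches ignore both."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.casefold()


def local_os_search(search, os_users, already_added=()):
    """Return the user IDs a search would list.

    os_users      -- list of (user_id, display_name) from the local OS
    already_added -- user IDs that already exist in CentraSite
    """
    if search in ("", "%", "*"):
        prefix = ""  # empty string or a lone wildcard returns everything
    elif "%" in search or "*" in search:
        # Wildcards cannot be combined with other characters ("xx%", "%xx").
        raise ValueError("wildcards % and * are only valid on their own")
    else:
        prefix = fold(search)
    added = {fold(user_id) for user_id in already_added}
    hits = []
    for user_id, _display_name in os_users:  # the display name is never searched
        if fold(user_id) in added:
            continue  # users already in CentraSite are filtered out
        local_part = user_id.rsplit("\\", 1)[-1]  # domain portion is ignored
        if fold(local_part).startswith(prefix):
            hits.append(user_id)
    return hits


# Constructed sample data.
OS_USERS = [
    (r"MyDomain\AdminUser01", "John Smith"),
    (r"MyDomain\CH001", "Chris Hall"),
    (r"MyDomain\CH002", "Chloe Hart"),
    ("MyDomain\\Éric", "Eric Martin"),
]

if __name__ == "__main__":
    for term in ("Admin", "John", "User01", "My", "eric", "*"):
        print(repr(term), "->", local_os_search(term, OS_USERS))
```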
To search the local OS user database
In the Search field, type a search string that specifies the characters with which the user ID begins. The following are examples.
If you type... | CentraSite will return... |
---|---|
b | User IDs that begin with b. |
bar | User IDs that begin with bar. |
% | All user IDs. |
* | All user IDs. |
emptyString | All user IDs. |
Click
Repeat steps 1 and 2 until you obtain a list that contains the users that you want to add to CentraSite.
Select the users or groups that you want to add to CentraSite.
If the user that you want to add to CentraSite is not known to the local system, but is known to a domain server to which the local operating system is connected, type the user’s domain-qualified name into the Type Domain Name field. (This field is not available in all versions of this dialog.)
Note:
If you type a user ID in the Type Domain
Name field, CentraSite ignores any selections you have made in the
user list.
Click .
The following procedure describes how to use the standard dialogs to search for users or groups in an Active Directory or an LDAP server.
Keep the following points in mind when performing a search:
CentraSite treats the text you enter as a partial string. For example, if you enter "al", then "Alex", "Allen" and "Salie" all fit the search criteria.
You can use the asterisk (*) as a wildcard in the search text. CentraSite replaces the wildcard symbol with as many characters as necessary.
Searches are not case sensitive.
Searches are not accent-sensitive.
The ADS or LDAP authentication system performs a user search based on the attribute mapping specified in the authentication configuration, and displays the users that fit the search criteria. See the section Creating Authentication Configurations in the document Authentication Topics and LDAP for more information about authentication configurations.
To search an Active Directory or LDAP server
In the Search Criteria panel, create the search criteria by selecting the attribute and the condition from the respective list boxes and typing the search string in the text box.
Select a search operator: "Equals" or "NotEquals". "Equals" matches attributes that are equal to the specified value. "NotEquals" matches attributes that are not equal to the specified value.
For advanced search using multiple attribute conditions, click the plus button and add a new condition for the search.
Specify the way in which the criteria are to be combined:
To specify that a user or group must meet all criteria to be considered a match, select .
To specify that a user or group must meet at least one of the criteria to be considered a match, select .
Click .
Select the users or groups you would like to add to the organization.
Click .
You use the following procedure to add multiple users from the external authentication system to CentraSite in a single step. You can specify which organization you want to add the users to.
To bulk load users into CentraSite
In CentraSite Control, go to .
Click .
In the Bulk Load Users from External Source dialog box, select the users that you want to add to CentraSite.
If CentraSite is configured to authenticate users using the local OS user database and you need procedures for this step, see Selecting Users or Groups from the Local OS User Database.
If CentraSite is configured to authenticate users using Active Directory or LDAP and you need procedures for this step, see Selecting Users or Groups from an Active Directory or LDAP Server.
In the field Import to Organization, specify the organization into which the users will be added.
Scroll through the user list to confirm that the selected users were added successfully.
Examine each new user that you added to the specified organization and update the user's attributes as necessary. (If you selected users from an Active Directory or LDAP system, many of the new users' attributes will already be populated.)
You use the following procedure to add one or more users to CentraSite from your external authentication system.
To use this procedure, you must have "Manage Organizations" permission on the organization to which you want to add users.
To add users from an organization's Users tab
Open the Edit Organization page. If you need procedures for this step, see the section Viewing or Editing the Attributes of an Organization in the document Managing Organizations.
Select the Users profile and click .
In the Add Users dialog box, select the users that you want to add to CentraSite.
If CentraSite is configured to authenticate users using the local OS user database and you need procedures for this step, see Selecting Users or Groups from the Local OS User Database.
If CentraSite is configured to authenticate users using Active Directory or LDAP and you need procedures for this step, see Selecting Users or Groups from an Active Directory or LDAP Server.
Scroll through the user list to confirm that the selected users were added successfully.
Click
to save the updated organization.
Examine each new user that you added to the organization and update the user's attributes as necessary. (If you selected users from an Active Directory or LDAP system, many of the new users' attributes will be populated already.)
If you have associated a CentraSite user with an external user, you may wish to change the association to a different external user.
This can be required, for example, if the responsibility for certain CentraSite assets moves from one person to another person in the same authentication domain. By reassociating the user, you can keep the name of the CentraSite user unchanged while changing to a new external owner.
Another possible use would be to handle user IDs when the default domain name changes, e.g. when switching from operating system authentication to LDAP authentication.
CentraSite provides a command line tool, ReassociateUsers, that allows you to reassociate one or more CentraSite users with new external user IDs. The tool is implemented as an executable jar and can only be run by a user who has the CentraSite Administrator role.
This command line tool reassociates CentraSite users with new external user IDs. Any permissions that were granted for the old external user ID will be modified to grant those permissions for the new external user ID.
Before you run the command line tool, create a database backup.
The tool consists of an executable jar file in the bin folder of the CentraSite installation. It requires a Java 6 runtime and needs to be called in the following way:
java -jar ReassociateUsers.jar <CentraSite DB URL> <administrator user id> <password> <old user id> <new user id>
or
java -jar ReassociateUsers.jar <CentraSite DB URL> <administrator user id> <password> <mapping file name>
For example:
java -jar ReassociateUsers.jar "http://localhost:53307/CentraSite/CentraSite" DOMAIN\admin pAsSw0rD OLDDOMAIN\oldUser NEWDOMAIN\newUser
The first form (5 arguments) is for reassociating a single user, whereas the second form (4 arguments) is for reassociating multiple users in one execution of the tool.
When using the second form, the fourth argument specifies a text file that contains the user IDs. Each line of the mapping file contains one comma-separated pair of old and new user ID. A user ID must not occur more than once in these mappings.
The tool first checks for the following preconditions, which must all be met, otherwise the tool stops and no users will be reassociated:
there is a unique registry object for the old user ID
the old user ID can be uniquely identified in the security configuration
there is no registry object for the new user ID
there is no security configuration for the new user ID
the reassociated user is a login user
the reassociated user is not the CentraSite administrator user who is running the utility
the domain of the new user ID must exist in the security configuration
a GUI configuration does not exist for the new user ID
If all preconditions are met, the tool performs the reassociation. This process may take some time. The tool progress is reported to standard output.
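Because the tool stops without reassociating anyone when a precondition fails, it is worth checking the mapping file before running it. The following is an added example, not part of CentraSite or the ReassociateUsers tool: it checks the file format and the preconditions that can be verified without the registry. It assumes that user IDs compare case-insensitively, that blank lines are ignored, and that the list of configured domains is supplied by the caller; the function names and sample lines are constructed.

```python
"""Pre-flight check for a ReassociateUsers mapping file."""
from collections import defaultdict


def parse_mapping(lines):
    """Return (pairs, errors); pairs are (line_no, old_id, new_id)."""
    pairs, errors = [], []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        fields = [field.strip() for field in line.split(",")]
        if len(fields) != 2 or not all(fields):
            errors.append(f"line {line_no}: expected one 'old,new' pair")
            continue
        pairs.append((line_no, fields[0], fields[1]))
    return pairs, errors


def check_mapping(lines, admin_id, known_domains=None):
    """Return a list of problems; an empty list means the file looks usable."""
    pairs, errors = parse_mapping(lines)
    domains = None
    if known_domains is not None:
        domains = {d.lower() for d in known_domains}
    occurrences = defaultdict(list)
    for line_no, old, new in pairs:
        # A user ID must not occur more than once, in either column.
        for user_id in (old, new):
            occurrences[user_id.lower()].append(line_no)
        # The administrator running the tool cannot be reassociated.
        if old.lower() == admin_id.lower():
            errors.append(
                f"line {line_no}: {old} is the administrator running the tool")
        # The domain of the new user ID must exist in the configuration.
        if domains is not None and "\\" in new:
            domain = new.split("\\", 1)[0]
            if domain.lower() not in domains:
                errors.append(
                    f"line {line_no}: domain {domain} of new user ID "
                    "is not configured")
    for user_id, where in occurrences.items():
        if len(where) > 1:
            listed = ", ".join(str(n) for n in where)
            errors.append(
                f"user ID {user_id} occurs more than once (lines {listed})")
    return errors


# Constructed sample mapping file, one entry per line.
SAMPLE_LINES = [
    r"OLDDOMAIN\alice,NEWDOMAIN\alice",
    r"OLDDOMAIN\bob,NEWDOMAIN\bob",
    r"OLDDOMAIN\carol",
    r"OLDDOMAIN\dave,NEWDOMAIN\bob",
    r"DOMAIN\admin,NEWDOMAIN\admin2",
    r"OLDDOMAIN\erin,TYPO\erin",
]

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_LINES, r"DOMAIN\admin", {"NEWDOMAIN"}):
        print(problem)
```

The remaining preconditions (registry objects, security configuration and GUI configuration for each ID) can only be checked by the tool itself. Because the tool takes the administrator password as a command-line argument, run it from a session whose shell history and process list are not visible to other users.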
You use the Users page to view the list of users defined on CentraSite.
To view the users list
In CentraSite Control, go to
to view the list of all users that are defined in CentraSite.
Or:
Go to the Edit Organization page and choose the Users profile to view the list of users in that particular organization. If you need procedures for this step, see the section Viewing or Editing the Attributes of an Organization in the document Managing Organizations.
If you want to filter the list, type a partial string in the Search field. CentraSite applies the filter to the Name column.
If you type... | CentraSite Displays |
---|---|
b | Names that contain "b" |
bar | Names that contain "bar" |
% | All names |
The users list provides the following information about each user:
Column | Description |
---|---|
Name | The name of the user. |
User ID | The login ID of the user. |
Organization | The name of the organization to which the user belongs. |
Can Log On | The status of the user, shown as an icon: the user is active (can log on to CentraSite) or the user is inactive (cannot log on to CentraSite). |
You use the Edit User page to examine or modify information about a user.
Note:
Changing the value of the Organization field
moves the user to the specified organization (without moving the user's
assets). You can only change this field if you belong to the CentraSite
Administrator role. For information about how CentraSite processes the
movement of a user to another organization, see Moving a User to a Different
Organization.
To view or edit a user's information
In CentraSite Control, go to .
On the Users page, locate the user whose details you want to view or edit.
From the user's context menu, select the Details command.
View or edit the attributes on the Edit User page as necessary. For additional information about the attributes on this page, see the relevant steps in Adding an Individual User to CentraSite.
If you have made any changes to the users, click .
You can view details for multiple users as follows:
To view details for multiple users
In CentraSite Control, go to .
Mark the checkboxes of the users whose details you want to view.
In the
menu, click .
The Details view of each of the selected users is now displayed.
Use the following procedure to add a user to or remove a user from a locally managed group (i.e., a group whose membership is defined within CentraSite, not on the external authentication system).
To add a user to a group
Open the Edit User page for the user whose group assignments you want to edit. If you need procedures for this step, see Viewing or Editing Information about a User.
On the Edit User page, choose the Groups profile and do the following:
To add a user to a group, click
and select the groups to which you want to add the user.
To remove a user from a group, select the groups from which you want to remove the user and click .
Note: You cannot remove the user from any of the system-defined groups.
Click .
Use the following procedure to assign a role to or remove a role from a user.
To assign roles to a user
Open the Edit User page for the user whose role assignments you want to edit. If you need procedures for this step, see Viewing or Editing Information about a User.
In the Edit User page, choose the Roles profile and do the following:
To assign roles to the user, click
and select the roles that you want to give to the user.
To remove roles assigned to a user, select the roles that you want to remove and click .
Click .
Use the following procedure to display the list of assets that a particular CentraSite user owns.
To view a user's assets from the Edit User page
Open the Edit User page for the user whose assets you want to view. If you need procedures for this step, see Viewing or Editing Information about a User.
In the Edit User page, choose the Assets profile, which displays the list of assets that the user currently owns.
CentraSite Control offers the ability to activate or deactivate a user.
Activating a user account changes its status to Activated and allows the user to log on to CentraSite Control. Deactivating a user account changes its status to Deactivated and denies the user the privilege to log on to CentraSite.
A deactivated user cannot be assigned permissions, execute policies or become the owner of new assets. Also, a deactivated user cannot be part of an approval group. Furthermore, if a user who was part of an approval group, or who is the only member of the approval group, is deactivated, the policy with that particular approval group is itself marked as failed.
You usually deactivate a user to prevent that user from logging on to CentraSite (temporarily or permanently). You must also deactivate a user account in order to delete it.
When you activate or deactivate a user, keep the following points in mind:
You cannot deactivate the only remaining user in the CentraSite Administrator role in the CentraSite registry/repository or the only remaining user in the Organization Administrator role within an organization.
You cannot deactivate the user who is an authorized approver for an approval flow that is in the Pending state.
You can activate or deactivate users in any of the following ways:
From the Users page.
From the Edit User page.
From the Edit Organization page.
To activate or deactivate a user via the Users page
In CentraSite Control, go to .
On the Users page, enable the checkbox next to the name of the user that you want to activate or deactivate. (You can select multiple users.)
From the Actions menu, choose Activate or Deactivate as needed.
Verify that the user's state has changed by checking the icon in the Can log on column.
Icon | Description |
---|---|
 | The user is active (can log on to CentraSite Control). |
 | The user is inactive (cannot log on to CentraSite Control). |
To activate or deactivate a user via the Edit User page
Open the Edit User page for the user whom you want to activate or deactivate. If you need procedures for this step, see Viewing or Editing Information about a User.
In the Edit User page, click the Activate User or Deactivate User button as needed.
To activate or deactivate a user via the Edit Organization page
Open the Edit Organization page for the organization to which the user belongs. If you need procedures for this step, see the section Viewing or Editing the Attributes of an Organization in the document Managing Organizations.
On the Users tab, enable the checkbox next to the name of the user that you want to activate or deactivate. (You can select multiple users.)
From the Actions menu, choose Activate or Deactivate as needed.
Deleting a user permanently removes a user from the CentraSite registry/repository. When deleting a user, keep the following points in mind:
You cannot delete an active user. You must deactivate the user before you delete it. For procedures, see Activating or Deactivating a User.
You cannot delete a user if any of the following conditions exist:
The user functions as the primary contact of an organization.
The user owns one or more assets in CentraSite.
Deleting a user from CentraSite does not delete the user from the external authentication system.
Make sure that at least one active user with the CentraSite Administrator role always resides in the Default Organization. Even if you plan to switch CentraSite's user authentication from one domain to another (such as, from the OS to an Active Directory or LDAP domain), to prevent a system lockout, make sure you have at least one user in the CentraSite Administrator role defined on CentraSite.
To delete a user
In CentraSite Control, go to Administration > Users > Users to display the users list.
Ensure that the user is inactive (see Activating or Deactivating a User).
Enable the checkbox next to the name of the user that you want to delete.
Click .
When you are prompted to confirm the delete operation, click .
The user is permanently removed from the CentraSite registry/repository. If the user had an associated user account in the external authentication system, that account is not affected.
You can delete multiple users in a single step. The rules described above for deleting a single user apply also when deleting multiple users.
Important:
If you have selected several users where one or more of them are
predefined users (such as bootstrap user, for example), you can use the
button to delete the users. However, as you are
not allowed to delete predefined users, only users you have permission for will
be deleted. The same applies to any other users for which you do not have the
required permission.
To delete multiple users in a single operation
In CentraSite Control, go to Administration > Users > Users to display the users list.
Ensure that the users are inactive (see Activating or Deactivating a User).
Mark the checkboxes of the users that you want to delete.
From the Actions menu, choose Delete.
When you are prompted to confirm the delete operation, click .
Each selected user is permanently removed from the CentraSite registry/repository. If the user had an associated user account in the external authentication system, that account is not affected.
In some circumstances, a user object cannot be deleted using the method described in the section Deleting a User above, because internal objects that reference the user object cannot be deleted. It can happen, for example, that there are internal references to a user object even though the user is no longer the owner of any assets. There can also be references to the user object in the audit log. In such circumstances, a user object can only be deleted by using a Java command line tool DeleteUser provided specifically for this purpose.
Important:
This tool is for use by administrators only, and should only be
used if the method described in Deleting a
User is not successful. In particular, the tool does not activate
any policies that you might have defined.
This command line tool deletes a user, after transferring ownership of all of the user's objects to another user (the "target" user). It also redirects to the target user all associations that referred to the user to be deleted. Any ACLs granting rights for the user to be deleted will be modified to grant those rights to the target user. If the user to be deleted was the primary contact of an organization, the target user will be assigned that role.
To make the ownership transfer visible in the audit logs, an "OWNERSHIPTRANSFERRED" event is created for every registry object that references the user object. The description of the auditable event includes the original owner and states that a delete user operation has been executed.
The tool's combined operation performs the following steps:
Transfer ownership of objects to the target user
Redirect internal references to the target user
Transfer access rights to the target user
Transfer group memberships to the target user
Remove the GUI configuration
Remove the user object
The tool consists of an executable jar file in the bin folder of the CentraSite installation. It requires a Java 6 runtime and needs to be called in the following way:
java DeleteUser <CentraSite DB URL> <administrator user id> <password> <id or key of user to be deleted> <id of target user>
Examples:
java DeleteUser "http://localhost:53307/CentraSite/CentraSite" DOMAIN\admin pAsSw0rD DOMAIN\oldUser DOMAIN\newUser
java DeleteUser "http://localhost:53307/CentraSite/CentraSite" DOMAIN\admin pAsSw0rD uddi:1e5aff10-f3e3-11df-86fc-a6e2fa0ea483 DOMAIN\newUser
Please note that the target user must be active before using this tool. The user to be deleted must be deactivated.
The operation to delete a user requires several steps that cannot run within a single transaction. This means that every transaction running in parallel can see intermediate results. Therefore, ensure that no other activity is in progress while you run the tool. Moreover, if any of the steps fails during execution, the registry is left in an intermediate state. The original state cannot be recovered by rolling back the complete operation.
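The invocation and its preconditions, as an added example that is not part of the CentraSite distribution: a small Python wrapper that validates the five arguments of the synopsis above, masks the password in the change record, and passes the arguments to java as a list. It assumes `java DeleteUser` resolves exactly as in the examples above; the function names and the operator prompt are hypothetical.

```python
import getpass
import subprocess


def build_argv(db_url, admin_id, password, user_to_delete, target_user):
    """Return the argv list for the page's `java DeleteUser ...` call."""
    fields = {"db_url": db_url, "admin_id": admin_id, "password": password,
              "user_to_delete": user_to_delete, "target_user": target_user}
    for name, value in fields.items():
        if not value:
            raise ValueError(f"{name} is empty")
    if not db_url.startswith(("http://", "https://")):
        raise ValueError("db_url must be the CentraSite DB URL")
    # The synopsis accepts a key only for the user to be deleted.
    if target_user.lower().startswith("uddi:"):
        raise ValueError("target_user must be a user id, not a key")
    # Added check: ownership cannot go to the account being removed.
    if user_to_delete.casefold() == target_user.casefold():
        raise ValueError("target user must differ from the user to be deleted")
    return ["java", "DeleteUser", db_url, admin_id, password,
            user_to_delete, target_user]


def redact(argv):
    """Copy of argv with the password masked, safe for a change record."""
    shown = list(argv)
    shown[4] = "********"
    return shown


def run_delete_user(argv, registry_is_quiet):
    """Run the tool once; its steps do not share a transaction."""
    if not registry_is_quiet:
        raise RuntimeError("stop other registry activity before running")
    print("running:", " ".join(redact(argv)))
    # A list (no shell) reaches java unchanged, so a POSIX shell cannot
    # strip the backslash from an unquoted DOMAIN\user argument.
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    argv = build_argv(input("CentraSite DB URL: "), input("Administrator id: "),
                      getpass.getpass("Password: "),
                      input("User to delete (id or key): "),
                      input("Target user id: "))
    quiet = input("No other registry activity in progress? [y/N] ") == "y"
    raise SystemExit(run_delete_user(argv, quiet))
```

Because the synopsis takes the password as a positional argument, it remains visible in the java process's argument list for as long as the tool runs; the wrapper only keeps it out of shell history and the change record.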
The organization to which a user belongs determines, among other things, the organization to which the user's assets are published (by default) and the organization whose asset catalog the user can view (by default).
If a user transfers to a department or work group in another organization within your enterprise, you use the Move command to mirror that change in CentraSite. When you move a user to another organization, you can also move the user's assets to the target organization or you can leave them with their current organization.
To move a user to another organization, you must belong to the CentraSite Administrator role.
When you move a user to another organization, CentraSite does the following:
Records the user's organization change in the audit log.
Removes the user from the system groups in the user's former organization and adds the user to the system groups in the target organization.
Triggers pre- and post-update policies on the User object as appropriate (see below).
Transfers the assets that the user owns to the target organization (if specified).
Sends a notification to the inbox of the moved user when the move is complete.
The following sections describe the effect that an organization change has on various aspects of a user. Before transferring a user to another organization, review this information so you understand how the user will be affected.
When you move a user to another organization, the user is removed from the following system groups in his or her former organization and added to these groups in the target organization:
Users
Members
The user retains all other group memberships.
Members of the Users group for an organization have implicit View permission on the organization's assets. Because CentraSite transfers users from one Users group to another during a move, the moved users lose implicit access to the assets in their former organization (except for the assets that they own) and receive implicit access to the assets in the target organization. If users require continued access to the assets in their former organization, consider granting the Asset Consumer role (in the former organization) to them after the move.
Important:
If there are any explicit instance-level or role-based
permissions assigned to the Users and/or Members groups in their former
organization, be aware that users will also lose those permissions when they
leave the organization.
Moving users to another organization does not affect any instance-level permissions or role-based permissions that are granted directly to their user accounts or to any non-system groups (i.e., groups besides Users and Members) to which they belong. Therefore, other than losing access to certain assets as a result of leaving the Users and/or Members groups in their former organization, users continue to have access to the same set of assets as they had before the move.
When you move users to another organization, they lose the roles that were assigned to the Users and/or Members groups in their former organization and gain the roles that are assigned to the Users and/or Members groups in the target organization. Other than this change, users retain all of their other role assignments.
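The group, permission and role rules above, as an added example for an access review before a move (not CentraSite code): a small Python model that computes which roles and viewable assets a user loses and gains. The data layout, the function names and all organization, asset and role names other than Asset Consumer are constructed for illustration.

```python
SYSTEM_GROUPS = ("Users", "Members")  # the only memberships a move changes


def access(user, org):
    """Return (roles, viewable assets) for `user` while a member of `org`."""
    roles = set(user["direct_roles"])
    for group_roles in user["other_groups"].values():
        roles |= group_roles                    # non-system groups are kept
    for name in SYSTEM_GROUPS:
        roles |= org["system_group_roles"].get(name, set())
    viewable = set(org["assets"])               # implicit View via Users
    viewable |= org["system_group_grants"]      # explicit grants to Users/Members
    viewable |= user["owned"] | user["direct_grants"]
    return roles, viewable


def move_impact(user, former, target):
    """Diff of roles and viewable assets caused by moving `user`."""
    roles_before, view_before = access(user, former)
    roles_after, view_after = access(user, target)
    return {
        "lost_roles": roles_before - roles_after,
        "gained_roles": roles_after - roles_before,
        "lost_view": view_before - view_after,
        "gained_view": view_after - view_before,
    }


# Constructed sample data; all names below are illustrative.
ORG_A = {"assets": {"billing-api", "ledger-api", "payroll-api"},
         "system_group_roles": {"Users": {"Catalog Editor"}},
         "system_group_grants": {"shared-schema"}}
ORG_B = {"assets": {"crm-api"},
         "system_group_roles": {"Users": {"Asset Consumer"}},
         "system_group_grants": set()}
ALICE = {"direct_roles": {"Release Reviewer"},
         "other_groups": {"Architects": {"Design Approver"}},
         "owned": {"ledger-api"},
         "direct_grants": {"payroll-api"}}

IMPACT = move_impact(ALICE, ORG_A, ORG_B)
```

The entries in `lost_view` are the assets for which continued access would have to be granted again after the move, for example through the Asset Consumer role in the former organization.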
You can transfer active or inactive users.
You cannot move the default user or any other internal user that is installed by CentraSite.
When you move a user to another organization, you can optionally move all of the user's assets to the target organization at the same time. If you choose to do this, CentraSite will process the transfer of those assets as described in the section Changing the Ownership of an Asset in the document Using the Asset Catalog.
Note:
Transferring a user and the user's assets is an "all or nothing"
operation. If the transfer of any one asset fails, neither the user nor the
user's assets are moved.
CentraSite treats the move operation as an update to the User object. Thus, moving a user to a different organization triggers the execution of pre-update and/or post-update policies that apply to User objects. If a pre-update policy fails, the user is not moved into the target organization.
Note:
It is the policies of the target organization that
CentraSite applies to the move.
This section provides procedures for moving a user to another organization. (Note that the following contains procedures for transferring an individual user and for transferring multiple users.)
Use the following procedure to move an individual user to a specified organization.
To move an individual user
In CentraSite Control, go to Administration > Users > Users.
Locate the user that you want to move, and from its context menu, select Move.
In the Move User(s) dialog box, select the organization to which you want to move the user.
If you want to filter the organization list, type a partial string in the search field.
Note:
If you want CentraSite to also transfer the assets owned by
the selected user, enable the Move Assets owned by the selected
user(s) to the new organization option.
If you do not enable this option, the user's existing assets will remain in the organization to which they are currently assigned (the transferred user will continue to serve as their owner).
Click the dialog's confirmation button.
Note:
You can also move a user from the Users tab
on the Edit Organization page and from the Organization
field on the Edit User page. (Be aware that if you move a user using the
Organization field on the Edit User page, you cannot move
the user's assets at the same time.)
Use the following procedure to move multiple users to a specified organization.
Important:
If you have selected several users where one or more of them
are predefined users (such as bootstrap user, for example), you can use the
button to transfer the ownership of all of the
selected users. However, as you are not allowed to transfer ownership of
predefined users, only users you have permission for will be
transferred.
To move multiple users
In CentraSite Control, go to Administration > Users > Users.
Select the users that you want to move to a particular organization.
Click the Actions link and select Move.
In the Move User(s) dialog box, select the organization to which you want to move the selected users.
If you want to filter the organization list, type a partial string in the search field.
If you want CentraSite to also transfer the assets owned by the selected users, enable the Move Assets owned by the selected user(s) to the new organization option.
If you do not enable this option, the assets will remain in the organizations to which they are currently assigned (the transferred users will continue to function as owners of the assets even though the assets are not transferred to the target organization).
Click the dialog's confirmation button.
Note:
You can also move multiple users using the
Actions link on the Users tab on the
Edit Organization page.