Table of Contents
- Organization of users and rights
- Setting up user templates
- Set up users
- Authentication with the xentral OTP Stick (optionally available)
- Workflow: Create user + address and assign rights
- Rights history
The fine-grained rights system of xentral makes it possible to restrict access to data for each employee according to their tasks in the company. This makes xentral suitable for use by all hierarchical levels and departments, without allowing sensitive information to be viewed by unauthorized persons.
This module is relevant for everyone.
Organization of users and rights
Rights are assigned via user templates (which correspond to user groups) and users. A separate user (account) should be created for each employee who uses xentral.
Depending on the organizational structure, it may make sense to assign rights not directly to users, but via user templates. For example, a user template with correspondingly set rights could be created for each department. The users (accounts) of the department members can then be assigned to this user template. This saves the tedious and error-prone setting or changing of rights for each individual user.
When assigning user templates, note that additional rights can still be granted individually to the user. Rights that the user receives through the user template, however, cannot be withdrawn individually! The assignment of a user template is described below in the section 'Set up users'.
Setting up user templates
User templates can be set up under Administration → Settings → User Template.
Before the rights of the user template can be set under the 'Rights' tab, the newly created template must be saved. The rights assigned here will be inherited by the respective user when the user template is assigned.
Note: Rights highlighted in gray are not granted, rights highlighted in blue are granted.
Templates can be duplicated under the 'Copy templates' tab. This function reduces the effort if a template is to be created that is very similar to an existing one in terms of rights. If changes are subsequently made to a user template, click on the 'Match rights' tab in the template list after saving to apply the change to those users who are linked to a user template.
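The inheritance rules above, written out as a small audit (an added example, not xentral code): a user's rights are the template rights plus individual additions, template rights cannot be withdrawn per user, and saved rights can drift from the template until the rights are matched. The right names, the `User` layout and the `stored` field are assumptions made for illustration and do not reflect xentral's data model.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    template: str | None = None                     # linked user template (optional)
    extra: set[str] = field(default_factory=set)    # rights granted individually
    stored: set[str] = field(default_factory=set)   # rights currently saved on the account

# Constructed sample data; right names and this layout are hypothetical.
TEMPLATES = {"logistics": {"warehouse.list", "shipping.create"}}
USERS = [
    User("meierjo", "logistics", {"invoice.view"},
         {"warehouse.list", "shipping.create", "invoice.view", "address.delete"}),
    User("schmidtan", "logistics", set(), {"warehouse.list"}),
]

def inherited(user):
    """Rights the user receives through the linked template."""
    return set(TEMPLATES.get(user.template, set())) if user.template else set()

def effective_rights(user):
    """Template rights plus individual additions."""
    return inherited(user) | user.extra

def withdraw(user, right):
    """Remove an individually granted right. Returns False for a right that
    comes from the template: it can only be changed on the template itself."""
    if right in inherited(user):
        return False
    user.extra.discard(right)
    return True

def audit(users):
    """Per user: individual extras to review, and drift between the saved
    rights and template + extras (what matching the rights would reconcile)."""
    report = {}
    for u in users:
        expected = effective_rights(u)
        report[u.name] = {
            "beyond_template": sorted(u.extra - inherited(u)),
            "missing": sorted(expected - u.stored),
            "stale": sorted(u.stored - expected),
        }
    return report

if __name__ == "__main__":
    for name, findings in audit(USERS).items():
        print(name, findings)
```

Entries under `beyond_template` are the individually granted rights worth reviewing against least privilege; `stale` entries are rights an account still holds although neither the template nor an individual grant justifies them.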
Set up users
Users can be created under Administration → Settings → Users. Note that the employee for whom a new user (account) is to be created must be created under Master data → Addresses.
A new user can be created using the "+NEW" button:
- User is active → Selection that the user is actively used.
- User name → Unique user name, e.g. employee's last name + first two letters of first name
- Address from master data → Reference to the corresponding data record in 'Master data → Addresses'.
- Password/repeat password → Password for login in xentral
- Account type → User ('Administrator' only for system administrator)
- Internal department → Department of the user
- Calendar color → selection of the color with which the user's appointments are to be displayed in the calendar
- Allow remote access → only if required (e.g. for field staff) or if xentral has been installed on an external server
- Start page → selection of the start page for the user
- Failed logins → number of failed logins that lead to the user being locked out
- User template → Optional: user template to be used, the user inherits all rights of the template
- Identifier → Entry of the identifier from the RFID mobile device so that it can be identified via RFID chip when logging in.
- Selection → Selection of login method
- HW Key → required when logging in via USB stick or hardware
- HW Counter → is required when logging in via USB stick or via hardware
- HW Datablock → is required when logging in via USB stick or via hardware
- Prefer project → Specify a project to be used preferentially for this user. When creating documents, the project field is pre-filled with this project. This makes sense, for example, if the employee works as a packer in the logistics process, who should only work on a special project.
- Language → Select the language
- Prefer own e-mail → Specify that the own e-mail is always preferred over the company address.
- Default printer → Selection of the default printer
- Default label printer → Selection of the default label printer.
- Printer level shipping → If the employee has, e.g., his own printer for the packing table in the logistics process.
- Printer Level Parcel Label → If the employee has his own printer for the parcel labels, for example.
- Standard fax → Selection of the standard fax machine
- GPS time clock → Selection that a GPS time clock should be used for this user.
- Hide in calendar/chat → Selection that the user should be hidden in the calendar or chat.
- ICS Calendar → Select that the calendar is in ICS format.
- ICS calendar password → specify the password for the ICS calendar
- Docscan/WebDAV upload → the user can be unlocked for the Docscan app by checking this box and entering the password from Docscan.
- Docscan/WebDAV password → enter the password for the Docscan app.
- Role → Select the role of the user e.g. Sales, Accounting, etc.
Copy rights from user
- Copy rights from user → If the new user to be created is to have the same rights as another user created previously, this can be selected here. The user that is created will then have exactly the same rights as the other user.
Upload rights file
- Select file → Upload a file containing the rights of the user
Before individual permissions can be assigned under the 'Permissions' tab, the newly created user must be saved.
In the Rights tab, the rights for the new user can be configured.
After the user has been set up successfully, he can log in to xentral. Menu items and functions for which he has no rights are not visible to him in the user interface.
Authentication with the xentral OTP Stick (optionally available)
The xentral OTP stick serves as additional security when logging in to xentral. An OTP stick can only be used by one user, and generates a unique key sequence each time it is used. Therefore, the login is only successful if each of the following requirements is met:
- username and password are valid
- the user has the correct xentral OTP stick.
To configure this kind of login for a user, the following settings have to be made in the section "EXTERNAL LOGIN" (see also screenshot):
- HW Token: Select the setting "xentral LoginKey + Username + Password".
- HW Key: Enter here the hardware key that was assigned by xentral when you purchased the OTP stick
- HW Counter: The counter has to be set to 0
- HW Datablock: Here you have to enter the datablock which was assigned by xentral when you bought the OTP stick.
Login with the xentral OTP Stick
When logging into xentral with the OTP stick, proceed as follows:
- Enter user name
- Enter password
- Place the cursor in the text field "optional OTP" (marked in the screenshot)
- Insert the xentral OTP stick into a USB port on the computer
- Wait until the OTP stick has issued its key sequence completely. It is not necessary to confirm with ENTER.
- Remove the OTP stick from the computer
It should be noted that in case of a failed login, due to the use of the wrong OTP stick, the standard error message "Username or password incorrect." is displayed.
Authentication with mOTP (iOS/Android)
Note: Since there were more and more problems with mOTP, xentral decided to switch to TOTP.
The old entry for mOTP is kept below:
To use mOTP as 2-factor authentication, different apps are required depending on the mobile device (iOS/Android).
iOS: Using the mOTP - mobile OneTimePasswords app
- Generate mOTP secret: open the app and generate an mOTP secret.
- Store the generated secret with the respective user (you can also have the secret sent to you by e-mail).
- Enter the self-selected PIN and generate a one-time password.
- The user data and the generated password can now be used to log in securely.
Android: Using the DroidOTP app
- Create a profile in the app.
- Select "4-digit PIN" as the OTP type.
- Generate the mOTP secret; there are 3 different options available here.
- Store the secret and the desired PIN in the user.
- Enter the 4-digit PIN and enter the generated password in the login screen of xentral.
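How the secret, the PIN and the generated one-time password fit together in the published Mobile-OTP (mOTP) scheme, shown as an added example that is not xentral's implementation. The sample secret and PIN are constructed, and the ±180-second acceptance window and the replay set are assumptions about how a server would typically verify such a password.

```python
import hashlib
import hmac

STEP = 10  # Mobile-OTP counts time in 10-second slots

def motp(secret: str, pin: str, epoch: int) -> str:
    """First 6 hex digits of MD5(time slot + secret + PIN)."""
    slot = str(int(epoch) // STEP)
    return hashlib.md5((slot + secret + pin).encode()).hexdigest()[:6]

def verify(candidate, secret, pin, now, used, window=180):
    """Accept a password valid for any slot within +/- window seconds of the
    server clock, once only. `used` is the per-user set of consumed slots."""
    centre = int(now) // STEP
    span = window // STEP
    given = candidate.strip().lower().encode()
    match = None
    for slot in range(centre - span, centre + span + 1):
        expected = motp(secret, pin, slot * STEP).encode()
        if hmac.compare_digest(expected, given):   # constant-time comparison
            match = slot
    if match is None or match in used:
        return False        # wrong secret/PIN, clock too far off, or replay
    used.add(match)
    return True

# Constructed sample values, not real credentials.
SECRET, PIN, T0 = "0123456789abcdef", "4711", 1_700_000_000

if __name__ == "__main__":
    used = set()
    code = motp(SECRET, PIN, T0)
    print(code, verify(code, SECRET, PIN, T0 + 60, used))   # 60 s clock skew is accepted
    print(verify(code, SECRET, PIN, T0 + 60, used))          # replay is refused
```

Because the server recomputes the password from the stored secret and PIN, both values must be stored with the user exactly as entered in the app, and the clocks of phone and server must agree within the window.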
Workflow: Create user + address and assign rights
The entire workflow for a user (create address + create and link user) is located here.
Rights history
The History tab provides an overview of the rights given to and taken from users. Log entries are made both when rights are distributed directly and when a template file is used or rights are copied.