Configure user permissions
By default, all users who have login access to the computer running Connexion have access to all of Connexion's features. If you would like to limit specific users to specific Channel Groups or tabs, or to a limited subset of functionality, you will need to configure Connexion's Authorization feature.
This step-by-step guide will demonstrate how to configure different permission sets for different classes of users within your Connexion installation.
Step-by-step guide - General Setup of Connexion's Authorization feature
- Run the InstallWizard from the desktop, or via the Windows Start Button
Click the "Next" button until you come to the page that contains the "Authorized Users/Groups..." settings.
All Windows NT users and groups (local to the machine, or Windows NT Domain) specified here will have Administrator access to Connexion. This means they have unrestricted access to all features of Connexion, including adding/deleting other users. It is recommended that only a single user, or a very small group of users, is given permission at this level, to minimize the number of users that have "super-user" access. In the example above, we have chosen to give administrator access to only the user Jonathan, who exists as a user on the local machine only.
Next, launch the Connexion.Client application. (Please note: only users, or groups of users, that were configured in step 1 will be able to log in to the system. In the example above, only the user Jonathan will be able to log in.)
- Select the System Configuration button and then the "Authorization" tab on the left.
If this is a new installation, there will be a single Role displayed called "Administrators". Other roles can be added to the system; however, there is only a single "Administrators" Role for the system. Members of this Role have "super-user" access. In the screenshot above, only the user Jonathan currently has the Administrators Role. This was configured in the InstallWizard back in step 2.
You can add additional Administrative users, or groups of users, by editing the contents of the "Maps to (additional):" text box. For example, to add the user Nick and the FFI users group, both from the domain Conevity, you would add the following: Conevity\Nick; Conevity\FFI.
Note: The Connexion Server machine MUST be part of the domain to use users and groups from the domain. In the example above, the Connexion server machine would need to be part of the Conevity domain.
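A pre-flight check for "Maps to" entries, as an added example that is not part of the original guide or of Connexion: it splits a semicolon-separated list like the one above, confirms the machine is domain-joined when an entry names a domain, and resolves each entry to a SID so that typos are caught before the entry is saved. It assumes entries are written as MACHINE\name or DOMAIN\name; the script and its $MapsTo parameter are illustrative names.

```powershell
# Added example: pre-flight check for a Connexion "Maps to" list.
# Run it on the Connexion Server machine. The default value is the page's example.
param([string]$MapsTo = 'Conevity\Nick; Conevity\FFI')

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$entries = $MapsTo -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($entry in $entries) {
    # Assumption: the text before the backslash is a machine name or a domain name.
    $prefix = if ($entry -match '\\') { ($entry -split '\\', 2)[0] } else { $env:COMPUTERNAME }
    $isLocal = $prefix -ieq $env:COMPUTERNAME

    $sid = $null
    $problem = $null
    if (-not $isLocal -and -not $cs.PartOfDomain) {
        # Domain users and groups only work when the server is a domain member.
        $problem = 'domain principal, but this machine is not joined to a domain'
    }
    else {
        try {
            # Name-to-SID lookup; throws if the user or group is unknown.
            $account = [System.Security.Principal.NTAccount]::new($entry)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
        catch {
            $problem = 'does not resolve to a user or group'
        }
    }

    [pscustomobject]@{
        Entry   = $entry
        Scope   = if ($isLocal) { 'local' } else { 'domain' }
        Sid     = $sid
        Problem = $problem
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object Problem) {
    Write-Warning 'Fix the entries above before saving them in the Authorization tab.'
    exit 1
}
```

Every entry that resolves is a principal that will receive the access of the Role it is mapped to, so the output doubles as a review list of who is about to be granted that access.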
Step-by-step guide - Configure a new Role
In this step-by-step we will configure read-only access for a single user: "Bob" who will have access to only a single tab called: "RIS to FFI". The Role will be called "Customer Access".
- First we will need to create a Windows NT user account for the user Bob on the Connexion Server machine. If the user already has an account on the local machine, or if the Connexion Server is part of a domain that already has an account for Bob, this step can be skipped.
To configure a new user on Connexion Server, bring up the Windows Computer Management dialog, right-click on the "Users" folder and click "Add".
- Create the user, and set a password for him to access the system.
- Next, start the Connexion.Client application as a user that is a member of the "Connexion Administrators Role" (see above for instructions on how to configure an Administrative user).
- Select the System Configuration button
- Click on the "Add Role" button
- Change the name of the role by changing the contents of the "Name:" textbox. Change this to be "Customer Access".
- For the Role to function properly it needs to be mapped to one or more Windows users or groups. This is done by editing the contents of the "Maps to:" textbox. In this example we have mapped the "Customer Access" Role to the user Bob on the local machine.
- Next, we will set the permissions that the Role will allow users to perform. We will do this by selecting "ReadOnly" from the "Default Role:" drop-down. This will pre-select functions that might be suitable for a user with read-only access. The list of permissions can then be modified to allow/deny the user different functions within the Connexion application. In this example, we have chosen to allow the user to: 1) Stop/Start/Pause channels, 2) Query for messages in the Queue, 3) View messages within the Queue.
- The next step is to configure which Groups, or Tabs the Role has access to. By default, the Role will have the same permissions across all Groups and Tabs. If you would like to limit the access of the Role to particular Groups and Tabs, then deselect the "This role has access to all groups and tabs" radio button and make the appropriate selections. In this example we wish the Role: "Customer Access" to only have access to the "RIS to FFI" tab in the "Default Group".
- Click the save button to save the new "Customer Access" role.
- Verify that the user has the appropriate access to the system. To do this you must know the user's password, or the user must be there to type their password in for you. See the RunAs block below.
Windows RunAs.exe
Runas will run a Windows application from the context of a different user. You cannot do this unless you know the password of the user that you will be impersonating, so it is not practical unless you have set the user up yourself as a user of the local machine, or if the user is there and can type in their password for you.
To run the client using "Runas" use:
runas.exe /user:<domain\username> "c:\Program Files (x86)\ConnexionV14\Connexion.Client.exe"
In our example, the name of the Connexion Server is "PC001", so to Runas user Bob, you would use:
runas.exe /user:PC001\Bob "c:\Program Files (x86)\ConnexionV14\Connexion.Client.exe"