Getting Started with Users and Permissions

When managing Loftware Enterprise™ SP, you need to create Loftware Enterprise SP user accounts for Designers who are responsible for creating and updating label templates, forms, processes, and applications for Data Providers (interactive or automated) responsible for providing data to be printed on labels, and for administrators responsible for managing Loftware Enterprise SP. You also need to configure areas in Loftware Enterprise SP where users with limited responsibilities can work.

To provide a user with permissions, you must assign a role to a group in which that user has membership or assign a role directly to the user. For ease of maintenance, it is recommended that you create users, give users membership in groups, and assign roles to the groups.

Important: Access in Loftware Enterprise SP requires both role-based permissions Permissions that are assigned to a role and inherited by users who are members of a group to which that role is assigned or by users to whom the role is directly assigned. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. and object access permissions Permissions in Loftware associated with a specific object or with a folder that control what actions can be performed on that object or on objects within that folder. Each object has default permissions that can be overridden by exceptions for a specific group or user. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object.. For a user to be able to perform an action on an object, the user must directly or indirectly be assigned a role that grants permission to perform that action on that type of object. Additionally, that particular object must either be in a folder that directly or indirectly grants the user access permission to perform that action on that type of object or else that particular object must directly or indirectly grant permission to the user to perform that action. There are several permissions that are only role-based or only object-based and do not require a corresponding permission. Examples include List permission for Folders and all permissions for Model Status (Auto Refresh), Tag Categories, and Devices.

Create Folders to Manage Users and Groups

If you have not already created a folder or folders in which to store user accounts and groups, you should do so. This approach allows you to assign basic access permissions to all users or all groups by assigning permissions to the folders.

Tip: You can move an object from one folder to another by right-clicking an object, selecting Move to, and selecting a folder to which to move it.

Create a Folder for Users

To create a folder in which to store user accounts, use the following procedure.

1. In Access Control , click an existing folder, and then in the ribbon click Home > Folder.
2. In the Create Folder dialog box, enter a folder Name, such as User Accounts, and a Description.

   Note: The following characters are permitted in the name: letters, numbers, parentheses, square brackets, ampersands, plus signs, commas, semi-colons, and tildes. Additionally, the following characters are permitted but cannot begin or end the name: spaces, double quotation marks, single quotation marks, hyphens, underscores, periods, and grave accents. Names are limited to 255 characters. If you will be installing the Loftware Enterprise SP application on a computer running Windows Server, and transferring data between Loftware Enterprise SP instances, see the "Transferring Data in a Compressed File" section of the Loftware Enterprise SP Data Transfer Guide.

3. Click Save.

   Note: You can leave Version Control set to Off since a user cannot be version-controlled.

4. For any user account created in this folder, the Users row in the Default Permissions panel allows you to manage who can view the user name in reports and dialog boxes in Loftware Enterprise SP and who can make changes to the user account. In the Default Permissions panel, select Read permission for Users.
5. Click File > Save or Save in the ribbon.

Create a Folder for Groups

To create a folder in which to store groups, use the following procedure.

1. In Access Control , click an existing folder, and then in the ribbon click Home > Folder.
2. In the Create Folder dialog box, enter a folder Name, such as Groups, and a Description.

   Note: The following characters are permitted in the name: letters, numbers, parentheses, square brackets, ampersands, plus signs, commas, semi-colons, and tildes. Additionally, the following characters are permitted but cannot begin or end the name: spaces, double quotation marks, single quotation marks, hyphens, underscores, periods, and grave accents. Names are limited to 255 characters. If you will be installing the Loftware Enterprise SP application on a computer running Windows Server, and transferring data between Loftware Enterprise SP instances, see the "Transferring Data in a Compressed File" section of the Loftware Enterprise SP Data Transfer Guide.

3. Click Save.

   Note: You can leave Version Control set to Off since a group cannot be version-controlled.

4. For any group created in this folder, the Groups row allows you to manage who can view the group name and who can make changes to the group. In the Default Permissions panel, select Read permission for Groups.
5. Click File > Save or Save in the ribbon.

Create a Group and Assign a Role to Grant Permissions

If you have not already created the group to which you want to assign a user, you should do so. In a particular group, you might include each Designer Person who creates and designs label templates, forms, and applications for use by Data Providers. who works on a particular product so that you can limit access to labels by product, or each Data Provider Person or process that enters data into a form or other data entry view for a label that was configured by a Designer. A user acting as a Data Provider requires the DOCUMENT_PRINTER role or equivalent permissions. associated with a particular office so that you can configure an appropriate default device.

To create a group and assign a role that grants role-based permissions Permissions that are assigned to a role and inherited by users who are members of a group to which that role is assigned or by users to whom the role is directly assigned. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. to users who are members of that group to perform actions on some types of objects, use the following procedure.

1. In Access Control , click the folder that you created for storing groups, and then in the ribbon click Home > Group.
2. In the Create Group dialog box, enter a group Name and optionally a Description,

Note: The following characters are permitted in the name: letters, numbers, parentheses, square brackets, ampersands, plus signs, commas, semi-colons, and tildes. Additionally, the following characters are permitted but cannot begin or end the name: spaces, double quotation marks, single quotation marks, hyphens, underscores, periods, and grave accents. Names are limited to 255 characters. If you will be installing the Loftware Enterprise SP application on a computer running Windows Server, and transferring data between Loftware Enterprise SP instances, see the "Transferring Data in a Compressed File" section of the Loftware Enterprise SP Data Transfer Guide.

3. For Default Profile, select a profile to be applied to any user who is a member of the group and whose profile is set to Default.
4. Click Save.
5. In the Default Permissions panel, select the Read check box to grant Read access for Groups. This allows the name of the group to be displayed to all users.
6. In the ribbon click Home > Role.
7. In the Roles dialog box, click Add next to Role Membership and select a role to assign a role to all members of the group. As a best practice, it is recommended that you minimize the number of roles that you assign to a group or to a user to ensure that you do not assign conflicting permissions.
   • To create a group for users responsible for designing and editing label templates and layouts, assign the DOCUMENT_DESIGNER role. By default, the following pages are displayed to users with this role:
     Label Design , Application Design , Print , Applications , Status, and Preferences .
   • To create a group for users responsible for providing data to be printed on labels, either interactively through forms or by using an automated source, assign the DOCUMENT_PRINTER role. Users with this role are referred to as Data Providers. By default, the following pages are displayed to users with this role:
     Print , Applications , Status, and Preferences .

   Note: To use Print Preview, a user should have a role with Print permission for Documents, have Print permission for Documents for folders containing label templates and images to be previewed, and have Allow Print Preview selected in Preferences .

   • To create a group for users responsible for administering Loftware Enterprise SP, assign the LOCAL_ADMIN role. This role includes most administrator permissions as well as all of the permissions for a DOCUMENT_DESIGNER and a DOCUMENT_PRINTER. By default, all pages are displayed to users with this role.
   • Loftware Enterprise SP is installed with a user account called Integration User that can act as the Run As user for integrations. This user account cannot sign in to Loftware Enterprise SP interactively. Create Run As users by assigning the INTEGRATOR role.
8. Click Close.

Note: You can assign existing users to a group using the Users dialog box The user(s) assigned to the group or role. To display, in the ribbon click Home > User. for the group or by using the Groups dialog box The group(s) assigned to the user or role. To display, in the ribbon click Home > Group. for the user, whichever is convenient. Both will show that the user is a member of the group.

Grant Access to a Work Area and Objects

If you have not already created a folder to serve as a work area for users in this group, you should do so. Merely granting a user role-based permissions for some types of objects does not allow that user to access folders and other objects unless those folders and objects also grant the user access.

Note: Although you can grant access to objects individually, it is typically more efficient to grant access to the folder containing the objects so that objects currently in the folder and objects created in the folder in the future can inherit permissions for that type of object from the folder.

To provide a group of users with access to a work area, use the following procedure to create a folder in Loftware Enterprise SP and grant object access permissions Permissions in Loftware associated with a specific object or with a folder that control what actions can be performed on that object or on objects within that folder. Each object has default permissions that can be overridden by exceptions for a specific group or user. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. at the folder level.

1. In Access Control , click an existing folder, and then in the ribbon click Home > Folder to create a folder to serve as a work area.
2. In the Create Folder dialog box, enter a folder Name and optionally a Description.
3. If any version-controlled objects will be stored in this folder, consider turning on Version Control.

   Important! You cannot change the Version Control setting after you save the folder.

4. Click Save.
5. In the Default Permissions panel, for any type of object that you want to allow in this folder, grant appropriate access to that type of object for any groups of users whom you want to act on the objects.

   Note: If there are permissions to use objects in this folder that you want to make available to all users who access this folder, configure those permissions in the Default Permissions panel. However, the user can only perform the action if the user also has the corresponding role-based permission.

   Note: To use Print Preview, a user should have a role with Print permission for Documents, have Print permission for Documents for folders containing label templates and images to be previewed, and have Allow Print Preview selected in Preferences .

   Example: Access for Document Designers

   If you want to allow Document Designers to create and edit label templates and layouts in this folder, add a group that you created for Document Designers to the Group Permissions panel. Click the group name in the panel to expand the permissions table for that group, and grant at least the following permissions. You do not have to explicitly grant a permission if it is inherited from the folder's parent folder.

   Type	Read	Write	Create	Delete	Admin	List	Print	Design Print	Publish	Reprint	Queue
   Folders
   Users
   Groups
   Roles
   Documents
   Device Groups
   Servers
   Jobs
   Processes
   Integrations
   Data Services
   User Profiles
   Remote Sites
   Facilities

   Example: Access for Data Providers

   If you want to allow Data Providers to enter data for and print labels in this folder, add a group that you created for Data Providers to the Group Permissions panel. Click the group name in the panel to expand the permissions table for that group, and grant at least the following permissions. You do not have to explicitly grant a permission if it is inherited from the folder's parent folder.

   Type	Read	Write	Create	Delete	Admin	List	Print	Design Print	Publish	Reprint	Queue
   Folders
   Users
   Groups
   Roles
   Documents
   Device Groups
   Servers
   Jobs
   Processes
   Integrations
   Data Services
   User Profiles
   Remote Sites
   Facilities

   Example: Access for Run As Users for Integrations

   If you want to allow Run As users for integrations to run integrations, processes, and business rules that are saved in this folder, add a group that you created for these users to the Group Permissions panel. Click the group name in the panel to expand the permissions table for that group, and grant at least the following permissions. You do not have to explicitly grant a permission if it is inherited from the folder's parent folder

   Note: If the process or business rule associated with an integration performs actions that require additional permissions, you must ensure that those permissions are granted to the Run As user.

   Type	Read	Write	Create	Delete	Admin	List	Print	Design Print	Publish	Reprint	Queue
   Folders
   Users
   Groups
   Roles
   Documents
   Device Groups
   Servers
   Jobs
   Processes
   Integrations
   Data Services
   User Profiles
   Remote Sites
   Facilities

   Note: For a job target folder, the Run As user requires different permissions. For more information, see Configure a Job Target Folder.

6. Click File > Save or Save in the ribbon.

Create a User Account and Assign Group Membership

After you have created groups and assigned roles to those groups, you can assign group memberships to users. To create a user account and assign a group membership to that user, use the following procedure.

1. In Access Control , click the folder that you created for storing user accounts, and then in the ribbon click Home > User.
2. In the Create User dialog box, enter a user Name and other user-specific information, and then click Save.

   Note: A user Name can include letters and numbers. Additionally, the following characters are permitted but cannot begin or end the name: hyphens, underscores, and periods. The maximum length is 50 characters.

   Note: Because the user account inherits the Read permission for Users that you configured at the folder level, it is not necessary to configure permissions in the Default Permissions panel.

3. With the new user selected, click Home > Group.
4. In the Groups dialog box, click Add next to Group Membership and select the group you created to give the user membership in that group.

   Note: You can assign existing users to a group in the Users dialog box for the group or in the Group dialog box for the user, whichever is convenient. Both will show that the user is a member of the group.

5. Click Close.

Note: For ease of management, it is recommended that you assign roles to groups rather than directly to each user. If a role is assigned to a group, users who are members of that group inherit the permissions provided by that role. However, the role is displayed only in the Roles dialog box for the group, not in the Roles dialog box for the user.