Configure Users, Groups, and Security Roles

To enable users to access the features of a Lasernet system, you must appropriately create and configure users, groups, and roles in Lasernet Config Server.

By default, the Users list in Lasernet Config Server contains an admin user that is granted all possible permissions. However, you might want to grant some Lasernet users fewer permissions.

For example, you might want a particular set of users to be able to deploy Lasernet configurations to environments through the Lasernet Config web app and create Lasernet configurations in Lasernet Developer, but be unable to modify the Lasernet Config Server’s licensing and security role configuration through the Lasernet Config web app.

You can achieve these restrictions for these users by creating an appropriate group and role in Lasernet Config Server and adding those users to that group.

In general, follow the access control configuration process described on this page to achieve this. Depending on your goal, you might need to follow parts of this process, rather than all of it.

Authentication for External Applications

External applications that connect to web services hosted by Lasernet Web Server input modules are authenticated via an app-registration-based “client credentials” authentication flow that is managed by Lasernet Config Server.

Like the user authentication and access control described above, configuring this access for external applications involves groups and security roles. For more information, see Set Up App-Registration-Based Access for External Applications.

Introduction to Lasernet Authentication and Access Control

In a basic Lasernet system, user authentication and access control is based on the following principles:

• To use Lasernet and its associated applications (such as the Lasernet Web Client), a user must select a Lasernet Config Server and then log in to it. For example, when they start Lasernet Developer, they must select a Lasernet Config Server and then enter a username and password to log in.

• That person must log in as a “user” that is defined in the Config Server’s Users list.

• That “user” must be a “member” of a “group” that is defined in the Config Server’s Groups list.

• Each group is assigned one or more “security roles”. A security role specifies which Lasernet capabilities are given to the groups that are assigned that role.

So, in summary, when a user logs in to a Lasernet Config Server (in order to access the Lasernet Config web app or a Lasernet application such as Lasernet Developer), they are granted access to the applications, capabilities, and features permitted by the security roles that their groups are assigned to.

Note

Instead of definining “local” users and groups in Lasernet Config Server (as described above), access can controlled by users and app roles externally defined in a supported identity provider (IdP) such as Microsoft Entra ID. In Lasernet systems that use this capability, users log in to Lasernet Config Server using the credentials that they use to to authenticate with that IdP. For more information, see Guide to Configuring Microsoft Entra ID Authentication for Lasernet.

The admin User

Lasernet Config Server has a built-in admin user, Administrators group, and multiple All rights security roles. The admin user has full permission to use all Lasernet features and applications because it is a member of the Administrators group, which is a member of every All rights security role.

However, you might want to grant some Lasernet users fewer permissions. Or, you might want users of Lasernet to log in through user-specific accounts that identify them (for traceability of their actions in Lasernet). If so, create new users, groups, and security roles (if necessary), rather than use the admin user.

The Access Control Configuration Process

To enable users to access and use the Lasernet system with appropriate capabilities and restrictions, follow this process:

1. Create users.

2. Create groups.

3. Create security roles.

4. Configure the security role permissions.

5. Add users to groups.

6. Assign security roles to groups.

As well as providing steps for these tasks, this page describes concepts such as security roles. It also describes how to complete other user, group, and security configuration tasks (such as resetting a user’s password and deleting a group).

Note

Other security administration tasks (such as resetting a user’s password) are described in the Lasernet 11 Administration Guide.

Users

The following sections describe how to add a user, subsequently modify its configuration, and remove a user.

Add a User

To add a user, follow these steps:

1. In the Tools menu, click Users and Groups (see 1, in the image below).

2. In the main area of the window, click Users (2).

3. In the toolbar, click Add (3).

   

4. In the Add User window, configure the new user:

   • Name: The name of the user.

   • Display Name: If supplied, Lasernet displays this name in various user interface areas instead of Name. If Display Name is blank, Lasernet displays the user’s Name.

   • Description: A description of the user. This property is optional.

   • Password: Enter a password for the user. If you leave Password blank, the user will have no password.

   • Disabled: To enable the new user to log in, clear this checkbox.

   • Change Password: When you create a new user, this checkbox is selected and cannot be cleared. As a result, the user must change their password when they next log in (to the Lasernet Config web app or Lasernet Developer).

5. Click OK.

Edit a User

To edit the properties of an existing user, follow these steps:

1. On the Users and Groups page of the Lasernet Config web app, click the user.

2. In the toolbar, click Edit (see 1, in the image below). Alternatively, double-click the user.

3. In the User Properties window (2), change the user’s properties. The properties are described above.

   Note

   Unlike the Add User window, Change Password can be selected and cleared. If you select Change Password, the user must change their password when they next log in (to the Lasernet Config web app or Lasernet Developer).

   Note

   Unlike the Add User window, there is no Password property. So, you cannot manually change the user’s password. However, you can reset their password (see following step).

   

4. To reset the user’s password:

   1. Click Reset Password (3). Lasernet Config Server will change the user’s current password to a random combination of letters and numbers.

   2. The Lasernet Config web app will display the user’s new password (obscured for security) in a Reset Password window. To copy the new password to the clipboard, click the copy icon (4).

      Note

      The user will be asked to change their password when they next log in.

   3. Click Close.

5. Click OK to save your changes to the user’s properties.

Note

To protect the admin user, some user modifications are blocked. You cannot:

• Change their Name.

• Change their Description.

• Select the Disabled checkbox to prevent them logging in to Lasernet.

However, you can:

• Change their Display Name.

• Select Change Password (to force them to change their password when they next log in).

• Click Reset password.

Delete a User

To delete a user, follow these steps:

1. On the Users and Groups page of the Lasernet Config web app, click the user.

2. In the toolbar, click Remove.

3. In the confirmation window, click OK.

Note

You cannot delete the admin user.

Groups

The following sections describe how to add a group, subsequently modify its name and description, manage its user membership, and remove a group.

Add a Group

To add a group, follow these steps:

1. In the Tools menu, click Users and Groups (see 1, in the image below).

2. In the main area of the window, click Groups (2).

3. In the toolbar, click Add (3).

   

4. In the Add Group window, configure the new group:

   • Name: The name of the group.

   • Description: A description of the group. This property is optional.

5. Click OK to create the group.

   

To add users to the group, see Edit a Group and Manage Its Membership.

Edit a Group and Manage Its Membership

To change a group’s name or description, or modify its membership, edit the group:

1. In the Tools menu, click Users and Groups.

2. Click the group that you want to work with, then in the toolbar, click Edit (see 1, in the image below). The Group Properties window opens.

3. On the General tab (2) of the Group Properties window, you can change the group’s Name and Description.

4. On the Members tab (3), you can add and remove users from the group:

   • Add a user to the group:

     1. On the Members tab, click Add (4).

     2. In the Add Group Member window, use the list to select the user that you want to add to the group (5).

     3. Click OK. The user is added to the user list on the Members tab.

        

   • Remove a user from the group: Click the user on the Members tab, then click Remove.

     Warning

     Do not remove the admin user from the Administrators group.

5. Click OK to close the Group Properties window and save your group changes.

Note

The App Registration tab in the Group Properties window relates to app-registration-based authentication and access control for external applications. This capability is described in Set Up App Registration Based Access for External Applications.

Delete a Group

To delete a group, follow these steps:

1. On the Users and Groups page of the Lasernet Config web app, click the group.

2. In the toolbar, click Remove.

3. In the confirmation window, click OK.

Note

You cannot delete the Administrators group.

Security Roles

A security role defines the Lasernet capabilities that are available to the members of the groups that are assigned that role.

You manage security roles on the Security Roles page of the Lasernet Config web app.

Security Role Categories

The security roles defined on the Security Roles page are organized into five categories. Each of these categories relates to a particular Lasernet application or service (or group of applications), and contains one or more security roles. These roles control permissions to access capabilities of that application (or access the application or service itself).

For more information about each category, see its explanatory section on this page:

• Config Server and Developer

• Monitor

• Client

• Printer Service

• Web Server

Each category contains an All Rights security role, in addition to any custom security roles that have been defined.

The All Rights Security Roles

Each category contains an All Rights security role. These roles grant full access to the users who have the role. The configuration of these roles has every permission option enabled, and you cannot clear checkboxes to remove permissions from these roles.

They provide the admin user with full system access. As a result, by default, the Administrators group is a member of every All Rights security role.

Warning

Do not remove the Administrators group from the Members list of any All Rights role.

You can add other groups to the Members list for the All Rights roles.

However, to provide users with a smaller set of capabilities that more closely match their requirements, you must create custom security roles and add appropriate groups to those roles.

Custom Security Roles

You can create custom security roles that provide a specific set of permissions that are more restrictive than the All Rights security roles, and consequently are more appropriate for the requirements of particular non-administrative users.

For example, you might want a particular set of users to be able to deploy Lasernet configurations to Test and Development environments through the Lasernet Config web app and create Lasernet configurations in Lasernet Developer, but be unable to modify the Config Server’s licensing and security role configuration through the Lasernet Config web app. You might also want them to be unable to deploy Lasernet configurations to the Production environment.

You could grant users the permission set described in the example above by creating appropriately configured custom security roles, and then adding the group (that the users are members of) to those new security roles.

A custom security role has multiple permission options that you can configure appropriately. For a description of each permission option provided by a custom security role, refer to the role category-specific information in the Security Role Permissions Reference part of this page:

• Config Server and Developer

• Monitor

• Client

• Printer Service

• Web Server

Add a Security Role

To add a security role, follow these steps:

1. In the Tools menu, click Security Roles (see 1 in the image below).

   

2. In the main area of the window, click the category that you want to add a security role to. For example, Config Server and Developer.

3. In the toolbar, click Add (2).

4. Enter a Name and Description for the security role.

5. Click OK to create the security role.

By default, the new security role provides full permissions (like the All Rights groups), and it has no members. So, to appropriately modify the new security role’s permission options and add groups to the role, you must edit the security role.

Edit a Security Role

When you edit a security role, it is usually for one of the following three reasons. Follow the steps for your task:

• Change the role’s Name or Description.

• Change the role’s permissions configuration.

• Change the role’s member list.

Change a Security Role’s Name or Description

To change a security role’s Name or Description, follow these steps:

1. In the Tools menu, click Security Roles.

2. In the main area of the window, click the security role that you want to modify.

3. In the toolbar, click Edit.

4. On the General tab of the properties window, change Name or Description.

5. Click OK.

Change a Security Role’s Permission Configuration

To change a security role’s permission configuration, follow these steps:

1. In the Tools menu, click Security Roles.

2. In the main area of the window, click the security role that you want to modify.

3. In the toolbar, click Edit.

4. Depending on the security role’s category, the tabs that you use to configure permissions differ. On the appropriate tabs (Security, Deployment, or Environments), select or clear checkboxes to appropriately configure the role’s permissions. For some categories, there are no permissions tabs and a group’s membership of the role confers permissions. For a description of each category and the tabs and permissions that appear in the role properties window (if applicable), refer to the permissions reference section that corresponds to the security role’s category:

   • Config Server and Developer

   • Monitor

   • Client

   • Printer Service

   • Web Server

5. Click OK.

Add or Remove Groups from a Security Role

To add or remove groups from a security role, follow these steps:

1. In the Tools menu, click Security Roles.

2. In the main area of the window, click the security role that you want to modify.

3. In the toolbar, click Edit.

4. On the Members tab, add and remove groups from the role:

   • Add a group to the role:

     1. Click Add (4).

     2. In the Add Role Member window, use the list to select the group that you want to add to the role (5).

     3. Click OK. The group is added to the member list.

   • Remove a user from the group: Click the group on the Members tab and then click Remove.

5. Click OK.

Security Role Permissions Reference

Config Server and Developer

The security roles in the Config Server and Developer category:

• Control access to areas of the Lasernet Config web app. For example, access to the Users and Groups page of the web app, and access to the Grab tab in the Edit Environment window.

• Control access to areas of the Lasernet Developer application. For example, access to the Scripts and Modifiers areas of Lasernet Developer.

• Control which environments the user can deploy configurations to. For example, if there are three environments (Development, Test, and Production), a security role can be configured to allow users to deploy configurations to the Development and Test environments but not the Production environment.

Permissions on the Security Tab

The checkboxes in the Administrative rights and Lasernet Developer areas of the Security tab control permissions to access various administrative tools in the Lasernet Config web app and access configuration tools in Lasernet Developer.

Note

If none of the checkboxes above are selected for a security role, users that are assigned that role cannot log in to the Lasernet Config web app.

Note

If a user is not granted access to the Lasernet Developer areas that enable them to add, edit, and remove particular type of object, they have no ability to do those actions in Lasernet Developer. This restriction applies also to importing and exporting objects.

However, users that have restricted rights to add, edit, or delete particular types of object can still access (and add, if applicable) all object types to the configuration from the following dialogs in the editors:

• Modifier events

• Overlays

• Grab file dialog

• Connections

• Destinations

• Scripts

Permissions on the Deployment Tab

The checkboxes in the Access Rights column specify which environments the user can deploy Lasernet configurations to.

In the following example, users who have this role can deploy configurations to the Test and Development environments, but not the Production or Default environments.

Example of a Config Server and Developer Security Role

In this example of a Config Server and Developer security role:

• Environments and Print Servers are selected in Security > Lasernet Config Server.

• Environments, Forms, and Scripts are selected in Security > Lasernet Developer.

• Allow is selected for only the Test and Development environments on the Deployment tab.

As a result, in the Lasernet Config web app, the user can access only the Environments (and Licenses) pages and the Print Servers page.

If they click Deploy in the toolbar, they can deploy a Lasernet configuration only to the Test and Development environments.

In Lasernet Developer, they have access to only the Environments, Forms (and Subforms and Phrases), and Scripts areas in the Tools area, and the corresponding items in the View menu. Other areas such as the Resources area, and the profile administration tools, are not displayed.

Monitor

Security roles in the Monitor category determine which environments a user has access to through the Lasernet Monitor application.

On the Environments tab, the checkboxes in the Access Rights column specify which environments the user has access to.

Client

Security roles in the Client category determine a user’s capabilities in Lasernet Web Client.

On the Environments tab, the checkboxes in the Access Rights column specify which environments the user can control through the Web Client.

On the Security tab, select the Administrator checkbox to grant a user full administrative control in the Web Client.

These permissions grant the user:

• Visibility of all jobs in the Web Client. Non-administrative users see only particular jobs there.

• The ability to delete jobs through the Web Client.

• The ability the change the JobInfos for jobs in the Web Client.

Note

If the Administrator checkbox is selected for a user’s role, the user is granted the full set of Web Client permissions described above. As a result, the Write and Delete checkboxes on the Members tab (described below) have no effect on that user.

On the Members tab, the Access Rights column contains Write and Delete checkboxes, which specify the control that non-administrative users have over jobs in the Web Client:

• Write: The user can change the JobInfos for jobs in the Web Client.

• Delete: The user can delete jobs through the Web Client.

However, a non-administrative user will not see any jobs in the Web Client unless the Client security role that they are a member of is added to the Security tab of a module (in the configuration that the Lasernet environment is running). This configuration change is done in Lasernet Developer. After that Lasernet configuration is deployed to the Lasernet environment, jobs appear in the Web Client for users who have that role. For example, they will see jobs that are paused at the module that their role was added to.

Printer Service

Security roles in the Printer Service category determine which printer services the user can work with in the Lasernet Printer Service application.

On the Deployment tab, select the Allow checkbox to grant users access to the corresponding printer service instance.

Web Server

This category controls the ability for external applications to connect to web services hosted by Lasernet Web Server input modules.

Configuring Lasernet Config Server to apply this security role to authenticated external applications is part of a larger process for setting up app-registration-based access for external applications. For instructions, see Set Up App-Registration-Based Access for External Applications.

Delete a Security Role

To delete a security role, follow these steps:

1. On the Users and Groups page of the Lasernet Config web app, click the security role.

2. In the toolbar, click Remove.

3. In the confirmation window, click OK.

Note

You cannot delete any All Rights security roles.

Next Steps

The next step of the Lasernet 11 installation and setup process is to do any necessary additional Lasernet environment configuration (grab mode, logging, and Insights).