“Settings/User settings/Authorization Management" should be used to create users and define authorizations and groups. On this page

In the Groups tab you manage Groups and the authorizations that Groups have.
In the Users tab, you define users, send messages and match them with groups.

Groups

System administrator: Can create users and groups. Can add and remove users to and from groups. GEODI authorizations are assigned to groups. At a minimum, we recommend creating the following groups.
- GEODI Users
- GEODI Managers
- GEODI System Administrators
The number of group members is specified. A user can be a member of more than one group.

LDAP/AD Integration

GEODI also has LDAP/Active Directory support.
- The machine where GEODI is installed must be in the same domain.
- LDAP groups are not supported, authorization groups must be defined in GEODI.
- Management for users coming with LDAP takes place on the Active Directory side.
  - When passwords kept in LDAP change, it also affects GEODI.
  - When users are deleted from LDAP, they cannot enter GEODI.
- You add LDAP users when you map them to Groups. When you type the user name, if there is a user with a similar name in LDAP, it is presented as an option. This makes it easier to manage a network with many LDAP users.
- LDAP users appear as domain\username. The management of these users is entirely on the AD side, so no additional option is provided..
- GEODI Notification services use the emails of LDAP users defined on the AD side.
- Folder and file based authorizations given on the AD side are used by GEODI. GEODI cannot exceed AD side restrictions but can set new restrictions.
  - SupportLDAPPermissions must be set to true in the project detail settings ContentReadereEnumerators settings to use the folder authorizations given on the AD side.

geodi-en > User/Authorization Management > LDAP.png

Manage Authorizations

You specify which authorizations are used for each group.

The authorization categories may vary depending on the installed modules. For example, with the MOBIDI Connector application module, the necessary categories related to MOBIDI Office are also added.

Authorizations are given to groups. The authorizations of users added/removed to groups are automatically updated.

If no selection is made for any group, it is interpreted as no authorization and in this case the authorization button is unlocked.

geodi-en > User/Authorization Management > Manage1.png

geodi-en > User/Authorization Management > image-20230131-111041.png

Users

Users can come from the LDAP/AD side or be GEODI users.

The management of LDAP side users is on the AD side. Changes on the AD side (such as e-mail, password) may take 10-30 minutes to be reflected. During this time the old information will be valid.
You can send an invitation email to the newly added user (if user email is defined).
Users who forgot their password can request a new password from the login page.

geodi-en > User/Authorization Management > Users.png

Guest Users

If your license allows, you can create open GEODI projects with guest user definition. Guest users are a practical solution for informational projects such as the Ankara digital city archive or the Nigerian Ministry of Treasury projects.

You need to activate guest users in Settings. You also need to include them in a group and set the appropriate authorizations for your project. They will appear as "guest" in the user list.

Integration with Google and other authentication sources

GEODI can integrate with authentication sources such as Google, Facebook. Users can log in to the system with these authentication sources. There are ready definitions for Google, Dropbox, Linkedin, Facebook, Microsoft. You can find the required definition for each of them in GEODI/Settings/LoginProvider directory. To activate them, you need to change the extensions to jSettings.

The resources you activate will appear on the login page. You need to authorize users from these sources separately. You do this by including them in a group.

Select the group you want to authorize. If you type "*" in users and select Google, you will authorize all users coming from the google resource. If you replace "*" with a user's email address, you will only authorize that user.

geodi-en > User/Authorization Management > image-20230131-111432.png

Integration with Other Systems and SSO

GEODI infrastructure is also suitable for external user authentication services other than LDAP.

Can be integrated with other platforms used by organizations. It is sufficient to provide the services specified in Developers.decesoftware.com.

It can also be integrated with the user authentication features of services such as Facebook and Google.

Project-Based Permission

Permissions specific to the project are defined. If no permission is granted to any group, all users will have access to all permissions.

Can View Project: Specifies which groups can view the project.
Can Edit Project: Grants permission to make changes in the project.
Can Index Project: Authority to scan the project from scratch or for changes.
Can Delete Project: Permission to delete the project. If this permission is not granted, the delete button will not be visible.
Can Generate Reports: Allows export reports for the project.
Data Operator: Authority to label and group recognized results recognized by modules like FacePro, TextPro.

Resource-Based Permission

Resource-based authorizations can be set up within the project. If no permission is granted to any group, all users will have access to all permissions.

Can Search: Specifies who can see the relevant resource.

Can Share: Allows sharing from the Twitter account defined in GEODI.

Can View/Download: Grants permission to download and view files in the relevant resource to authorized users.

Can Add Notes: Permission to add notes to files and folders in the relevant resource.

Can Edit Others' Notes: Allows intervention in other users' notes.

Can Add/Feed: Allows uploading files to the relevant resource via the browser.

To view the permissions of a logged-in user and clear the permission cache in GEODI, the following steps can be applied.

Api → User Manager Api section.

UserInfoFull GetCurrentUserInfoWithPermissions() [RUN] → Click Run to view the permissions of the currently logged-in user.
Boolean ClearCurrentUserPermissionCache() [RUN] → Clears the permission cache. It can be used to reflect changes in permissions immediately.

Limit/Override SystemAdmin superuser permissions

bydefault System Admins are privilaged and has permission to see all content.

There is a way to override this behaviour. This settings will be affective throught for all workspaces.

Set IgnoreSystemAdminContentAccessPrivileges value to TRUE(default is FALSE) in SystemSettings file. Details are in https://support.decesoftware.com/space/DEV/1390184262/System+Configuration+-+Security+Settings

Then you must set the necessary permissions for each data source. The following example assumes a DPO grup and the members will be able to open, report and inspect all findings, but SystemAdmins can not. The source name is SG-43 here. This must be repeated for other sources as well.

Please note that, when all checkboxes are off, that means are all on(a situation at the very begining). But once you check a box, then everything behaves as expected and you should give permissions one by one. a