User Management in EnergySys

When an organisation subscribes to the EnergySys Cloud Platform it is necessary to identify one or more Group Administrators who will be responsible for user account management. The Group Administrators are able to create, update, reset, suspend and deactivate users who are members of the organisation. If you are a Group Administrator, the sections below give an overview of the account management processes and describe the various concepts and activities you may need to undertake when administering users within your organisation.


Overview

Identity Management

Identity Management is the set of policies and technologies that ensure that the right people in your organisation have appropriate access to your EnergySys resources. Your organisation can use one of two approaches to managing EnergySys users:


  1. Adopt the EnergySys identity provider; we use an Okta-based solution for user management.
  2. Use your organisation's own identity provider, such as Active Directory, OneLogin, PingIdentity, or indeed your own Okta service.


If your Organisation uses its own identity provider, there are steps that will need to be undertaken by EnergySys Support and your Organisation's IT administrators to allow the identity provider to be used by our applications. Once this is done, user management is done entirely within your organisation's user management tools. The details are beyond the scope of this article, other than a brief overview in the section External Identity Provider.


If your Organisation chooses to make use of the EnergySys identity provider (Okta) then the Group Administrators will manage EnergySys users using the capabilities described below under Identity Management with Okta.


Glossary of Terms

Identity Provider (IdP): An Identity Provider is the entity that stores, maintains and manages the identity information for users, and provides authentication services to applications or other identity providers. The EnergySys Cloud Platform uses Okta as its Identity Provider.

External Identity Provider (external IdP): An IdP selected and managed by the organisation, such as Active Directory, OneLogin or PingIdentity.

User: A user is an individual or account that can access EnergySys. They have a unique username and provide a password in order to authenticate with Okta and gain access to the EnergySys Cloud Platform.

Group / Organisation: Users are grouped together in a Group in Okta. An Okta Group is synonymous with an Organisation within EnergySys.

Instance: An instance in EnergySys is a secure area reserved for your organisation's business data. An Organisation generally has one or more instances for both Production and Test.

Group Administrator: A specific individual can be given Group Administration rights in Okta for one or more Groups. This allows them to create, delete or manage the lifecycle of users who are in the specified Groups. EnergySys support staff have Group Administration rights for all Groups.

Federation: Federation is the means by which a user's identity is linked across multiple identity providers. One IdP is configured to 'trust' another IdP, so that users authenticated in one are trusted in another. This allows them to sign on once to gain access to multiple services (Single Sign On - SSO). Generally, a user's identity is 'mastered' in one IdP and then linked to other 'federated' identity providers.

Authentication: The process of verifying the identity of a given person. Typically this is the process that validates the username and password for a user.

Authorisation: The process of granting a user who is known to the system access to certain resources, such as services, applications, modules, etc.

Multi-factor Authentication (MFA): Multi-factor Authentication is an authentication method where multiple items (or factors) are presented for identification. It is a method of confirming a user's identity by using a combination of two different factors from something they know, something they have, or something they are. A good example of this is withdrawing money from an ATM. The customer presents a bank card (something they have) and a PIN (something they know).


Identity Management With Okta

As a Group Administrator in Okta, you will manage the community of users within your Okta "Group". This Group is synonymous with the "Organisation" used within the EnergySys Cloud Platform. 


EnergySys uses Okta only to authenticate a user; that is, to prove that they are who they say they are. The subsequent association of that user with specific EnergySys applications, modules and resources is handled within the platform itself using Roles. This means there are two places where you need to provision and manage users: in Okta for authentication to use the EnergySys Cloud Platform, and in EnergySys to govern their access rights within the platform's applications.


User Lifecycle


The lifecycle of a user in Okta can be summarised by the following diagram:

When you first create a user in Okta, they exist in a state called STAGED. As soon as you are ready to do so (see Provisioning Users in EnergySys), you can Activate the user (they then become PROVISIONED). Okta will send them an activation email which allows them to enter a password and a recovery answer. Once these details have been provided they become ACTIVE.


Active users may ask you to reset their password if they have forgotten it, or they may need their account to be unlocked. You might need to temporarily remove access to their account (SUSPEND) or deactivate (DEPROVISIONED) them more permanently.


Stages in the User Lifecycle 


State: Staged
Description: A user who is STAGED has been created in the IdP, but has not yet been sent their activation email.
Purpose: The user will not be able to access the service, but the administrator can. Once the Group Administrator is happy they can activate the user, which sends them an activation email, and the user will then become PROVISIONED.

State: Provisioned
Description: A user who is PROVISIONED has been sent an activation email but has not yet clicked on the Activation link and entered their password and recovery question answer.
Purpose: The user cannot access the service until they have clicked on the emailed Activate link and entered their details. When they provide this information they become ACTIVE.

State: Active
Description: An ACTIVE user can be authenticated by the IdP and is allowed access to the EnergySys Cloud Platform.
Purpose: Normal state of a user with access to services.

State: Password Expired
Description: The password policy allows for a time limit on passwords, after which they expire and must be changed. Our standard policy does not expire passwords, so users should never enter this state. This may be changed in the future, or if needed to meet company policies.
Purpose: Users with an expired password cannot authenticate with the IdP and cannot access the EnergySys Cloud Platform.

State: Locked Out
Description: If a user provides an incorrect password ten times in a row their account becomes locked and must be unlocked by a Group Administrator.
Purpose: Users whose accounts are locked cannot authenticate with the IdP and cannot access the EnergySys Cloud Platform, and must be unlocked by the Group Administrator.

State: Recovery
Description: If a user forgets their password (and their account is not Locked Out) they can request a password reset and they will be shown as in RECOVERY.
Purpose: When the user requests help with a forgotten password, they are sent an email containing a Password Reset link, which when clicked asks the user for the answer to their recovery question. If this is correctly provided, the user can enter a new password and become ACTIVE. Users with an account in recovery cannot authenticate with the IdP and cannot access the EnergySys Cloud Platform.

State: Suspended
Description: A Group Administrator can suspend a user at any time. Suspended users cannot authenticate with the IdP and cannot access the EnergySys Cloud Platform. To regain access, a Group Administrator must unsuspend the user. Users who are unsuspended can carry on using the same password and recovery question answer they used before they were suspended.
Purpose: Suspension is intended to be used to temporarily remove access for a user who will return to their role at some point in the future, for example where an extended leave of absence is expected.

State: Deprovisioned / Deactivated
Description: A Group Administrator can deprovision / deactivate a user at any time. Deactivated users cannot authenticate with the IdP and cannot access the EnergySys Cloud Platform. To regain access, a Group Administrator must activate the user, which puts the user in a PROVISIONED state. Users who are re-activated must enter a new password and recovery answer before they can get access to the system.
Purpose: Deactivation is intended to be used to permanently remove access for a user who will not be returning to their role. Deactivated users can be permanently deleted from the IdP.


Provisioning Users in EnergySys

Provisioning is the process by which the EnergySys Cloud Platform learns, from the IdP, which users are allowed to access the service, together with which instances they are allowed to use. In EnergySys, users are associated with Roles in order to allow them access to applications, modules and resources. When a user is created in the IdP, EnergySys does not immediately know about the new user, and so before they can be associated with Roles, they must be provisioned into EnergySys from the IdP.


A provisioning process runs (typically every minute) and checks for created, updated or deleted users in Okta; when it finds them it creates, updates or deletes the corresponding users in EnergySys.


The process for gaining access to EnergySys for a user is typically:

  1. The user is created by a group administrator in the EnergySys IdP (Okta). We recommend that users are initially created as STAGED.
  2. After a short delay the provisioning process notices the new user in Okta, creates the user in EnergySys and associates them with their Organisation.
  3. The administrator logs into EnergySys and gives the user roles in the relevant instances.
  4. The administrator activates the user in Okta, which sends them the activation email.
  5. The user activates their account by specifying a password and password recovery question and answer. They may also need to configure MFA factors.
  6. The user logs in and accesses the EnergySys application.
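The sync described above can be illustrated as a reconciliation pass over two snapshots: the IdP's view of the Group and the platform's user table. The following Python is an added example, not the platform's provisioning code. The record shapes (IdpUser, PlatformUser), the snapshot contents and the decision strings are constructed for illustration; only the lifecycle state names and the "no instances specified" message come from this article. It also shows why step 3 (assign roles) should precede step 4 (activate): a user who is ACTIVE in the IdP but has no roles is authenticated but then turned away.

```python
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IdpUser:
    """What the provisioning process reads from the IdP (constructed shape)."""
    id: str
    login: str
    organisation: str   # the Okta Group
    status: str         # lifecycle state name, e.g. "STAGED", "ACTIVE"


@dataclass
class PlatformUser:
    """The platform's copy of the user plus the roles granted per instance."""
    id: str
    login: str
    organisation: str
    status: str
    roles: dict = field(default_factory=dict)   # instance name -> set of role names


def reconcile(idp: dict, platform: dict) -> list:
    """One sync pass: diff the IdP snapshot against the platform's user table.

    Returns sorted (action, user_id) tuples: "create" for users the platform has
    never seen, "update" for users whose IdP attributes changed, "delete" for
    users that no longer exist in the IdP.
    """
    actions = []
    for uid, src in idp.items():
        dst = platform.get(uid)
        if dst is None:
            actions.append(("create", uid))
        elif (src.login, src.organisation, src.status) != (dst.login, dst.organisation, dst.status):
            actions.append(("update", uid))
    for uid in platform:
        if uid not in idp:
            actions.append(("delete", uid))
    return sorted(actions)


def apply_actions(actions: list, idp: dict, platform: dict) -> dict:
    """Apply a reconcile() result to a copy of the platform table.

    Roles are platform-side data, so an update from the IdP never touches them.
    """
    platform = copy.deepcopy(platform)
    for action, uid in actions:
        if action == "create":
            src = idp[uid]
            platform[uid] = PlatformUser(src.id, src.login, src.organisation, src.status)
        elif action == "update":
            src, dst = idp[uid], platform[uid]
            dst.login, dst.organisation, dst.status = src.login, src.organisation, src.status
        elif action == "delete":
            del platform[uid]
    return platform


def access_decision(user: PlatformUser, instance: str) -> str:
    """Explain whether a user reaches an instance, in the order the checks happen:
    the IdP must authenticate them (ACTIVE), then the platform must hold a role."""
    if user.status != "ACTIVE":
        return f"denied: IdP status is {user.status}"
    if not any(user.roles.values()):
        return "denied: no instances specified"     # the message quoted in this article
    if not user.roles.get(instance):
        return f"denied: no role in {instance}"
    return "allowed: roles " + ", ".join(sorted(user.roles[instance]))


# Constructed sample snapshots (not real accounts or instance names).
IDP_SNAPSHOT = {
    "u1": IdpUser("u1", "alice@example.com", "ExampleCo", "STAGED"),
    "u2": IdpUser("u2", "bob@example.com", "ExampleCo", "ACTIVE"),
}
PLATFORM_SNAPSHOT = {
    "u2": PlatformUser("u2", "bob@example.com", "ExampleCo", "PROVISIONED",
                       roles={"ExampleCo-Prod": {"Viewer"}}),
    "u3": PlatformUser("u3", "carol@example.com", "ExampleCo", "ACTIVE"),   # gone from the IdP
}
```

Running `reconcile(IDP_SNAPSHOT, PLATFORM_SNAPSHOT)` yields a create for alice, an update for bob (now ACTIVE in the IdP) and a delete for carol; after `apply_actions`, alice exists on the platform with no roles, which is the state in which roles can be granted before she is activated.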


Multi-factor Authentication

Multi-Factor Authentication is a method of confirming a user's identity that requires the user to present two or more pieces of evidence (factors) from something they know, something they have, or something they are.


An example is to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.


We strongly recommend that MFA is used for all access to EnergySys. If your organisation has MFA enabled, users will be required to set up their MFA factors on their next login and provide these factors on subsequent logins. These additional MFA factors are usually provided by applications on a mobile device, which means that, in order to authenticate, the user is providing something they know (their password) and something they have (their mobile device).


Currently, we support two different factor types:

Okta Verify: The Okta Verify app can be downloaded for iOS devices from the Apple App Store and for Android devices from Google Play. Once installed, the user will be prompted to enter the generated six digit number to gain access. Okta Verify also supports 'Push Notifications' which enable users to verify their identity with a single tap on their mobile device, without the need to type a code.

Google Authenticator: This is also an app for mobile devices, available through the app stores. Once the Google Authenticator App has been installed, the user will be prompted to enter the generated six digit number to gain access.


Note that if MFA has been configured for an organisation, access to the OData feed will be denied unless the user is using Okta Verify and Push Notifications. If you would like to get MFA enabled for your organisation, please raise a support request at support.energysys.com or email support@energysys.com.


External Identity Provider

As noted above, an Organisation may choose to use its own IdP for Authentication with EnergySys. There are multiple IdPs on the market (Active Directory, OneLogin, PingIdentity, etc.), and where an organisation already uses its own IdP to authenticate its employees with its internal network and applications, it often makes sense to use this to also control access to the EnergySys Cloud Platform.


To support this, the Okta instance can be configured to trust another organisation's IdP so that users mastered in that (external) IdP can access EnergySys. This allows the authentication of users and their lifecycle to be managed by the administrators for the external organisation.


The process for gaining access to EnergySys for a user in an external IdP is as follows:

  1. The user is given access to the EnergySys application in the external IdP.
  2. The user attempts to log in to EnergySys. This creates the user record in the EnergySys IdP (Okta). The user will receive an error message stating that they have no instances specified.
  3. After a short delay the provisioning process notices the new user in Okta, creates the user in EnergySys and associates them with their Organisation.
  4. An administrator logs into EnergySys and gives the user roles in the relevant instances.
  5. The user logs in again and accesses the EnergySys application.


Note that to access the OData feed, a user must either be mastered in the EnergySys IdP, or in an Okta External IdP.


Group Administration Activities

How do I set up a new user?

How do I reset a locked user?

How do I disable access for a user?

How do I delete a user?