Showing User Overview
To show the user overview in DRACOON, first click Users & Groups in the Toolbox and then Users.
The user overview is only available if you are in the role of the user manager (see “issued roles” below).
To create a new user, click “Add user” in the user overview:
If the Add user button is no longer visible you have run out of user licenses to distribute. In this case you have the possibility of obtaining additional user licenses by clicking Send an inquiry.
Adding new users occurs in a three-step process which is portrayed in three corresponding tabs:
- Entering user information and distributing administrative roles, if necessary.
- Determining group memberships, if necessary (provided that you are group manager)
- Granting the user access to specific data rooms (provided that you are Data Room Admin)
Personal and login data
Enter the user’s email address.
Salutation & title
Choose the user’s salutation as well as their title, if applicable.
Name & surname
Enter the user’s name and surname.
After the expiry date, the user and all Share Links and Upload Accounts created by them will automatically and permanently be deleted from the system and cannot be restored. However, the files which the user saved in DRACOON are not affected and are preserved in the system.
Activating simple login
This option must be activated in case the user is to be able to log in using their user name and password in addition to logging in via Active Directory and RADIUS authentication. You can find further information on Active Directory and RADIUS authentication below.
This option is only available if Login Procedure Active Directory or RADIUS is selected in the system preferences and if the option Simple Login via Email has been activated.
There are 5 roles in DRACOON that aid Data Space management. Every user can be allotted one or more of these administrative roles.
Data Space Admin
A user that is Data Space Admin receives all of the following five administrative roles:
Config Manager role
The user can view and change the Data Space’s system preferences.
User Manager role
The user can add new users and can edit and remove existing users.
Group Manager role
The user can create, edit, and remove user groups as well as add users to and remove them from groups.
Data Room Manager role
The user can manage all first-level Data Rooms, meaning that they can create new Data Rooms, rename and delete existing ones as well as determine storage limits (quotas). However, the Data Room Manager does not necessarily have access to the content of these Data Rooms – this is determined solely by the respective Data Room Admin.
Log Auditor role
The user can view the system log which records all user activity within a Data Space. A user that is Log Auditor can grant other users or groups the Log Auditor role or remove it from them. A Log Auditor can thus appoint additional Log Auditors or discharge others of this role. Following this logic, a Data Space Admin can transfer the Log Auditor role to another user by first granting them this role and by then having this new Log Auditor discharge the original Log Auditor. This can be useful for example to comply with data protection and privacy policies (in this scenario by preventing the original Log Auditor from continuing to have access to the system log).
Start Data Room
You can select a specific Data Room to open at startup, i.e. when the user first logs into the system. You can change this setting only after you have created the user and granted them access to certain Data Rooms.
As soon as the user has logged into the system and worked with DRACOON, this setting becomes ineffective since the Web Client remembers the user’s last-used Data Room and automatically opens it when logging in.
This tab allows you assign membership to any group to a new user. By doing so, a user receives all access rights for specific data rooms that have been determined for individual user groups. Additionally, the user receives all administrative roles that have been allotted to a group in order to manage DRACOON.
In the example above, the user was assigned to the group “Sales”.
You can only assign a user to groups if you have previously been allotted the role of Group Manager (see “Issued roles” above).
Adding a user to a user group as a Group Manager doesn’t guarantee that this new user will immediately be allowed to access the Data Rooms which have been authorized for the given group. DRACOON’s security concept is designed in such a way that only the Data Room Admins can control and grant access to their Data Rooms. A Data Room Admin can determine that they be notified when new users are admitted to a group that would obtain access to the Data Rooms due to the group access rights. The Data Room Admin has the final say and can reject the new user so that even though they are a member of the group, they cannot access the group’s Data Rooms.
Data room permissions
In this tab, you can define which Data Rooms a user has access to, as well as what kind of permissions they receive. To do so, first select the Data Room on the left side to which a user is to be given access to. Then, on the right side select all applicable permissions that a user is to receive.
- You can only distribute access rights to Data Rooms of which you are Data Space Admin.
- A user can have different access rights in different Data Rooms. For example, a user can be allowed to save files in the Data Room “Marketing” (e.g. by uploading them), while they are only allowed to read existing files in the Data Room “Sales” (see screenshot above).
- If a user has access to a Data Room, they don’t automatically have access to the subordinate Data Rooms. The access rights to subordinate Data Rooms must be granted separately. (However, the Data Room Admin of a subordinate Data Room can determine that access rights of superordinate Data Rooms are automatically “inherited” by the subordinate Data Room. In this case, the access rights of a subordinate Data Room do not have to be configured anew. Instead, the access rights of the superordinate Data Room are automatically transferred and are valid for the subordinate Data Room.
- In addition to the Data Room access rights, a user obtains all access rights which have been granted to a group – if this user is a member of this user group. For example, if the “Sales” user group has been granted the right to manage Share Links in the “Sales” Data Room, the new user also has this right as a group member, even though individually they have not been granted this right, as is visible in the screenshot above.
In the user overview, the user information, user groups and Data Rooms of a user can be edited at a later point.
By enabling the setting “user is locked”, a user can be barred from accessing the system. When this setting is enabled, a user is no longer able to log into their profile until this feature has been deactivated by a Data Space Admin or User Manager. This setting cannot be enabled on one’s own profile (a user cannot lock themselves out of the system).
In the user overview area, users can also be deleted. If this is done, a user is permanently deleted from the system and cannot be restored, including all their Share Links and Upload Accounts. However, the files which the user saved in the Data Space are not affected and are preserved in the system.
If a user which is to be deleted is the last user in a Data Room, a further user has to be given access to this Data Room to prevent the Data Room and all its contents from being deleted.
Configuring authentication via Active Directory/RADIUS
The authentication procedures Active Directory and RADIUS can be configured for the user object if they are activated in the system preferences.
The following items are only visible if authentication against an Active Directory is activated in the system preferences:
Activating Active Directory
If users are to be able to authenticate themselves against an Active Directory, this option must be selected.
Active Directory user name
Enter the user’s Active Directory user name (Windows login name) in this field.
The following items are only visible if authentication against RADIUS is activated in the system preferences:
If users are to be able to authenticate themselves against RADIUS, this option must be selected.
RADIUS user name
Enter the user’s RADIUS user name in this field.