Secure Multi-Tenant and Multi-User Environment
Large AggreGate installations are operated by many people, including system administrators, operators, analysts digging through data and preparing reports, company executives, etc. In such a complex environment it's extremely important to ensure security and restrict access to important data.
AggreGate Server may have an unlimited number of user accounts. System resources are usually owned by the user who creates them. User permissions are configured by editing a permissions table that defines the user's access level to each system resource. This lets administrators implement complex security schemes that actually reflect the user's role in the organization. Some examples:
Each record of the permissions table may define the user's access level for a single resource, a group of resources, or even a subtree of dependent resources.
Configurable user permissions also make operators' lives simpler by letting them view only the resources that are relevant to their job. For example, the following permission schema is often used for a Time and Attendance control system:
Every user account has a set of preferences, such as time zone, date/time format and preferred language.
Normal and Role-based Users
A user account can match either a single physical person (e.g. John Doe or Mary Shelley) or a certain role of system operators (e.g. "Los Angeles Zone Operator", "Report Designer" or "Network Engineer"). Physical person accounts can either have their own permission tables or inherit permissions from role-based accounts.
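The permissions table and role inheritance described above can be modelled as follows. This is an added example, not AggreGate code: the mask syntax (`*` for a group, `.**` for a subtree), the level names, the resource paths, and the first-match-wins, default-deny evaluation are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Hypothetical access levels, weakest first (not the product's own list).
LEVELS = ("none", "observer", "operator", "admin")

@dataclass
class Account:
    name: str
    table: Optional[list] = None       # own permissions table: ordered (mask, level) records
    role: Optional["Account"] = None   # role-based account to inherit from

def matches(mask: str, resource: str) -> bool:
    """Assumed mask syntax: dotted path, '*' within one segment, '.**' for a subtree."""
    if mask.endswith(".**"):                       # subtree of dependent resources
        root = mask[:-3]
        return resource == root or resource.startswith(root + ".")
    m, r = mask.split("."), resource.split(".")    # one resource, or a group via '*'
    return len(m) == len(r) and all(fnmatchcase(seg, pat) for pat, seg in zip(m, r))

def access_level(account: Account, resource: str) -> str:
    """Own table if present, otherwise the role's; first match wins; default deny."""
    source = account if account.table is not None else account.role
    for mask, level in (source.table or []) if source else []:
        if matches(mask, resource):
            return level
    return "none"

def allowed(account: Account, resource: str, needed: str) -> bool:
    return LEVELS.index(access_level(account, resource)) >= LEVELS.index(needed)

# Constructed sample data; resource names are invented for illustration.
la_operator = Account("Los Angeles Zone Operator", table=[
    ("devices.la.vault_door", "observer"),    # single resource, listed first so it wins
    ("devices.la.*", "operator"),             # group: devices directly under devices.la
    ("reports.attendance.**", "observer"),    # subtree
])
john = Account("John Doe", role=la_operator)                         # inherits the role
mary = Account("Mary Shelley", table=[("reports.**", "admin")])      # own table only

if __name__ == "__main__":
    for who, res in [(john, "devices.la.reader1"), (john, "devices.la.vault_door"),
                     (john, "reports.payroll"), (mary, "reports.payroll")]:
        print(f"{who.name:13} {res:24} -> {access_level(who, res)}")
```

Because evaluation stops at the first matching record, narrow restrictive records must precede the broader group or subtree records they carve out of, and any resource no record covers resolves to no access.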
External User Authentication via Active Directory or LDAP
Large AggreGate installations are operated by hundreds of individuals, each of them holding one of many roles. Creating and maintaining individual user accounts for all of them is too laborious. Instead, users can be authenticated through an LDAP server (such as Microsoft Active Directory), while authorization (the assignment of user permissions) uses role-based AggreGate Server user accounts.
User self-registration is very helpful during the first stages of system deployment. System users may create their own accounts and provide some personal information (name, e-mail, company/department, phone number, etc.). Once registered, they get their own login/password pair.
Self-registration can save lots of time for an administrator during initial deployment. When the system installation is over and production use starts, self-registration should be disabled for the sake of security.