User Management

This page describes all aspects of managing users in Katalogue.

A User in Katalogue is an entity tied to a person and is the means to let this person login and access resources in Katalogue.
A User Group in Katalogue is a collection of Users. One of its main purposes is to enable automatic user management.

Recommended setup for user management in Katalogue:

1. Create one Microsoft Entra Id user group for each of the Katalogue roles. Optionally, multiply these for each katalogue environment you have, e.g. create groups like Katalogue - PROD - VIEWER.
2. Manage user membership in those user groups, preferrably through your organization’s access management portal.
3. Sync the user group with Katalogue to automatically add/remove users and manage their roles.

This ensures an automatic workflow with minimum involvement from Katalogue admins.

User Types

There are two main types of users in Katalogue - local and provisioned from an external source like Microsoft Entra Id.

Local Users

Local users, and their username and password, are created and managed locally in Katalogue. Login to Katalogue is performed with a traditional Username & Password authentication.

Tip

Local users are only recommended in a startup/test scenario. Use externally provisioned users in a production scenario, as managing multiple users with Katalogue-unique login credentials will quickly become cumbersome. Having people to remember separate login credentials for Katalogue is also a blocker for wider adoption in most organizations.

Note

The password is hashed with a cryptographic algorithm upon creation, meaning that the password is never logged nor stored in clear text. A password length of at least 12 characters is also enforced.

Externally Provisioned Users

The recommended way of working with users in Katalogue is to delegate user management to an external source, and then import users from that source into Katalogue. Katalogue currently supports user provisioning from Microsoft Entra Id through OpenID Connect.

There are multiple benefits with this approach:

• Better security - Central user management means that Katalogue does not have to handle passwords, when a user account is suspended or deleted, it will also be deleted in Katalogue etc.
• Better UX - Users use the same credentials for all internal services.
• Less admin work - Changes to user data such as updated photo or changed title is automatically synced

User Group Types

There are two main types of user groups in Katalogue - local and provisioned from an external source like Microsoft Entra Id.

Local User Groups

Local user groups are created and managed locally in Katalogue. It’s main purpose is to allow assigning ownership of assets to a group of users or grouping users for easier management, but they can also be used to automatically manage the user roles of local users.

Externally Provisioned User Groups

User Groups, and all users that are a member of the user group, can be synced from an external source. Katalogue currently supports user group provisioning from Microsoft Entra Id through OpenID Connect.

User Roles

Permissions in Katalogue is controlled by the means of user roles.

Viewer

The Viewer role is the minimum role available and it gives read permission to all assets in the “BROWSE”-section in the navigation menu.

Viewers cannot access any pages or items in the “MANAGE”-section in the navigation menu, with the exception of individual users and user groups. The user and user group view is limited, Viewers can see assets assigned to the user and basic profile info like name and photo, but not user role or group memberships.

Editor

The Editor role is the minimum role required to edit any asset in Katalogue. It gives read permission like the Viewer role, and Editors can in addition to this edit (create, update, delete) all assets in the “BROWSE”-section in the navigation menu, except Glossaries and Systems.

Admin

The Admin role is the highest privilege role available and it gives all permissions (read, create, update, delete) for all assets and aspects of Katalogue. This role is required to manage datasource connections, tasks, users and server settings.

Permission Overview

This table lists all major assets in Katalogue and the permissions on them for each user role.

R = Read permission
W = Write (Create, Update, Delete) permission

Asset Type	Viewer	Editor	Admin
System	R	R	RW
Datasource	R	RW	RW
Dataset Group	R	RW	RW
Dataset	R	RW	RW
Field	R	RW	RW
Glossary	R	R	RW
Business Term	R	RW	RW
Field Description	R	RW	RW
Field Description Value	R	RW	RW
Connection	-	-	RW
Task	-	-	RW
Custom Attribute	-	-	RW
User	R*	R*	RW
User Group	R*	R*	RW
Settings	-	-	RW
Settings - Datatype	-	-	RW
Settings - Field Unit	-	-	RW
Settings - Data Sensitivity Label	-	-	RW

* Can only see a limited number of attributes.

Adding Users

Local Users

Tip

In a production scenario, it is recommended to only work with externally provisioned user groups and not with individual users, see Adding User Groups.

To add a local user:

1. As an admin, go the Users page and create a new user by clicking the +ADD button.
2. Select Local as User Type.
3. Fill in the following mandatory information:
   • Full Name
   • Username (must be unique)
   • Email (must be unique)
4. If email notifications is enabled and Send welcome email with auto-generated password is checked (which it is by default), the user will receive a welcome email with login instructions, its username and a randomly generated password from Katalogue when created.
   Disable this option to enter a password manually. It must be at least 12 characters long.
5. Select a Role for the user(s), see User Roles for more details. All users will get the same role. If you need to assign different roles to the users, go through this process for each role.
6. If Require password change on next login is checked (which it is by default), the user will be forced to enter a new password when logging in for the first time.
7. Click ADD to save the user.
8. If Send welcome email with auto-generated password was not selected, remember to share the password with the user.
9. The user can now login.

Externally Provisioned Users

Individual users must be added manually to Katalogue for the first time. See Syncing Externally Provisioned Users & User Groups on required prerequisities and how to keep this in sync over time.

Tip

In a production scenario, it is recommended to only work with externally provisioned user groups and not with individual users, see Adding User Groups.

To add a user from an external source:

1. As an admin, go the Users page and create a new user by clicking the +ADD button.
2. Select Microsoft Entra Id as User Type.
3. Use the search box to find the user(s) to add. If the user you are looking for is not found, check the Default User Base Filter in Settings -> User Provisioning.
4. Select a Role for the user(s), see User Roles for more details. All selected users will get the same role. If you need to assign different roles to the users, go through this process for each role.
5. If Send welcome email is checked (which it is by default) and email notifications is enabled, the user will receive a welcome email with login instructions from Katalogue when created.
6. Click ADD to save the user. The user can now login.

Adding User Groups

Local User Groups

To add a local user group:

1. As an admin, go the User Groups page and create a new user group by clicking the +ADD button.
2. Select Local as User Group Type.
3. Fill in the following mandatory information:
   • Name
4. Check (disabled by default) Enable User Provisioning for the user group if you want the user group to control the user role of its members. If this is disabled, the user group will only serve as a collection of users.
   • If enabled, select a Default User Role for the user group, see User Roles for more details.
5. Click ADD to save the user group. Any users in the user group that does not yet exist in Katalogue will now be added, and all members will be given the highest-privilege role in all user provisioning user groups they are a member of.

Note

The Send welcome email to new users option in Settings -> Notifications does not apply to local user groups.

Externally Provisioned User Groups

Externally provisioned User Groups must be added manually to Katalogue for the first time. See Syncing Externally Provisioned Users & User Groups on required prerequisities and to keep this in sync over time.

To add a user group from an external source:

1. As an admin, go the User Groups page and create a new user group by clicking the +ADD button.
2. Select Microsoft Entra Id as User Group Type.
3. Check (disabled by default) Enable User Provisioning for the user group. This lets the user group add/delete users and set the user role. If this is disabled, the user group will only sync user membership with existing users in Katalogue.
4. Select a Default User Role for the user group, see User Roles for more details. This role will apply to all user groups that are selected in the next step.
5. Use the search box to find the user group(s) to add. If the user group you are looking for is not found, check the Default User Group Base Filter in Settings -> User Provisioning.
6. If Send welcome email to new users in the Settings -> Notifications is checked (which it is by default), all users in the user group that does not yet exist in Katalogue will receive a welcome email with login instructions from Katalogue when created.

7. If all of the steps above are followed, the only secret Katalogue need to handle is the Azure app registration’s Client Secret ().

8. Click ADD to save the user group. Any users in the user group that does not yet exist in Katalogue will now be added, and all members will be given the highest-privilege role in all user provisioning user groups they are a member of.

Disabling Users

Users can be manually disabled in Katalogue at any time. Disabled users cannot login and is thus prevented from accessing any Katalogue resources.

Microsoft Entra Id sync tasks will automatically disable users that are deleted from Entra id, or removed from all user-provisioning users groups that are synced with Katalogue, if the user is associated with one or more assets in Katalogue. Otherwise, the user will be deleted.

To disable a user manually:

1. As an admin, go to Users.
2. Select the user(s) to disable and click Edit.
3. Check the Disable checkbox.
4. Click Save. The user(s) are immediately prevented from login in, and any currently logged in users will be logged out upon the next interaction with Katalogue that fetches data from the backend API.

To re-enable a disabled user, follow the steps above and un-check the Disable checkbox.

Syncing Externally Provisioned Users & User Groups

This section goes through how to setup a Microsoft Entra Id sync task to sync user data and user group memberships.

Prerequisities

First, enable Microsoft Entra Id SSO and then configure user provisioning.

It is also highly recommended, but not mandatory, to setup email notifications. This enables Katalogue to send emails with login instructions to new users. This feature, along with user group syncing, means that user management will be a completely automated task for Katalogue admins.

Creating and Running a Microsoft Entra Id Sync Task

To sync changes to user data and user group data & memberships, create a Microsoft Entra Id Sync Task:

1. As an admin, go to Tasks and create a new task by clicking the +ADD button.
2. Select Microsoft Entra Id Sync as Task Type.
3. Click +ADD to create the task.
4. Run the sync task by selecting it and clicking Run.
5. Once completed, the users, user groups and user group memberships will be updated.

See Microsoft Entra Id Sync Task Logic for details on the sync logic.

Microsoft Entra Id Sync Task Logic

This section goes through how changes in Microsoft Entra Id is affecting users and user groups in Katalogue during a Microsoft Entra Id Sync Task. The headings refer to changes on the Microsoft Entra Id side.

Danger

Users and user groups in Katalogue and Entra Id is matched on the Microsoft Entra Id attribute mapped to the Katalogue attribute Id in the User Provisioning Settings. If this attribute is changed in either of the systems, or if the mapped attribute in the settings is changed, the sync will result in a insert & delete operation instead of an update.

Danger

There is an edge case where users can be unintentionally deleted/disabled, potentially resulting in a lockout from admin features. If an individual user is added from an external source, and if there are user provisioning user groups from an external source, and if the individual user is not a member of any user provisioning user groups (local or external), running the Microsoft Entra Id sync task will delete the user.

To prevent this, simply create a local user provisioning user group and assign the individually added users as members of that group.

To recover from such a lockout state, manually add a user to the public.user database table.

New User Group

No effect in Katalogue, user groups must be manually added to Katalogue for the first time.

New User

No effect in Katalogue, users must be manually added to Katalogue for the first time - except if the new user is also added as member to any of the user groups that are synced with Katalogue. See New User Group Members for this scenario.

New User Group Members

If the user group is configured as a user provisioning user group, and the user does not already exist in Katalogue, the user will be created and given the same role as the default role of the user group.

If the user group is configured as a user provisioning user group, and the user does already exist in Katalogue, the user will be added as a member to the user group. The user’s role will be set to the default role with highest privilege of all user provisioning user groups (local or external) the user is a member of.

If the user group is not a user provisioning user group, the user will not be added to Katalogue. If the user does already exist in Katalogue, it will be added as a member to the user group. Its role will be unaffected.

Updated User & User Group

The user and user group attributes will be updated.

Removed User Group Membership

If the user group is configured as a user provisioning user group, the user will be removed from the user group. The user’s role will be set to the default role with highest privilege of all user provisioning user groups (local or external) the user is still a member of.

If the user is no longer member of any user provisioning user groups (local or external), the user will be deleted. See Deleted User for this scenario.

If the user group is not a user provisioning user group, the user will be removed from the user group. The user will not be deleted and its role will be unaffected.

Deleted User

If the user is deleted in Microsoft Entra Id, Katalogue will try to delete the user.

The user will be deleted if the user is not assigned (as e.g. owner) with any assets.

The user will be disabled if the user is assigned to one or more assets. Those assets should be re-assigned to another user, and then the user will be deleted during the next sync.

Note

Edge case: Disabled users will never be re-enabled again by the sync task. This results in an edge case - if a user that was previously disabled because it was removed from all user groups, re-appear as member of the user groups synced with Katalogue, the user will remain disabled. An admin must manuallt re-enable the user again. Why? Since the sync job does not know if the user was disabled by a previous sync job or if someone intentionally disabled the user in GUI.

Deleted User Group

The user group will be deleted from Katalogue.

If the user group is a user provisioning user group, its members will either be deleted or given a new role according to the logic described above.

If the user group is not a user provisioning user group, its members will remain untouched.