When a new LDAP user logs in to a station for the first time, the system creates a user account in the UserService and names it based on the user name portion of the person's login credentials as stored on the LDAP server. The system then populates the Attr (attribute) properties, such as Full Name, Email, and Language, directly from the LDAP server. It populates other properties, such as Permissions, from the local user prototype in the station. If no prototype is identified for the user, the system populates a new user's properties (all except password) using values defined in the Default Prototype. Assigning a user prototype is a way to group users who share the same permissions. Customizing the Default Prototype properties before you create users can simplify the creation process even in a non-network-user scenario.
The station is open in Workbench.
- To configure the Default Prototype, right-click the UserService in the Nav tree and click .
- Expand the User Prototypes node and double-click the Default Prototype node.
- Make changes to the properties that apply to all system users, and click Save.
To ease the burden of making new users, consider changing these properties: Expiration, Authentication Scheme Name and Prototype Name. When they log in, any new LDAP users inherit these values as the default properties, including permissions. These values also appear as the defaults when you create a new user. You can change them for a specific user at any time.
- To make a custom prototype, get a list of the attrPrototype names from your LDAP administrator. The attrPrototype property usually defines the group to which the user belongs. For example, if you have user prototypes named "sysIntegrator" and "buildingManager", an LDAP user who is a member of the buildingManager group on the LDAP server inherits permissions from the buildingManager prototype.
- To make a custom prototype, right-click the Default Prototype in the Nav tree and click Duplicate. The Name window opens with the default name of defaultPrototype1.
- Change this name to the same name as the user group (type of user) on the LDAP server, such as Manager, Operator, Engineer, etc., and click OK.
- Repeat duplicating the Default Prototype and configuring its properties until you have set up a separate prototype for each user group.
LDAP users may belong to multiple groups on the LDAP server, but they can only be assigned one prototype. If an LDAP user belongs to multiple groups that match prototype names, the system defaults to the first prototype in the prototypes folder. For example, if you have prototypes named "sysIntegrator" and "buildingManager", with "sysIntegrator" being first in the list, and an LDAP user who is a member of both groups on the LDAP server, the user inherits permissions from the "sysIntegrator" prototype.
- When you are finished, save the station by right-clicking the station Config node on the Nav tree and clicking .
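The prototype selection rules above (first matching prototype in folder order wins; no match falls back to the Default Prototype) are easy to get wrong when a user sits in several LDAP groups. The following added example, not code from the product or its documentation, models those rules so an administrator can predict which prototype each user receives and list the users whose group memberships match more than one prototype. The prototype folder order, the group memberships and the name `defaultPrototype` for the Default Prototype are constructed assumptions.

```python
# Added example: models Niagara-style prototype resolution for LDAP users.
# Assumption: the Default Prototype is named "defaultPrototype" (the page only
# shows that a duplicate of it is named "defaultPrototype1").
DEFAULT_PROTOTYPE = "defaultPrototype"


def resolve_prototype(ldap_groups, prototypes_in_folder_order):
    """Return the single prototype name an LDAP user inherits.

    A user can be assigned only one prototype. The first prototype, in
    prototypes-folder order, whose name matches one of the user's LDAP groups
    is used; if none match, the Default Prototype applies.
    """
    groups = set(ldap_groups)
    for name in prototypes_in_folder_order:
        if name in groups:
            return name
    return DEFAULT_PROTOTYPE


def ambiguous_users(users, prototypes_in_folder_order):
    """Map user -> list of every matching prototype, for users with >1 match.

    Only the first match is applied, so these users silently receive the
    permissions of whichever prototype sits earlier in the folder. Reviewing
    this list (and the folder order) is how to confirm nobody is granted a
    broader prototype than intended.
    """
    report = {}
    for user, groups in users.items():
        groups = set(groups)
        matches = [p for p in prototypes_in_folder_order if p in groups]
        if len(matches) > 1:
            report[user] = matches
    return report


# Constructed sample data: folder order and LDAP group memberships.
PROTOTYPES = ["sysIntegrator", "buildingManager"]
SAMPLE_USERS = {
    "alice": ["buildingManager"],
    "bob": ["sysIntegrator", "buildingManager"],  # matches both prototypes
    "carol": ["helpdesk"],                        # matches none
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(f"{user}: {resolve_prototype(groups, PROTOTYPES)}")
    print("needs review:", ambiguous_users(SAMPLE_USERS, PROTOTYPES))
```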