Organization administrator

Managing the organization

This topic outlines the required tasks that the organization administrator must do when setting up the organization for the first time.

Assign organization roles.
All users in the organization inherit the roles assigned at the organization level. Assign only the roles that are applicable at end-user level, such as the Print Release Management User role. For more information on the roles, see Understanding roles.
For an organization that has multiple child organizations, create a Child Organization Access Group, and then assign the group roles.
A Child Organization Access Group can be used to manage user access to all the child organizations. For more information, see Managing the Child Organization Access Group.
Create groups within the organization, and then assign the group roles.
Groups can be created to manage the users in the organization and establish a common set of roles. Members of the group inherit the roles and permissions that are assigned to a group. For more information, see Managing groups.
Set the password requirements.
Create users, import users, or configure the authentication provider to generate users automatically.
The Account Management web portal lets you create individual users. For organizations with many users, a batch import can be done using a CSV file. For more information, see Managing users.
Add users to a group.
Assign user roles.

The organization administrator can also do the following:

Configure an authentication provider.
Configure the printer login.
Manage badges and PINs.

Managing the Child Organization Access Group

This feature is available only in organizations that have been enabled for the creation of child organizations. From the parent organization, you can create the Child Organization Access Group, assign group roles, and add members. The members have access to all child organizations based on the roles assigned to the group.

This feature lets you manage user access to multiple child organizations easily. For example, if the Child Organization Access Group is assigned with the Fleet Management Administrator role, then all the members in that group are fleet management administrators in all the child organizations.

From the Account Management web portal, select the parent organization.
Click Groups.
From the Child Organization Access tab, do any of the following:
Create a group
1. Click Create Group or Create, and then type a unique group name.
  Note: We recommend naming the group as Child Organization Access Group to distinguish it from the regular groups created from the Groups feature. For more information on creating regular groups, see Managing groups.
2. Click Create Group.
Delete groups
1. Select one or more groups, and then click Delete.
  Note: You can also search for groups using the search bar.
2. Click Delete Groups.
Add members to a group
1. Click a group name.
2. From the Members tab, click Add Members or Add, and then select one or more users.
  Note: You can also search for users using the search bar.
3. Click Add Members.
Remove group members
1. Click a group name.
2. From the Members tab, select one or more users, and then click Remove.
3. Click Remove Members.
Assign group roles
Note: All users in the group inherit all the roles assigned to the group.
1. Click a group name.
2. From the Group Roles tab, click Assign Roles or Assign.
3. Select one or more roles.
  Note: For more information, see Understanding roles.
4. Click Assign Roles.
Remove group roles
1. Click the group name.
2. From the Group Roles tab, select one or more roles, and then click Remove.
3. Click Remove Roles.

Managing groups

A group is a collection of users that can be managed with a common set of roles or permissions.

The following groups are predefined, and are assigned with specific roles:

Admin
Fleet Management
Help Desk
Reporting

From the Account Management web portal, click Groups.
Do any of the following:
Create a group
1. Click Create, and then type a unique group name.
2. Click Create Group.
Delete groups
Deleting a group does not delete the users from the organization. The users are disassociated from the group, and then the group is removed from the system.
1. Select one or more groups, and then click Delete.
  Note: You can also search for groups using the search bar.
2. Click Delete Group or Delete Groups.
Add members to a group
1. Click a group name.
2. From the Members tab, click Add Members, and then select one or more users.
  Note: You can also search for users using the search bar.
3. Click Add Members.
Remove group members
1. Click a group name.
2. From the Members tab, select one or more users, and then click Remove.
3. Click Remove Members.
Assign group roles
All users in the group inherit all the roles assigned to the group.
1. Click a group name.
2. From the Group Roles tab, click Assign Roles or Assign.
3. Select one or more roles.
4. Click Assign Roles.
Remove group roles
1. Click the group name.
2. From the Group Roles tab, select one or more roles, and then click Remove.
3. Click Remove Roles.

Managing users

From the Account Management web portal, click Users.
Do any of the following:
Create a user
1. Click Create.
2. Type the email address, first name, last name, and display name of the user.
3. Type the department and cost center name where the user belongs.
4. Set the password manually, or email a link to the user to change the password.
5. Click Create User.
Edit a user
1. Click a user email address.
2. Do any of the following:
  - Edit the personal information.
  - Change the user password.
  - Assign user roles.
  - Register a badge.
    From the Printer Login section, click Edit beside Badge Login.
  - Add the user to a group.
  - Set the user PIN.
    Note: This setting is available only when the printer login is set to PIN Login or Badge + PIN as second factor. The PIN generation must be set to Administrator manually set.
    1. From the Printer Login section, click Set PIN or Reset PIN.
    2. Enter the PIN, and then click Generate PIN.
Delete users
1. Select one or more users, and then click Delete.
  Notes:
  - You can also search for users using the search bar.
  - The activities of a deleted user are still shown in the Analytics web portal, but the name and email address are removed from all the reports.
2. Click Delete Users.
Import users
The Import feature lets you create, update, and delete multiple users in an organization using a CSV or TXT file. You can also create user groups, and then assign a user to those groups.
1. Click Import Users or Import, and then browse to the CSV or TXT file.
2. If necessary, email a link to the user to change the password.
3. Click Import Users.
Note: The import log is sent to your email address.

Sample CSV format

EMAIL,OPERATION,PASSWORD,FIRST_NAME,LAST_NAME,DISPLAY_NAME,SHORTNAME,GROUPS,
CUSTOM_ATTRIBUTES,COST_CENTER,DEPARTMENT
jdoe@company.com,CREATE,,John,Doe,Johnny,jdoe,Group 1,"{'key1':'value1','key2':'value2'}"
llane@company.com,UPDATE,password2,Lois,Lane,Lois,llane,,
ckent@company.com,DELETE,,,,,,,

The import file header line must be the following and is case-sensitive: EMAIL,OPERATION,PASSWORD,FIRST_NAME,LAST_NAME,DISPLAY_NAME,SHORTNAME,GROUPS, CUSTOM_ATTRIBUTES,COST_CENTER,DEPARTMENT.

Line values and their conditions

EMAIL—Required for all users. EMAIL values that are in uppercase in the file are converted to lowercase before the operation is performed. For example, JDOE@company.com is converted to jdoe@company.com.
OPERATION—Required for all users.
Valid OPERATION values
- CREATE—Creates a user identified by the EMAIL value with the corresponding properties on the line.
- UPDATE—Updates the existing user identified by the EMAIL value with the corresponding properties on the line. You can use the [delete] action string to remove the first name, last name, display name, and shortname.
- DELETE—Deletes the existing user identified by the EMAIL value.
PASSWORD—Not required for any OPERATION, and can be empty only when “E-mail a link to change the password” option is selected when importing.
Note: Enable the “E-mail a link to change the password” option only when importing files with the CREATE operation.
FIRST_NAME—Not required for any OPERATION, and can be empty. The first name of the user. For example, John.
LAST_NAME—Not required for any OPERATION, and can be empty. The last name of the user. For example, Doe.
DISPLAY_NAME—Not required for any OPERATION, and can be empty. The name of the user that is sometimes used in display prompts or log reports. The DISPLAY_NAME value can be the full name with middle initial or any string. For example, John A. Doe. The DISPLAY_NAME value is not directly associated with the FIRST_NAME and LAST_NAME values.
SHORTNAME—Not required for any OPERATION, and can be empty. The SHORTNAME value is used when the organization has a shortname string that also identifies the user in the organization. For example, jdoe.
GROUPS—Not required for any OPERATION, and can be empty. Separate multiple groups by using commas and enclosing them in double quotation marks. For example, "Group1,Group2,Group3". GROUPS values that do not exist in the organization are created, and then added to the organization automatically.
Note: A group name must not contain the following characters: ! @ # $ % ^ & * ; + ? / \ [ ]. If these characters are used, then they are replaced with an underscore (_).
CUSTOM_ATTRIBUTES—Not required for any OPERATION, and can be empty. The CUSTOM_ATTRIBUTES value is a specially formatted JSON string for user metadata that is stored with the user. The value must be enclosed in double quotation marks. For example, "{'key1':'value1','key2':'value2'}"
COST_CENTER—Not required for any OPERATION, and can be empty. The COST_CENTER value is used for quota assignments and cost-center-level reporting in the Analytics web portal.
DEPARTMENT—Not required for any OPERATION, and can be empty. The DEPARTMENT value is used for quota assignments and department-level reporting in the Analytics web portal.

Notes:

All lines must have the same number of values as the header, including the commas. Follow empty values with commas. For example, jdoe@company.com,DELETE,,,,,,,
The file size must not exceed 1MB.
Importing a file with CREATE and UPDATE operations with more than one group assignment can take a few minutes.
If any line value contains a comma, such as the names, password, groups, or custom attributes, then the value must be enclosed in double quotation marks. For example, llane@company.com,UPDATE,"pass,word2",Lois,Lane,"Lois,Lane",llane,"Group1,Group2",

Configuring an authentication provider

The Lexmark Cloud Services website supports federation with an identity service provider (IDP) for authentication. Users can log in to the system using the credentials from their existing accounts.

Notes:

Contact your Lexmark representative before configuring the settings. If the settings are not configured correctly, then users can be locked out from Lexmark Cloud Services.
Before you begin, make sure that you have the correct authentication provider information, such as the SSO URLs and certificates.

From the Account Management web portal, click Organization > Authentication Provider.
Click Configure an Authentication Provider, and then add the domains.
Configure the single sign-on settings.
- Service provider entity ID—The base URI of the IDP of the organization that the Lexmark Cloud Services website can access.
- SSO target URL—The single sign-on (SSO) login URL of the IDP Active Directory Federation Services (ADFS) of the organization.
- SSO Logout URL—The SSO logout URL of the IDP ADFS of the organization.
- SSO name identifier format—The name ID of the IDP ADFS of the organization.
- Certificate—A signed certificate from the IDP ADFS of the organization. The certificate is required so that the Lexmark Cloud Services website can determine if it is communicating with the IDP ADFS.
Click Configure Authentication Provider.

Note: For more information on federating a CIAM organization, contact the Lexmark Professional Services team.