Identity and Access
RapidMiner comes with a handy Identity and Access Management component which provides administrators with control over user authentication and authorization.
Here we cover the steps that need to be taken before end-users of an organization can start using RapidMiner, as well as more advanced topics such as federated identity and fine-grained role-based authorization.
Initial setup
When we provision access to RapidMiner for an organization, we provide their administrators with an initial login to our Identity and Access component. This is a special user which does not have access to the platform itself, its purpose is to create or federate users who will in turn have access the platform.
First, our customer success managers will reach out and share the initial credentials for this administrator login tied to your organization.
Use this to log in at the Identity and Access Management Console. You will be required to change your password on your first login.
Next, you can start provisioning users or configuring identity federation.
Basic user management
Let's cover basics next, such as creating new users, setting their (initial) passwords and assigning them roles so they can use the platform.
Creating users
First, log in to the Identity and Access Management Console with your special administrator user.
Click on Users, and on the Add User button.
Provide the user's name and email address.
After double-checking the email address, enable the Email Verified toggle.
Click Save.
Next, we have to create an initial password for the user. To do this, click on the Credentials tab.
Type a password and the password confirmation, then click Set Password.
tip
It is a good practice to create a temporary password, which will have to be changed by the user on their first successful login. If you wish to disable this for the current user, simply disable the Temporary toggle before setting the password.
Setting up access
We provide secure access using default settings according to the highest security standards.
For those customers which need very specific security and login settings, we also provide a lot of flexibility.
As a best practice, we recommend setting up identity federation for a seamless single sign-on experience for end-users.
Login settings
The Realm Settings menu provides options to configure the login experience for users. We will highlight a few of the most important ones here.
To enable self-service password reset, enable the Forgot password toggle on the Login tab.
To enable self-signup, enable the User registration toggle on the Login tab.
To keep users logged in between browser restarts, until the session expires, enable the Remember Me toggle on the Login tab.
To require email verification after first login, enable the Verify email toggle on the Login tab.
tip
Forgot password, user registration, and verify email functionality requires configuration for sending outgoing emails. This is coming soon.
Identity federation
Coming soon.
Roles
All users are created with the user role, which allows access to all applications of the platform.
More roles will be added as the platform evolves.
Security
We've taken great care about platform security, which also covers setting good defaults for timeouts, etc. However, we appreciate that some organization are stricter than others when it comes to security, and we wanted to make sure we give administrators the flexibility to tweak security settings to meet their own organization's standards.
Fine-tuning timeouts
We use industry best-practice values for timeouts and idle times, to create a user experience that's as frictionless as possible, but also secure.
If you wish, you can fine-tune these on the Tokens tab in the Realm Settings menu. The range of possibilities is quite large, you can use the tooltips to learn more about each timeout, here we will highlight a few key ones.
To change how long a user can stay idle without getting logged out, adjust the SSO Session Idle value.
To change how long before a user is logged out (idle or not), adjust the SSO Session Max value.
To change how long a user has to complete a login action (such as a password change), adjust the Login action timeout value.
To change how long a user has to complete a login, adjust the Login timeout value.
Password policies
When not using federated logins, administrators might want to impose policies which user passwords must adhere to.
To add password policies, click on the Authentication menu, and select the Password Policy tab.
Next, click on the Add Policy dropdown, and select the policy element you wish to add.
tip
As an example, if user passwords should be at least 10 characters long, select Minimum Length from the Add Policy dropdown. In the table row that appears, type 10 in the Policy Value column.
When you are done with adding all the password policy elements, click on Save to apply your changes, which will come affect all new users and password resets.
You can add several password policy requirements. All of them will be enforced.