If your organization has not enabled Single Sign On (SSO), you need a login username and password to log in to Manage. Ask your installer for your username and password and the Manage server IP address. Manage runs in a web browser, such as Internet Explorer or Chrome. For example, if the address is 10.3.3.213, use https://10.3.3.213, or if the hostname is em_gates.bigstateu.edu, use https://em_gates.bigstateu.edu.

Since the URL uses the HTTPS protocol, your browser will warn you about security risk or that there is a problem with the server's certificate if the appropriate SSL certifications have not been attached to the server based on the server's assigned IP or hostname. Click through these warnings, or contact Enlighted support to start the process of generating and attaching the required SSL certifications.

Once signed in, you can sign out at any time by clicking Logout in the upper right-hand corner of the window.

To change your password, refer to the article Change Password.

Force Password Change

Administrators and Facility admins can force users to change passwords every six months. Navigate to Administration > System Management. Select the Settings tab and scroll down to Security Settings. Select the Require users to change the password every six months checkbox and click Apply.

TIP: A best practice is to sign in as user admin for setting up the system. Then after setup has been completed, each user should have a unique identity so that system usage can be traced back to a specific user.

Generate API Key

Users must be authenticated to send or receive API requests to and from Manage. The API calls include a timestamp of when the call was made to avoid replay attacks. For authentication, the user must send the following headers along with the REST API.

API key -- Unique identifier for the user (this is the user name, for example, Bob and the generated API key copied from the Manage system)
Timestamp -- Time, date, and day of the API call
Authorization -- SHA-1 authorization key (Calculated using the API key and timestamp).

Generate API Key for a User in Manage

To generate an API key for a user, navigate to Administration-> Authentication Management.

If the user has previously generated an API key, the last five characters of the key are shown in the API Key box to help the user identify the key in their ‘keyring’. If you need to generate a new API key, select the Generate new API Key checkbox to generate the API key. Click the Submit button.

You can leave the Change Password section fields blank. If you need to change your password, refer to the Change Password article.

Copy and save the new Enlighted API key that is displayed in a secure location as the key is not retrievable after the dialog window closes. Any previously associated key will be invalidated.

Refer to the article User Authentication for APIs to authenticate the user with the API key.

User Roles in Manage:

Each user is assigned a role and status. There are four roles that each user can have, each with unique permissions. Each role determines the actions that the user can perform and the information they have access to.

Administrator – This user performs and sets up the initial configuration, adds users, devices, configures profiles, and performs advanced functionality such as backups, firmware upgrades, and administration of all other users and facilities.
Facilities Admin – This user can perform functions relevant to the authorized facilities except for configuring LDAP Settings, Image Upgrade, Backup and Restore, and Upgrade.
Auditor – This user can view energy consumption details and display reports for authorized facilities and oversee the organization's operations and reports for further analysis.
Employee – This user can view energy consumption and floor plan facilities screens for authorized facilities, control switches and manage fixture profile instances in the same profile template.

Status:

Each user is assigned a status:

Active – Active users are those who sign in regularly to the system.
Inactive – Users can be changed to inactive users by the administrator or facility admin when they have not logged in to the system for more than 90 days.

To start managing user permissions, select Administration > User Management to manage users.

Add a User

Click New User to add users to the organization. Use unique usernames to identify users and allow access. If your administrator has set up Single Sign-on (SSO) authentication for your organization, check the SSO User checkbox. When SSO is enabled for your organization, the username must be an email address to validate the user on the authentication site. Users will be allowed to log in once, and access Enlighted Manage in the Cloud (EMC).

The procedure to configure the SSO server is described in Single Single-on (SSO) authentication.

After you enter the values and click the Save button, the user is added to the system, and the user details show up in the User Management window. Click on the Edit button to change the value of any field. Note that the username must be unique in the system.

Facility Access

In addition to the user role, each user is also assigned to a facility to which the user has access. Administrators have access to all facilities in the Assign Facility to User window.

If a user logs in successfully via SSO without an admin creating an account for that user first, the system automatically creates a new user with the 'employee' role without any facility access. The administrator must then assign the user the desired role and grant them privileges to the desired facilities. Refer to the article Assign Facility to a User for assigning facility access permissions.

Assign Facility to a User

After a user is added in Manage, an Admin or Facility Admin can grant them access to one or more facilities to sign in to the system. The new users will be able to create other users, modify profiles, generate reports, issue API calls for the assigned building. In this way, they can work and take actions relevant to their building or facility.

Use the Assign Facility button to grant the user access to a facility.

In the Assign facility, check the facility access level (green checkmark) to assign to the user and click Save.

Note that all facilities are shown in the Assign Facility to User when logged in as an Administrator. When a Facility Admin is logged in, only the facilities assigned to that Facility Admin are shown. The Facility Admins can create new users and assign access to the facility relevant to them.

For example, user Andy Helper is a Facility Admin with access to the Main building in Acme Headquarters. Andy can create other users, modify profiles, issue API calls, and generate reports only for the Main building assigned to him.

Full Access:

Users with full access to a resource must have all full access to all children of that resource within the context of the user's role. For example, a user with full access to a building must have full access to all the floors and areas within that building.

Floors:

A user cannot have partial access to a floor if the floor does not have any areas. In this case, a user can only have either full or no access to the floor. For example, the second floor does not have any areas. Therefore, the user has full access to the second floor.

Devices:

Devices (sensors, gateways, PLCs) are associated with areas and floors. A user will have full access to the devices on the floor or in an area only if the user has full access to that area or floor. A user cannot have partial access to a device.

Groups:

Motion, switch, and daylight groups are associated with a floor. A user has full access to a switch group only if the user has full access to the switch groups' parent floor. A user cannot have partial access to a switch group.

Partial Access:

Users with full access to a subset of buildings, but not all buildings, have partial access to the organization. For example, if a user has full access to one of the three areas on a floor, then the user has partial access to the area's parent floor, building, campus, and organization.

When a floor does not have any areas, the user can only have full or no access to the floor. Groups such as switch, motion, daylight are children of floors. A user has full access to a switch group only if the user has full access to the switch groups' parent (the floor). A user cannot have partial access to switch groups.

User Roles

There are four roles that each user can have; each represents a unique collection of permissions. Each role determines the actions that the user can perform and the information to which they have access. The application user experience is, in some cases, different based on the user's role. For example, the Reports tab is not displayed in the Main menu for users with the employee role. Learn more about adding and assigning roles to users.

Administrator – This user performs and sets up the initial configuration, adds users, devices, configures profiles, and performs advanced functionality such as backups, firmware upgrades, and administration of all other users and facilities.
Facilities Admin – This user can perform functions relevant to the authorized facilities except for configuring LDAP Settings, system upgrade, system backup and restore, and firmware upgrade.
Auditor – This user can view energy consumption details and display reports for authorized facilities, and oversee the organization's operations and reports for further analysis.
Employee – This user can view energy consumption and floor plan facilities screens for authorized facilities, control switches and manage fixture profile instances in the same profile template.

The table below outlines the five roles and what they can do. A check indicates that the individual permission is included.

Permissions	Admin	Facilities Admin	Auditor	Employee
User Management
Add Users *
Edit or delete Users *
Device Management (Sensors, Gateways, PLCs, Switches)
Add, Discover, Commission Devices
Light Profiles - Control Light level for task-based functions
View Profiles
Edit
Create, Delete Profiles
Switch/Motion/Daylight Groups
Create Groups
Edit, Delete Groups
Daylight Harvesting
Dim lighting when daylight is available
Energy Consumption
View energy savings
Reports
View Reports
Edit, Delete Report
BACnet
Manage BACnet configuration
APIs
Issue API calls including Occupancy
Administrative Functions
Image Upgrade
Backup and Restore
Schedule Demand Response, Holiday Overrides

User Role Permissions for APIs

This article provides guidance on API access by API endpoint and Manage role-based permissions. Access affects both the objects that can be requested as well as the objects that are returned when making API requests. The API permissions follow the below guidelines:

Users cannot get or post to object properties for objects to which the user has no access.
Users can only get metadata and aggregate energy consumption data for objects to which the user has full or partial access. For a description of full or partial access, refer to User Role Permissions.
1. Name
2. Object ID
3. Description, etc.
Users can only post object properties for objects to which the user has full access.
Users can get all object property data only for objects to which they have full access.
1. Sensor Details
2. Occupancy state
3. Device location
4. Energy (non-aggregate)
5. Applied profile
6. Scenes
7. etc.

403 Access Denied Message:

Access Denied! The user doesn't have the required permissions to access this 'object'

The warning message is displayed if the user doesn't have access based on role or access to the referenced object.

The object is defined by the structure of the API and the ID entered in either the API URI or the body of the request, if applicable. For example, if a user sent a campus_Id to which the user had no access in the 'GET All Buildings' API request, the user would receive a '403 Error' as the response. This is because the user does not have the required permissions to access this campus.

If the user has the option of making a request against two or more object types (e.g. floor or organization), the 403 Error message will use the object type of the object passed in the request (e.g., The 'GET All Scenes' API allows a user to pass either an organization_Id or floor_Id in the request. The error message will use either 'organization' or 'floor' based on which object_Id type is used by the user).

Energy and Environment APIs

For a description of full or partial access, refer to User Role Permissions.

Object_IDs allowed for a given API reflects the access to that resources required by a user in order to avoid a 403 error or for data to be returned. For example, a user can make a request to 'Get All Areas' for a floor to which they only have partial access (access to some, but not all areas on a floor), and the API response will only contain areas to which the user has been granted full access.

API Name

Admin

Auditor

Employee

Facilities Admin

BACnet

Object_ID Allowed (Request/Response)

Org

campus

Bldg

Floor

Area