How to delete a user from an imported Document Vault

I went up to the connection called Local Access Connection,

clicked on Login Accounts and there the account was listed.

When I clicked the account to highlight it, a Delete button appeared
and that was the one I was looking for.

I thought clicking Delete would take care of the problem, but it didn't.

Under Users, in the listing of Login Accounts the Core333\Carel account is still listed.

What is the most confusing to me is that is appears in the Login Account column, but in brackets it says that the login account is missing.

I'm lost. If there's somebody out there who can explain this I appreciate
an explanation and or solution.

I can try quick answer, but correct me if I'm wrong.

With M-server you have the server (services) and vaults(place for objects). You can have several vaults under the server.

First, to be able to use server, you create login account. Then you can add users for each vault separatedly. Some users can be under all vaults and some can open only one.

Now, if you open the M-files server Administration, you see the "hierarchy". Accounts are under Server connections and users are under each vault.

You can delete user from vault first disabling the user. Then you get the choice "Delete" visible.

Login Accounts can be either disabled (for example for short time) or deleted.

Did this clarify things? So now you have to disable the user from users and then you can delete it.

-emmi

Hi Emmi,

I didn't know that you first need to disable a user before you can delete the account.

I was able to remove the account and now it's the way I want it.

Thanks for your help.

Regards,

Carl.

I just figured out myself.. pictures in the guides (for example in M-files API, UserAccount Object) show just the delete. And there is no mentions about disabling in the guides. ???

I noticed I've been too sloppy with the words in the above text.. (modified it a little). The two accounts are Login Account and User Account. Login account can be seen as a single user identity and it is not a vault-specific object, but common for all vaults. Login account holds user-specific information not related to the vault, like the user's name, e-mail address and license type. This can be disabled too.

User Account for each vault holds the permissions for that specific vault for the document and to document vault itself (administrative rights).

Hi Emmi,

Thanks for the extra info. I will study it.

Below is text from the manual about Login Accounts, but I find it pretty confusing:

The document vault has users who must first authenticate themselves to M-Files Server. Before creating the users, login accounts must be created for the document vault on the M-Files Server. These login accounts are added to document vaults as users. Different users can be selected for document vaults from among the login accounts, and the same server login can be added to several document vaults.

Thanks for the update,

Regards,

Carl.

At first I was a little bit confused with login accounts and user accounts, too, and the user guide didn't help at all. I think these things could be written a little bit more informative way :) In API manual these are explained more carefully.

The document vault has users who must first authenticate themselves to M-Files Server.

This is clear, i think. But it could explain something more..

The users have different permissions (or rights) with the documents(objects) in the vault or for the vault itself. These permissions are set by User Account. Each vault have their own separate user accounts, since the rights may be different within different vaults. Each user has also general (global) properties, which are independent from the vaults, for example the identity (Full Name, email) and the authentication method. These global properties are set by Login Account.

Before creating the users, login accounts must be created for the document vault on the M-Files Server.

Means that to be able to use the vaults, the user has to have those global propertied set, i.e the one have to have a login account.

These login accounts are added to document vaults as users.

When creating a login account, the system adds automatically the name of the Login Account into the list of possible users for each vault. It doesn't create the user accounts, it just enables creation of the User Account for the new user.

Different users can be selected for document vaults from among the login accounts, and the same server login can be added to several document vaults.

So, when creating the User Accounts, you just select the Name from the list and this ensures that the user can log into server.

You told that you were able to delete the login account and after that you got the obvious error for the user account. I'm wondering why the deleting of the login account is not related to the user accounts. I think the user account should be at least disabled if the login account is removed? Or at least you could be prompted for that?

Is there a possibility or some needs for the situation where the is a User Account but not Login Account? Could that be an allowed state? Any ideas?

And, again these are just how I have seen the concepts. And writing these things down helps me understand the system a little bit more :)

-emmi

Hi Emmi,

Thanks for your feedback. I agree with you. It seems to me that they have
split up the Access Security in 2 layers.

The first security layer deals with user authentication for the server: Who are you? Do we know you? These credentials are specified in the Login Account,
so with a Login Account you can get on to the M-Files Server.

The second security layer deals with Authorization. Which vault can you access?
What permissions do you have for a particular vault? All the authorizations/ permissions a user has, are specified in the User Account.

Therefore, it makes sense that you first need to have a Login Account, because if the server doesn't know you, it will not be able to decide whether or not you are allowed to create a User Account.

You wrote:
"I think the user account should be at least disabled if the login account is removed?"

When the Login Account has been removed, it doesn't matter whether the
User Account has been disabled or not, because the User won't be able to get on to the Server anyway.

You wrote:
"Is there a possibility or some needs for the situation where the is a User Account but not Login Account? "

The only situation I can think of is when the M-Files application is being migrated, for example from a PC to a rack-mounted server. In that scenario
you don't want to lose the User Accounts, but there's a good chance that
the Authentication and Authorization mechanism will change, which would require setting up the Login Accounts from scratch. In this case there is no need to change the User Accounts just because M-Files will run on different hardware.

I've also found that writing stuff down creates a better understanding of the subject.

Thanks & regards,

Carl.