5. User management

5.1. Admin user password


To change the admin user’s password, click on Settings in the left side menu in the Intella Connect Dashboard.

Intella Connect Settings

The fields New admin password and Repeat admin password are used to change the admin user’s password. Once these two fields are filled in, click on the Save changes button to change the password. After clicking the button, the notification Password changed successfully will be shown and you will be logged out from the Intella Connect Dashboard. To log back in, please use admin as user name together with the newly configured password.

5.2. Managing Users and Permissions - the RBAC model

For managing Authentication and Authorization Intella Connect uses a mechanism called Role Based Access Control (RBAC). To effectively manage user accounts and their permissions, it is advisable to get familiar with this mechanism. It is a very simple yet powerful tool, allowing for full flexibility in creating various levels of access restrictions.

Below we describe the key entities used in an RBAC model:

  • User (account) - represents a single person who has access to an application. Each user is identified by a unique username and password, which needs to be presented for authentication purposes. This is how Intella Connect is able to recognize their identity and determine what each one of them can or cannot do.

  • Permission - represents access to a given resource or operation, for example the ability to tag items, access to a case or to a specific item. Permissions can grant or prohibit access to a certain action. There are different types of permissions defined in Intella Connect. Administrators should get acquainted with them, because only then they will be able to properly manage access to various parts of Intella Connect.

  • Role - roles can be considered as a set of permissions with a unique name. Roles are defined by server administrators. There is no limit on the number of roles that can be created. A roles can have zero or more permissions assigned to them. Permissions assigned to a role effectively define what actions a user with a given role is entitled to.


    Note: RBAC gives Administrators unlimited flexibility in defining complex hierarchies of users closely matching their own organizations. However, we strongly recommend keeping the number of roles relatively small, so that the whole model remains manageable over time.

For simplicity, managing user accounts has been separated from managing roles and permissions. Both those features are accessible after clicking on User management in the left side menu in the Intella Connect Dashboard.

User management sections

5.3. Create new users, modify and delete existing users

To create new users, modify and delete existing users, click on User management in the left side menu in the Intella Connect Dashboard.

User management

5.3.1. Create new user

New users can be added by clicking on the Add button.

Create new user

Note: Passwords can be generated by clicking on the generate random password link.

Once the user name and password fields are filled in, click on the Set button to add a user.

5.3.2. Usernames

Intella Connect uses case insensitive comparison for usernames. This means, that “Admin”, “admin” and “aDmIn” are essentially the same user. In various places in the user interface the username will be rendered using a lowercase. The current set of acceptable characters in usernames contains of:

  • digits (0-9)
  • letters (a-z, A-Z)
  • the underscore (_)
  • the at sign (@)
  • a dot (.)

Usernames should be at least 3 characters long.


Note: Despite the fact that Intella Connect renders usernames in lowercase, they are never modified when compared on the server (comparison simply ignores casing). Therefore Intella Connect is safe from issues that might be a result of lowercasing UTF-8 characters using custom system locale.

5.3.3. Change user’s password

Select the user whose password you would like to change and click on the Set password button.

Select user

Once the password fields are filled in, click on the Set button to change the user’s password.

Change password

Note: Changing a user’s password will take effect after the user’s session expires or when the case sharing is restarted.

5.3.4. Delete existing user

Select the user for whom you want to revoke access and click on the Revoke access button.

After confirming the user removal, the selected user will no longer have access to any part of the Intella Connect system.


Note: Revoking a user’s access will take effect after the user’s session expires or when the case sharing is restarted.

5.4. Managing Roles and Permissions

Intella Connect comes with a set of predefined permissions that can be assigned to any of the roles defined by the server administrator. It also comes with two default roles called Reviewer and Administrator.


Backwards compatibility notes:

If you are migrating from previous versions of Intella Connect 1.7.x, the Reviewer role will be created for you and assigned to all the users that previously had access to a particular case. This means that you will not have to perform any manual actions yourself when upgrading to Intella Connect 1.7.3.

If you are migrating from previous versions of Intella Connect 1.8.x, the Administrator role will be created for you and assigned to the “admin” user that previously had unrestricted access to Intella Connect Dashboard. This means that you will not have to perform any manual actions yourself when upgrading to Intella Connect 1.8.3 and you will still be able to login using “admin” account as you used to with earlier versions.

The Reviewer role has three permissions assigned to it by default, which lets users with this role to:

  • participate in a review of cases in which they are assigned this role
  • exports items in those cases
  • print item reports from inside the previewer

This is demonstrated in the picture below, along with the user interface for RBAC management.

Default role

Note: In this section we only manage roles and their permissions. The last step will be to assign some roles to users in a context of given case, but this task is performed in the Cases sharing panel.

The Administrator also comes with few default permissions assigned to it. Those allow to manage all cases handled by Connect and also manage users and modify crucial server settings. This role cannot be removed or altered. Moreover, the user “admin” has this role assigned by default and it cannot be revoked from this user. This prevents situations where administrators would accidentally lock themselves out from access to Intella Connect by not leaving a single user with server management permission. The user “admin” is also the first user to create roles for other users with server or case management permissions and assign them.

Default admin role

5.4.1. Adding and Deleting roles

Adding new roles is straightforward: click on the Add button located underneath the Roles label. You will be asked for a name for the new role. Roles names should be unique. The new role will be immediately visible in the roles list.


Note: After a role has been added, it does not have any permissions assigned to it. It is also not assigned to any user automatically. This means that after a role has been added, it does not affect effective user permissions yet.

You can also delete roles easily, by selecting them in the roles list and clicking on the Delete button. You will be asked for confirmation, after which the role will be removed from the list. Deleting a role does not mean that this deletes the permissions associated with it, as those are defined by Intella Connect itself.


Note: Deleting a role that was already assigned to some user will have an instant impact on the user’s permissions, they will be recomputed instantly. This will happen even if the case is currently being shared.

5.4.2. Granting and Revoking permissions

Granting (or adding) and revoking permissions works very similar to roles management. Remember that permissions are always managed in a context of a role, so you have to select a role first in order to see what permissions are assigned to it already and modify this set.

Clicking on Grant new will open up a modal dialog that is used for selecting a desired permission. Permissions have their own unique internal IDs which are hidden from the view, so in the first combobox you can see a more human-readable description that should immediately let you know what that permission stands for.

Some of the permissions can be added to a role just once (like case access), other can be assigned multiple times (like reducing access to tagged items). In the latter case, the user interface will change a bit and you will be asked to add additional data which is needed by the permission to fulfil its purpose. Again, for the example of limiting access to tagged items, you will be asked to supply the tag name so that Intella Connect knows which tagged items are considered off-limits for users with that role. The user interface should render some hints as you proceed, making the process fairly straightforward.

Granting a new permission for the mentioned example is illustrated below:

Granting permission

Revoking a permission works similar to deleting a role. You will be asked for a confirmation, after which the permission should disappear from the permissions list. This will have an immediate impact on the role that it was assigned to.

5.4.3. Permission types

Below is the list of permissions currently available in Intella Connect. We intend to add more permission types to this list in future releases:

  • Can access a case and participate in the review - this permission allows users to access a given case and perform a review. If a user does not have this permission for a certain case, he will not be able to get past the login prompt.
  • Can export items - allows users to create export sets and download items in their original format.
  • Cannot see items tagged with... (this one needs an extra parameter: a tag name) - this permission allows for hiding certain items from certain reviewers, while letting others see the entire data set. Please read more below.
  • Can delete tags and taggings from other reviewers - users having this permission will be allowed to delete tags and taggings created by other reviewers. In previous versions of Intella TEAM, only Case Manager was allowed to do that. Now this action is available to every user having this permission.
  • Can print item report - allows users to print a PDF report for an item rendered inside the Previewer.
  • Can manage own cases and authorize reviewers - user with this permission will have access to Intella Connect Dashboard, specifically, sections Cases, Activity stream and About. The cases list will be showing only those cases of which this user is the creator.
  • Can manage all cases and authorize reviewers - user with this permission will have access to Intella Connect Dashboard, specifically, sections Cases, Activity stream and About. The cases list will be showing all available cases.
  • Is an Administrator of this Connect Server - allows users to access Intella Connect Dashboard, specifically, sections User management, System notifications, Settings and About.

5.4.4. Note on “Cannot see items tagged with...” permission

This permission must be used with an extreme caution because in case of any user error it can lead to disclosing of privileged items.

One must observe that always the data is organized in a tree-like hierarchy, where child items are linked to their parents. This tightly relates to the data consistency and opens an interesting question. If only the parent of an item would be hidden, where to Location Facet should place it’s children?

To avoid such purely theoretical debates Intella Connect will hide an item along with all of it’s descendants when using “Cannot see items tagged with...” permission.

Consider this: user A is granted with this permission (for “Privileged” tag) in a data set of 100 items. 10 of those items are tagged with the “Privileged” tag. One of these privileged items has 5 children, e.g. attachments or nested items. This means that user A will be able to see 85 items from this data set (10 + 5 = 15 items are hidden). The privileged 15 items will not show up in the cluster map, search results, facets, etc. If tagged items contain child items, they will be filtered from the results as well. User A will also have no access to the “Privileged” tag in the Tags facet, so he cannot himself modify it to change what he can or cannot see.

Introduction of hierarchical tags in Intella Connect has caused for this mechanism to be extended as well. Since now “Privileged” tag can be anywhere in the tag tree structure, then all tags (and items tagged with them) in a tag subtree starting with this tag will also be considered hidden. Also, tag names are no longer guaranteed to be unique in the entire tag tree. Therefore if there are several tags called “Privileged”, all of them will be managed by this set of rules.


Disclaimer about limiting access to items: use of this permission should be undertaken with caution in order to prevent leaking of sensitive data. We advise users to test this solution thoroughly before using it in production. It is also important to apply a proper workflow when limiting access to items. For instance, creating an export set first and later applying restrictions to items is a potential leak of information, because the export set could have included privileged items before any restrictions were applied.

Also, if a user with access to privileged items adds them to an export package, they become accessible to all other users with access to that case and with the exporting permission.

Finally, using permissions to hide privileged items does not mean that those items are removed from the case. They are still present in the case database, but simply excluded from the results and hidden in the user interface for those users not entitled to view them. Therefore a clever attacker could still try to gain access to privileged data by attempting various attacks or malicious usage of communication channels. We advise to conduct a thorough security audit before giving case access to untrusted parties.

5.4.5. Assigning roles to users

It is important to understand that Roles can be assigned in two ways:

  • Roles are assigned to users per case. This means that a user can have different roles in different cases. In Intella Connect each user can have zero, one or many roles assigned to it in any given Case. To assign roles to users per case, click on Cases in the left side menu in the Intella Connect Dashboard, select a case and then click on Authorizations button:
Assign roles to users per case
  • Roles are assigned to users globally. Only certain permissions can be assigned to users globally and such permissions are related to server or case management. To assign roles to users globally, click on User management in the left side menu in the Intella Connect Dashboard, Server and case administration section and then Global authorizations button:
Assign roles to users globally