On the Users page you create and manage the people who can log in to Sapera. You assign each user an organizational unit, control password and permissions, and can deactivate, unlock or log users out.
You find the page in Financial under Security → Users in the menu.
If you cannot see the menu item, you probably lack permissions — contact support.
NOTE: Depending on which plan you have with Cloud Retail Systems A/S, you may need to purchase access to more users. Contact support to learn more.
When you open the page, you see a list of all active users. Select a user in the list to edit it or perform actions on it.
At the top you can search the list with free text — type, for example, part of a name or an email to quickly find the right user. See How to search in lists for tips on searching.
The checkbox Show deactivated expands the list so it also shows deactivated users. When the checkbox is enabled, extra columns with deactivation and lock status are shown. The Refresh/Reload button retrieves the latest list from the system.
The list shows the most relevant information by default, and you can turn more columns on or off yourself:
Name is the user's login name, and Display name is the name shown in the user interface. Org. unit specifies the user's primary organizational unit. Last active shows when the user was last in the system. Login attempts with incorrect password counts failed logins with an incorrect password; if the number is high, the user may have been locked. Deactivated and Locked at are only shown when Show deactivated is enabled, and show whether the user is deactivated and when any lock occurred.
The following columns are hidden by default but can be turned on: ID (the user's internal id), Last logged in with automatic token, Updated by (who last changed the user) and Number of active refresh tokens (how many active sessions/devices the user has).
Above the list you find the buttons for working with users. Several of them require that you first select a user in the list.
Create new user (the blue plus button) is always available and opens an empty edit screen.
Edit user (the pencil icon) requires that a user is selected, and opens the user's information for editing.
Delete user requires a selected user. The system checks whether the user is in use elsewhere before it can be deleted — if the user is associated with data, it can be deactivated instead.
Deactivate user can only be used on an active, selected user and blocks login without deleting the user. Activate user is shown instead when a deactivated user is selected, and allows the user to log in again.
Reset failed login attempts resets the counter for incorrect passwords. It is only active when the selected user has a nonzero number of failed attempts and is not deactivated. Use it if a user has been locked out after too many incorrect attempts.
Log out user ends the user's active sessions. The action is only available to administrators.
> Note for administrators: Access to see and use individual actions and fields is controlled by permissions such as `EnableDisableUser`, `EnableDisableOtherUserTwoFa` and `UIPermissionsAllowUserPermissionSetup`. If an employee is missing a button or tab, it is typically due to a missing permission.
When you create a new user or edit an existing one, you fill in the information on the edit screen.
Name is the user's login name. The field is required, must be at most 100 characters and is validated against allowed characters.
Display name is the name shown around the system, and is required.
Org. unit is selected from a drop-down list with your organization's unit tree and is required. It determines which part of the organization the user primarily belongs to.
Email is optional, but must be unique and in a valid email format if filled in.
Password is required when you create a new user. We recommend a long password with both uppercase and lowercase letters, numbers and special characters. On an existing user you do not change the password directly in the field — instead you use the button Change password (see below).
Enabled is a checkbox that is only visible if you have the permission to enable/disable users. It controls whether the user can log in.
Prevent automatic session renewal is a checkbox that is only shown for administrators. If enabled, the user's session cannot be renewed automatically in the background, so the user has to log in more often — relevant for security reasons.
Users on behalf of is a read-only field with a button that opens a dialog. Here you can link other users that this user can act on behalf of (see the section further down). When users on behalf of are linked, the field Allow selecting the main user in the select clerk dialog is shown, which controls whether the main user itself can also be selected in the "Select clerk" dialog in the POS.
The edit screen has several tabs. Some of them require special permissions.
Group membership lets you see and edit which groups the user is a member of. In Sapera you can create groups and assign users to them — you can for example create the groups "Accounting", "Inventory" or "POS", where accountants, warehouse employees and cashiers respectively are gathered according to their areas of responsibility. Group membership is the recommended way to manage permissions, because the permissions then follow the group rather than the individual user.
Permissions lets you edit the user's individual access to content and functions. The tab is only visible to administrators or users with the permission to set up user permissions. Use it for fine-tuning beyond what the group memberships provide.
User info is visible to administrators and shows metadata about the user — see the section below. Tokens info is only shown on an existing user and gives an overview of the user's active sessions.
On the User info tab you can see information about the user, e.g. when the user first logged in, when the user was last active, and when the user was created and last updated.
The tab shows, among other things: Date of first login, Last active, Date of last logout, Created by, Created on, Updated by, Updated on, Deactivated by, Locked at, Access token valid for minutes, Automatic refresh token valid for minutes and User id.
For example:
Date of first login: 01-09-2020 13:37
Last active: 02-02-2024 20:54
Date of last logout: 27-01-2024 19:32
Created by: Cloud Retail Systems
Created on: 08-10-2022 11:37
Updated by: System
Updated on: 31-01-2024 14:55
Access token valid for minutes: 10080
Automatic refresh token valid for minutes: 20160
User id: 19
The Tokens info tab is only shown on an existing user and gives an overview of the user's active sessions and devices. Here you see, for each token: Refresh token id, whether it is Active, which Login option was used, as well as the times for when the Refresh token and Access token were created and expire. The tab is useful if you want to see where and when a user is logged in.
On an existing user you change the password via the button Change password, which opens a dialog. Here you fill in three fields: the current password, the new password and a repetition of the new password. The two new fields must match, and the new password must comply with the system's password policy. We recommend a long password with uppercase and lowercase letters, numbers and special characters.
You can enable or disable two-factor authentication for a user via a dialog. 2FA provides an extra layer of security, where the user, in addition to the password, must confirm their login with a one-time code.
You can always enable or disable 2FA on your own profile. To change 2FA on another user, the special permission for this is required (`EnableDisableOtherUserTwoFa`).
The Users on behalf of feature lets a user act on behalf of other users. It is opened from the edit screen via the button next to the "Users on behalf of" field, which opens a dialog where you select the users the main user should be able to act as. It is typically used where several employees share a main user, but each must be able to be selected as a clerk. When users on behalf of are linked, you can use the field "Allow selecting the main user in the select clerk dialog" to control whether the main user itself may also be selected in the "Select clerk" dialog.
Who a user can create and edit depends on permissions. A user can only create and edit users in the organizational units they themselves have permissions for — so you cannot manage users outside your own area of responsibility.
As an exception, any user can always edit their own profile, regardless of the other permissions. This ensures that you can, for example, always change your own password or set up your own two-factor authentication.
The User info tab and the Permissions tab are only shown to administrators (or to users with the relevant setup permission). If you are missing a tab or a button described here, it is probably due to missing permissions — contact support or your administrator.
Want to know more?
Read more in these related articles:
Groups
This article explains how to create and manage user groups in Sapera
Login security
This article explains how to manage login security and IP access in Sapera
Activity log