# User Administration

You can use the iCDR administrative console to create, list, lock and get information about users within the iCDR instance.

## Viewing Users

You can view users in the system using the `user.list` command, specifying optional filter parameters.

```
> user.list
SID                                    Name                     Last Auth              Lockout                ILA  A
fadca076-3690-4a6e-af9e-f1cd68e8c7e8   SYSTEM                                                                 0    *
c96859f0-043c-4480-8dab-f69d6e86696c   ANONYMOUS                                                              0    *
54558ca2-c093-11ea-9f6f-00155d640b09   Administrator            2021-02-21T17:08:57...                        0    *
2a348c6e-c158-11ea-9f6f-00155d640b09   demoadmin                2021-02-19T15:07:50...                        0    *
54558ca4-c093-11ea-9f6f-00155d640b09   Allison                  2021-02-16T12:00:31... 9999-12-21T18:59:59... 2    *
54558ca3-c093-11ea-9f6f-00155d640b09   Bob                                             9999-12-21T18:59:59... 0    *
```

The optional filter parameters for `user.list` are:

| Parameter | Description                                    | Example            |
| --------- | ---------------------------------------------- | ------------------ |
| `-l`      | Filter on locked status                        | `user.list -l`     |
| `-a`      | Shows obsolete non-active status users.        | `user.list -a`     |
| `-h`      | Shows only HUMAN users and hides system users. | `user.list -h`     |
| `-s`      | Shows only SYSTEM users and hides human users. | `user.list -s`     |
| `-u`      | Filters by a specific user name pattern        | `user.list -u Bob` |

## Adding Users

You can add a user to the iCDR instance using the `user.add` command:

```
> user.add -r CLINICAL_STAFF -u console -e user@user.com -p @Testing123
```

You may receive an error from the server; if so, the server indicates the reason for the failure. For example, when adding a user whose specified password does not meet the minimum password requirements:

```
> user.add -r CLINICAL_STAFF -u baduser -e bad@user.com -p blah
ERR: Exception has been thrown by the target of an invocation.
        1:The remote server returned an error: (422) Unprocessable Entity.
                REMOTE: Exception of type 'SanteDB.Core.Exceptions.DetectedIssueException' was thrown.
                REMOTE: RULE: Error Password failed validation
        2:The remote server returned an error: (422) Unprocessable Entity.
```

The parameters for `user.add` are:

| Parameter | Description                              | Example                    |
| --------- | ---------------------------------------- | -------------------------- |
| `-r`      | The role(s) to assign the user           | `-r CLINICAL_STAFF -r VIP` |
| `-u`      | The username of the user                 | `-u BOB`                   |
| `-e`      | The security e-mail address of the user  | `-e foo@foo.com`           |
| `-p`      | The initial password to set for the user | `-p P@ssw0rd`              |

## Locking Users

To lock or unlock a user, use the `user.lock` command, specifying whether the lock should be set or unset.

To unlock the user bob:

```
user.lock bob
```

To lock the user bob:

```
user.lock -l bob
```

## User Info View

You can get extended information about a particular user by using the `user.info` command and specifying the username. For example, to get information about user allison:

```
> user.info allison
Name: Allison
SID: 54558ca4-c093-11ea-9f6f-00155d640b09
Email: allison@marc-hi.ca
Phone: tel:+19055751212;ext=4085
Invalid Logins: 2
Lockout: 9999-12-21T18:59:59.9999990-05:00
Last Login: 2021-02-16T12:00:31.2499360-05:00
Created: 2020-07-07T16:49:19.5797190-04:00 (SYSTEM)
Updated: 2021-02-16T17:42:36.4142670-05:00 (Administrator)
Roles: CLINICAL_STAFF , SENSITIVE_USERS
        Effective Policies:
                Unrestricted All [1.3.6.1.4.1.33349.3.1.5.9.2] : --- (default DENY)
                Unrestricted Administrative Function [1.3.6.1.4.1.33349.3.1.5.9.2.0] : Deny (explicit)
                Change Password [1.3.6.1.4.1.33349.3.1.5.9.2.0.1] : Deny (inherited from Unrestricted Administrative Function)
                Administer Data Warehouse [1.3.6.1.4.1.33349.3.1.5.9.2.0.10] : Deny (inherited from Unrestricted Administrative Function)
                Access Audit Log [1.3.6.1.4.1.33349.3.1.5.9.2.0.11] : Deny (inherited from Unrestricted Administrative Function)
                Administer Applets [1.3.6.1.4.1.33349.3.1.5.9.2.0.12] : Deny (inherited from Unrestricted Administrative Function)
                Assign Policy [1.3.6.1.4.1.33349.3.1.5.9.2.0.13] : Deny (inherited from Unrestricted Administrative Function)
                Create Role [1.3.6.1.4.1.33349.3.1.5.9.2.0.2] : Deny (inherited from Unrestricted Administrative Function)
                Alter Role [1.3.6.1.4.1.33349.3.1.5.9.2.0.3] : Deny (inherited from Unrestricted Administrative Function)
                Create Identity [1.3.6.1.4.1.33349.3.1.5.9.2.0.4] : Deny (inherited from Unrestricted Administrative Function)
                Create Local Users [1.3.6.1.4.1.33349.3.1.5.9.2.0.4.1] : --- (default DENY)
                Create Device [1.3.6.1.4.1.33349.3.1.5.9.2.0.5] : Deny (inherited from Unrestricted Administrative Function)
                Create Application [1.3.6.1.4.1.33349.3.1.5.9.2.0.6] : Elevate (explicit)
                Administer Concept Dictionary [1.3.6.1.4.1.33349.3.1.5.9.2.0.7] : Deny (inherited from Unrestricted Administrative Function)
                Alter Identity [1.3.6.1.4.1.33349.3.1.5.9.2.0.8] : Deny (inherited from Unrestricted Administrative Function)
                Alter Local Users [1.3.6.1.4.1.33349.3.1.5.9.2.0.8.1] : --- (default DENY)
                Alter Policy [1.3.6.1.4.1.33349.3.1.5.9.2.0.9] : Deny (inherited from Unrestricted Administrative Function)
                Login [1.3.6.1.4.1.33349.3.1.5.9.2.1] : Grant (explicit)
                Login as a Service [1.3.6.1.4.1.33349.3.1.5.9.2.1.0] : Grant (inherited from Login)
                OAUTH Login [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0] : --- (default DENY)
                OAUTH client_credentials flow permission [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0.1] : --- (default DENY)
                OAUTH password flow permission [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0.2] : --- (default DENY)
                OAUTH authoization code grant flow permission [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0.3] : --- (default DENY)
                OAUTH Password Reset grant (extended permission) [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0.4] : --- (default DENY)
                Login for Password Reassignment [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.1] : --- (default DENY)
                Allow Impersonation of Application [1.3.6.1.4.1.33349.3.1.5.9.2.1.0.2] : --- (default DENY)
                Access Client Administrative Function [1.3.6.1.4.1.33349.3.1.5.9.2.10] : --- (default DENY)
                Unrestricted Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2] : Grant (explicit)
                Query Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.0] : Grant (inherited from Unrestricted Clinical Data)
                Write Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.1] : Grant (inherited from Unrestricted Clinical Data)
                Delete Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.2] : Grant (inherited from Unrestricted Clinical Data)
                Read Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.3] : Grant (inherited from Unrestricted Clinical Data)
                Export Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.4] : Grant (inherited from Unrestricted Clinical Data)
                Elevate Clinical Data [1.3.6.1.4.1.33349.3.1.5.9.2.2.5] : Grant (inherited from Unrestricted Clinical Data)
                Unrestricted Metadata [1.3.6.1.4.1.33349.3.1.5.9.2.4] : --- (default DENY)
                Read Metadata [1.3.6.1.4.1.33349.3.1.5.9.2.4.0] : Grant (explicit)
                Read Materials [1.3.6.1.4.1.33349.3.1.5.9.2.4.0.1.2] : Grant (inherited from Read Metadata)
                Query Materials [1.3.6.1.4.1.33349.3.1.5.9.2.4.0.1.3] : Grant (inherited from Read Metadata)
                Read Places & Orgs [1.3.6.1.4.1.33349.3.1.5.9.2.4.0.2.2] : Grant (inherited from Read Metadata)
                Query Places & Orgs [1.3.6.1.4.1.33349.3.1.5.9.2.4.0.2.3] : Grant (inherited from Read Metadata)
                Write Materials [1.3.6.1.4.1.33349.3.1.5.9.2.4.1.0] : --- (default DENY)
                Delete Materials [1.3.6.1.4.1.33349.3.1.5.9.2.4.1.1] : --- (default DENY)
                Write Places & Orgs [1.3.6.1.4.1.33349.3.1.5.9.2.4.2.0] : --- (default DENY)
                Delete Places & Orgs [1.3.6.1.4.1.33349.3.1.5.9.2.4.2.1] : --- (default DENY)
                Unrestricted Data Warehouse [1.3.6.1.4.1.33349.3.1.5.9.2.5] : --- (default DENY)
                Write Warehouse Data [1.3.6.1.4.1.33349.3.1.5.9.2.5.0] : --- (default DENY)
                Delete Warehouse Data [1.3.6.1.4.1.33349.3.1.5.9.2.5.1] : --- (default DENY)
                Read Warehouse Data [1.3.6.1.4.1.33349.3.1.5.9.2.5.2] : --- (default DENY)
                Query Warehouse Data [1.3.6.1.4.1.33349.3.1.5.9.2.5.3] : --- (default DENY)
                Unrestricted MDM [1.3.6.1.4.1.33349.3.1.5.9.2.6] : --- (default DENY)
                Write MDM Master [1.3.6.1.4.1.33349.3.1.5.9.2.6.1] : --- (default DENY)
                Read MDM Locals [1.3.6.1.4.1.33349.3.1.5.9.2.6.2] : --- (default DENY)
                Merge MDM Master [1.3.6.1.4.1.33349.3.1.5.9.2.6.3] : --- (default DENY)
                Special Security Elevation [1.3.6.1.4.1.33349.3.1.5.9.2.600] : Deny (explicit)
                Change Security Challenge Question [1.3.6.1.4.1.33349.3.1.5.9.2.600.1] : Deny (inherited from Special Security Elevation)
                Override Disclosure [1.3.6.1.4.1.33349.3.1.5.9.2.999] : Deny (explicit)
                Restricted Information [1.3.6.1.4.1.33349.3.1.5.9.3] : --- (default DENY)
                SUPER SECRET DISCLOSURE [2.25.3049340304933] : Grant (explicit)
```
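The `Effective Policies` block above is the part of `user.info` worth reading carefully during a review: a user's real capabilities come from the combination of explicit decisions on a policy, decisions inherited from a parent policy in the OID tree, and the default DENY for everything else. The model below is an added example, not code from the SanteDB/iCDR project. It reproduces the decisions shown for Allison from only the explicit ones, using rules inferred from this page's sample output: an explicit decision wins; otherwise a policy inherits the decision of its nearest defined ancestor policy, but only when that ancestor's decision is itself explicit (which is why `OAUTH Login` and `Create Local Users` fall back to default DENY while `Read Materials` inherits from `Read Metadata`); otherwise the result is `---` (default DENY). These rules, and the function names `resolve`, `effective_policies`, `render` and `privileged_policies`, are assumptions for illustration, not SanteDB's documented algorithm or API. The OIDs and policy names are a subset copied from the output above.

```python
"""Model of how the effective-policy table printed by `user.info` is derived.

Added example, not part of the iCDR/SanteDB documentation or code base.
Resolution rules are inferred from the sample output on this page (assumption):
  1. an explicit decision on a policy wins;
  2. otherwise the policy inherits from its nearest *defined* ancestor policy,
     but only if that ancestor's decision is itself explicit;
  3. otherwise the effective decision is the default DENY, printed as '---'.
"""
from typing import Dict, List, Optional, Tuple

# Policy catalogue: OID -> name (subset copied from the page's output).
POLICIES: Dict[str, str] = {
    "1.3.6.1.4.1.33349.3.1.5.9.2": "Unrestricted All",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0": "Unrestricted Administrative Function",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0.1": "Change Password",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0.4": "Create Identity",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0.4.1": "Create Local Users",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0.6": "Create Application",
    "1.3.6.1.4.1.33349.3.1.5.9.2.1": "Login",
    "1.3.6.1.4.1.33349.3.1.5.9.2.1.0": "Login as a Service",
    "1.3.6.1.4.1.33349.3.1.5.9.2.1.0.0": "OAUTH Login",
    "1.3.6.1.4.1.33349.3.1.5.9.2.2": "Unrestricted Clinical Data",
    "1.3.6.1.4.1.33349.3.1.5.9.2.2.3": "Read Clinical Data",
    "1.3.6.1.4.1.33349.3.1.5.9.2.4": "Unrestricted Metadata",
    "1.3.6.1.4.1.33349.3.1.5.9.2.4.0": "Read Metadata",
    "1.3.6.1.4.1.33349.3.1.5.9.2.4.0.1.2": "Read Materials",
    "1.3.6.1.4.1.33349.3.1.5.9.2.600": "Special Security Elevation",
    "1.3.6.1.4.1.33349.3.1.5.9.2.600.1": "Change Security Challenge Question",
}

# Decisions the page's output marks "(explicit)" for Allison.
EXPLICIT: Dict[str, str] = {
    "1.3.6.1.4.1.33349.3.1.5.9.2.0": "Deny",
    "1.3.6.1.4.1.33349.3.1.5.9.2.0.6": "Elevate",
    "1.3.6.1.4.1.33349.3.1.5.9.2.1": "Grant",
    "1.3.6.1.4.1.33349.3.1.5.9.2.2": "Grant",
    "1.3.6.1.4.1.33349.3.1.5.9.2.4.0": "Grant",
    "1.3.6.1.4.1.33349.3.1.5.9.2.600": "Deny",
}


def nearest_defined_ancestor(oid: str, policies: Dict[str, str]) -> Optional[str]:
    """Walk up the OID tree and return the first ancestor that is a defined policy."""
    parts = oid.split(".")
    while len(parts) > 1:
        parts.pop()
        candidate = ".".join(parts)
        if candidate in policies:
            return candidate
    return None


def resolve(oid: str, policies: Dict[str, str], explicit: Dict[str, str]) -> Tuple[str, str]:
    """Return (decision, reason) for one policy, mirroring the console's wording."""
    if oid in explicit:
        return explicit[oid], "explicit"
    parent = nearest_defined_ancestor(oid, policies)
    if parent is not None and parent in explicit:
        return explicit[parent], f"inherited from {policies[parent]}"
    return "---", "default DENY"


def effective_policies(policies: Dict[str, str], explicit: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Resolve every catalogued policy."""
    return {oid: resolve(oid, policies, explicit) for oid in policies}


def render(policies: Dict[str, str], explicit: Dict[str, str]) -> str:
    """Format the table the way `user.info` prints it."""
    rows = effective_policies(policies, explicit)
    return "\n".join(f"{policies[oid]} [{oid}] : {decision} ({reason})"
                     for oid, (decision, reason) in rows.items())


def privileged_policies(policies: Dict[str, str], explicit: Dict[str, str]) -> List[str]:
    """Names of policies the user can actually exercise (effective Grant or Elevate).

    Useful for a quick review: this is what the account can do, regardless of
    how many 'Deny' rows the full table contains.
    """
    rows = effective_policies(policies, explicit)
    return sorted(policies[oid] for oid, (decision, _) in rows.items()
                  if decision in ("Grant", "Elevate"))


if __name__ == "__main__":
    print(render(POLICIES, EXPLICIT))
    print("Exercisable:", ", ".join(privileged_policies(POLICIES, EXPLICIT)))
```

Comparing `render()` against the real `user.info` output for an account is a cheap way to notice when a role change has altered what an account can do, and `privileged_policies()` is the short list worth reviewing: here it includes `Create Application` (an explicit `Elevate`) and the clinical-data grants inherited from `Unrestricted Clinical Data`.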
