- 10 minutes to read

What is a User?

A User in Nodinite is an individually named Windows account explicitly granted access to the integration monitoring platform. Unlike Windows AD Groups which grant access to entire teams, Users provide granular, person-by-person access control for scenarios requiring individual accountability, external partners, or special permissions.

Ready to add users? See Add or manage User for step-by-step instructions.

Overview

Nodinite authenticates each User using Windows built-in Windows authentication via IIS. This mechanism applies to end-users accessing the Nodinite Web Client and Web API.

Each User must be:

  1. A valid Windows Domain account (or local Windows account in Workgroup mode)
  2. Explicitly named in the Nodinite Users collection
  3. Assigned to at least one Role with access to Log Views and/or Monitor Views

Individual Users are managed separately from Windows AD Groups, giving administrators flexibility to combine both approaches based on organizational needs.

User identity
Example of the identity name displayed in the Web Client showing domain and username.

Why Use Individual Users?

Individual User assignment offers advantages for scenarios where group-based access is insufficient:

  • Individual accountability - Track exactly who accessed which resources in the Audit Log
  • External partner access - Grant access to consultants, vendors, or contractors from different domains
  • Special permissions - Provide elevated access (e.g., Administrator role) to specific individuals
  • Temporary access - Grant short-term access without modifying Active Directory groups
  • Granular control - Assign unique role combinations not matching any organizational group structure
  • Email notifications - Configure individual email addresses for personalized monitoring alerts

Tip

For teams and departments, prefer Windows AD Groups for easier management. Use individual Users for exceptions and special cases.

How User Authentication Works

When a user accesses Nodinite, the authentication flow proceeds as follows:

  1. User opens Nodinite Web Client in browser
  2. IIS challenges for credentials (Windows authentication enabled)
  3. User provides Windows credentials - DOMAIN\username or username (current logged-in user if on domain)
  4. IIS validates credentials against Active Directory or local Windows accounts
  5. Nodinite checks Users collection - Is this Windows account explicitly named?
  6. Nodinite checks Windows AD Groups - Is user member of any configured groups?
  7. If found, load Roles - Retrieve all Roles assigned to this User (directly or via AD groups)
  8. Grant access based on Roles - User sees Log Views and Monitor Views permitted by their Roles

The built-in Auditing ensures that all sensitive User operations are recorded in the Nodinite Audit Log.

Example Scenario

Active Directory setup:

  • Windows account: CONTOSO\alice.smith

Nodinite configuration:

  • Individual User: CONTOSO\alice.smith
  • Assigned to Roles: "Production Administrator" + "SAP Specialist"
  • Email: alice.smith@contoso.com (for monitoring alerts)

Result:

  • Alice can log in to Nodinite using her Windows credentials
  • She has Production Administrator + SAP Specialist permissions (cumulative)
  • Monitoring alerts for her assigned views are sent to her email
  • All her actions are logged under CONTOSO\alice.smith for audit purposes

Individual Users vs Windows AD Groups

Choose the right access management approach based on your organizational needs:

Factor Individual Users Windows AD Groups
Best For External partners, special permissions, temporary access, executives, individual accountability Departments, teams, projects, support tiers, ongoing organizational access
Management Manual - each user added/removed individually in :Nodinite: Automatic - AD group membership changes immediately grant/revoke access
Scalability Low - tedious for large teams High - one group entry covers entire team
Onboarding Speed Slow - requires :Nodinite: administrator action Fast - IT adds to AD group, access is immediate
Audit Granularity High - exact person identified in logs Medium - group membership must be cross-referenced with AD logs
Email Notifications Unique email per user configured in :Nodinite: Email from AD group (requires AD email attribute or alarm plugin configuration)
Cross-Domain Access Yes - add users from trusted domains or external partners Limited - requires trusted domain relationships
Role Flexibility High - each user can have a unique combination of Roles Medium - all group members share the same Roles
Maintenance Overhead High - manual updates for each personnel change Low - IT manages AD group membership

When to Use Individual Users

Use individual User assignment in these scenarios:

  • External consultants/vendors - PARTNER\john.vendor from different Windows domain
  • Executives - Special access for VPs, CTOs who need visibility across all integrations
  • Shared service accounts - CONTOSO\svc-monitoring (though prefer AD groups for service accounts)
  • Temporary contractors - 30-day project access without creating permanent AD groups
  • One-off special access - Single person needs unique Role combination not matching any group
  • Compliance auditing - Auditors need read-only access to production logs for limited time
  • Email customization - Individual users need unique email addresses different from corporate email

When to Use Windows AD Groups

Prefer Windows AD Groups in these scenarios:

  • Departments - Finance, HR, IT, Operations teams
  • Projects - Temporary project teams with multiple members
  • Support tiers - L1/L2/L3 support with different access levels
  • Geographical regions - North America, Europe, Asia teams
  • Functional roles - Developers, testers, business analysts
  • Long-term teams - Any group with 3+ members expected to remain stable

See What is a Windows AD Group for details.

Mixing Individual Users and Windows AD Groups

Nodinite allows you to combine individual Users and Windows AD Groups on the same Role:

Example:

  • Role: "Production Logs"
  • Assigned to:
    • Windows AD Group: CONTOSO\Operations Team (15 members)
    • Individual User: PARTNER\consultant.external (vendor consultant)
    • Individual User: CONTOSO\cto (CTO with special access)

Result: All 17 people (15 team members + 2 individuals) have Production Logs access.

This hybrid approach gives you:

  • Efficiency - Manage the 15-person team via AD group
  • Flexibility - Add the 2 special cases as individual Users
  • Cumulative permissions - Users who are both in the AD group AND individually named receive all permissions from both assignments

Prerequisites and System Requirements

Before adding individual Users, ensure these requirements are met:

Infrastructure Requirements

  • Windows Domain or Workgroup environment with valid Windows accounts
  • Nodinite server joined to the same domain (or trusted domain relationship configured)
  • IIS Windows Authentication enabled on Nodinite Web Client and Web API application pools
  • Network connectivity - DNS resolution and domain controller reachability from Nodinite server

Administrator Access

You must be a member of the Administrators Role to manage Users in Nodinite.

User menu item
Example of the Users menu item in the Administration sidebar (requires Administrator role).

You can manage Nodinite Users from the Administration section of the sidebar in the Nodinite Web Client.

List of users
Example list of users from the Users - Overview showing currently configured individual users.

Permissions and Access Control

Administrator Role Required

Only users assigned to the Administrators Role can add, edit, or remove individual Users.

Regular users cannot modify the Users collection, even if they have Administrator-level access to specific Log Views or Monitor Views.

Cumulative Permissions

When a User is assigned to multiple Roles, they receive all permissions from all Roles (cumulative, not restrictive).

Example:

  • User: CONTOSO\alice.smith
  • Assigned to Roles:
    • "SAP Production Logs" (access to SAP Log Views)
    • "Repository Contributor" (access to Repository Model)
  • User gets: SAP Log Views + Repository Model access (combined permissions)

Additionally, if Alice is also a member of AD group CONTOSO\Developers which is assigned to "Test Environment" Role, she receives all three Roles (SAP Production + Repository + Test Environment).

Audit Logging

All User operations are automatically logged in the Audit Log:

  • User added or removed from Nodinite
  • User assigned to or removed from Roles
  • User configuration changes (email, description)

This provides full accountability and compliance traceability.

Limitations

This Page Applies to Windows Authentication Mode Only

This page documents Users and Windows AD Groups, which are used when your Nodinite environment is configured for Windows Authentication mode.

Nodinite supports two authentication modes (chosen during environment setup in the Nodinite Portal):

  1. Windows Authentication mode (this page) - Uses Users, Windows AD Groups, and Roles
  2. OAuth 2.0 / OIDC mode - Uses Claims, Policies, and Roles

If you are using OAuth 2.0 / OIDC authentication:

When using Windows Authentication mode (this page applies):

  • Users must have valid Windows domain credentials (DOMAIN\username format)
  • Azure AD cloud-only accounts not supported (must be synced to on-premise AD)
  • Local application accounts (custom username/password databases) not supported

Domain Membership Required

Users must belong to the same Windows Domain/Forest where Nodinite is installed, or a trusted domain with established trust relationships.

Cross-domain access requires:

  • Trusted domain relationship configured in Active Directory
  • DNS resolution between domains
  • Domain controller reachability

Workgroup mode: Users from the local Windows Accounts database on the Nodinite server.

Manual Management Overhead

Unlike Windows AD Groups where membership changes automatically propagate, individual Users require manual maintenance:

  • User leaves company - Administrator must remove from Nodinite Users collection
  • Role changes - Administrator must update Role assignments in Nodinite
  • Email changes - Administrator must update email address in Nodinite

For teams of 5+ people, prefer Windows AD Groups to reduce manual overhead.

Name Format Strict

User names must be entered in strict format: DOMAIN\username or username (for Workgroup mode).

Invalid formats:

  • username@domain.com (UPN format not supported)
  • username (without domain, when in domain mode)
  • DOMAIN/username (forward slash instead of backslash)

See Add or manage User for validation examples and troubleshooting.

Common Scenarios

Scenario 1: External Consultant Access

Situation: Vendor consultant needs 60-day access to production SAP integration logs for troubleshooting.

Solution:

  1. Consultant's company provides Windows account from trusted domain: PARTNER\john.consultant
  2. Nodinite administrator adds individual User: PARTNER\john.consultant
  3. Assign to Role: "SAP Production Logs" (with description "Vendor access expires 2026-04-30")
  4. Configure email: john.consultant@partner.com for monitoring alerts
  5. After 60 days, remove User from Nodinite

Benefits: No Active Directory group creation needed, exact access duration control, email notifications work despite external domain.

Scenario 2: Executive Dashboard Access

Situation: CTO and VP of Operations need read-only access to all production integration health dashboards, but they're not part of any operational team.

Solution:

  1. Add individual Users: CONTOSO\cto and CONTOSO\vp.operations
  2. Create Role: "Executive Dashboard" (read-only access to all production Monitor Views)
  3. Assign both users to "Executive Dashboard" Role
  4. Configure emails: cto@contoso.com, vp.operations@contoso.com for critical alerts only

Benefits: Executives get access without joining IT/Operations AD groups, separate audit trail for executive access, customized email notification settings.

Scenario 3: Mixed Team and Individual Access

Situation: 12-person Operations team needs production monitoring, plus 2 application owners from different departments need access to their specific integrations.

Solution:

  1. Create Windows AD Group: CONTOSO\Operations Team with 12 members
  2. Add as Windows AD Group in Nodinite, assign to "Production Monitoring" Role
  3. Add individual Users:
    • CONTOSO\sarah.finance (Finance app owner) → assign to "Finance Integrations" Role
    • CONTOSO\mike.sales (Sales app owner) → assign to "Sales Integrations" Role
  4. All 14 people can access Nodinite with appropriate permissions

Benefits: 12-person team managed efficiently via AD group, 2 application owners get specialized access as individuals, combined approach scalable and flexible.

Tip

Please honor the principle of least privilege - grant users only the minimum access required for their job function.

Next Step

Get Started

Add or manage User - Add individual users and assign roles
Add or manage Windows AD Group - Set up group-based access for teams

Configure Access

Add or manage Role - Create roles with specific permissions
Add or manage Log View - Define which logs users can access
Add or manage Monitor View - Configure monitoring dashboards

Access Management

Access Management - Overview of Users, Groups, Roles, Claims, and Policies
What is a Windows AD Group - Learn about group-based access management
What is a Role - Understand role-based access control

Views and Permissions

What is a Log View - Configure log access permissions
What is a Monitor View - Set up monitoring dashboard access

Auditing and Security

Log Audits - Track user activity and access changes
Principle of Least Privilege - Security best practice