# Create Internal Users

To create an internal user, go to **Setup** → **Users & Groups** → **Internal Users** → **New User**.

In the **New user** dialog window, fill in the fields in these tabs:

1. **User details**: credentials and details of the internal user.
2. **Permissions**: permissions granted to the internal user.
3. **Access credentials**: authentication keys required for secure access to the Amazon S3 server.

## User details tab

Fill in these fields of the **User details** tab to configure the internal user:

| Field                                | Description                                                                                                                                                             |
| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **NAME**                             | Name of the user                                                                                                                                                        |
| **SURNAME**                          | Last name of the user                                                                                                                                                   |
| **EMAIL**                            | Email of the user                                                                                                                                                       |
| **GROUPS**                           | Group(s) to which the user will belong                                                                                                                                  |
| **USERNAME (\*)**                    | Username to log into the application                                                                                                                                    |
| **PASSWORD / CONFIRM PASSWORD (\*)** | Password to log into the application. See the details in the [Setting the password policy](/data-mover-1.21/security/users-and-groups/set-the-password-policy.md) page. |
| **ENABLED / DISABLED**               | The user can be enabled or disabled in the system                                                                                                                       |

## Permissions tab

{% hint style="danger" %}
**By default, all permissions are disabled!**\
Only Administrators can set and change permissions granted to users and groups.
{% endhint %}

In the **Permissions** tab, you can configure the access rights assigned to the internal user you are creating by enabling or disabling specific options. These permissions determine what actions the user can perform within the system.

| Parameter                                                                                                                                 | Description (Value)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **AUDITLOGSVIEW**                                                                                                                         | Permission to view audit logs. Users with this permission can access the audit menu and table (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **AUDITLOGSMANAGE**                                                                                                                       | Permission to modify audit configurations (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **A3**                                                                                                                                    | <p>Permission to add and/or edit users and groups (<strong>Can Read/Can Write</strong>)<br>The user <strong>must have this permission</strong> to access Data Mover</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **ACTORS**                                                                                                                                | Permission to add and/or edit external users and groups (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **APPLICATION-SERVER**                                                                                                                    | Permission to read and/or write the logs on the back-end (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| **B2B-REPUTATION**                                                                                                                        | Permission to view the ranking of an Actor, provided by Bitsign (**Can Read**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| **BINDGROUPTOACTOR**                                                                                                                      | Permission to bind groups from IAM or LDAP (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **BINDUSERTOACTOR**                                                                                                                       | Permission to bind users from IAM or LDAP (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **CLUSTERS**                                                                                                                              | Permission to edit infrastructure details within the Company profile (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| **COMPANY**                                                                                                                               | <p>Permission to read/edit company profile (<strong>Can Read/Can Write</strong>)<br>The user <strong>must have this permission</strong> to access Data Mover</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **CONFIG**                                                                                                                                | <p>Permission to edit Advanced Settings (<strong>Can Read/Can Write</strong>)<br>The user <strong>must have this permission</strong> to access Data Mover</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| **CONFIGURATOR**                                                                                                                          | Permission to import and/or export business object configurations (back-end) (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **CONTRACTS**                                                                                                                             | Permission to add and/or edit contracts (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **CUSTOM-ATTRIBUTES**                                                                                                                     | Permission to add custom attributes to Actor (back-end) (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **DATAWATCHER**                                                                                                                           | <p>Permission to access DATA WATCHER (<strong>Can Read/Can Write</strong>)<br><strong>Important Note</strong>: This permission will be automatically available in new installations and in installations of Customers migrating from previous versions of the software. The read and write DATAWATCHER Permissions will be automatically set to ON for all users belonging to the Administrators’ group. All other Users will not have automatic access to DATA WATCHER and permission will have to be granted by the Administrator manually.<br>Starting from TF8, new permissions have been added for Data Watcher when it is in a bundle with Data Mover. See DW\* permissions below. To ensure compatibility with earlier versions of the software, the DATAWATCHER permission remains in the list and is only overwritten if at least one permission from the new list (i.e. the one starting with DW) is selected.</p> |
| **DMZ**                                                                                                                                   | Permission to edit DMZ infrastructure details (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **DWALLDATAFLOWS**                                                                                                                        | <p>Permission to see dataflows that do not belong to a model and dataflows that have been assigned specifically to the user (<strong>Can Read</strong>).<br><strong>Important note</strong>: Users having models assigned will continue to see all dataflows within that model, regardless of this permission.</p> |
| **DWALLMODELEDDATAFLOWS**                                                                                                                 | <p>Permission to see all modeled dataflows that are not assigned to a specific user (i.e., flows with free security) and dataflows that have been assigned specifically to the user (<strong>Can Read</strong>).<br><strong>Important note</strong>: Users having models assigned will continue to see all dataflows within that model, regardless of this permission.</p> |
| **DWFLOWATTRIBUTE**                                                                                                                       | Permission to edit/view flow attributes (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **DWRUNSAVEDQUERY**                                                                                                                       | Permission to run a saved query (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| **DWATTRIBUTE**                                                                                                                           | Permission to view/edit attributes (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **DWMODEL**                                                                                                                               | Permission to view/edit Dataflow models (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **DWSAVEDQUERY**                                                                                                                          | Permission to view/edit saved queries (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| **DWFLOW**                                                                                                                                | Permission to view/edit all flow instances (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **DWCUTOFF**                                                                                                                              | Permission to view/edit Cut-Offs (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **DWCALENDAR**                                                                                                                            | Permission to view/edit Calendars (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **DWRESUMEDATAFLOW**                                                                                                                      | Permission to resume Dataflows in the Dataflow Inquiry (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **ENVIRONMENT**                                                                                                                           | The user **must have this permission** to access Data Mover                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **FILERESOURCES**                                                                                                                         | Permission to add/edit File Resource profiles (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **GBI**                                                                                                                                   | Permission to invoke GBI services (back-end) (**Can Read**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **GROUPS**                                                                                                                                | Permission to edit groups (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **IDENTITY-ACCESS-MANAGEMENT**                                                                                                            | Permission to read/edit Identity Access Management (IAM) settings (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **INCCALLS**                                                                                                                              | Permission to configure incoming calls (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **KEYSTORE**                                                                                                                              | Permission to read/write keys in the system store (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **LOCALNODES**                                                                                                                            | Permission to see the configuration for Spazio2 (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| **LOCALPROTOCOLS**                                                                                                                        | Permission to edit the protocol server infrastructure details (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **METADATA**                                                                                                                              | Permission to read file metadata (**Can Read**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **PERMISSIONGRANT**                                                                                                                       | Permission to set the permission on users/groups and VFS (ACL) (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **REMOTEPROTOCOLS**                                                                                                                       | Permission to edit the details of the remote connection to Actors (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **SPENG**                                                                                                                                 | Permission to invoke the API for Steng (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **SPENGCEMANJOBCHANGEQUEUEOP**                                                                                                            | <p>The user can change the execution queue of a suspended or submitted Job by using the change queue command <strong>(Can Read/Can Write)</strong><br>Note that the change queue option offered by the resume and the abort and resubmit actions is not affected by this permission.</p>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **SPENGCEMANJOBS**                                                                                                                        | The user can access the Jobs section of Data One **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **SPENGCEMANJOBSABORTOP**                                                                                                                 | The user can execute the abort action on a Job **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **SPENGCEMANJOBSABORTRESUBMITOP**                                                                                                         | The user can execute the abort and resubmit action on a Job **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **SPENGCEMANJOBSRESUBMITOP**                                                                                                              | The user can execute the resubmit action on a Job **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **SPENGCEMANJOBSRESUMEOP**                                                                                                                | The user can execute the resume action on a Job, WITHOUT changing the status of the execution queue **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| **SPENGCEMANJOBSRESUMEQUEUEOP**                                                                                                           | The user can execute the resume action on a Job and change the status of the execution queue **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **SPENGCEMANJOBSSUSPENDOP**                                                                                                               | The user can execute the suspend action on a Job **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **SPENGJOBQUEUES**                                                                                                                        | The user can access the Job Queues section of Data One **(Can Read/Can Write)**                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| **STORAGECLASS**                                                                                                                          | Permission to add/edit Storage Class profiles (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **TMPOLICIES**                                                                                                                            | Permission to add and/or edit the TMPolicy (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **TRUSTSTORE**                                                                                                                            | Permission to read/write keys or certificates of trusted SSH/SSL Actors in the system store (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **UNTRUSTEDCACHE**                                                                                                                        | Permission to read/write keys or certificates of untrusted SSH/SSL Actors in the system store (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| **UPLOAD**                                                                                                                                | Permission to import files (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| **UPLOADTEMPLATE**                                                                                                                        | Permission to import email templates (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| **USERCLASS**                                                                                                                             | Permission to add/edit Retention Class profiles (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| **USERGROUPASSIGNMENT**                                                                                                                   | Permission to add user to a group (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **USERPUBKEY**                                                                                                                            | Permission to associate a user with a key in the Trust Store (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **USERS**                                                                                                                                 | Permission to manage internal and external users (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| **VFS**                                                                                                                                   | Permission to add/edit VFS profiles (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| **VFSEXPLORER**                                                                                                                           | Permission to navigate the Virtual File System (VFS) via File Search functionality (**Can Read**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| **WHO-DOES-WHAT**                                                                                                                         | Permission to access the workflow audit trail, i.e. who did what on workflows (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **WORKFLOW**                                                                                                                              | Permission to add/edit workflows (**Can Read/Can Write**)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

You can filter Permissions by their name in the **Filter Permission** edit box at the top of the panel.

Once you have created the User and configured its permissions, click **Create** to confirm.

### Access Credentials tab

The **Access Credentials** tab is available only if the **Amazon S3 server** is licensed in **Data Mover**.

In the **Access Credentials** tab, you can define authentication keys required for secure access to Amazon S3 resources.

Both keys can be entered manually or generated automatically by clicking the **Generate** button. Treat the Secret key as a credential: whoever holds the Access key/Secret key pair can act as this user on S3, so copy it once into a secrets store rather than keeping it in plain text.

<table><thead><tr><th width="374">Field</th><th>Description</th></tr></thead><tbody><tr><td>Access key</td><td>Unique identifier used to authenticate the internal user when accessing Amazon S3. This key works together with the Secret key to provide secure access.</td></tr><tr><td>Secret key</td><td>Confidential key paired with the Access key. It must be entered exactly as generated or provided.</td></tr></tbody></table>

For Amazon S3, **the TLS certificate presented by the S3 endpoint must carry the Extended Key Usage (EKU) extension** (for a server certificate this is the `serverAuth` purpose). A self-signed certificate is not enough: the client connection would not work.

Once you have defined the authentication keys, click **Create** to confirm.
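Whether the endpoint certificate actually carries the EKU extension is worth checking before pointing Data Mover at an S3 endpoint. The script below is an added example, not Data Mover's own code or documentation: it reports the EKU of a PEM certificate (or of the certificate a live endpoint presents) and builds two constructed self-signed certificates, one without any EKU and one with `extendedKeyUsage = serverAuth`, to show what the check distinguishes. It assumes `openssl` 1.1.1 or later on the PATH (for `req -addext` and `x509 -ext`); the host names are placeholders. It only checks for the extension's presence; chain validation against the Trust Store is a separate step.

```shell
# Added example, not part of Data Mover: check a TLS server certificate for the
# Extended Key Usage (EKU) extension with the serverAuth purpose, which the page
# says the S3 endpoint certificate must carry. Requires openssl >= 1.1.1.

# Print the EKU extension of a PEM certificate; prints nothing useful if absent.
eku_of_pem() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null
}

# Exit 0 only if the certificate's EKU includes serverAuth, which openssl
# prints as "TLS Web Server Authentication".
has_server_auth_eku() {
    eku_of_pem "$1" | grep -q 'TLS Web Server Authentication'
}

# Same check against the leaf certificate a live endpoint presents.
# Usage: endpoint_has_server_auth_eku s3.eu-west-1.amazonaws.com 443
# (host name is a placeholder; not called in the offline demo below)
endpoint_has_server_auth_eku() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Build two constructed self-signed certificates in a temporary directory:
# no_eku.pem has no EKU at all (what a plain self-signed cert usually looks
# like), eku.pem adds extendedKeyUsage = serverAuth. Prints the directory.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/no_eku.key" -out "$dir/no_eku.pem" -days 1 \
        -subj '/CN=s3.example.test' >/dev/null 2>&1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/eku.key" -out "$dir/eku.pem" -days 1 \
        -subj '/CN=s3.example.test' -addext 'extendedKeyUsage = serverAuth' >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Offline demo: report both constructed certificates.
demo() {
    dir=$(make_demo_certs)
    for cert in "$dir/no_eku.pem" "$dir/eku.pem"; do
        if has_server_auth_eku "$cert"; then
            echo "$cert: EKU serverAuth present"
        else
            echo "$cert: EKU serverAuth MISSING - an S3 client connection to a server using it would fail"
        fi
    done
}
```

Run `demo` to see the two outcomes side by side, or call `endpoint_has_server_auth_eku <host> 443` against the endpoint configured in Data Mover; a non-zero exit from that function means the certificate lacks the extension the S3 client requires.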

## Edit User Attributes

To Edit the attributes of a user, click the <img src="https://files.readme.io/14641a0-pencil_icon.png" alt="" data-size="line"> icon on the right of the screen. The dialog window with User Details and Permissions entered for the User will be loaded and you will be able to modify attributes as needed. Click Save to confirm your changes.

Clicking the three-dot icon on the right of the screen opens a menu with these options:

| Option                     | Description                                                                                                                                                                                                                                      |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **UNBIND FROM REPOSITORY** | The user no longer has access to the external configuration of user permissions (such as LDAP or IAM). Once selected, the user is removed from the Result list. To bind the user again, use the **BIND USER** button.                           |
| **DISABLE**                | The user can no longer authenticate in PRIMEUR Data Mover. Once confirmed, the menu entry changes to **ENABLE**.                                                                                                                                 |
| **DELETE**                 | The user is removed from PRIMEUR Data Mover.                                                                                                                                                                                                     |

## Import Users

To import a user, go to **Setup** → **Users & Groups** → **Internal Users** → **BIND USER**. In the drop-down list, select the user you want to import, then click **BIND** to confirm.

A maximum of 10 Internal Users is listed. If the Internal User you are looking for is not among them, enter the name of the user and run the search again.

{% hint style="danger" %}
Users imported with the BIND functionality who are not registered in the Data Mover internal product repository **are not subject to the password policies configured in Data Mover**.
{% endhint %}
