Manage Users for the Cloud Authentication Service

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on May 18, 2018.
Version 12

Super Admins and Help Desk Administrators can perform the following user management tasks:

Note: If the user cannot be found through Search, try synchronizing the user's identity source. You must be a Super Admin to synchronize identity sources.

View User Information

You can use the Cloud Administration Console to view the following information for a user.

                                       
User Information | Description

First Name, Last Name, Email Address
    Information that identifies the user.

Account Created On
    Date when the user account was added to the Cloud Authentication Service.

User Status
    Enabled. Users can access protected resources.

    Disabled. Users cannot access protected resources or register devices.

    Pending Deletion. The user and all associated data and devices will be automatically deleted from the Cloud Authentication Service seven days after being marked for deletion in the Cloud Administration Console.

    See Identity Sources for the Cloud Authentication Service for information on how synchronization affects the user status.

Identity Source
    User's identity source for the Cloud Authentication Service.

SMS Phone, Voice Phone
    Displays user phone numbers after you click Show synchronized phone numbers. Phone numbers appear only if corresponding attributes were configured and synchronized.

Last Synchronized
    Date when the user's information was last synchronized with an identity source using any of the following methods:

      • You clicked Synchronize on the User Management page for the user. A Super Admin or Help Desk Admin can synchronize a single user.
      • The user was updated through just-in-time, manual, or scheduled synchronization.

Registered Devices and Browsers
    Includes devices where the RSA SecurID Authenticate app is installed, the user's registered FIDO token, and known browsers.

    A browser becomes known when a user completes authentication and clicks Remember This Browser. RSA SecurID Access remembers the browser and identifies it with the Known Browser attribute in an access policy. If the user does not click Remember This Browser, the browser is not known.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

Results 

All information for the user is displayed.

Enable or Disable a User

Enabled users can authenticate to access resources protected by the Cloud Authentication Service. Users are enabled by default when you add them to the Cloud Authentication Service through synchronization. Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices.

Super Admins can enable or disable any administrator or user. Help Desk Admins can enable or disable non-administrative users and Help Desk Admins, but they cannot enable or disable Super Admins. An administrator cannot enable or disable his own account.

Before you begin 

Understand how identity source synchronization affects user enablement and disablement. See Identity Sources for the Cloud Authentication Service.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. On the user's detail page, click Disable or Enable.

  4. When prompted, confirm the action.

Delete a User's Device

You can delete a Cloud Authentication Service user's device, including a registered FIDO Token or a known browser, from RSA SecurID Access. Deleting these devices has the following consequences:

  • The user can install the RSA SecurID Authenticate app on another device.
  • When the user inserts the FIDO Token for authentication, the user is prompted to re-register the token.
  • RSA SecurID Access no longer remembers the browser the next time the user attempts to open an application.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

  3. On the user's detail page, find the device you want to delete and click the delete icon.

  4. When prompted, click Delete.

After you finish 

After you delete the device, the next time the user's Authenticate app communicates with the Cloud Authentication Service, it presents a message to the user that the company has been removed from the device. The user cannot use the app for the deleted company without completing device registration again. If the user has registered more than one company, he can use the app for companies that were not deleted.

Manage User Phone Numbers

Phone numbers are required for users who authenticate using SMS Tokencode or Voice Tokencode. You can manage phone numbers for each user in the following ways:

  • Select a phone number that was synchronized from the identity source.
  • Manually enter a phone number that is not in the identity source. These phone numbers are stored only in the Cloud Authentication Service and are not added to the identity source or overwritten during synchronization.
  • Clear the phone number and blank out the field. Phone numbers that were synchronized from the identity source remain in the list but are not used during authentication and the user is not presented with SMS Tokencode or Voice Tokencode as an authentication option.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered devices.

    Note:  If the user cannot be found, a Super Admin must synchronize the identity sources to update user information in the Cloud Authentication Service.

  3. In the SMS Phone or Voice Phone field, do one of the following:

    • Click Show synchronized phone numbers and select a number that was synchronized from the identity source.

      Note:  Show synchronized phone numbers does not appear if no phone numbers were synchronized from the user's identity source. If this occurs, confirm that phone number attributes were specified in the identity source configuration. Click Users > Identity Sources > Edit.

    • Enter a new phone number.

      Note:  To ensure that SMS and Voice tokencodes are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1. Extensions are not yet supported.

    • Clear the field to prevent SMS Tokencode or Voice Tokencode authentication. Make sure no synchronized phone numbers are selected.
  4. Click Save.
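
The phone number rules in the procedure above (country code required, E.123 form recommended, extensions not supported) can be checked in bulk before numbers are entered or synchronized. This is an added example, not RSA code; the function names, the extension patterns, and the sample values are assumptions, and the 15-digit limit comes from E.164 rather than from this page.

```python
import re

# "+", a 1-3 digit country code, then digit groups separated by single spaces.
E123_INTL = re.compile(r"\+\d{1,3}(?: \d+)+")
# Common ways an extension is written (assumed list); extensions are not supported.
EXTENSION = re.compile(r"\s*(?:ext\.?|x|#)\s*\d+$", re.IGNORECASE)
MAX_DIGITS = 15  # E.164 limit, country code included

def check_phone(raw: str) -> list[str]:
    """Return findings for one number; an empty list means it is acceptable."""
    value = raw.strip()
    findings = []
    if EXTENSION.search(value):
        findings.append("error: extension not supported")
        value = EXTENSION.sub("", value)  # keep checking the base number
    if not value.startswith("+"):
        findings.append("error: country code required")
    elif not E123_INTL.fullmatch(value):
        findings.append("warn: not in E.123 form +<country_code> <national_number>")
    if len(re.sub(r"\D", "", value)) > MAX_DIGITS:
        findings.append("error: more than 15 digits")
    return findings

def audit(numbers: dict[str, str]) -> dict[str, list[str]]:
    """Map user ID -> findings, keeping only users whose number has findings."""
    report = {user: check_phone(num) for user, num in numbers.items()}
    return {user: found for user, found in report.items() if found}

# Constructed sample values, not real users or numbers.
SAMPLE = {
    "alice@example.com": "+1 555 555 5555",
    "bob@example.com": "555 555 5555",
    "carol@example.com": "+1 555 555 5555 x123",
    "dave@example.com": "+1-555-555-5555",
}

if __name__ == "__main__":
    for user, found in audit(SAMPLE).items():
        print(user, found)
```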

Delete a User from the Cloud Authentication Service

You can delete a user from the Cloud Authentication Service so the user can no longer authenticate through the service or register a device. Deletion removes all information and devices associated with the user from the Cloud Authentication Service. The user must be disabled in the Cloud Authentication Service before you perform the delete.

First, you mark the disabled user for deletion, which changes the user's account status to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize the user in the Pending Deletion state. After seven days, the user is automatically deleted from the Cloud Authentication Service. For example, if you mark the user for deletion on March 1, the user is automatically deleted from the Cloud Authentication Service on March 8. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place.

If a deleted user's account remains enabled on the directory server and is within scope in the identity source filter and root, RSA SecurID Access will add the user record to the Cloud Authentication Service during the next identity source synchronization. To prevent RSA SecurID Access from adding the user back to the Cloud Authentication Service, you can do one of the following:

  • Disable the user in the directory server.
  • Delete the user from the directory server.
  • Make modifications to ensure that either the user is not in an organizational unit (OU) that is under the identity source root DN, or the user does not meet the User Search Filter criteria. You can modify either the user or the identity source configuration.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. Make sure the user is disabled. If necessary, click Disable.
  4. Click Delete.
  5. When prompted, confirm the delete action.

    The user's status changes to Pending Deletion and the user will be deleted from the Cloud Authentication Service after seven days.

Undelete a User Who is Pending Deletion

You can prevent a single user from being automatically purged from the Cloud Authentication Service and change the user's status to Disabled by "undeleting" the user within seven days after the user was marked for deletion. Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through the Cloud Authentication Service.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. Verify that the user's status is Pending Deletion, and click Undelete.
  4. When prompted, confirm the Undelete action.

    The user's status changes from Pending Deletion to Disabled.
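
The delete and undelete rules above, together with the condition under which synchronization adds a deleted user back, modeled as an added example for offboarding checks. It is not RSA code and calls no RSA API; the class and function names, the day-level date handling, the simplified DN comparison, and the precomputed search-filter flag are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PURGE_DELAY = timedelta(days=7)  # page: purged seven days after being marked

@dataclass
class CasUser:
    """Constructed model of a user record; not an RSA data structure."""
    user_id: str
    status: str = "Enabled"  # Enabled | Disabled | Pending Deletion
    marked_on: Optional[date] = None

    def mark_for_deletion(self, today: date) -> date:
        """Move Disabled -> Pending Deletion and return the automatic purge date."""
        if self.status != "Disabled":
            raise ValueError("user must be disabled before deletion")
        self.status, self.marked_on = "Pending Deletion", today
        return today + PURGE_DELAY

    def undelete(self, today: date) -> None:
        """Move Pending Deletion -> Disabled; day granularity is an assumption."""
        if self.status != "Pending Deletion" or today >= self.marked_on + PURGE_DELAY:
            raise ValueError("undelete only applies while Pending Deletion")
        self.status, self.marked_on = "Disabled", None

@dataclass
class DirectoryEntry:
    """Constructed stand-in for the user's record on the directory server."""
    dn: str
    enabled: bool
    matches_search_filter: bool  # User Search Filter result, assumed precomputed

def under_root(dn: str, root_dn: str) -> bool:
    """True if dn is at or below root_dn (naive split; ignores escaped commas)."""
    d = [p.strip().lower() for p in dn.split(",")]
    r = [p.strip().lower() for p in root_dn.split(",")]
    return len(d) >= len(r) and d[-len(r):] == r

def readded_on_next_sync(entry: Optional[DirectoryEntry], root_dn: str) -> bool:
    """A deleted user comes back if still enabled and in scope of root and filter."""
    return (entry is not None and entry.enabled
            and entry.matches_search_filter and under_root(entry.dn, root_dn))
```

Passing `None` as the entry represents a user who was deleted from the directory server, which is one of the three ways the page lists to keep the user from being added back.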

 

 
