Manage Users for the Cloud Authentication Service

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by Joyce Cohen on Jun 19, 2018. Version 14.

You can perform the following user management tasks:

  • View User Information
  • Enable or Disable a User
  • Delete a User's Device
  • Manage User Phone Numbers
  • Mark Users for Automatic Bulk Deletion from the Cloud Authentication Service
  • Delete a Single User Immediately from the Cloud Authentication Service
  • Undelete a User Who is Pending Deletion
  • Undelete Users Who Are Pending Deletion - Bulk Maintenance

Note:  If the user cannot be found through Search, try synchronizing the user's identity source. You must be a Super Admin to synchronize identity sources.

View User Information

You can use the Cloud Administration Console to view the following information for a user.

User Information / Description

First Name, Last Name, Email Address
    Information that identifies the user.

Account Created On
    Date when the user account was added to the Cloud Authentication Service.

User Status
    Enabled. Users can access protected resources.
    Disabled. Users cannot access protected resources or register devices.
    Pending Deletion. The user and all associated data and devices will be automatically deleted from the Cloud Authentication Service seven days after being marked for deletion in the Cloud Administration Console.
    See Identity Sources for the Cloud Authentication Service for information on how synchronization affects the user status.

Identity Source
    User's identity source for the Cloud Authentication Service.

SMS Phone, Voice Phone
    Displays user phone numbers after you click Show synchronized phone numbers. Phone numbers appear only if corresponding attributes were configured and synchronized.

Last Synchronized
    Date when the user's information was last synchronized with an identity source using any of the following methods:
      • You clicked Synchronize on the User Management page for the user. A Super Admin or Help Desk Admin can synchronize a single user.
      • The user was updated through just-in-time, manual, or scheduled synchronization.

Registered Devices and Browsers
    Includes devices where the RSA SecurID Authenticate app is installed, the user's registered FIDO token, and known browsers.
    A browser becomes known when a user completes authentication and clicks Remember This Browser. RSA SecurID Access remembers the browser and identifies it with the Known Browser attribute in an access policy. If the user does not click Remember This Browser, the browser is not known.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.

Results

All information for the user is displayed.

Enable or Disable a User

Enabled users can authenticate to access resources protected by the Cloud Authentication Service. Users are enabled by default when you add them to the Cloud Authentication Service through synchronization. Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices.

Super Admins can enable or disable any administrator or user. Help Desk Admins can enable or disable non-administrative users and Help Desk Admins, but they cannot enable or disable Super Admins. An administrator cannot enable or disable his own account.

Before you begin

Understand how identity source synchronization affects user enablement and disablement. See Identity Sources for the Cloud Authentication Service.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. On the user's detail page, click Disable or Enable.
  4. When prompted, confirm the action.

Delete a User's Device

You can delete a Cloud Authentication Service user's device, including registered FIDO Token and known browser, from RSA SecurID Access. Deleting these devices has the following consequences:

  • The user can install the RSA SecurID Authenticate app on another device.
  • When the user inserts the FIDO Token for authentication, the user is prompted to re-register the token.
  • RSA SecurID Access no longer remembers the browser the next time the user attempts to open an application.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. On the user's detail page, find the device you want to delete and click the delete icon.
  4. When prompted, click Delete.

After you finish

After you delete the device, the next time the user's Authenticate app communicates with the Cloud Authentication Service, it presents a message to the user that the company has been removed from the device. The user cannot use the app for the deleted company without completing device registration again. If the user has registered more than one company, he can use the app for companies that were not deleted.

Manage User Phone Numbers

Phone numbers are required for users who authenticate using SMS Tokencode or Voice Tokencode. You can manage phone numbers for each user in the following ways:

  • Select a phone number that was synchronized from the identity source.
  • Manually enter a phone number that is not in the identity source. These phone numbers are stored only in the Cloud Authentication Service and are not added to the identity source or overwritten during synchronization.
  • Clear the phone number and blank out the field. Phone numbers that were synchronized from the identity source remain in the list but are not used during authentication, and the user is not presented with SMS Tokencode or Voice Tokencode as an authentication option.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list to display the user's details and registered devices.

     Note:  If the user cannot be found, a Super Admin must synchronize the identity sources to update user information in the Cloud Authentication Service.

  3. In the SMS Phone or Voice Phone field, do one of the following:

     • Click Show synchronized phone numbers and select a number that was synchronized from the identity source.

       Note:  Show synchronized phone numbers does not appear if no phone numbers were synchronized from the user's identity source. If this occurs, confirm that phone number attributes were specified in the identity source configuration. Click Users > Identity Sources > Edit.

     • Enter a new phone number.

       Note:  To ensure that SMS and Voice tokencodes are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1. Extensions are not yet supported.

     • Clear the field to prevent SMS Tokencode or Voice Tokencode authentication. Make sure no synchronized phone numbers are selected.

  4. Click Save.
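
The note about phone number format above is the kind of rule worth checking before an administrator types a number into the SMS Phone or Voice Phone field, since a number without a country code or with an extension will not route tokencodes correctly. The following is an added example, not RSA's code and not part of this page: it normalizes a manually entered number to the E.123 international form the note recommends and rejects the cases the note rules out. The limits of one to three digits for the country code and 15 digits overall are taken from ITU-T E.164 and are an assumption, since the page itself states only the format and the example.

```python
import re

# Constructed rule set based on the note above: "+" followed by the country
# code, a space, then the national number (digits, optionally grouped by
# spaces). Country codes of 1-3 digits and the 15-digit overall maximum come
# from ITU-T E.164 and are an assumption, not something the page states.
_E123 = re.compile(r"^\+(?P<cc>[1-9]\d{0,2}) (?P<nn>\d(?:[ \d]*\d)?)$")
# Common ways an extension is written; the service does not support extensions.
_EXTENSION = re.compile(r"(?i)\bext\.?\b|\bx\d|;ext=")


def normalize_phone(raw: str) -> str:
    """Return the number as '+<country_code> <national_number>' or raise ValueError."""
    value = " ".join(raw.split())               # collapse tabs and repeated spaces
    if _EXTENSION.search(value):
        raise ValueError("extensions are not supported")
    if not value.startswith("+"):
        raise ValueError("country code is required, e.g. +1 555 555 5555")
    # Tolerate punctuation copied from address books, e.g. "+1 (555) 555-5555".
    candidate = " ".join(re.sub(r"[().\-]", " ", value).split())
    match = _E123.match(candidate)
    if not match:
        raise ValueError(f"not in E.123 international format: {raw!r}")
    if len(match.group("cc")) + len(match.group("nn").replace(" ", "")) > 15:
        raise ValueError("more than 15 digits (E.164 maximum)")
    return f"+{match.group('cc')} {match.group('nn')}"


def is_valid_phone(raw: str) -> bool:
    """Convenience wrapper for a yes/no check in a pre-entry validation step."""
    try:
        normalize_phone(raw)
        return True
    except ValueError:
        return False
```

The check deliberately requires a space between the country code and the national number: without that separator the country code cannot be told apart from the start of the national number, which is exactly the ambiguity the E.123 layout avoids.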

Mark Users for Automatic Bulk Deletion from the Cloud Authentication Service

You can delete users from the Cloud Authentication Service so they can no longer authenticate through the service or register a device. Deletion removes all information and devices associated with the user from the Cloud Authentication Service. The preferred method for deleting users is automatic bulk deletion. You can perform this operation only on disabled users. The disabled users are removed from the Cloud Authentication Service in a two-step process:

  1. First, you use the Cloud Administration Console to mark the disabled user for deletion, which changes the user's account status from Disabled to Pending Deletion. You can still view the user's detail information in the Cloud Authentication Service and synchronize the user in the Pending Deletion state.
  2. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days.

For example, if you mark the user for deletion on March 1, the user is automatically deleted from the Cloud Authentication Service on March 8. The user cannot register a device or authenticate to the Cloud Authentication Service while pending deletion or after deletion has taken place.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. Make sure the user is disabled. If necessary, click Disable.
  4. Click Delete.
  5. When prompted, confirm the delete action.

     The user's status changes to Pending Deletion and the user will be deleted from the Cloud Authentication Service after seven days.

After you finish

If a deleted user's account remains enabled on the directory server and is within scope in the identity source filter and root, RSA SecurID Access will add the user record to the Cloud Authentication Service during the next identity source synchronization. To prevent RSA SecurID Access from adding the user back to the Cloud Authentication Service, you can do one of the following:

  • Disable the user in the directory server.
  • Delete the user from the directory server.
  • Make modifications to ensure that either the user is not in an organizational unit (OU) that is under the identity source root DN, or the user does not meet the User Search Filter criteria. You can modify either the user or the identity source configuration.
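
The three conditions above (enabled in the directory, under the identity source root DN, matching the User Search Filter) are what decide whether a deleted user silently reappears after the next synchronization, so it helps to be able to check them against a directory record before relying on deletion. The following is an added example and not RSA's code or the product's synchronization logic: it models the scope decision with a case-insensitive DN suffix check and a small evaluator for the equality, presence, &, | and ! forms of LDAP filter syntax. The use of the Active Directory userAccountControl ACCOUNTDISABLE bit to decide "enabled", the root DN, the filter and the records are all constructed for the example.

```python
# Added example (not RSA's code): decide whether a directory record is in scope
# for identity source synchronization under the rules described in the text.
# Only a subset of LDAP filter syntax is supported; that is an assumption made
# for illustration, not a statement about the product's own filter handling.

ACCOUNTDISABLE = 0x2  # userAccountControl bit that Active Directory sets on disabled accounts


def _dn_components(dn):
    """Split a DN into lower-cased RDN strings for a case-insensitive suffix compare."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under_root(user_dn, root_dn):
    """True when user_dn is at or below root_dn in the directory tree."""
    user, root = _dn_components(user_dn), _dn_components(root_dn)
    return len(user) >= len(root) and user[-len(root):] == root


def _split_top_level(text):
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] while respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(text[start:i + 1])
    return parts


def matches_filter(entry, flt):
    """Evaluate a simple LDAP-style filter against a dict with lower-case attribute names."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    body = flt[1:-1]
    if body.startswith("&"):
        return all(matches_filter(entry, p) for p in _split_top_level(body[1:]))
    if body.startswith("|"):
        return any(matches_filter(entry, p) for p in _split_top_level(body[1:]))
    if body.startswith("!"):
        return not matches_filter(entry, body[1:])
    attr, _, wanted = body.partition("=")       # first "=" only: DN values contain more
    values = entry.get(attr.strip().lower(), [])
    if not isinstance(values, list):
        values = [values]
    if wanted == "*":                           # presence filter
        return bool(values)
    return any(str(v).lower() == wanted.lower() for v in values)


def would_be_resynced(entry, root_dn, user_filter):
    """True if a user deleted from the Cloud Authentication Service would be added
    back on the next synchronization: enabled, under the root DN, matches the filter."""
    attrs = {k.lower(): v for k, v in entry.items()}
    enabled = not (int(attrs.get("useraccountcontrol", 0)) & ACCOUNTDISABLE)
    return (enabled
            and is_under_root(attrs["dn"], root_dn)
            and matches_filter(attrs, user_filter))


# Constructed identity source settings and directory records for the demo.
ROOT_DN = "OU=Staff,DC=example,DC=com"
USER_FILTER = "(&(objectClass=user)(mail=*)(!(memberOf=CN=NoCloudMFA,OU=Groups,DC=example,DC=com)))"

SAMPLE_RECORDS = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "alice@example.com", "userAccountControl": 512},    # enabled and in scope
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "bob@example.com", "userAccountControl": 514},      # disabled in the directory
    {"dn": "CN=Carol,OU=Contractors,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "carol@example.com", "userAccountControl": 512},    # outside the root DN
    {"dn": "CN=Dave,OU=Staff,DC=example,DC=com", "objectClass": ["top", "person", "user"],
     "mail": "dave@example.com", "userAccountControl": 512,
     "memberOf": ["CN=NoCloudMFA,OU=Groups,DC=example,DC=com"]},  # excluded by the filter
]


def users_that_would_return(records=SAMPLE_RECORDS, root_dn=ROOT_DN, user_filter=USER_FILTER):
    """Return the e-mail addresses that the next synchronization would add back."""
    return [r["mail"] for r in records if would_be_resynced(r, root_dn, user_filter)]
```

Of the four constructed records only Alice comes back: Bob is disabled in the directory, Carol sits outside the root DN, and Dave is excluded by the filter, which are the three remedies the list above describes.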

 

Delete a Single User Immediately from the Cloud Authentication Service

You can delete a single user from the Cloud Authentication Service and immediately remove all information and devices associated with the user.

RSA recommends that you perform most routine delete operations in bulk, as described in Mark Users for Automatic Bulk Deletion from the Cloud Authentication Service. Bulk deletion offers advantages, such as relieving you from having to manage large numbers of users individually, and giving you the option to undo the delete operation before users are purged from the Cloud Authentication Service. However, certain emergency situations might require you to delete individual users immediately. For example, suppose you are trying to synchronize a record that has the same email address as a slightly different record for the same user that already exists in the Cloud Authentication Service. The user record fails to synchronize and the user cannot authenticate. You must delete the existing record from the Cloud Authentication Service and resynchronize in order to recreate the user record correctly so the user can complete authentication.

Note:  This operation cannot be undone, but you can re-add the user by resynchronizing.

Before you begin

You must be a Super Admin to perform this task.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. If the user is not disabled, click Disable.
  4. Click Delete Now.
  5. When prompted, confirm the delete action.

Undelete a User Who is Pending Deletion

You can prevent a single user from being automatically purged from the Cloud Authentication Service and change the user's status to Disabled by "undeleting" the user within seven days after the user was marked for deletion. Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through the Cloud Authentication Service.

Procedure

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the user's User ID, which is also the user's email address. Select the user from the list.
  3. Verify that the user's status is Pending Deletion, and click Undelete.
  4. When prompted, confirm the Undelete action.

     The user's status changes from Pending Deletion to Disabled.

Undelete Users Who Are Pending Deletion - Bulk Maintenance

If you accidentally delete a large number of users, you can restore them to their previous Disabled state before they are purged from the Cloud Authentication Service by undeleting the users in a bulk operation. The undelete action applies to all users who were marked for deletion within the number of days you specify. For example, you can undelete all users who were marked for deletion within the past three days.

Disabled users remain in the Cloud Authentication Service, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through the Cloud Authentication Service.

Procedure

  1. In the Cloud Administration Console, click Users > Bulk Maintenance.
  2. Complete the field Apply to users who were deleted in the past X days. Users who were marked for deletion within this many days will be undeleted. If you select 7+, all users who have been pending deletion for seven days or more will become Disabled.
  3. Click Undelete and confirm the action.

     The users' status is changed to Disabled.
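
The bulk deletion, single-user Undelete and Bulk Maintenance sections above all describe one lifecycle: Enabled, Disabled, Pending Deletion, and purge seven days after marking, with Undelete always returning a user to Disabled rather than Enabled. The following is an added example and not RSA's code: it models that lifecycle so the ordering rules (disable before marking, undelete only while still pending, bulk undelete by age window including the 7+ choice) can be exercised on the March 1 example from the text. It assumes the purge runs as a daily job and that a numeric Bulk Maintenance window N means "marked within the past N days"; the user IDs and the year are constructed.

```python
from datetime import date, timedelta

PENDING_DAYS = 7  # from the text: purged seven days after being marked for deletion

ENABLED, DISABLED, PENDING = "Enabled", "Disabled", "Pending Deletion"


class CloudUser:
    """A user record as the Cloud Authentication Service tracks it (modelled here)."""

    def __init__(self, user_id, status=ENABLED):
        self.user_id = user_id      # the User ID, i.e. the user's e-mail address
        self.status = status
        self.marked_on = None       # date the user entered Pending Deletion

    def can_authenticate(self):
        """Only Enabled users can authenticate or register devices."""
        return self.status == ENABLED

    def disable(self):
        if self.status == PENDING:
            raise ValueError("undelete the user before changing enablement")
        self.status = DISABLED

    def enable(self):
        if self.status == PENDING:
            raise ValueError("undelete the user before changing enablement")
        self.status = ENABLED

    def mark_for_deletion(self, today):
        """Step 3 of the bulk-deletion procedure: only a Disabled user can be marked."""
        if self.status != DISABLED:
            raise ValueError("disable the user before marking it for deletion")
        self.status, self.marked_on = PENDING, today

    def undelete(self):
        """Undelete returns the user to Disabled, never straight to Enabled."""
        if self.status != PENDING:
            raise ValueError("user is not pending deletion")
        self.status, self.marked_on = DISABLED, None

    def pending_age_days(self, today):
        return (today - self.marked_on).days if self.marked_on else None

    def purge_date(self):
        return self.marked_on + timedelta(days=PENDING_DAYS) if self.marked_on else None


class UserStore:
    """The set of user records; purge and Bulk Maintenance act on the whole set."""

    def __init__(self):
        self.users = {}

    def add(self, user):
        self.users[user.user_id] = user

    def run_scheduled_purge(self, today):
        """Assumed daily job: remove every user whose purge date has arrived."""
        purged = [u.user_id for u in self.users.values()
                  if u.status == PENDING and today >= u.purge_date()]
        for user_id in purged:
            del self.users[user_id]
        return purged

    def bulk_undelete(self, today, window):
        """Bulk Maintenance: window is N (marked in the past N days) or "7+"."""
        restored = []
        for u in self.users.values():
            if u.status != PENDING:
                continue
            age = u.pending_age_days(today)
            if (window == "7+" and age >= PENDING_DAYS) or (window != "7+" and age <= window):
                u.undelete()
                restored.append(u.user_id)
        return restored


def demo():
    """Walk through the March 1 example from the text with two constructed users."""
    store = UserStore()
    alice, bob = CloudUser("alice@example.com"), CloudUser("bob@example.com")
    for u in (alice, bob):
        store.add(u)
        u.disable()                                   # must be Disabled before marking
    alice.mark_for_deletion(date(2018, 3, 1))
    bob.mark_for_deletion(date(2018, 3, 5))
    purge_date = alice.purge_date().isoformat()                   # March 8
    purged_mar7 = store.run_scheduled_purge(date(2018, 3, 7))     # nothing due yet
    restored = store.bulk_undelete(date(2018, 3, 7), 3)           # only bob (2 days old)
    purged_mar8 = store.run_scheduled_purge(date(2018, 3, 8))     # alice, on day 7
    return {"purge_date": purge_date, "purged_mar7": purged_mar7, "restored": restored,
            "purged_mar8": purged_mar8, "bob_status": bob.status,
            "bob_can_authenticate": bob.can_authenticate()}
```

Running `demo()` shows the two points that matter operationally: a Bulk Maintenance window of 3 days on March 7 restores only the user marked on March 5, and the user marked on March 1 is purged on March 8, after which no undelete is possible; the restored user is Disabled and still cannot authenticate until explicitly enabled.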

 

 

 

 

 
