You can use the Security Console to add users to the internal database even if an LDAP directory is the primary identity source. Adding users directly to the internal database allows you to create a group of users different from those in the identity source. For example, you might store a group of temporary contractors or a specific group of administrators in the internal database. You might also use the internal database to store a small number of users for a pilot project.
User data in an LDAP directory is read-only. You must add users to the LDAP directory using the directory tools. However, you can use the Security Console to perform certain administrative functions, such as assigning tokens or enabling a user for risk-based authentication.
In the Security Console, click Identity > Users > Add New.
In the Administrative Control section, from the Security Domain drop-down list, select the security domain where you want the user to be managed. The user is managed by administrators whose administrative scope includes the security domain you select.
In the User Basics section, do the following:
(Optional) In the First Name field, enter the user's first name. Do not exceed 255 characters.
(Optional) In the Middle Name field, enter the user's middle name. Do not exceed 255 characters.
In the Last Name field, enter the last name of the user. Do not exceed 255 characters.
In the User ID field, enter the User ID for the user. The User ID cannot exceed 255 characters. Make sure the User ID is unique to the identity source where you save the user. Do not use multi-byte characters, for example:
Note: If you are creating an account for an administrator who requires access to the Security Console, the User ID must be unique within the deployment.
(Optional) In the Email field, enter the user's e-mail address. Do not exceed 255 characters.
(Optional) In the Certificate DN field, enter the user's certificate DN. The certificate DN must match the subject line of the certificate issued to the user for authentication. Do not exceed 255 characters.
In the Password section, do the following:
Note: This password is not used for authenticating through authentication agents.
In the Password field, enter a password for the user. Password requirements are determined by the password policy assigned to the security domain where the user is managed. This is the user’s identity source password, which may be different from alternate passwords provided by applications. For more information, see View a Password Policy.
In the Confirm Password field, enter the same password that you entered in the Password field.
(Optional) Select Force Password Change if you want to force the user to change his or her password the next time the user logs on. You might select this checkbox, for example, if you assign a standard password to all new users, which you want them to change when they start using the system.
In the Account Information section, do the following:
From the Account Starts drop-down lists, select the date and time you want the user’s account to become active. The time zone is determined by local system time.
From the Account Expires drop-down lists, select the date and time you want the user’s account to expire, or configure the account with no expiration date. The time zone is determined by local system time.
(Optional) Select Disabled if you want to disable the new account.
If a Locked Status option is selected, you can unlock the user by clearing all selected options.
(Optional) Under Attributes, enter the user’s mobile phone number in the Mobile Number (String) field.
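As an added example (not RSA's code and not part of the original procedure), the following Python pre-flight check validates a constructed batch of user records against the field rules stated above before anyone enters them in the Security Console. The record keys, the `existing` lookup of User IDs per identity source, and the ISO date strings are assumptions; the Console itself still enforces the rules on save.

```python
from datetime import datetime

MAX_LEN = 255
TEXT_FIELDS = ("first_name", "middle_name", "last_name", "user_id", "email", "certificate_dn")

def validate_user(rec, existing):
    """Check one record against the procedure's field rules. `existing` (assumed lookup)
    maps identity source name -> set of User IDs already stored there. Returns error strings."""
    errors = []
    for f in TEXT_FIELDS:
        if f in ("last_name", "user_id") and not rec.get(f):   # the only required text fields
            errors.append(f"{f} is required")
        if len(rec.get(f, "")) > MAX_LEN:                     # every text field is capped at 255
            errors.append(f"{f} exceeds {MAX_LEN} characters")
    uid = rec.get("user_id", "")
    if any(len(ch.encode("utf-8")) > 1 for ch in uid):        # no multi-byte characters in a User ID
        errors.append("user_id contains multi-byte characters")
    # Unique within its identity source; deployment-wide if the user will administer the Console
    if rec.get("console_admin"):
        scope = set().union(*existing.values())
    else:
        scope = existing.get(rec.get("identity_source"), set())
    if uid and uid in scope:
        errors.append("user_id is not unique in scope")
    # Password and Confirm Password must match (length/complexity come from the domain policy)
    if not rec.get("password") or rec["password"] != rec.get("confirm_password"):
        errors.append("password missing or does not match confirm_password")
    # Account Starts must precede Account Expires when an expiry is set (local system time)
    starts = datetime.fromisoformat(rec["account_starts"])
    if rec.get("account_expires") and datetime.fromisoformat(rec["account_expires"]) <= starts:
        errors.append("account_expires is not after account_starts")
    return errors

# Constructed sample data: one clean record, then records that each break stated rules
EXISTING = {"Internal Database": {"jsmith"}, "Corp LDAP": {"contractor01"}}
BATCH = [
    {"identity_source": "Internal Database", "last_name": "Doe", "user_id": "jdoe",
     "password": "Tmp!2024x", "confirm_password": "Tmp!2024x",
     "account_starts": "2024-06-01T09:00", "account_expires": "2024-12-31T17:00"},
    {"identity_source": "Internal Database", "last_name": "Ng", "user_id": "contractor01",
     "console_admin": True, "password": "p", "confirm_password": "p", "account_starts": "2024-06-01T09:00"},
    {"identity_source": "Internal Database", "last_name": "Müller", "user_id": "müller",
     "password": "p", "confirm_password": "q", "account_starts": "2024-06-01T09:00",
     "account_expires": "2024-05-01T09:00"},
]

def run_batch(batch=BATCH, existing=EXISTING):
    """Return {user_id: [errors]} for every record that fails at least one check."""
    return {r["user_id"]: e for r in batch if (e := validate_user(r, existing))}
```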