Manage Users for Cloud Access Service

Use the Cloud Administration Console to perform the following user management tasks.

Help Desk Administrator Tasks

  • Assign a Hardware Authenticator to a User
  • Clear a Hardware OTP Credential PIN for a User
  • Delete a User's Authenticator
  • Disable Emergency Access Code for a User
  • Enable or Disable a User
  • Generate a Registration Code
  • Manage User Phone Numbers
  • Provide an Emergency Access Code to a User
  • Synchronize One User
  • Unassign a Hardware Authenticator from a User
  • Unlock a User's Password
  • Unlock All OTPs for a User
  • View User Information
  • Reset a User's Password
  • Enable a User to Register an Authenticator
  • Live Verification for Users
  • Override Mobile Lock for a User

General User Management Tasks

  • Configure or Disable Automatic User Deletion - Bulk Maintenance
  • Delete a Single User Immediately from CAS
  • Delete a User's Hardware Authenticator
  • Disable or Enable a Hardware Authenticator
  • Mark a User for Automatic Bulk Deletion from CAS
  • Run Reports
  • Undelete a User Who is Pending Deletion
  • Undelete Users Who Are Pending Deletion - Bulk Maintenance
  • Disable or Enable a FIDO Credential
  • Add a User in the Unified Directory
  • Edit User Details in the Unified Directory
  • Import Users to a Local Identity Source
  • Unlock a User's Enrollment Code

View User Information

You can use the Cloud Administration Console to view the following information for a user.

User Information / Description

First Name, Last Name, Username, Alternate Username, Email Address, Manager
  Information that identifies the user.
  Both the Alternate Username and Manager attributes are optional. The Alternate Username attribute can be used for the Active Directory userPrincipalName. The Manager attribute holds the distinguished name of the user's manager in Active Directory and LDAP identity sources, and the email address of the user's manager in local identity sources.

Account Created On
  Date when the user account was added to Cloud Access Service (CAS).

User Status
  Enabled. Users can access protected resources.
  Disabled. Users cannot access protected resources or register authenticators.
  Pending Deletion. The user and all associated data and authenticators will be automatically deleted from CAS seven days after being marked for deletion in the Cloud Administration Console.
  See Identity Sources for Cloud Access Service for information on how synchronization affects the user status.

High-Risk User
  This attribute is licensed. See ID Plus Subscription Plans. Yes indicates that an external third-party application has marked the user as high risk; No is displayed otherwise.
  If you configured conditional access policies using the High-Risk User List attribute, this status can affect the authentication requirements for the user.

Identity Source
  The user's identity source for CAS.

SMS Phone, Voice Phone
  Displays the user's phone numbers after you click Show synchronized phone numbers. Phone numbers appear only if the corresponding attributes were configured and synchronized.
  Note:  For users in the Unified Directory, the phone numbers entered when the user was created are displayed. You can edit these phone numbers.

Updated
  Date and time when the user was last modified by an administrator, the user, CAS, or an external system.

Refreshed
  Date and time when the user's information was last synchronized with an identity source by any of the following methods:
  • You clicked Synchronize on the User Management page to synchronize a single user.
  • The user was updated through just-in-time or manual synchronization.
  • You searched for an unsynchronized user and the user was automatically added to CAS.
  • The user was updated from an external user source.
  If no changes are detected during synchronization, the Updated and Refreshed fields remain unchanged.

Registered Authenticators and Browsers
  Includes devices on which the RSA Authenticator app is installed, the user's registered FIDO authenticators, and known browsers.
  A browser becomes known when a user completes authentication and clicks Remember This Browser. RSA remembers the browser and identifies it with the Known Browser attribute in an access policy. If the user does not click Remember This Browser, the browser is not known.
  A known browser is deleted from the user's account after it has not been used for 90 days. Users who do not use a known browser within 90 days might have to reauthenticate.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the user's ID (email address).

  • If the user's ID appears in the list, the user already exists in CAS.

  • If not, click Include and add users not synchronized to the Cloud Authentication Service. A user who is not yet listed (for example, a new user or a user who has never authenticated) is found only on an exact match, so enter the full ID. Click the prompt to find the user and automatically add the user to CAS.

Note: Some identity source configurations map the user identifier to mail, sAMAccountName, and msDS-PrincipalName. New users can be onboarded to the cloud with their mail or sAMAccountName value through the Cloud Administration Console, My Page, or any SAML or OIDC relying party.

If msDS-PrincipalName is selected as the identifier for the user population, the search returns no results: msDS-PrincipalName is a constructed attribute in Microsoft Active Directory, and Active Directory does not allow constructed attributes in search filters. It therefore cannot be used to onboard new users, whether by administrators in the Cloud Administration Console or by end users through My Page. Once the user has been added (synchronized) to the cloud, the user can access applications with any of the identifiers, such as mail, sAMAccountName, or msDS-PrincipalName.

For descriptions of the attributes, see Active Directory Attributes Synchronized for Authentication.
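The identifier search described in the note above, as an added example that is not part of this page or of RSA's product code: it builds the Active Directory search filter that locates one user by the identifier attributes the note names, escapes the supplied identifier per RFC 4515 so that a crafted value cannot alter the filter, and refuses constructed attributes such as msDS-PrincipalName, which Active Directory will not evaluate in a filter. The objectCategory/objectClass clauses, the default attribute set, and the constructed attributes listed beyond msDS-PrincipalName are this example's assumptions, not a description of how CAS itself searches.

```python
"""
Added example (not RSA's code): an Active Directory user search filter built from a
user-supplied identifier. Two points from the note above: the identifier must be
escaped before it goes into the filter, and constructed attributes cannot be searched.
"""
from typing import Iterable

# Constructed attributes are computed by the domain controller on read and cannot be used
# in an LDAP search filter. The page names msDS-PrincipalName; canonicalName and
# tokenGroups are further well-known members of the same class (an assumption here).
CONSTRUCTED_ATTRIBUTES = frozenset(
    a.lower() for a in ("msDS-PrincipalName", "canonicalName", "tokenGroups")
)


def usable_in_filter(attribute: str) -> bool:
    """True if the attribute is a real (stored) attribute that a filter can match on."""
    return attribute.lower() not in CONSTRUCTED_ATTRIBUTES


def escape_filter_value(value: str) -> str:
    """RFC 4515 assertion-value escaping: '*', '(', ')', '\\', NUL and non-ASCII bytes
    become \\xx so a supplied identifier cannot inject extra filter terms."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_search_filter(identifier: str,
                       attributes: Iterable[str] = ("mail", "sAMAccountName")) -> str:
    """Match one user account by any of the given identifier attributes.
    The objectCategory/objectClass clauses are an assumed, typical user-object scope."""
    attrs = list(attributes)
    bad = [a for a in attrs if not usable_in_filter(a)]
    if bad:
        raise ValueError("constructed attribute(s) cannot be searched: " + ", ".join(bad))
    value = escape_filter_value(identifier)
    clauses = "".join(f"({a}={value})" for a in attrs)
    return f"(&(objectCategory=person)(objectClass=user)(|{clauses}))"


if __name__ == "__main__":
    print(user_search_filter("alice@example.com"))
    # A hostile identifier is neutralised rather than widening the search:
    print(user_search_filter("*)(objectClass=*"))
```

With `msDS-PrincipalName` in the attribute list the function raises before any query is sent, which is the same outcome the note describes for the console search, just failed fast on the client side.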

Add a User in the Unified Directory

You can use the Cloud Administration Console to create a user in the Unified Directory. You can add the users’ details and set their initial passwords. Users can then log on to My Page and change their assigned password.

RSA makes an effort to prevent the use of passwords that are publicly listed as compromised in known data breaches. User passwords are compared against the list of compromised passwords provided in the file available at https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt. RSA also regularly monitors for updates to the compromised password list and refreshes it as necessary.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. On the User Management page, click Add a User.

  3. Enter the following information:

User Information / Description

Identity Source
  Select the user's identity source for CAS. This field is required.

First Name, Last Name, Username, Alternate Username, Email Address
  Enter the information that identifies the user. The First Name, Username, and Email Address fields are required. The Last Name and Alternate Username fields are optional.

Manager's Email
  Enter the email address of the user's manager. This field is optional.

Group Membership
  Enter the name(s) of the group(s) of which the user is a member. This field is optional.

SMS Phone, Voice Phone
  Enter the user's phone numbers. These fields are optional.

Password Creation, Password, Confirm Password
  In the Password Creation field, the following options can be available, depending on which initial password creation options are enabled:

  • Admin Entered

  • Generate & Display

  • Generate & Send

  • None

  For information about how to enable the initial password creation options, see the "Add a Unified Directory Identity Source" section on the Unified Directory Identity Sources page.

  For Admin Entered, type and confirm the password that the user will use for authentication. The password must meet the password policy requirements: it must be between 10 and 64 characters. Users can change their initial password when they log on to My Page. The Password and Confirm Password fields are required in this case.

  4. Click Create User.

Edit User Details in the Unified Directory

If a user (created using the SCIM API or the Cloud Administration Console) belongs to local identity sources, you can edit the user's details. You can search for the user (Users > Management) and then click Edit User.

The following fields can be edited:

  • First Name

  • Last Name

  • Username

  • Alternate Username

  • Email Address

  • Group Membership (you can provide more than one group name)

  • SMS Phone

  • Voice Phone

  • Manager's Email

Import Users to a Local Identity Source

You can import users in the form of a CSV file to local identity sources. When importing users, you need to download and use the sample CSV file for the specific identity source as a template.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. On the User Management page, click Import Users.

  3. In the Identity Source drop-down menu, select the name of the local identity source you want.

  4. In the User CSV File field, click Choose File, navigate to the CSV file, and then click Open.

  5. Click Import.

Note:  Click the Download CSV Template button if you want to download a sample users import file.

CAS validates that the CSV file is formatted correctly and that all the attribute requirements are met.
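As an added example that is not part of this page or of RSA's code, the following script pre-checks a user import CSV offline before it is uploaded through Import Users. It applies the rules this page states for Unified Directory users: First Name, Username, and Email Address are required; Last Name, Alternate Username, Manager's Email, groups, and phone numbers are optional; phone numbers use the E.123 international format described under Manage User Phone Numbers, with no extensions; and an administrator-entered password is 10 to 64 characters and must not appear in the compromised-password list. The column names, the Password column, the duplicate-username check, and the embedded stand-in for the NCSC list are assumptions; take the real header from Download CSV Template.

```python
"""
Added example (not RSA's code): offline pre-validation of a user import CSV.
CAS validates the uploaded file itself; this finds problems before upload.
Column names are an assumption; the real template comes from Download CSV Template.
"""
import csv
import io
import re
from typing import List, Optional, Tuple

REQUIRED = ("FirstName", "Username", "Email")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+[1-9][0-9 ]+")   # E.123: '+', country code, then digits and spaces only

# Constructed stand-in for the NCSC PwnedPasswordsTop100k.txt file (one password per line).
# Load the real file the same way.
COMPROMISED = frozenset(
    line.strip() for line in "123456\npassword\nqwerty123456\nWelcome2024!\n".splitlines()
    if line.strip()
)


def phone_error(value: str) -> Optional[str]:
    if not value:
        return None                          # phone numbers are optional
    if not PHONE_RE.fullmatch(value):        # rejects '555-555-5555' and any 'x12' / 'ext' suffix
        return "must be in E.123 format, e.g. +1 555 555 5555 (extensions are not supported)"
    digits = value[1:].replace(" ", "")
    if not 7 <= len(digits) <= 15:           # E.164 caps a number at 15 digits
        return "has an invalid number of digits"
    return None


def password_error(value: str) -> Optional[str]:
    if not value:
        return None                          # empty: a generated initial password is used instead
    if not 10 <= len(value) <= 64:
        return "must be 10 to 64 characters"
    if value in COMPROMISED:
        return "appears in the compromised-password list"
    return None


def validate_csv(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, problems) for every row that would be rejected."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, ["missing required column(s): " + ", ".join(missing)])]

    def cell(row, col):
        return (row.get(col) or "").strip()

    problems: List[Tuple[int, List[str]]] = []
    seen = set()
    for line_no, row in enumerate(reader, start=2):          # line 1 is the header
        errs = []
        for col in REQUIRED:
            if not cell(row, col):
                errs.append(f"{col} is required")
        for col in ("Email", "ManagerEmail"):
            if cell(row, col) and not EMAIL_RE.fullmatch(cell(row, col)):
                errs.append(f"{col} is not a valid address")
        username = cell(row, "Username").lower()
        if username and username in seen:                    # added check: duplicate rows
            errs.append("Username is duplicated in this file")
        seen.add(username)
        for col in ("SMSPhone", "VoicePhone"):
            err = phone_error(cell(row, col))
            if err:
                errs.append(f"{col} {err}")
        err = password_error(row.get("Password") or "")      # passwords are not stripped
        if err:
            errs.append(f"Password {err}")
        if errs:
            problems.append((line_no, errs))
    return problems


# Constructed sample file: line 2 is valid, lines 3 and 4 are not.
SAMPLE_CSV = """FirstName,LastName,Username,AlternateUsername,Email,ManagerEmail,Groups,SMSPhone,VoicePhone,Password
Alice,Liddell,alice,,alice@example.com,bob@example.com,Helpdesk;Finance,+1 555 555 5555,,Tr0ub4dor&3-xyz
Bob,,bob,bob@corp.example,bob@example.com,,,555-555-5555,,Welcome2024!
,Smith,,,not-an-email,,,,+44 20 7946 0958 x12,short
"""

if __name__ == "__main__":
    for line_no, errs in validate_csv(SAMPLE_CSV):
        print(f"line {line_no}: " + "; ".join(errs))
```

Run it against the file you intend to upload; an empty result means every row meets the rules above, which does not replace the check CAS performs on import but avoids a rejected upload for the common mistakes (a phone number without a country code, an extension, a breached password).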

Reset a User's Password

If a user requires a password reset, you can initiate the password reset. You can generate a one-time code and share it with a user, or send a user an email notification including a reset link, a one-time code, and an expiration time to reset their password.

Before you begin 

  • In the Cloud Administration Console, select Enable under My Authenticators to enable My Page.

  • For LDAP and Active Directory (AD) identity sources, enable Use SSL/TLS encryption to connect to the directory servers. Click Add and select the LDAP server root certificate. In the Password Settings section, enable Allow Users to Change Passwords.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list to display the user's details and registered authenticators.

    Note:   The User ID is also the user's email address.

  3. In the Password Reset & Enrollment section, select Password Reset. To customize the password reset link, see Customize and Configure Domain Name.

  4. In the Valid for field, enter the expiration time of the password reset link.

  5. Select one of the following reset code options:

    • Display — This option is selected by default. Click Generate Reset Code, and then copy the code and share it with the user.

    • Email — The user's email address is displayed by default, but you can remove it and add another verified email address for the user. Click Generate & Send Reset Code.

To configure the password reset email notification, click My Account > Company Settings > Email Notifications, and select Code for Reset Password. For more information, see Configure Email Notifications.

To configure the number of failed sign-in attempts allowed for a user, see Configure Session and Authentication Method Attempts.

Enable a User to Register an Authenticator

If a user has no registered authenticator and needs to register one, you can initiate the enrollment process for the user. You can generate a one-time code and share it with the user, or send the user an email notification that includes an enrollment link, a one-time code, and an expiration time; the user authenticates with the code to register a first authenticator.

Before you begin 

  • Enable My Authenticators under Access > My Page > My Authenticators.

  • Enable Enrollment Settings under Access > My Page > Enrollment.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list to display the user's details and registered authenticators.

    Note:   The User ID is also the user's email address.

  3. In the Password Reset & Enrollment section, select Enrollment. To customize the enrollment link, see Customize and Configure Domain Name.

  4. In the Valid for field, enter the expiration time of the enrollment link.

  5. Select one of the following Enrollment code options:

  • Display — This option is selected by default. Click Generate Enrollment Code, and then copy the displayed code and share it with the user.

  • Email — The user's email address is displayed by default, but you can remove it and add another verified email address for the user. Click Generate & Send Enrollment Code.

Note:  This feature can be enabled only for users who have no registered devices.

To configure the enrollment email notification, click My Account > Company Settings > Email Notifications, and select Enrollment Code. For more information, see Configure Email Notifications.

To configure the number of failed sign-in attempts allowed for a user, see Configure Session and Authentication Method Attempts.

Provide an Emergency Access Code to a User

If a user forgets or misplaces a registered authenticator, you can provide the user with temporary access by generating an Emergency Access Code. If the user is online (able to access the company network without the registered authenticator), the next time the user attempts to access the protected resource, the user will be able to select Emergency Access Code from the list of available authentication options.

Emergency Access Codes can either be single-use or reusable, depending on how they are configured. When set to one-time use, the code expires immediately after a successful sign-in. Otherwise, it remains valid until the expiration period ends. You can set how long each Emergency Access Code remains active, from 1 minute to 7 days.

Super administrators can configure the default setting for all users through the Online Emergency Access One-Time Use setting in My Account > Company Settings > Sessions & Authentication.

If the user is offline, the user can use the Emergency Access Code to sign in to a computer that is protected by the RSA MFA Agent for Microsoft Windows, even if the computer has no internet connection. If the computer has an internet connection, the same access code can be used online to access resources protected by CAS.


For details about access code configuration and lifetime, see Emergency Access Code.

Note:  When an Emergency Access Code is generated for a user, you cannot simultaneously issue an Enrollment Code, and any previously issued Enrollment Codes for that user are invalidated as a result.

Before you begin 

Know which applications in your company are configured to allow Emergency Access Code. Your Super Admin can confirm this information.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list to display the user's details and registered authenticators.

    Note:   The User ID is also the user's email address.

  3. If the user can access the company network, enter a number and select a time unit from the drop-down menu (Minutes, Hours, or Days) to set how long the Emergency Access Code remains valid. The valid range is 1 minute to 7 days. If the Generate next code for one-time use setting is disabled, the code can be used multiple times until it expires.

  4. Check the Generate next code for one-time use setting. If it is enabled, the Emergency Access Code expires immediately after it is used or when the set expiry duration is reached, whichever occurs first. See the tooltip on this setting for more information.

  5. Click Generate Code.

    If Emergency Access Code is disabled for offline use (My Account > Company Settings > Sessions & Authentication), an 8-character alphanumeric code is generated that can only be used when the user is online. If Emergency Access Code is enabled for offline use, a 12-character alphanumeric code is generated that can be used both online and offline.

    Users who are not enabled for offline authentication or who have not yet downloaded day files always receive an 8-character alphanumeric code that can only be used when the user is online.

  6. Securely deliver the access code to the user immediately, and tell the user to select Emergency Access Code the next time the user authenticates.

    The code disappears from the User Management page after you leave the page and cannot be displayed again. If the user loses the code, you must generate a new one.
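The following is an added example, not RSA's code, that models the lifecycle of the administrator-generated codes described in Reset a User's Password, Enable a User to Register an Authenticator, and this section: a lifetime of 1 minute to 7 days, optional one-time use, an 8-character online-only versus a 12-character online/offline Emergency Access Code, administrator disablement that cannot be undone, no enrollment code while an Emergency Access Code is active, and invalidation of an outstanding enrollment code when an Emergency Access Code is generated. The code alphabet, the digest-only storage, the constant-time comparison, and the fixed reference clock used instead of wall time are this example's assumptions; the offline behaviour of the MFA Agent (day files) is not modelled.

```python
"""
Added example (not RSA's code): issuing and verifying the time-limited codes an
administrator generates for a user (password reset, enrollment, Emergency Access Code).
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

ALPHABET = string.ascii_uppercase + string.digits   # assumption: uppercase alphanumeric codes
KINDS = ("reset", "enrollment", "emergency")
MIN_LIFETIME_MIN = 1
MAX_LIFETIME_MIN = 7 * 24 * 60                      # 7 days, the page's upper bound
T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)      # fixed reference time so the example runs offline


def at(minutes: float) -> datetime:
    """T0 plus the given number of minutes; stands in for the wall clock."""
    return T0 + timedelta(minutes=minutes)


def lifetime_ok(minutes: float) -> bool:
    return MIN_LIFETIME_MIN <= minutes <= MAX_LIFETIME_MIN


def normalize(code: str) -> str:
    """Be forgiving about what the user types: case, spaces and dashes between groups."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def code_digest(user: str, kind: str, code: str) -> bytes:
    # Only a digest is stored: the clear-text code is shown once to the administrator
    # and, as the page says, cannot be displayed again.
    return hashlib.sha256(f"{user}\x00{kind}\x00{normalize(code)}".encode()).digest()


@dataclass
class IssuedCode:
    digest: bytes
    expires_at: datetime
    one_time: bool
    disabled: bool = False
    used: bool = False

    def active(self, now: datetime) -> bool:
        return not self.disabled and not self.used and now < self.expires_at


class CodeStore:
    def __init__(self) -> None:
        self._codes: Dict[Tuple[str, str], IssuedCode] = {}

    def enrollment_blocked(self, user: str, now: datetime) -> bool:
        """No enrollment code can be issued while an Emergency Access Code is active."""
        eac = self._codes.get((user, "emergency"))
        return eac is not None and eac.active(now)

    def issue(self, user: str, kind: str, lifetime_minutes: float, one_time: bool,
              now: datetime, offline: bool = False) -> str:
        if kind not in KINDS:
            raise ValueError("unknown code kind")
        if not lifetime_ok(lifetime_minutes):
            raise ValueError("lifetime must be between 1 minute and 7 days")
        if kind == "enrollment" and self.enrollment_blocked(user, now):
            raise ValueError("an Emergency Access Code is active for this user")
        # Offline-capable Emergency Access Codes are 12 characters; all others are 8.
        length = 12 if kind == "emergency" and offline else 8
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if kind == "emergency":
            self._codes.pop((user, "enrollment"), None)   # outstanding enrollment code is invalidated
        self._codes[(user, kind)] = IssuedCode(
            digest=code_digest(user, kind, code),
            expires_at=now + timedelta(minutes=lifetime_minutes),
            one_time=one_time,
        )
        return code   # deliver to the user out of band; never log it

    def disable(self, user: str, kind: str) -> bool:
        rec = self._codes.get((user, kind))
        if rec is None:
            return False
        rec.disabled = True   # cannot be re-enabled; generate a new code instead
        return True

    def verify(self, user: str, kind: str, code: str, now: datetime) -> bool:
        rec = self._codes.get((user, kind))
        if rec is None or not rec.active(now):
            return False
        if not hmac.compare_digest(rec.digest, code_digest(user, kind, code)):
            return False
        if rec.one_time:
            rec.used = True   # a one-time code expires immediately after a successful sign-in
        return True
```

The store keeps only a digest, so a database read cannot recover a live code, and the comparison is constant-time; whether the code is reusable is fixed at issue time, matching the Generate next code for one-time use setting rather than being decided at verification.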

Disable Emergency Access Code for a User

You can disable a user's Emergency Access Code before its online expiration date has elapsed. This date is configured on the Users > Management page. You cannot disable this access code after its online expiration date has elapsed.

Disabling Emergency Access Code for a user has the following impact:

  • The user cannot select Emergency Access Code when attempting to access resources protected by Cloud Access Service (CAS) because this method is not presented as an option.

  • You cannot view or re-enable the access code in the Cloud Administration Console. If the user needs emergency access, you must generate a new access code.

If your deployment has enabled Emergency Access Code for offline use and you disable it for a user after you have already given it to that user, the user can still use the disabled access code to sign in to a computer that is offline (with no internet connection) and is protected by the RSA MFA Agent for Microsoft Windows. The disabled access code can be used offline until one of the following events occurs:

  • The configured lifetime (1-30 days) has elapsed. The lifetime is configured on the My Account > Company Settings > Sessions & Authentication page.

  • The user has successfully authenticated, through the MFA Agent, using a method other than Emergency Access Code, to CAS. The disabled access code becomes invalid when a new access code is downloaded to replace the old one, beginning a new lifetime cycle.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID and, select the user from the list to display the user's details and registered authenticators.

    Note:  The User ID is also the user's email address.

  3. Click Disable Access Code.

Synchronize One User

A Super Admin or Help Desk Administrator can synchronize one user from an identity source to view the user's most recent information from the directory server. Go to the User Management page for the user and click Synchronize.

When you search for an unsynchronized user in the Cloud Administration Console, that user is automatically added to CAS. For instructions, see View User Information.

For more information on synchronization, see Identity Sources for Cloud Access Service.

Note:  Synchronization is unavailable for users in the Unified Directory.

Enable or Disable a User

Enabled users can authenticate to access resources protected by CAS. Users are enabled by default when you add them to CAS through synchronization. Disabled users remain in CAS and their registered authenticators are not deleted, but they cannot access protected resources or register new authenticators.

Important Notes

  • Super Admins can enable or disable any administrator or user.

  • Help Desk Admins can enable or disable non-administrative users and Help Desk Admins, but they cannot enable or disable Super Admins.

  • An administrator cannot enable or disable their own account.

  • If you disable a user in CAS while that user is still enabled in the directory server, the user can continue to sign in to the application portal but cannot complete additional authentication. To prevent the user from signing in to the portal at all, disable the user in the directory server as well.

Before you begin 

Understand how identity source synchronization affects user enablement and disablement. For more information, see Identity Sources for Cloud Access Service.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, click Disable or Enable.

    When prompted, confirm the action.

Override Mobile Lock for a User

You can temporarily unlock a mobile-locked device to allow authentication for a specified duration.

Procedure 

  1. In the Cloud Administration Console, click Users > Management, and then use the search function to search for the user for whom you want to override the mobile lock.

  2. In the Registered Authenticators and Browsers section, select the Override Mobile Lock check box.

    Note:  If Override Mobile Lock is unavailable, the user's device is not currently mobile locked.

  3. (Optional) In the Override Duration field, enter a value and select the corresponding time unit from the drop-down list.

    The administrator can set the duration within these limits:

    • Minimum: 1 hour

    • Default: 8 hours

    • Maximum: 1 week

  4. Click Save.

Delete a User's Authenticator

You can delete a CAS user's registered authenticators: smartphones with the RSA Authenticator app, Windows computers, FIDO authenticators, and known browsers. Deleting these authenticators has the following consequences:

  • The user can install the RSA Authenticator app on another device.

  • If the user registered the FIDO authenticator during the user's first FIDO authentication, the user is prompted to re-register it the next time it is inserted for authentication. If the user registered the authenticator through My Page, FIDO does not appear as an authentication option until the user re-registers it through My Page.

  • RSA no longer remembers the browser the next time the user attempts to open an application.

Note:  This procedure does not delete a user's hardware authenticator. See Delete a User's Hardware Authenticator.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, click the icon next to the authenticator.

  4. When prompted, click Delete.

After you finish 

After you delete the authenticator, the next time the user's RSA Authenticator app communicates with CAS, it displays a message that the account has been removed from the device. The user cannot use the app for the deleted account without completing registration again. If the user has registered more than one account, the user can still use the app for the accounts that were not deleted.

Assign a Hardware Authenticator to a User

Each user can have up to five hardware OTP authenticators, including SecurID 700, RSA DS100, or OATH HOTP authenticators. These authenticators are managed in the Cloud Administration Console. You can assign hardware OTP authenticators to users before distribution. Upon receiving their authenticators, users must go to My Page to register and activate their credentials and test authentication.

If preferred, you can send unassigned hardware OTP authenticators to users and ask users to go to My Page to register their credentials and test authentication.

Note:  You must upload decrypted credential files to CAS to see the Assign OTP Hardware Authenticator link.

Before you begin 

Super Admins and Help Desk Administrators can perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list to display the user's details and registered authenticators.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, click Assign OTP Hardware Authenticator.

  4. Select the Manufacturer and Model. The lists show only the manufacturers and models for which OTP seeds have been imported. After you select a model, the serial number prefix and an image of the authenticator are displayed.

    For OATH HOTP authenticators, if you selected Yubico as the manufacturer, refer to the following table for the supported models and their serial number prefixes.

    Model                  Serial Number Prefix
    YubiKey 5 Nano FIPS    YU1
    YubiKey 5 NFC FIPS     YU2
    YubiKey 5C FIPS        YU3
    YubiKey 5C Nano FIPS   YU4
    YubiKey 5C NFC FIPS    YU5
    YubiKey 5Ci FIPS       YU6
    YubiKey 5 Nano         YU7
    YubiKey 5 NFC          YU8
    YubiKey 5C             YU9
    YubiKey 5C Nano        YUA
    YubiKey 5C NFC         YUB
    YubiKey 5Ci            YUC

  5. Enter the serial number of the authenticator that you want to assign.

  6. (Optional) Name the authenticator that you want to assign.

    By default, the hardware authenticator name is the serial number, unless you enter a name or the user enters a name during registration.

  7. Click Assign Authenticator.

Unassign a Hardware Authenticator from a User

You can unassign a user's hardware authenticator. Unassigning the hardware authenticator prevents the user from authenticating with it. If Authentication Manager (AM) is connected to the Cloud, all authenticators managed in the cloud for a user will be unassigned from that user in AM during the Cloud Sync Job run. The hardware authenticator is returned to the pool of unassigned authenticators, where it can be reassigned to another user or the same user.

Note:  If the user's hardware authenticator is lost or no longer functional, it should be deleted instead of unassigned to ensure it cannot be reassigned. See Delete a User's Hardware Authenticator for more information.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. Click the black circle icon next to the hardware authenticator.

  4. When prompted, click Unassign.

Disable or Enable a Hardware Authenticator

You can disable or enable a user's hardware authenticator. Registered authenticators are automatically enabled. You can unassign a disabled authenticator.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, the hardware authenticator is listed by name or serial number. Click the Edit icon next to the hardware authenticator.

  4. Click Enabled or Disabled.

  5. Click Save or Cancel.

Delete a User's Hardware Authenticator

You can delete a user's hardware authenticator from CAS. This is useful if the user has lost the hardware authenticator or it is no longer functional. Deleting a hardware authenticator has the following impact:

  • The hardware authenticator can no longer be used for authentication.

  • If the hardware authenticator’s seed was deleted from CAS, it cannot be assigned to a user again.

  • If the hardware authenticator is found, you must re-import the authenticator file before assigning it to another user.

Before you begin 

You must be a Super Admin to perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. Click the black circle icon next to the hardware authenticator.

  4. When prompted, click Delete.

Disable or Enable a FIDO Credential

You can disable or enable a user's FIDO credential. Registered credentials are automatically enabled.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, the FIDO credential is listed by name. Click the Edit icon next to the FIDO credential.

  4. Click Enabled or Disabled.

  5. Click Save or Cancel.

Manage User Phone Numbers

Phone numbers are required for users who authenticate using SMS OTP or Voice OTP. You can manage phone numbers for each user in the following ways:

  • Select a phone number that was synchronized from the identity source.

  • Manually enter a phone number that is not in the identity source. These phone numbers are stored only in CAS and are not added to the identity source or overwritten during synchronization.

  • Clear the phone number and blank out the field. Phone numbers that were synchronized from the identity source remain in the list but are not used during authentication and the user is not presented with SMS OTP or Voice OTP as an authentication option.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.
  2. In the Search field, enter the User ID, and select the user from the list to display the user's details and registered authenticators.

    If the user has not yet been added to CAS, you are prompted to click Find users not yet synchronized, which adds the user to the Cloud Authentication Service. Only exact matches are found; this applies, for example, to new users or users who have never authenticated. Click the prompt to find the user and automatically add the user to CAS.

    Note:  The User ID is also the user's email address.

  3. In the SMS Phone or Voice Phone field, do one of the following:

    • Click Show synchronized phone numbers and select a number that was synchronized from the identity source.

      Note:  Show synchronized phone numbers does not appear if no phone numbers were synchronized from the user's identity source. If this occurs, confirm that phone number attributes were specified in the identity source configuration. Click Users > Identity Sources > Edit.

    • Enter a new phone number.

      Note:  To ensure that SMS and Voice OTPs are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1. Extensions are not yet supported.

    • Clear the field to prevent SMS OTP or Voice OTP authentication. Make sure no synchronized phone numbers are selected.

  4. Click Save.

Note:  For users available in Unified Directory, synchronization is not applicable. You can directly edit the phone numbers.

Mark a User for Automatic Bulk Deletion from CAS

You can delete users from CAS so they can no longer authenticate through the service or register an authenticator. Deletion removes all information and authenticators associated with the user from CAS. The preferred method for deleting users is automatic bulk deletion. You can perform this operation only on disabled users. The disabled users are removed from CAS in a two-step process:

  1. First, you use the Cloud Administration Console to mark the disabled user for deletion, which changes the user's account status from Disabled to Pending Deletion. You can still view the user's detail information in CAS and synchronize the user in the Pending Deletion state.

  2. CAS automatically deletes all users who have been Pending Deletion for seven days.

For example, if you mark the user for deletion on March 1, the user is automatically deleted from CAS on March 8. The user cannot register a device or authenticate to CAS while pending deletion or after deletion has taken place.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. Make sure the user is disabled. If necessary, click Disable.

  4. Click Delete.

  5. When prompted, confirm the delete action.

    The user's status changes to Pending Deletion and the user will be deleted from CAS after seven days. When a user is deleted from CAS, all information about the user and their registered devices will also be removed. Hardware authenticators assigned to the user, with seeds uploaded to CAS (such as OATH HOTP and SecurID 700), will be returned to the pool of unassigned hardware authenticators. If Authentication Manager (AM) is connected to the Cloud, all authenticators managed in the cloud for a user will be unassigned from that user in AM during the Cloud Sync Job run.

Note:  This operation is not available for users in the SCIM Managed, Azure Active Directory (SCIM), and AM internal database identity sources.

After you finish 

If a deleted user's account remains enabled on the directory server and is within scope in the identity source filter and root, RSA will add the user record to CAS during the next identity source synchronization. To prevent RSA from adding the user back to CAS, you can do one of the following:

  • Disable the user in the directory server.

  • Delete the user from the directory server.

  • Make modifications to ensure that either the user is not in an organizational unit (OU) that is under the identity source root DN, or the user does not meet the User Search Filter criteria. You can modify either the user or the identity source configuration.

Delete a Single User Immediately from CAS

You can delete a single user from CAS and immediately remove all information and devices associated with the user. Hardware authenticators assigned to the user, with seeds uploaded to CAS (such as OATH HOTP and SecurID 700), will be returned to the pool of unassigned hardware authenticators. If Authentication Manager (AM) is connected to the Cloud, all authenticators managed in the cloud for a user will be unassigned from that user in AM during the Cloud Sync Job run.

RSA recommends that you perform most routine delete operations in bulk, as described in Mark a User for Automatic Bulk Deletion from CAS. Bulk deletion offers advantages, such as relieving you from having to manage large numbers of users individually, and giving you the option to undo the delete operation before users are purged from CAS. However, certain emergency situations might require you to delete individual users immediately. For example, suppose you are trying to synchronize a record that has the same email address as a slightly different record for the same user that already exists in CAS. The user record fails to synchronize and the user cannot authenticate. You must delete the existing record from CAS and resynchronize in order to recreate the user record correctly so the user can complete authentication.

Note:  This operation cannot be undone, but you can re-add the user by resynchronizing.

Before you begin 

You must be a Super Admin to perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. If the user is not disabled, click Disable.

  4. Click Delete Now.

  5. When prompted, confirm the delete action.

Note:  This operation is not available for users in the SCIM Managed, Azure Active Directory (SCIM), and AM internal database identity sources.

Configure or Disable Automatic User Deletion - Bulk Maintenance

By default, CAS automatically changes the status of all Disabled users from AD and LDAP to Pending Deletion after the users have been disabled for 90 days. You can reconfigure this action to occur after users have been disabled from 30 to 180 days.

Bulk deletion helps prevent inefficiencies that result from processing large numbers of disabled users. If you have a large number of disabled users who are unlikely to use CAS again, RSA recommends that you allow the service to bulk delete those users. For example, you might bulk delete all users who were removed from the directory server within a certain timeframe, or all users who are no longer within scope of the synchronization filter.

Note:  If you want to prevent automatic bulk deletion, you must disable this feature as described in the following procedure.

For a description of the Pending Deletion status, see Mark a User for Automatic Bulk Deletion from CAS.

Before you begin 

You must be a Super Admin to perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Bulk Maintenance.

  2. If you want to reconfigure the number of days, select a number from the drop-down box and make sure the check box for Automatically change user status from Disabled to Pending Deletion for users who have been disabled for over n days is selected.

    If you want to disable automatic deletion, deselect the check box.

  3. Click Save.

  4. (Optional) To publish this configuration and immediately activate it, click Publish Changes.

Undelete a User Who is Pending Deletion

You can prevent a single user from being automatically purged from CAS and change the user's status to Disabled by "undeleting" the user within seven days after the user was marked for deletion. Disabled users remain in CAS, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through CAS.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. Verify that the user's status is Pending Deletion, and click Undelete.

  4. When prompted, confirm the Undelete action.

    The user's status changes from Pending Deletion to Disabled.

Undelete Users Who Are Pending Deletion - Bulk Maintenance

If you accidentally delete a large number of users, you can restore them to their previous Disabled state before they are purged from CAS by undeleting the users in a bulk operation. The undelete action applies to all users who were marked for deletion within the number of days you specify. For example, you can undelete all users who were marked for deletion within the past three days.

Disabled users remain in CAS, but they cannot access protected resources or register devices. If the user is enabled in the directory server, you can re-enable the user to authenticate through CAS.

Procedure 

  1. In the Cloud Administration Console, click Users > Bulk Maintenance.

  2. Complete the field Apply to users who were deleted in the past X days. Users who were marked for deletion within this many days will be undeleted. If you select 7+, all users who have been pending deletion for seven days or more will become Disabled.

  3. Click Undelete and confirm the action.

    The users' status is changed to Disabled.
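The following is an added worked model of the deletion lifecycle described under Mark a User for Automatic Bulk Deletion from CAS, Configure or Disable Automatic User Deletion - Bulk Maintenance, and the two Undelete tasks; it is illustrative code written for this page, not part of CAS or the Cloud Administration Console. The User data class, function names, and the "Deleted" status are assumptions made for the model; the thresholds (7 days pending, 90 days default, 30 to 180 days configurable) are the values stated above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Union

PENDING_DAYS = 7  # CAS purges a Pending Deletion user seven days after it was marked


@dataclass
class User:  # constructed model, not the CAS schema
    user_id: str
    status: str                        # Enabled | Disabled | Pending Deletion | Deleted
    disabled_on: Optional[date] = None
    marked_on: Optional[date] = None

def mark_for_deletion(user: User, today: date) -> User:
    """Users > Management > Delete: only a Disabled user can be marked."""
    if user.status != "Disabled":
        raise ValueError(f"{user.user_id}: only Disabled users can be marked for deletion")
    user.status, user.marked_on = "Pending Deletion", today
    return user

def purge_date(user: User) -> date:
    """Day on which CAS removes the user: mark date + 7 days (March 1 -> March 8)."""
    return user.marked_on + timedelta(days=PENDING_DAYS)

def bulk_maintenance(users: List[User], today: date, auto_days: int = 90,
                     auto_enabled: bool = True) -> List[User]:
    """One pass of the automatic bulk-deletion rules (constructed model).
    auto_days is the configurable threshold (default 90, allowed 30-180)."""
    if not 30 <= auto_days <= 180:
        raise ValueError("auto_days must be between 30 and 180")
    for u in users:
        if u.status == "Pending Deletion" and today >= purge_date(u):
            u.status = "Deleted"                      # purged; cannot be undeleted
        elif (auto_enabled and u.status == "Disabled"
              and (today - u.disabled_on).days > auto_days):
            mark_for_deletion(u, today)               # Disabled -> Pending Deletion
    return users

def bulk_undelete(users: List[User], today: date, past_days: Union[int, str]) -> List[User]:
    """Bulk Maintenance > Undelete: 'Apply to users who were deleted in the past X days'.
    An int restores users marked within that many days; "7+" restores everyone
    who has been pending for seven days or more. Restored users are Disabled, not Enabled."""
    for u in users:
        if u.status != "Pending Deletion":
            continue
        age = (today - u.marked_on).days
        if (past_days == "7+" and age >= 7) or (past_days != "7+" and age <= int(past_days)):
            u.status, u.marked_on = "Disabled", None
    return users
```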

Unlock All OTPs for a User

You must unlock the SecurID Authenticate OTP, SecurID hardware OTP credential, SMS OTP, and Voice OTP after they have been locked for a user. Unlocking these methods makes them available for authentication. Lockout settings are configured at My Account > Company Settings > Sessions & Authentication. Retries for each method are counted separately and each method is locked separately, but all methods are unlocked simultaneously. The lockout counter is cleared after either of the following events occurs:

  • The user successfully authenticates. For example, if four retries are allowed and the user fails twice and succeeds on the third attempt, the lockout counter is set to 0 because the lockout maximum was not reached. In this case, only the counter for the method being used is cleared.

  • You manually unlock the methods on the Users > Management page. In this case, the lockout counters for all OTP credentials are cleared, even if they were not previously locked.

Note:  Only the user's authentication method is locked. The user's CAS account is not locked or inactivated.

You cannot manually unlock an Emergency Access Code. You must generate a new Emergency Access Code to give the user emergency access.
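The following is an added model of the per-method lockout counters described above, written for this page rather than taken from CAS. The OtpLockoutState class and the method labels are assumptions; the rules it encodes are the ones stated above: retries are counted and locked per method, a successful authentication clears only that method's counter, and Unlock OTPs clears every counter and lock at once. It also assumes that a locked method rejects further attempts until it is unlocked.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The four OTP methods covered by the Unlock OTPs button (labels are constructed)
OTP_METHODS = ("Authenticate OTP", "Hardware OTP", "SMS OTP", "Voice OTP")


@dataclass
class OtpLockoutState:
    """Per-user lockout bookkeeping (constructed model). Only the methods are
    locked; the user's CAS account itself is never locked or inactivated here."""
    max_retries: int                    # Company Settings > Sessions & Authentication
    failures: Dict[str, int] = field(default_factory=lambda: {m: 0 for m in OTP_METHODS})
    locked: Dict[str, bool] = field(default_factory=lambda: {m: False for m in OTP_METHODS})

    def attempt(self, method: str, success: bool) -> bool:
        """Record one OTP attempt; returns True if the method is locked afterwards.
        Retries are counted and locked per method; success clears only that method."""
        if method not in OTP_METHODS:
            raise ValueError(f"unknown OTP method: {method}")
        if self.locked[method]:
            return True                 # assumption: stays locked until Unlock OTPs
        if success:
            self.failures[method] = 0   # lockout maximum not reached: counter reset
            return False
        self.failures[method] += 1
        if self.failures[method] >= self.max_retries:
            self.locked[method] = True  # only this method is locked
        return self.locked[method]

    def unlock_all(self) -> None:
        """Users > Management > Unlock OTPs: every method unlocked and every
        counter cleared together, including methods that were never locked."""
        for m in OTP_METHODS:
            self.failures[m] = 0
            self.locked[m] = False

    def locked_methods(self) -> List[str]:
        return [m for m in OTP_METHODS if self.locked[m]]
```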

Before you begin 

Super Admins and Help Desk Administrators can perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, click Unlock OTPs.

    A success message appears after the methods are unlocked.

Unlock a User's Password

You can unlock a user's password after it has become locked. For more information about lockout settings, see Configure Session and Authentication Method Settings.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. A message indicates that the user's password is locked. Click Unlock.

    The message Password successfully unlocked appears.

Generate a Registration Code

You can generate a Registration Code for users to register with the RSA Authenticator app. This method is intended for users who cannot obtain a Registration Code from any other source.

Note:   Each user can register only one RSA Authenticator app. Therefore, a code cannot be generated for a user who has already registered an RSA Authenticator app.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. From the drop-down list, select the app the user has.

  4. Click Generate Code. The code displayed is valid for five minutes, is for one-time use, and cannot be viewed again after you leave the User Management page. The user's Organization ID also appears.

  5. Provide the code and the Organization ID to the user in a secure manner.

Clear a Hardware OTP Credential PIN for a User

You can clear the PIN for a hardware OTP credential if the user has forgotten the PIN or the PIN is compromised. Before using the hardware OTP credential, the user must go to My Page and set a new PIN.

Before you begin 

Super Admins and Help Desk Administrators can perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. On the user's detail page, the hardware OTP credentials are listed by name or serial number. Click the Edit icon next to the hardware authenticator.

  4. Click Clear PIN.

  5. Click Save or Cancel.

    If you click Save, a message appears confirming that the PIN has been cleared.

Unlock a User's Enrollment Code

You can unlock a user's enrollment or validation code if they incorrectly enter the validation code 10 consecutive times.

Before you begin 

Super Admins and Help Desk Administrators can perform this task.

Procedure 

  1. In the Cloud Administration Console, click Users > Management.

  2. In the Search field, enter the User ID, and select the user from the list.

    Note:  The User ID is also the user's email address.

  3. Click Unlock in the warning message and confirm the action.

    The user's enrollment code is unlocked.