RSA Authentication Manager Users

If you use the internal database as an identity source, you can use the Security Console to manage all user data.

If you use an LDAP directory, the identity source is read-only. You can add users to an LDAP directory using a tool appropriate for the directory. After users are added, you can use the Security Console to perform certain administrative functions, such as enabling the user for risk-based authentication (RBA).

You can manage certain user account related activities on the User Dashboard page in the Security Console.

For more information, see User Dashboard.

You can perform the following procedures:

Add a User to the Internal Database

You can use the Security Console to add users to the internal database even if an LDAP directory is the primary identity source. Adding users directly to the internal database allows you to create a group of users different from those in the identity source. For example, you might store a group of temporary contractors or a specific group of administrators in the internal database. You might also use the internal database to store a small number of users for a pilot project.

User data in an LDAP directory is read-only. You must add users to the LDAP directory using the directory tools. However, you can use the Security Console to perform certain administrative functions, such as assigning tokens or enabling a user for risk-based authentication.

To add a new user “with options” means that when you add user records, you can configure additional options for the user. For example, when you finish adding the user information, you can assign a token, add the user to a user group or assign the user an administrative role.

Procedure

  1. In the Security Console, click Identity > Users > Add New.

    Note: To add a new user with additional options when you add user records, click Identity > Users > Add New With Options. For example, when you finish adding the user information, you can assign a token, add the user to a user group or assign the user an administrative role. Decide which options you want to assign to the new user, and select the appropriate checkboxes.

  2. In the Administrative Control section, from the Security Domain drop-down list, select the security domain where you want the user to be managed. The user is managed by administrators whose administrative scope includes the security domain you select.

  3. In the User Basics section, do the following:

    1. (Optional) In the First Name field, enter the user's first name. Do not exceed 255 characters.

    2. (Optional) In the Middle Name field, enter the user's middle name. Do not exceed 255 characters.

    3. In the Last Name field, enter the last name of the user. Do not exceed 255 characters.

    4. In the User ID field, enter the User ID for the user. The User ID cannot exceed 255 characters. Make sure the User ID is unique to the identity source where you save the user. Do not use multi-byte characters.

      Note: If you are creating an account for an administrator who requires access to the Security Console, the User ID must be unique within the deployment.

    5. (Optional) In the Email field, enter the user's e-mail address. Do not exceed 255 characters.

    6. (Optional) In the Certificate DN field, enter the user's certificate DN. The certificate DN must match the subject line of the certificate issued to the user for authentication. Do not exceed 255 characters.

  4. In the Password section, do the following:

    Note: This password is not used for authenticating through authentication agents.

    1. In the Password field, enter a password for the user. Password requirements are determined by the password policy assigned to the security domain where the user is managed. This is the user’s identity source password, which may be different from alternate passwords provided by applications. For more information, see Password Policy.

    2. In the Confirm Password field, enter the same password that you entered in the Password field.

    3. (Optional) Select Force Password Change if you want to force the user to change his or her password the next time the user logs on. You might select this checkbox, for example, if you assign a standard password to all new users, which you want them to change when they start using the system.

  5. In the Account Information section, do the following:

    1. From the Account Starts drop-down lists, select the date and time you want the user’s account to become active. The time zone is determined by local system time.

    2. From the Account Expires drop-down lists, select the date and time you want the user’s account to expire, or configure the account with no expiration date. The time zone is determined by local system time.

    3. (Optional) Select Disabled if you want to disable the new account.

    4. If a Locked Status option is selected, you can unlock the user by clearing all selected options.

  6. (Optional) Under Attributes, enter the user’s mobile phone number in the Mobile Number (String) field.

  7. Click Save.
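The field rules in the procedure above (255-character limits, a required last name and User ID, no multi-byte characters in the User ID, uniqueness of the User ID within the identity source and, for administrators, within the deployment, and a Certificate DN that matches the subject of the user's certificate) are easy to check in bulk before anyone types records into the Security Console. The script below is an added example and is not RSA's code or tooling; the sample records and the sets of existing User IDs are constructed for the demo, and the DN comparison (attribute types compared case-insensitively, values compared exactly, no handling of escaped commas) is a simplifying assumption rather than documented product behaviour.

```python
"""Pre-provisioning validator for user records destined for the internal database.

Added example, not RSA's code. It applies the rules stated in the
"Add a User to the Internal Database" procedure so that a batch of records can
be checked before they are entered in the Security Console.
"""

MAX_LEN = 255  # stated limit for name, User ID, e-mail and Certificate DN fields


def normalize_dn(dn):
    """Simplified DN normalization (assumption): lowercase the attribute types,
    trim whitespace around each RDN, keep attribute values as they are.
    Escaped commas inside values are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def validate_user(record, ids_in_source, ids_in_deployment=frozenset()):
    """Return a list of problems for one record; an empty list means it passes."""
    problems = []

    # Every free-text field listed in the procedure is limited to 255 characters.
    for field in ("first_name", "middle_name", "last_name",
                  "user_id", "email", "certificate_dn"):
        if len(record.get(field, "")) > MAX_LEN:
            problems.append(f"{field}: exceeds {MAX_LEN} characters")

    # Last Name is the only name field that is not marked optional.
    if not record.get("last_name"):
        problems.append("last_name: required")

    user_id = record.get("user_id", "")
    if not user_id:
        problems.append("user_id: required")
    else:
        # "Do not use multi-byte characters": every character must be one byte in UTF-8.
        if any(len(ch.encode("utf-8")) > 1 for ch in user_id):
            problems.append("user_id: contains multi-byte characters")
        # Unique within the identity source where the user is saved.
        if user_id in ids_in_source:
            problems.append("user_id: not unique within the identity source")
        # Administrators who need the Security Console: unique across the deployment.
        if record.get("is_administrator") and user_id in ids_in_deployment:
            problems.append("user_id: administrator IDs must be unique within the deployment")

    # Certificate DN must match the subject of the certificate issued to the user.
    cert_dn = record.get("certificate_dn")
    cert_subject = record.get("certificate_subject")
    if cert_dn and cert_subject and normalize_dn(cert_dn) != normalize_dn(cert_subject):
        problems.append("certificate_dn: does not match the certificate subject")

    return problems


def validate_batch(records, ids_in_source, ids_in_deployment):
    """Validate every record; returns (user_id, problems) pairs in input order."""
    return [(r.get("user_id", ""), validate_user(r, ids_in_source, ids_in_deployment))
            for r in records]


# Constructed sample data: IDs already present in the target identity source and
# across the whole deployment, plus a batch of candidate records.
EXISTING_IN_SOURCE = frozenset({"jsmith", "rlee"})
EXISTING_IN_DEPLOYMENT = EXISTING_IN_SOURCE | frozenset({"admin01"})

SAMPLE_RECORDS = [
    {"first_name": "Ana", "last_name": "Ruiz", "user_id": "aruiz",
     "email": "aruiz@example.com",
     "certificate_dn": "CN=Ana Ruiz, OU=Contractors, O=Example Corp",
     "certificate_subject": "cn=Ana Ruiz,ou=Contractors,o=Example Corp"},
    {"first_name": "José", "last_name": "Núñez", "user_id": "jnúñez"},  # multi-byte ID
    {"first_name": "Rob", "last_name": "Lee", "user_id": "rlee"},       # already in source
    {"first_name": "Op", "last_name": "Admin", "user_id": "admin01",
     "is_administrator": True},                                          # admin ID reused
    {"first_name": "X", "last_name": "", "user_id": "x" * 256},          # too long, no last name
]

if __name__ == "__main__":
    for user_id, problems in validate_batch(SAMPLE_RECORDS, EXISTING_IN_SOURCE,
                                            EXISTING_IN_DEPLOYMENT):
        print(user_id[:20] or "<no id>", "OK" if not problems else "; ".join(problems))
```

Run against an export of the records you intend to add; only entries that come back with an empty problem list are worth entering through Identity > Users > Add New, and the multi-byte and uniqueness failures are exactly the ones that are awkward to untangle after the fact.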

Search for Users

You can search for users in one identity source or across all identity sources that your role's scope allows you to manage.

When searching, consider the following:

  • Most fields are not case sensitive. For a list of fields that are not case sensitive, see Search Fields That Are Not Case Sensitive. For an external identity source, case sensitivity is determined by the directory schema.
  • When search criteria includes a restricted attribute, no search results are returned from security domains where the restriction is enforced.
  • Each identity attribute definition includes a data type. The data type defined in the Security Console must exactly match the data type defined for the attribute in the LDAP directory schema. Otherwise, any users whose records contain this data type will not be retrievable in the Security Console. The system log indicates the reason for failure. If this occurs, you must delete the existing identity attribute definition, and add a new one using the correct data type. For more information, see Add an Identity Attribute Definition.

Note: You can use the asterisk (*) as a wildcard character.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. To search for users in the same identity source, do the following:

    1. On the Search panel, from the Security Domain drop-down list, select the security domain that you want to search.

      Note: To use Advanced Search, from the Search pane, click Advanced Search. The advanced user search includes the standard user search options, and it also allows you to search by mobile number, account information, and password state.

    2. From the Identity Source drop-down list, select the identity source that contains the user records.

    3. From the For drop-down list, select the type of users for which you want to search.

    4. Use the Where fields to select the search criteria. For example, use the Where fields to enter “Last Name,” “starts with,” and “R” to search for users with last names that start with R. To search using additional criteria, select More Criteria.

    5. Click Search.

  3. To search for users in a different identity source, do the following:

    1. On the Search panel, click Search for users across all identity sources.

    2. Click Search. Use the User Basics field to select the search criteria to narrow the scope of users.

    3. Click Search.

Edit a User

Use the Security Console to edit, duplicate, or delete a user that is stored in the internal database.

If a user is stored in an external LDAP directory identity source, you can edit only the following items in the user’s account:

  • Security Domain

  • Notes

  • Password, including the ability to require a user to change their password

  • Account start and expiration

  • Account status (enabled or disabled)

    By default, you can manage the account status in the Security Console. You can configure an external identity source to use the account status in the LDAP directory, in which case you cannot manage the status in the Security Console.

    For more information, see the Operations Console Help topic “Identity Source Properties.”

  • Locked status

  • Security questions

  • Display attributes

    You can manage attributes that are stored in the internal database only. You cannot manage attributes that are stored in an external identity source.

Before you begin

Your administrative permissions determine whether you can specify attributes for a user. You can only enter values for attributes that your role permits you to edit, even if the attribute is required.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to search for the user that you want to edit. Some fields are case sensitive.

  3. Click the user that you want to edit, and select Edit.

  4. Make the necessary changes to the user.

  5. Click Save.

    If you have not saved your edits, you can click Reset to reset the user to be as it was before you began editing the user record.

Duplicate a User

You can duplicate users who belong to an identity source that is associated with the internal database. Duplicating a user creates a new user record with identical user information to the original record, which means that first name, last name, and certificate DN are the same as the original user. The duplicate user, however, does not have the same user group or administrative role assignments, for example, as the original user.

If you want to duplicate users who belong to an identity source that is associated with an LDAP directory, you must use the native LDAP directory interface.

Procedure

  1. In the Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to duplicate. Some fields are case sensitive.

  3. Click the user that you want to duplicate, and click Duplicate.

  4. Assign a User ID and password to the new user, and make any other necessary changes to the new user record.

  5. Click Save.

Delete a User

You can use the SecurID Authentication Manager Security Console to delete users who are stored in the internal database as their identity source. After you delete the user, you cannot manage the user with RSA Authentication Manager.

For example, you can no longer enable the user for authentication. If the user that you delete is enabled for risk-based authentication (RBA), the system deletes the user device history and updates the feature license so that the seat is available to another user.

You can delete users who use an LDAP directory as their identity source only by using the native LDAP directory interface.

Procedure

  1. In the Authentication Manager Security Console, click Identity > Users > Manage Existing.

  2. Use the search fields to find the user that you want to delete. Some fields are case sensitive.

  3. Select the users that you want to delete, and click Delete.

  4. Click OK.