Managing user operations
In a typical enterprise environment, user information and attributes must be updated continuously, and their updated status must be maintained efficiently. This chapter provides help with managing user management operations. It includes:
Disabling a user account
If you want to disable or deactivate a user, follow the below-mentioned procedure:
Navigate to Manage → Users.
Search or select the user within the user list from the user tab.
Browse the user details and uncheck the active mark check.
Changing a user account password
Follow any one of the methods to change the user account password.
Method 1:
Navigate to the "Manage" section and click on the Asset Management option.
- Click on the 'action' icon next to the required asset name.
- Click Managed Linked Account.
- A new form will appear where you can add an account and edit the existing account.
- Click on one of the existing account names to change its password.
- Change the password and click on the button "Change Password"; your password will be changed.
| Description | Representation |
|---|---|
| Action |  |
Method 2:
Navigate to the "Manage" section and click on the Account option.
Select "+Add New Account(s)" from the drop-down menu.
- From the drop-down menu, click New Account.
Click on the hostname of which you want to change the password from the list in front of you.
- Click the required account name.
Change the password and click on the button "Change Password." Your password will be changed.
Changing user status
A Sectona PAM user's status can be one of the following:
Pending Approval - The user must be approved by a user to be enabled in the system.
Active - The user can authenticate and access functions of the system.
Disabled - The user is not permitted to use the system, and logging on is denied. This status is enabled based on Dormancy threshold settings configured in the User authentication policy. For more information, refer section here.
Dormant - The user is not permitted to use the system, and logging on is denied. User account status is Inactive when the solution administrator manually disables the account.
Locked - The user is not permitted to use the system, and logging on is denied. This status is enabled based on Account lockout threshold settings in user authentication settings. For more information, refer to the section here.
To change the status of an account, refer to the below procedure:
Navigate to Manage → Users.
Click on the user you wish to update.
Under the Status section, check or uncheck the Active checkbox to modify the status as Active or Inactive.
- Click Update.
Adding user-specific account alias
In case named user accounts to have multiple privileged accounts without any standard naming convention, User Aliases can be added for each user to define user profiles. For example, username John (active director authenticated) has multiple privileged accounts like jhn12 (for administration) and 1823jhn (for job management); you can define an alias for user John by listing all usernames or types of usernames he frequently accesses. Follow the steps listed below for adding user aliases:
Navigate to Manage → Users.
Select the user you wish to add an alias to.
Click on the 'action' icon and then click on Configure User Alias.
Provide an alias name and click on Add, then it is added to the user list.
Click on Save.
| Description | Representation |
|---|---|
| Action | |
Adding security to sessions taken by the user
When a user accesses an asset using a particular account, the recording of that session is visible under Session → Session View.
To add security to those sessions in regards to, which session recording should be visible to a user, the following ways can be used:
Adding security using User Groups
Navigate to Manage → Users.
Click on the 'action' button and select Security Settings.
Tick the Session View Restricted To checkbox.
Click on the Specific User Groups radio button and select the User Group from the drop-down menu.
Click on Save.
| Description | Representation |
|---|---|
| Action | |
Under this configuration, the users of the selected user group will be able to view the session recordings under Session → Session View.
Adding security using Account Groups
Navigate to Manage → Users.
Click on the 'action' button and select Security Settings.
Tick the Session View Restricted To checkbox.
Click on the Specific Account Groups radio button and select the Account Group from the drop-down menu.
Click on Save.
| Description | Representation |
|---|---|
| Action | |
Under this configuration, the user with accounts belonging to the selected account group will be able to view the session recordings under Session → Session View.
Adding session timeout for user
Navigate to Manage → Users.
Click on the a'ction' button and select Security Settings.
Untick the Global checkbox under Session Lockout and select a session timeout value from the drop-down menu.
Click on Save.
Under this configuration, the session taken by the user will be terminated after the specified session lockout value.
The global value for Session Timeout is under System → System Defaults → User Session Lockout (Minutes).
Adding security using Thin Client
Navigate to Manage → Users.
Click on the 'action' button and select Security Settings.
Tick the Allow Access via Thin Client checkbox.
Click on the Allow Only From Specific Clients checkbox and mention the keys of the client machine in the text field.
Click on Save.
Under this configuration, the user can take sessions only from the machines whose keys are specified in the settings.
To get the key to your client machine, follow the below steps:
Login to PAM → Click on User Profile → Settings → Download Utilities → Click on Thin Client ID.
A window will display the key of your client machine for 15 seconds. To copy the key, click on the Copy to Clipboard button.
Resetting the multifactor authentication of user
To reset multifactor authentication for a user, click on the action icon of the user and click on Reset Multifactor. On the reset multifactor window, choose the appropriate authentication type applied to the user and click on Reset.
Note: If the user resets the Multi-factor authentication, the system generates a log, which contains information, such as Log Type [Info], Log Description [ErrorCode - Message], UI Description [ErrorCode - Message], Log Source, Data Info [Multifactor Type] reset by [CurrentUser] for [logonname].