Reference Content — User Accounts
You can use the reference content as supplemental information to the “How To” content.
User Account Sources
Privileged Access Service supports user accounts from multiple identity stores (account sources): Active Directory or another LDAP-based service, G-Suite (Google), and Privileged Access Service itself. On the Users page, the Source column indicates the ID repository for that user account.
- Active Directory/LDAP
  These users are authenticated using their Active Directory/LDAP accounts. The Active Directory/LDAP account domain is shown in parentheses.
  Privileged Access Service does not replicate Active Directory/LDAP accounts and their attributes in the Privileged Access Service. Instead, new user accounts are brought into Privileged Access Service when the user registers a device or opens a password-protected application.
  If you have multiple connectors managing multiple, independent domain trees or forests, the Source column also shows the source domain.
  To use Active Directory/LDAP as a source, you must install the connector. See How to install an IBM Security Connector for the details.
  You must add Active Directory/LDAP accounts to a role to deploy applications to those users. You can add either the users' Active Directory/LDAP accounts or their Active Directory/LDAP groups to the role. See Assigning Users to Roles for the details.
- G-Suite
  These users are authenticated using their G-Suite (Google) accounts.
  Privileged Access Service does not replicate G-Suite accounts and their attributes in the Privileged Access Service. Instead, the accounts are referenced when the user registers a device or opens a password-protected application.
  To use G-Suite as an account source, you must add it to Privileged Access Service. See How to Add a Directory Service.
- IBM Security Directory
  Privileged Access Service includes this built-in identity repository. With this option, the Privileged Access Service account is used to authenticate users. These users have an IBM Security Directory account, and the account information resides in Privileged Access Service only.
  You must create IBM Security Directory accounts explicitly before these users can register a device. You can add IBM Security Directory accounts individually or in bulk from a CSV file or Excel spreadsheet.
You can use all identity stores simultaneously. For example, if you use Active Directory/LDAP as your primary identity store, Privileged Access Service can provide a convenient supplemental repository for the following types of users:
- Emergency administrators: If the network connection to the Active Directory domain controller ever breaks down, no one with only an Active Directory/LDAP account can log in. However, if you create administrator accounts in Privileged Access Service, these users can still log in to the Admin Portal and launch web applications.
- Temporary users: Some organizations' security policies make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If you have a temporary worker who needs access only to the applications you deploy through Privileged Access Service, it may be simpler to add the account to Privileged Access Service.
- Contractors or less-trusted users: Sometimes you do not want users to have the full set of privileges and access rights that an Active Directory/LDAP account provides. In this case, you create the account in Privileged Access Service only.
To prevent users from logging in to an unintended repository account, and to avoid other account-related confusion, we recommend that you do not create duplicate accounts (same user name and password) in both IBM Security Directory and Active Directory/LDAP.
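One way to audit for the duplicate accounts this recommendation warns about is to compare an export of the IBM Security Directory accounts with an export of the Active Directory/LDAP accounts and list every user name that appears in both. The script below is an added example and is not part of the product documentation or the product itself: the CSV layout (a `UserName` column per source, plus the Status values from the table that follows) and the `abcorp.com` sample accounts are constructed assumptions, not the real export format of either directory. User names are compared case-insensitively, since UPN suffixes are not case-sensitive.

```python
"""Audit two account-source exports for duplicate user names.

Added example, not from the product documentation. The CSV columns and the
sample accounts below are constructed assumptions, not a real export format.
"""
import csv
import io

# Constructed sample export of IBM Security Directory accounts (not real data).
IBM_DIRECTORY_CSV = """UserName,DisplayName,Status
alice@abcorp.com,Alice Adams,Active
breakglass-admin@abcorp.com,Emergency Admin,Active
bob@abcorp.com,Bob Brown,Invited
contractor1@abcorp.com,Temp Contractor,Not Invited
"""

# Constructed sample export of Active Directory/LDAP accounts (not real data).
AD_CSV = """UserName,DisplayName
Alice@abcorp.com,Alice Adams
bob@ABCORP.COM,Bob Brown
carol@abcorp.com,Carol Chen
"""


def normalize(user_name):
    """Fold case and whitespace so 'Alice@abcorp.com' and 'alice@abcorp.com' match."""
    return user_name.strip().lower()


def load_accounts(csv_text):
    """Return {normalized user name: row} for one exported account source."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize(row["UserName"]): row for row in reader}


def classify_accounts(directory_csv, ad_csv):
    """Split user names into those in both sources and those unique to each.

    'both' is the duplicate set the recommendation warns about; 'directory_only'
    is expected for emergency administrators, temporary users and contractors.
    """
    directory = load_accounts(directory_csv)
    ad = load_accounts(ad_csv)
    return {
        "both": sorted(directory.keys() & ad.keys()),
        "directory_only": sorted(directory.keys() - ad.keys()),
        "ad_only": sorted(ad.keys() - directory.keys()),
    }


def report(result):
    """Render the classification as one line per account, duplicates first."""
    lines = []
    for name in result["both"]:
        lines.append(f"DUPLICATE  {name}: in both IBM Security Directory and Active Directory/LDAP")
    for name in result["directory_only"]:
        lines.append(f"ok         {name}: IBM Security Directory only")
    for name in result["ad_only"]:
        lines.append(f"ok         {name}: Active Directory/LDAP only")
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify_accounts(IBM_DIRECTORY_CSV, AD_CSV))))
```

With the sample data, `alice@abcorp.com` and `bob@abcorp.com` are reported as duplicates even though the Active Directory export spells them with different capitalisation, while the emergency administrator and contractor accounts that exist only in IBM Security Directory are listed as expected.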
User Account Statuses
After a user account has been created and brought into Privileged Access Service, the platform assigns it a status. These statuses are displayed on the User page for each user account.
Status | Indicates |
---|---|
Active | The user has either logged in to one of the portals or registered a device. |
Invited | An administrator has sent an invitation to register a device, but the user has not responded. You can send an invitation when you create an IBM Security Directory account, or separately to accounts in all sources using the Invite User button. The Last Invite column indicates the date and time of the most recent invitation. When you add accounts to Privileged Access Service using Bulk import, Admin Portal automatically sends an email invitation to all new accounts by default. |
Not Invited | The account was created in Privileged Access Service but no email invitations have been sent. Successfully provisioned users appear on the Users page with a status of Not Invited. |
Suspended | The user account is locked. There are several reasons why an account may be locked; for example, it could have been locked by the system administrator, or the user may have reached the maximum number of log-in attempts. See How to Configure User Self-Service Options for account unlock options. |
User Management Commands
Admin Portal provides several user management commands. They are displayed when you right-click the name on the Users page and in the Actions menu on the account’s details page.
Command | Result |
---|---|
Delete | Deletes an IBM Security Directory account from Privileged Access Service. The user is no longer listed on the Users page and is no longer able to log in to the Admin Portal. For Active Directory/LDAP user accounts, the deleted account is only removed from the Users page. You must use Active Directory Users and Computers to delete the Active Directory/LDAP account. See How to Delete User Accounts for more information. |
MFA Unlock | Suspends multi-factor authentication for 10 minutes. Multi-factor authentication requires users to perform additional steps (such as verifying their identity by email or phone call) to log in to the Admin Portal. If the user is having trouble logging in, select the user and then this action to let the user log in with just a user name and password. |
Send email invite for user profile setup | Sends an email to the selected users with their login account name. |
Reload | Updates the user’s rights immediately to put into effect any changes you have made to the account—for example, if you added the user to a new role or changed the user’s administrative privileges. Use this command immediately after modifying the user’s role or rights. |
Set Password | Prompts you to reset the user’s Privileged Access Service account password. In the window that appears, you enter a new password for the user. |
Notifying Users with Active Directory/LDAP Accounts
Users with Active Directory/LDAP accounts log in to the Admin Portal and register devices using their Active Directory/LDAP credentials.
To get Active Directory/LDAP users started with Privileged Access Service, you can send them an invitation or you can provide the following URL to the users and tell them to use their Active Directory/LDAP credentials to log in:
https://cloud.centrify.com/my
They use the same credentials to register devices.
Simplifying logging in to Privileged Access Service portals for Active Directory/LDAP accounts
Users with Active Directory accounts can log in to the Admin Portal without entering their user name and password from computers that are within your organization's intranet. For example, you can log in to the Admin Portal without entering your credentials by appending the login suffix to the portal's URL as follows:
https://cloud.centrify.com/manage?customerid=<loginsuffix>
If you have not yet defined any other login suffixes, you can use the default suffix—your Active Directory account’s UPN suffix. For example, if your domain name is abcorp.com, you would enter the following URL to log in without entering your user name and password:
https://cloud.centrify.com/manage?customerid=abcorp.com
See How to Use Login Suffixes to learn about login suffixes.
Similarly, users can log in to the Admin Portal by adding the login suffix to their URL. In this case the syntax is as follows:
https://cloud.centrify.com/my?customerid=<loginsuffix>
Both of these methods use Integrated Windows Authentication to authenticate the user with their Active Directory credentials, and both require the user to be on your organization's intranet. You may need to reconfigure the default Integrated Windows Authentication settings and define IP addresses on your IBM Security Connector to use this feature. See How to Configure Integrated Windows Authentication to configure an IBM Security Connector.
You can also define a login suffix as an alias for a long Active Directory/LDAP UPN suffix. See Creating an Alias for Long Active Directory Domain Names for the details.
Using Search and Sets
You use the user search and Sets (sets of users) to find specific users. User search and sets can be found in Admin Portal > Access > Users.
Most of the user sets are self-explanatory. The following sets require more explanation:
- All Active Users: Users who have logged in to or been invited to Privileged Access Service.
- All Invited Users: Users who have not logged in to or been invited to the Privileged Access Service.
- All Non-Active Users: Users who have been application provisioned but have never logged in.
User state (active or suspended) does not have any impact on these queries.