User Configurations (for Admins)

User Configuration Options Available to Administrators Within InsightCloudSec

This section of the Identity Management/User documentation provides details for administrators who manage other InsightCloudSec users.

1413

Identity Management - Users Tab

User Administration

Refer to the details below on steps required for administrators to add a user, modify a user, or download a user.

Adding a User

To create a new user refer to the following steps.

1. From "Administration --> Identity Management" select the "Users" tab on the Identity Management page and locate the Add User button on the top right corner.

2. Fill in the "Create User" form as follows:

  • Select the type of "Authentication" you would like to assign the user.
  • From the drop-down, select the Groups in which you want this new user to be included.
  • Select the account type for the user: Basic User or Organization Admin.
  • Complete the rest of the form details as desired.

Note: Create User fields will vary based on the authentication type selected. For example, the option to enable API Key Generation is not available until after a user has been initially created.

3. Select "Submit" when you have completed the required details.

1159

Create New Basic User - Username and Password Authentication Example

Modifying a User

Administrators have the ability to modify existing users (basic users or organization admins) through the "Actions" menu located to the left of the name of each individual user.

The following actions are available to modify basic users and organization admins:

Modify User ActionsResult of Action
Unlock AccountUnlocks target account by removing suspension for "locked" users.
Lock AccountSuspends the user and prevents them from logging in without removing the account.
Reset PasswordGenerates an email to the target user, asking them to set up a new password.
Update UserAllows modification of name, email, and password. In addition, admins can provide users with the ability to generate API keys.
Update Organization AccessFor Organization Admin Only. Update the Organizations the Organization Admin has access to.
Promote to Domain Admin Adds domain admin privilege to the user.
Modify Basic User Group AssociationsAdds or removes user from Groups, which will grant/revoke privileges to a user from the Group’s roles.
Require MFA for UserRequires MFA for target user. User will be required to setup TFA on their next login attempt. Note: this option will only display if MFA is not already enabled.
Reset MFAOnly enabled if MFA is required. Resets MFA requirement for target user.
Disable MFA RequirementOnly enabled if MFA is required. Disables MFA requirement for target user. Refer to the User Passwords & Multi-Factor Authentication page
DeleteDeletes user; record is maintained for change history accountability but name and email are purged.
Change Authentication ServerAllows Admins to migrate an existing local user to an SSO provider to avoid having to delete/recreate the user.

Note: Transitioning to "LOCAL" is not supported.
2470

Identity Management - Modifying Users

Download Users

Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.

2472

Download Button on Users Tab

API Keys

The "API Keys" view under Identity Management allows administrators to view, add, replace/revise, and delete API Keys for users.

2278

API Key Administration.

A column with a status for API keys is also part of the view (and download) for both the "Domain Admins" and "Users" views under Identity Management.

1379

Domain Admins - API Fields

Beginning with InsightCloudSec 22.3.1 administrators and users (via "My Profile") have the ability to generate an API Key with an expiration value. This field will be available for any new API keys. To enable an expiration for a user with an existing API Key you will need to replace the current key.

944

API Key - Expiration Value Example

Domain Admins

Domain Admins can be managed from the first tab in the Identity Management section (under Administration on the left-side menu). Several options for a Domain Admin are available via the actions menu.

1383

Identity Management - Domain Admins

Add Domain Admin

In addition, these steps are identical to create a "Read-Only Admin", simply select "Read Only" for the account type.

1. Navigate to "Administration --> Identity Management" and select the "Domain Admin" tab.

2. Locate the "Add Admin" to open the "Create Admin" form.

3. Select the type of "Authentication" you would like to assign and then fill out the form as desired.

  • Form fields will vary based on the type of authentication selected.
2428

Identity Management - Create Admin

Modify/Update Domain Admin

To update an existing Domain Admin, navigate to "Administration --> Identity Management" and select the Domain Admins tab. Click on the "Actions" menu to the left of the desired Domain Admin and select "Update Admin" to view/modify their settings.

The following actions are available to modify domain admin:

Modify Domain Admin
Unlock AdminUnlocks target account by removing suspension for "locked" users.
Lock AdminSuspends the user and prevents them from logging in without removing the account.
Update AdminModify name, email, and password.
Reset PasswordGenerates an email to the target user, asking them to set up a new password.
Revoke Domain Admin Role Removes Domain Admin privileges.
Require MFA for UserRequires MFA for target user. User will be required to setup TFA on their next login attempt. Note: this option will only display if MFA is not already enabled.
Reset MFAResets MFA requirement for target user. (Appears only for users who have MFA enabled.)
Disable MFADisables MFA requirement for target user. (Appears only for users who have MFA enabled.)
DeleteDeletes user; record is maintained for change history accountability but name and email are purged.
Change Authentication ServerUpdates the user's authentication server

Configure Inactive User Settings

From the Domain Admins page, you can enable and configure inactive user settings. Selecting the "Settings" button from the Domain Admins page allows you to update system configuration so that users who have not used InsightCloudSec in a given number of days are automatically removed from the system.

2444

Inactive User Settings

Read-Only Admin

InsightCloudSec includes support for a Read Only Admin, which allows a user to be given full read-only access to the entire installation; however, users of this type cannot take any lifecycle operations on cloud resources, create Insights, Bots, or any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.

You can set up a Read-Only Admin either by selecting Add Admin on the Domain Admins tab of the Administration main age and then selecting "Read Only Admin" as the "Account Type", or by modifying an existing Admin and changing the account type under the Actions menu.

2464

Creating a Read Only Admin