User Configurations (for Admins)

This section of the Identity Management/User documentation provides details for administrators who manage other InsightCloudSec users.

Identity management users tab

User Administration

Refer to the details below for the steps administrators follow to add a user, modify a user, or download the list of users.

Adding a User

To create a new user, follow these steps.

  1. From Administration > Identity Management select the Users tab on the Identity Management page and locate the Add User button on the top right corner.

  2. Fill in the Create User form as follows:

    1. Select the type of Authentication you would like to assign the user.
    2. From the drop-down, select the Groups in which you want this new user to be included.
    3. Select the account type for the user: Basic User or Organization Admin.
    4. Complete the rest of the form details as desired.

    Create User fields will vary based on the authentication type selected. For example, the option to enable API Key Generation is not available until after a user has been initially created.

  3. Select Submit when you have completed the required details.

Modifying a User

Administrators have the ability to modify existing users (basic users or organization admins) through the Actions menu located to the left of the name of each individual user.

Check out the User Passwords & Multi-Factor Authentication page for additional details on password management and enabling MFA.

The following actions are available to modify basic users and organization admins:

| Modify User Actions | Result of Action |
| --- | --- |
| Unlock Account | Unlocks target account by removing suspension for "locked" users. |
| Lock Account | Suspends the user and prevents them from logging in without removing the account. |
| Reset Password | Generates an email to the target user, asking them to set up a new password. |
| Update User | Allows modification of name, email, and password. In addition, admins can provide users with the ability to generate API keys. |
| Update Organization Access | For Organization Admin Only. Update the Organizations the Organization Admin has access to. |
| Promote to Domain Admin | Adds domain admin privilege to the user. |
| Modify Basic User Group Associations | Adds or removes user from Groups, which will grant/revoke privileges to a user from the Group’s roles. |
| Require MFA for User | Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
| Reset MFA | Only enabled if MFA is required. Resets MFA requirement for target user. |
| Disable MFA Requirement | Only enabled if MFA is required. Disables MFA requirement for target user. Refer to the User Passwords & Multi-Factor Authentication page. |
| Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
| Change Authentication Server | Allows Admins to migrate an existing local user to an SSO provider to avoid having to delete/recreate the user. Note: Transitioning to "LOCAL" is not supported. |

Download Users

Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.

API Keys

The API Keys view under Identity Management allows administrators to view, add, replace/revise, and delete API Keys for users.

Individual users can manage API keys for their own profile through the User Configuration - Manage Your Profile section.

A column with a status for API keys is also part of the view (and download) for both the Domain Admins and Users views under Identity Management.

Beginning with InsightCloudSec 22.3.1, administrators and users (via My Profile) have the ability to generate an API Key with an expiration value. This field will be available for any new API keys. To enable an expiration for a user with an existing API Key, you will need to replace the current key.

API key - expiration value

Domain Admins

Domain Admins can be managed from the first tab in the Identity Management section (under Administration on the left-side menu). Several options for a Domain Admin are available via the actions menu.

Add Domain Admin

These steps are also used to create a Read-Only Admin; simply select Read Only for the account type.

  1. Navigate to Administration > Identity Management and select the Domain Admin tab.
  2. Locate and select Add Admin to open the Create Admin form.
  3. Select the type of Authentication you would like to assign and then fill out the form as desired. Form fields will vary based on the type of authentication selected.

Modify/Update Domain Admin

To update an existing Domain Admin, navigate to Administration > Identity Management and select the Domain Admins tab. Click on the Actions menu to the left of the desired Domain Admin and select Update Admin to view/modify their settings.

The following actions are available to modify a Domain Admin:

| Modify Domain Admin | Description |
| --- | --- |
| Unlock Admin | Unlocks target account by removing suspension for "locked" users. |
| Lock Admin | Suspends the user and prevents them from logging in without removing the account. |
| Update Admin | Modify name, email, and password. |
| Reset Password | Generates an email to the target user, asking them to set up a new password. |
| Revoke Domain Admin Role | Removes Domain Admin privileges. |
| Require MFA for User | Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
| Reset MFA | Resets MFA requirement for target user. (Appears only for users who have MFA enabled.) |
| Disable MFA | Disables MFA requirement for target user. (Appears only for users who have MFA enabled.) |
| Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
| Change Authentication Server | Updates the user's authentication server. |

Configure Inactive User Settings

From the Domain Admins page, you can enable and configure inactive user settings. Selecting the Settings button from the Domain Admins page allows you to update system configuration so that users who have not used InsightCloudSec in a given number of days are automatically removed from the system.

Inactive user settings

Read-Only Admin

InsightCloudSec includes support for a Read Only Admin, which allows a user to be given full read-only access to the entire installation; however, users of this type cannot perform lifecycle operations on cloud resources, create Insights or Bots, or perform any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.

You can set up a Read-Only Admin either by selecting Add Admin on the Domain Admins tab of the Administration main page and then selecting Read Only Admin as the Account Type, or by modifying an existing Admin and changing the account type under the Actions menu.