User Configurations (for Admins)
User Configuration Options Available to Administrators Within InsightCloudSec
This section of the Identity Management/User documentation provides details for administrators who manage other InsightCloudSec users.
Identity Management - Users Tab
User Administration
Refer to the details below on steps required for administrators to add a user, modify a user, or download a user.
Adding a User
To create a new user refer to the following steps.
1. From "Administration --> Identity Management" select the "Users" tab on the Identity Management page and locate the Add User button on the top right corner.
2. Fill in the "Create User" form as follows:
- Select the type of "Authentication" you would like to assign the user.
- From the drop-down, select the Groups in which you want this new user to be included.
- Select the account type for the user: Basic User or Organization Admin.
- Complete the rest of the form details as desired.
Note: Create User fields will vary based on the authentication type selected. For example, the option to enable API Key Generation is not available until after a user has been initially created.
3. Select "Submit" when you have completed the required details.
Create New Basic User - Username and Password Authentication Example
Modifying a User
Administrators have the ability to modify existing users (basic users or organization admins) through the "Actions" menu located to the left of the name of each individual user.
- Check out the User Passwords & Multi-Factor Authentication page for additional details on password management and enabling MFA.
The following actions are available to modify basic users and organization admins:
| Modify User Actions | Result of Action |
|---|---|
| Unlock Account | Unlocks target account by removing suspension for "locked" users. |
| Lock Account | Suspends the user and prevents them from logging in without removing the account. |
| Reset Password | Generates an email to the target user, asking them to set up a new password. |
| Update User | Allows modification of name, email, and password. In addition, admins can provide users with the ability to generate API keys. |
| Update Organization Access | For Organization Admin Only. Update the Organizations the Organization Admin has access to. |
| Promote to Domain Admin | Adds domain admin privilege to the user. |
| Modify Basic User Group Associations | Adds or removes user from Groups, which will grant/revoke privileges to a user from the Group’s roles. |
| Require MFA for User | Requires MFA for target user. User will be required to setup TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
| Reset MFA | Only enabled if MFA is required. Resets MFA requirement for target user. |
| Disable MFA Requirement | Only enabled if MFA is required. Disables MFA requirement for target user. Refer to the User Passwords & Multi-Factor Authentication page |
| Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
| Change Authentication Server | Allows Admins to migrate an existing local user to an SSO provider to avoid having to delete/recreate the user. Note: Transitioning to "LOCAL" is not supported. |
Identity Management - Modifying Users
Download Users
Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in Identity Management.
Download Button on Users Tab
API Keys
The "API Keys" view under Identity Management allows administrators to view, add, replace/revise, and delete API Keys for users.
- Individual users have the ability to manage this for their own profile through the User Configuration - Manage Your Profile section.
API Key Administration.
A column with a status for API keys is also part of the view (and download) for both the "Domain Admins" and "Users" views under Identity Management.
Domain Admins - API Fields
Beginning with InsightCloudSec 22.3.1 administrators and users (via "My Profile") have the ability to generate an API Key with an expiration value. This field will be available for any new API keys. To enable an expiration for a user with an existing API Key you will need to replace the current key.
API Key - Expiration Value Example
Domain Admins
Domain Admins can be managed from the first tab in the Identity Management section (under Administration on the left-side menu). Several options for a Domain Admin are available via the actions menu.
Identity Management - Domain Admins
Add Domain Admin
In addition, these steps are identical to create a "Read-Only Admin", simply select "Read Only" for the account type.
1. Navigate to "Administration --> Identity Management" and select the "Domain Admin" tab.
2. Locate the "Add Admin" to open the "Create Admin" form.
3. Select the type of "Authentication" you would like to assign and then fill out the form as desired.
- Form fields will vary based on the type of authentication selected.
Identity Management - Create Admin
Modify/Update Domain Admin
To update an existing Domain Admin, navigate to "Administration --> Identity Management" and select the Domain Admins tab. Click on the "Actions" menu to the left of the desired Domain Admin and select "Update Admin" to view/modify their settings.
The following actions are available to modify domain admin:
| Modify Domain Admin | |
|---|---|
| Unlock Admin | Unlocks target account by removing suspension for "locked" users. |
| Lock Admin | Suspends the user and prevents them from logging in without removing the account. |
| Update Admin | Modify name, email, and password. |
| Reset Password | Generates an email to the target user, asking them to set up a new password. |
| Revoke Domain Admin Role | Removes Domain Admin privileges. |
| Require MFA for User | Requires MFA for target user. User will be required to setup TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
| Reset MFA | Resets MFA requirement for target user. (Appears only for users who have MFA enabled.) |
| Disable MFA | Disables MFA requirement for target user. (Appears only for users who have MFA enabled.) |
| Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
| Change Authentication Server | Updates the user's authentication server |
Configure Inactive User Settings
From the Domain Admins page, you can enable and configure inactive user settings. Selecting the "Settings" button from the Domain Admins page allows you to update system configuration so that users who have not used InsightCloudSec in a given number of days are automatically removed from the system.
Inactive User Settings
Read-Only Admin
InsightCloudSec includes support for a Read Only Admin, which allows a user to be given full read-only access to the entire installation; however, users of this type cannot take any lifecycle operations on cloud resources, create Insights, Bots, or any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.
You can set up a Read-Only Admin either by selecting Add Admin on the Domain Admins tab of the Administration main age and then selecting "Read Only Admin" as the "Account Type", or by modifying an existing Admin and changing the account type under the Actions menu.
Creating a Read Only Admin
Updated 7 months ago