User Configurations (for Admins)
This section of the User Management/User documentation provides details for administrators who manage other InsightCloudSec users.
User Administration
Refer to the details below for the steps administrators take to add a user, modify a user, or download a list of users.
Adding a User
To create a new user refer to the following steps.
From Administration > User Management select the Users tab on the User Management page and locate the Add User button on the top right corner.
Fill in the Create User form as follows:
- Select the type of Authentication you would like to assign the user.
- From the drop-down, select the Groups in which you want this new user to be included.
- Select the account type for the user: Basic User or Organization Admin.
- Complete the rest of the form details as desired.
Create User fields will vary based on the authentication type selected. For example, the option to enable API Key Generation is not available until after a user has been initially created.
Select Submit when you have completed the required details.
Modifying a User
Administrators have the ability to modify existing users (basic users or organization admins) through the Actions menu located to the left of the name of each individual user.
Check out the User Passwords & Multi-Factor Authentication page for additional details on password management and enabling MFA.
The following actions are available to modify basic users and organization admins:
Modify User Actions | Result of Action |
---|---|
Unlock Account | Unlocks target account by removing suspension for "locked" users. |
Lock Account | Suspends the user and prevents them from logging in without removing the account. |
Reset Password | Generates an email to the target user, asking them to set up a new password. |
Update User | Allows modification of name, email, and password. In addition, admins can provide users with the ability to generate API keys. |
Update Organization Access | For Organization Admin Only. Update the Organizations the Organization Admin has access to. |
Promote to Domain Admin | Adds domain admin privilege to the user. |
Modify Basic User Group Associations | Adds or removes user from Groups, which will grant/revoke privileges to a user from the Group’s roles. |
Require MFA for User | Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
Reset MFA | Only enabled if MFA is required. Resets MFA requirement for target user. |
Disable MFA Requirement | Only enabled if MFA is required. Disables MFA requirement for target user. Refer to the User Passwords & Multi-Factor Authentication page. |
Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
Change Authentication Server | Allows Admins to migrate an existing local user to an SSO provider to avoid having to delete/recreate the user. Note: Transitioning to "LOCAL" is not supported. |
Download Users
Administrators also have the ability to download a .CSV file of users from the Users tab. The download button is located at the top right of the Users tab in User Management.
API Keys
The API Keys view under User Management allows administrators to view, add, replace/revise, and delete API Keys for users.
Individual users have the ability to manage this for their own profile through the User Configuration - Manage Your Profile section.
A column with a status for API keys is also part of the view (and download) for both the Domain Admins and Users views under User Management.
Beginning with InsightCloudSec 22.3.1, administrators and users (via My Profile) have the ability to generate an API Key with an expiration value. This field will be available for any new API keys. To enable an expiration for a user with an existing API Key, you will need to replace the current key.
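The following is an added example, not InsightCloudSec code: one way to use the downloaded .CSV to list which users hold API keys, most privileged account types first, so that keys created without an expiration can be reviewed and replaced. The column names, the values treated as "no key", the review order and the sample rows are all assumptions; adjust them to the header row of your own export.

```python
import csv
import io

# Assumed header names; the page does not list the export's columns.
# Change these to match the header row of the file you downloaded.
COL_EMAIL, COL_TYPE, COL_KEY = "Email", "Account Type", "API Key Status"

# Assumed values meaning "no API key"; anything else counts as a key present.
NO_KEY = {"", "none", "no", "false", "disabled", "n/a"}

# Account types named on the page; this review order is an assumption.
PRIORITY = ["Domain Admin", "Organization Admin", "Read Only Admin", "Basic User"]

# Constructed sample rows (not real data), combining both views' exports.
SAMPLE_CSV = """Name,Email,Account Type,API Key Status
Ana Ruiz,ana@example.com,Basic User,Active
Ben Cho,ben@example.com,Organization Admin,Active
Cy Diaz,cy@example.com,Basic User,None
Di Eze,di@example.com,Domain Admin,active
Ed Fox,ed@example.com,Read Only Admin,
"""

def api_key_holders(csv_text):
    """Return (account_type, email) per user holding an API key, in review order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {COL_EMAIL, COL_TYPE, COL_KEY} - set(reader.fieldnames or [])
    if missing:
        # Fail loudly rather than silently reporting "no keys found".
        raise ValueError(f"export is missing expected columns: {sorted(missing)}")
    holders = []
    for row in reader:
        if (row[COL_KEY] or "").strip().lower() not in NO_KEY:
            holders.append(((row[COL_TYPE] or "").strip(),
                            (row[COL_EMAIL] or "").strip()))

    def rank(item):
        # Unknown account types sort first so they are reviewed, not buried.
        return PRIORITY.index(item[0]) if item[0] in PRIORITY else -1

    return sorted(holders, key=lambda h: (rank(h), h[1]))

if __name__ == "__main__":
    for account_type, email in api_key_holders(SAMPLE_CSV):
        print(f"{account_type:20} {email}  review key; replace if it has no expiration")
```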
Domain Admins
Domain Admins can be managed from the first tab in the User Management section (under Administration on the left-side menu). Several options for a Domain Admin are available via the actions menu.
Add Domain Admin
The steps below also apply to creating a Read-Only Admin; simply select Read Only for the account type.
- Navigate to Administration > User Management and select the Domain Admins tab.
- Select Add Admin to open the Create Admin form.
- Select the type of Authentication you would like to assign and then fill out the form as desired. Form fields will vary based on the type of authentication selected.
Modify/Update Domain Admin
To update an existing Domain Admin, navigate to Administration > User Management and select the Domain Admins tab. Click on the Actions menu to the left of the desired Domain Admin and select Update Admin to view/modify their settings.
The following actions are available to modify a Domain Admin:
Modify Domain Admin | Description |
---|---|
Unlock Admin | Unlocks target account by removing suspension for "locked" users. |
Lock Admin | Suspends the user and prevents them from logging in without removing the account. |
Update Admin | Modify name, email, and password. |
Reset Password | Generates an email to the target user, asking them to set up a new password. |
Revoke Domain Admin Role | Removes Domain Admin privileges. |
Require MFA for User | Requires MFA for target user. User will be required to set up TFA on their next login attempt. Note: this option will only display if MFA is not already enabled. |
Reset MFA | Resets MFA requirement for target user. (Appears only for users who have MFA enabled.) |
Disable MFA | Disables MFA requirement for target user. (Appears only for users who have MFA enabled.) |
Delete | Deletes user; record is maintained for change history accountability but name and email are purged. |
Change Authentication Server | Updates the user's authentication server. |
Configure Inactive User Settings
From the Domain Admins page, you can enable and configure inactive user settings. Selecting the Settings button from the Domain Admins page allows you to update system configuration so that users who have not used InsightCloudSec in a given number of days are automatically removed from the system.
Read-Only Admin
InsightCloudSec includes support for a Read Only Admin, which allows a user to be given full read-only access to the entire installation; however, users of this type cannot perform lifecycle operations on cloud resources, create Insights or Bots, or perform any other administrative function within the tool. This feature is especially useful for customers running multiple organizations.
You can set up a Read-Only Admin either by selecting Add Admin on the Domain Admins tab of the Administration main page, then selecting Read Only Admin as the Account Type, or by modifying an existing Admin and changing the account type under the Actions menu.
Current User Sessions
Navigate to Settings > User Management > Sessions to see a list of current user sessions. The details of each session include:
- User ID -- The User ID for the individual session.
- Name -- The name associated with the user for the individual user session.
- Auth -- The type of authentication the user used to log in.
- Is API Session -- Denotes if the user is interacting with InsightCloudSec using the API.
- Expiration -- The date and time the user's session will expire. After this time, the user will be automatically logged out.
- Action -- Opens a contextual menu that includes the option to delete a session.