Users

Description

The user is the core object of the system. In Soffid, a user means an identity (usually a person). Every user can have a number of accounts spread on different information systems.

In traditional system managements, one can assign roles and permissions to accounts. Then, the administrator uses to grant the account to one single user. In Soffid you can have a global view of permissions assigned to any user. Being the user the main management object, you have a more clear perspective in terms of operation, security and end-user engagement.

It is important to know that dependency rules can be established between systems, so a user with a role or permission in one system will automatically be assigned a role or permission in another system, according to the system policies.

The administrator can also identify the potential users of shared or system management accounts. These accounts are managed in a slightly different way. See the Accounts and Password Vault pages for more information.

Sometimes is possible to find that there are any user with duplicated user data. To solve that problem, Soffid provides the merge functionality. That allows you to combine two user records, selecting the proper data to fix that situation.

Related objects

  1. Groups
  2. Account
  3. Roles
  4. Shared accounts
  5. Audit
  6. Logs 
  7. Workflows

Standard user attributes

Basic

On the basic user tab, you can view all the user attributes. Other attributes can be customized in Soffid.

Common attributes
  • User name: short name to identify the user. It uses can be either a name abbreviation, an employee Id or a system generated number.
  • First name: name of the user.
  • Last name: first surname.
  • Middle name: used like second surname.
  • Full name: firstName + lastName + middleName.
Mail service
  • Internal eMail: this will be the mail address that will appear on outgoing emails from this user..
  • Mail aliases: In this box there will be a comma-separated list of mail addresses that will be forwarded to this user mailbox. It will you one to one aliases and one to many distribution lists.
  • External email: additional external email.
  • Mail server: select which server will host its user mail.
User status
  • Enable: uncheck in order to prevent this user from logging into any system.
  • Multi session: uncheck to prevent this user from using more than one device at a time. If the user logs into the system when another session is active, the single sign-on agent will manage it in order to close the first session before opening a new one. This checkbox is only effective when using Soffid ESSO
  • Comments. 
Organization
  • Type: identifies the password policy that is to be applied. More information on this link User Type.
  • Primary group: select which organization unit this user belongs to.
  • Home server: select which server will host its user folder. It is linked to the Home Drive attribute on Active Directory.
  • Profile server: select which server will host its user profile. It is linked to Roaming UserProfile on Active Directory.
  • Manager: select which another user, who will be the manager 
Other
  • NIF
  • Phone
Audit information
  • Created by: user who created it.
  • Created on: when this one was created.
  • Modified by: responsible for the user's last change.
  • Modified last on: date of last user modification.

Groups

Your company is organized in different business units, departments or workgroups. In Soffid, they all are named as groups. Some systems, like Active Directory use the groups to control or restrict access to resources. A Soffid Group is more like an Active Directory OU.

On the groups tab, you can manage all the groups that the user belong to. By default, only the group name will be displayed, but some other custom properties can be defined in the Metadata page.

By clicking on a record, Soffid shows group membership details. It is possible to change the group, the start date and add comments.

It is also possible to assign a new membership clicking the button with the add symbol (+) , and  to revoke the group membership from the group details or by selecting one or more records from the list and clicking the button with the subtraction symbol (-).

Accounts

An account is the way a user is presented on a target system.

On the accounts tab you can view the accounts that belong to the user that is currently displayed, group by password domains.

Soffid smart engine will automatically create, disable or remove user accounts depending on the system policies.

Also, you can manually add a new account for a system, rename an existing one, delete it or change its password. You can also see when the password was last set and its expected expiration date. Mind that you cannot change a single account passwords, as long as any password belongs to a password domain, so each password belonging to the same user and password domain will be change at a time. When you apply user changes, autmatically that will be forwarded to target systems

Mind that Soffid smart engine can revert some of your changes, if those changes are violating any system policy.

Each change made at Soffid console is asynchronoulsy replicated into managed system. At accounts tab, the administrator can check when each account was updated last. When Soffid console notices there the replication process is failing, an exclamation sign will apear next to account name.

When the settings for a managed system excludes a user to be replicated, no account will be created for him. In case the user was replicated and due to user attributes changes it should be exluded, its account will be disabled and it will apear with line-through style.

At agent configuration screen, the administrator can configure when to create or enable user accounts depending on the user type or the group the user belongs to. When the settings for a managed system excludes a user, no account will be created for him. In case the account exists and due to user attributes changes it should be exluded, its account will be disabled and it will apear with line-through style.

Regarding automatic account creation, it's important to know that if a user needs an account with a name, based on the user domain configuration, and that such account already exists as a shared or single user account, this account won't be created or assigned. Nevertheless, if such account already exists as an unmanaged account, this existing account will be assign to the user along their role grants.

By clicking on a record Soffid shows more accurate information about the account. It is possible to rename the account, changing it, change the account status or delete de account.

Roles

A role is a collection of permissions that can be granted to a user. With this permissions the user will access to another system and perform some operations.

On the roles tab you can assign or revoke roles to any user. Each role needs an account to be applied to. So, if a user has no account on a system and a role on that system is granted, a new account will be created on this system. In case a user has more than one account on a system, you should indicate wich of the suitable accounts will be granted the role.

More and more, when the role should be scoped, the operator must select a right scope for the role. The scope and its allowed values are defined at application management page.

By clicking on a record Soffid shows more information about the rol, this information can not be updated. In this screen you can browse through the different roles.

It is also possible to revoke the the role to the user from the entitlement details or by selecting one or more records from the list and clicking the button with the subtraction symbol.

Roles list shows a column to display when there are risks with the roles assigned to the user. If you click on a record, Soffid will show the entitlement details included the SoD rules with the risks detail. 

For more information about SoD visit the  Segregation of Duties page.

Additionally you can download a CSV file with the user's role information, or upload a CSV file to assign or revoke roles to the user.

Effective Roles

Hierarchy of permissions assigned to or inherited. 

This screen details the effective roles for the selected user. 

  • By direct assignment of the role: when you assign a role to a user, you are assigning to the user all the permissions defined for that role.
  • By belonging to a group: when you add a user to a group, the users will have all the roles assigned to the group
  • By rules defined in the system: when a rule is satisfied for a user, the system assign the roles defined in the rule to the user.

Shared accounts

This is a privileged account that can be used by several users.

On the shared account tab, you can see all shared user account. You can view information about the system, the acount, the date of update, when was the last login, when the password was changed and the expiration date.

By clicking on a record, you can browse to the share account details page.

Sessions

On the sessions tab, you can view sessions opened by the user. Here will be shown any open ESSO session, showing the host that has created the session and the host where the user is connected from, if applicable. The port number is the TCP/IP port number the ESSO session manager is listening to. It is used by the synchronization server to check for session validity.

ESSO Integration

Multi-session attribute: ESSO will prevent any user from having more than one session at a time, unless it has the multisession attribute checked.

If ESSO detects the user trying to log in has an active session, it will do the following job:

  • The previous session will be noticed of such a duplicate session.
  • The new session will have the choice to:
    • Give up and not to log in.

    • Wait until the previous session is closed.

    • Force the previous session to log out. It the user selects to close the remote session, the remote user will still have the chance to accept or reject such an action.

No user with active flag unchecked will be allowed to log in or use any system managed through ESSO.

User Processes

On the user processes tab you can view the business processes in which the user has been managed. It shows information about the process, the status process and when it was initiated and ended.

    NOTE: Mind that this page does not show the business processes the user has acted.

    Pending tasks

    When a user has pending tasks, an icon will be appearing at the right corner. If the status of pending tasks is "Error", the icon will be a highlight alert icon, if the status is "Pending", the icon will be a wifi icon.

    That window displays the most relevant task data, the task name, the agent that manages the task, the status task, the scheduled to will be executed, ... That pending tasks information is only available in consultation mode. 

    Actions

    Users query actions

    Query

    Allows you to query users through different search systems, Quick, Basic and Advanced.

    Add or remove columns

    Allows you to show and hide columns in the table.

    Add new

    Allows you to add a new user in the system. You can choose that option on the hamburger menu or clicking the add button (+).To add a new user it will be mandatory to fill in the required fields

    Delete

    Allows you to remove one or more users by selecting one or more records and next clicking the button with the subtraction symbol (-).To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Import

    Allows you to upload a CSV file with the user list to add or update users to Soffid.First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

    Download CSV file

    Allows you to download a CSV file with the basic information of all users. 

    Bulk actions

    Allows massive operations to be performed on all system users.  With that operation, updates can be made to any of the user's parameters. First of all, you must select the records that you want to update, once you have selected them, you must choose the bulk action on the hamburguer icon.For more information visit the Bulk action page.

    Merge

    Allows you to merge two identities when you identify that is necessary.

    First of all, you need select two identities. Second, you need to click the hamburger icon and select the merge action. Then Soffid will display a window where you need to select the correct value for each standard and custom parameter. Finally, you need to apply changes to save the updates, or back to cancel that action.

    User detail actions

    Apply changes

    Allows you to save the data of a new user or to update the data of a specific user. To save the data it will be mandatory to fill in the required fields.

    When you apply changes, automatically that will be forwarded to target systems.

    Delete

    Allows you to remove a specific user. You can choose that option on the hamburger icon.

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes. 

    Audit

    Browses to the Audit page and shows all the detailed actions performed over the user. It is allowed to filter the information displayed and also to download a CSV file with the audit information.

    Access logs

    Browses to the Logs page and shows all the detailed logs about the user actions. It is allowed to filter the information displayed and also to download a CSV file with the logs information.

    Propagates the changes

    Allows you to propagate the user changes to the repository systems configured. It is only necessary when the task engine mode is configured as Manual, visit the smart engine setting page for more information.

    Groups actions

    Assign Groups

    Allows you to add a new group membership. You can choose that option on the hamburger menu or clicking the add button (+).

    Then you need to select a group the user will belong to it.  Next you need to define, if it is neccessary  the membership properties. And finally you need to apply changes.

    Delete Groups

    Allows you to delete groups membership. You can select one or more groups and next clicking the button with the subtraction symbol (-). 

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Accounts actions

    Change password

    Allows you to change the password for a domain. The password can be generated automatically, or you can set the password.

    It will be mandatory the password comply with the Password policies defined for the domain.

    New Account

    Allows you to add new account for a user and a specific target system. 

    Fist of all, you need to select the target system, then Soffid will show the target system name and the account name. The account name could be updated, but always with an account name which no be already in use on the target system. Then you need to choose the account status and finally you can set the system properties. That properties depends on the target system and do not be mandatory.

    Delete Account

    Allows you to delete an account for a specific user. To delete the account first, you need to click the account, and Soffid will show a form with the account data. Then you need to click the hamburger icon and select the delete action. To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Update Account

    Allows you to update the account name and the account status. To update the account first, you need to click the account, and Soffid will show a form with the account data. Then you could change the account name and/or the account status. If you change the account name, you must to choose an account name that are not already in use.

    Roles actions

    Assign Role

    Allows you to assign a new role to the user. You can choose that option on the hamburger menu or clicking the add button (+).

    Then you need to select a role form the role list. If it is necessary, the next step will be to set the scope. Then you need to check and fill in the membership properties. And finally  apply changes.

    Revoke Role

    Allows you to revoke one by one or to revoke some roles at the same time. 

    To revoke some roles at the same time, you need to select the roles, and then click the button with the subtraction symbol (-). 

    To revoke one role, you can click the role, and then Soffid will show a form with the details. Then you can click the delete button (trash icon). 

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation. 

    Import

    Allows you to upload a CSV file with the role list to assign permission.

    First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

    Download CSV file

    Allows you to download a CSV file with all the information about user roles. 

    Sessions actions

    Download CSV file

    Allows you to download a CSV file with all the information about sessions.