You can edit the details of existing users, such as email ID, access level, password policy, department, and location. You can also enable or disable two-factor authentication for any user at any time.
To edit users,
- Navigate to Users tab.
- Click the User Actions icon against the desired user and select Edit User from the drop down list.
- In the dialog box that opens, you can edit the following:
- Email ID
- Access level
- Access scope
- Password policy
- You can also enable or disable two-factor authentication for the particular user. If RSA SecurID is used as the second authentication factor, the user name in RSA Authentication Manager and the corresponding one in Password Manager Pro must be the same. For existing RSA users whose user names differ between Password Manager Pro and RSA Authentication Manager, you can map the names in Password Manager Pro instead of editing the name in RSA. The mapping is done here, through RSA SecurID UserName. (For example, suppose you have imported a user from Active Directory whose username in Password Manager Pro is ADVENTNET\rob, while RSA Authentication Manager records the username as rob. Normally, the usernames in Password Manager Pro and RSA Authentication Manager would not match. To avoid that, you can create a mapping in PMP so that ADVENTNET\rob is mapped to rob.)
- You can use Access Scope to change an Administrator/Password Administrator/Privileged Administrator into a Super Administrator by choosing the option All Passwords in the system. When you do so, they will be able to access all passwords in Password Manager Pro without any restriction. Conversely, a Super Administrator can be changed to his earlier role of Administrator/Password Administrator/Privileged Administrator by choosing the option Passwords Owned and Shared.
Note: If you are an administrator, you will not be allowed to change your access level or scope because the currently logged in administrator's access level cannot be changed. So, you will have to request another administrator to do the change.
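The RSA SecurID username check described above can be done in bulk before two-factor authentication is enabled. The following is an added example, not Password Manager Pro code or a product API: it assumes you have exported both username lists yourself, and the function name `plan_rsa_mappings` and every sample name other than ADVENTNET\rob are constructed. It goes one step beyond the text by flagging cases where two Password Manager Pro users would resolve to the same RSA user name.

```python
from collections import defaultdict

def plan_rsa_mappings(pmp_users, rsa_users):
    """Classify PMP usernames against RSA Authentication Manager usernames.

    matched    - identical in both systems, no mapping needed
    mappings   - {pmp_name: rsa_name} to enter as RSA SecurID UserName
    collisions - {rsa_name: [pmp_names]} several PMP users resolving to
                 one RSA identity; review manually before mapping
    unresolved - PMP users with no RSA counterpart found
    """
    rsa = set(rsa_users)
    matched, unresolved = [], []
    candidates = defaultdict(list)  # rsa_name -> PMP names resolving to it

    for name in pmp_users:
        if name in rsa:
            matched.append(name)
            candidates[name].append(name)
            continue
        # Assumption: directory-imported names look like DOMAIN\user.
        short = name.rsplit("\\", 1)[-1]
        if short != name and short in rsa:
            candidates[short].append(name)
        else:
            unresolved.append(name)

    mappings, collisions = {}, {}
    for rsa_name, owners in candidates.items():
        if len(owners) > 1:
            # One RSA identity shared by several PMP accounts.
            collisions[rsa_name] = sorted(owners)
            matched = [m for m in matched if m != rsa_name]
        elif owners[0] != rsa_name:
            mappings[owners[0]] = rsa_name
    return {"matched": matched, "mappings": mappings,
            "collisions": collisions, "unresolved": unresolved}

# Constructed sample exports (not real accounts).
PMP_USERS = ["ADVENTNET\\rob", "alice", "ADVENTNET\\carol",
             "CORP\\carol", "ADVENTNET\\dave"]
RSA_USERS = ["rob", "alice", "carol"]

if __name__ == "__main__":
    for key, value in plan_rsa_mappings(PMP_USERS, RSA_USERS).items():
        print(f"{key}: {value}")
```

Users reported as unresolved have no second factor to authenticate against, and collisions should be settled by an administrator rather than mapped automatically.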
Administrators can delete those users who are no longer required. The delete operation is permanent and cannot be reverted.
Alternatively, administrators have the option to move user accounts to Trash from which they can be restored at a later point of time.
To delete a user,
- Navigate to Users tab.
- Click the User Actions icon against the desired user and select Delete user from the drop-down list.
- In the pop-up window that opens, you will have two options:
- Delete: To delete an intended user permanently, select the user name and click on Delete.
- Move To Trash: This option can be used to move users to Trash without deleting them permanently. Users moved to the Trash will not be removed from Password Manager Pro, and they can be restored at any time until the Password Manager Pro encryption keys have been rotated. However, once the key rotation is done, the users in Trash and all associated credentials will be removed from the system.
- Since Password Manager Pro will enforce the resources owned by a user to be transferred to another user before the former can be deleted, there will not be any loss of enterprise data. However, all the personal data stored by that user will be deleted once and for all. The audit trails will clearly capture all these changes and deletion. The audit trails depicting the activities of the user will remain unaffected in the database even after deleting the user. Audit trails will not be deleted.
Note: Users imported from AD, Azure AD, and LDAP directories cannot be moved to Trash.
To restore a user account that has been moved to Trash, navigate to Users tab and click on the Trash box icon at the top right corner.
A list of users in the Trash will open in a pop-up box from which the intended users can be restored.
Password Manager Pro will allow users to be deleted only if the user/users do not own any resource. If the user owns any resource, then you need to transfer the ownership of all the resources to some other user with administrator-type role.
The currently logged in user will not be allowed to delete themselves.
To delete the in-built 'admin' user,
Before proceeding to delete the admin user, check if the admin user owns any resource. If so, the resources should be transferred to another user with administrator-type role.
- Navigate to Users tab.
- In case the admin owns resources, transfer all those resources to another user by clicking on "User Actions" icon against the admin user and selecting Transfer Ownership from the drop down.
- If you have logged in as the admin user who has to be deleted, then you have to request some other administrator to delete your account, because the currently logged-in user cannot delete themselves.
- The above procedure holds good for deleting any user with an administrator-type role.
Handling user accounts deleted from AD/Azure AD/LDAP directories
- Whenever a user account is deleted directly at the user directory from which it was imported to Password Manager Pro (PMP) i.e. from AD, Azure AD or LDAP directory, PMP identifies those deleted user accounts the next time a respective synchronization schedule is run. The identified user accounts are then subsequently disabled in PMP and held as locked accounts. Note that PMP will identify deleted user accounts only if you have set up synchronization with the respective user directory.
- After disabling the user accounts, PMP informs the administrators (and users whose roles permit them user management privileges) via email as well as an alert notification within the product. Clicking the alert notification will open a dialog box.
- The administrator can review the disabled accounts and then choose to delete those user accounts permanently from Password Manager Pro by clicking the Delete button in that dialog box. On the other hand, to activate the accounts,
- Navigate to Users >> More Actions >> Lock Users.
- In the new window that opens, you will find the disabled user accounts listed under the Locked Users column. Move the required account to the Active Users column and click Save.
- Alternatively, you can also activate individual user accounts by locating the required user, clicking on the User Actions icon beside the user, and selecting Unlock User from the drop-down menu.
- A confirmation dialog box will open.
- Click Unlock to confirm the action and the disabled user will be restored.
Managing notification email addresses in Password Manager Pro
Password Manager Pro allows you to configure generic email addresses as recipients of notification emails for scheduled tasks' completion statuses and license expiry alerts. You can keep track of all such external email addresses being used in Password Manager Pro and also delete them if needed. Additionally, the email addresses of users captured in the User Sessions audit can also be managed using this provision, in the event of those users being removed from Password Manager Pro.
To view the list of notification email addresses,
- Navigate to Admin >> Manage >> Notification Email IDs.
- In the new dialog box that opens, you will find the email addresses listed under four different sections—Schedules, License Expiry Notifications, SSH/SSL Notifications, and User Sessions Audit, if there are any.
- Review the listed email addresses under each section, select the one that you want to delete and click Delete.