User Management

The initial Console Owner for an organization using YubiEnterprise Services is set up by YubiEnterprise Services customer support during onboarding. The initial owner then sets up additional YubiEnterprise Console users for the organization.

Note

Ensure your organization has at least two Console Owners. That is the only role that can perform password and account resets for users who have been locked out. If your organization has only one Console Owner and that person locks themselves out or leaves your organization, you must contact Yubico to set up a new Console Owner, which might delay shipment requests.

Each user in an organization has a single account, the username for which is their email address. Via email, the user is asked to complete the setup of their account by setting a password and registering a YubiKey (the WebAuthn credential). For more details, see Onboarding Workflow.

In the case of a multinational organization shipping YubiKeys to both the EU and the US, two separate organizations will be set up. Even if the same person is the Console Owner for both, there is a separate account for each.

Viewing Users

In the Console, click Settings > Users to open the Users page. What you see here depends on your role. You can only access user information through the Customer view with the Console Owner, Console Admin, or Console Auditor role. Only Console Owners can edit or delete users; Admins and Auditors can only view the user information.

For distributor and reseller types of organizations, there are also Distributor and Reseller roles that control permissions for these users. For more information, see Roles and Permissions.

Figure: Customer/Console Owner view of Settings

The following user information is displayed:

  • Email - Email address used to log in to the Console.
  • Roles - The role that the user has in the system, see Roles and Permissions.
  • Last login - Expressed in terms of period in the past, for example, “2 years ago”.
  • State - The state of the user’s account, for example “Active”, see User Account States.
  • MFA - Indicates whether the user has enabled multi-factor authentication (tick) or not (x).
  • Password - Indicates whether the user has set a password (tick) or not (x).
  • Edit / Delete - Icons for editing or deleting users, only for Console Owners.

Adding or Deleting Users

Note

Adding or deleting users can only be done from the Customer view by a Console Owner.

Do the following to add a user:

  1. On the Settings > Users page, click Add new member. The Add new member dialog appears.
  2. Enter the new user’s email address and select a role - YubiEnterprise Console Owner, Admin, or Auditor. If your organization is a distributor or reseller, you will also have options to assign Distributor or Reseller roles to your users. For more information, see Distributor Role and Reseller Role.
  3. Click Save.

For each new user, the system generates the following email inviting the user to register:

From: no-reply@yubico.com
Date: Sep 10, 2020, 12:34 PM -0700
To: <new-user@example.com>
Subject: Welcome to YubiEnterprise!

**Please activate your account**

Hi,

Your system administrator has created a YubiEnterprise Delivery account for you.

To help you get started with YubiEnterprise Delivery Console, please see
Yubico's `Getting Started <https://www.youtube.com/watch?v=IHw5Qt-r-qM>`_ video.

Click the following link to activate your account:

**Activate your YubiEnterprise account**

This link expires in 7 days.
Your username is: <new-user@example.com>

This is an automatically generated message from Yubico. Replies are not monitored
or answered.

Do the following to delete a user:

  1. On the Settings > Users page, click the trashcan icon on the line for the user you want to delete.
  2. Click Remove user in the confirmation dialog that appears.

Managing Your Account

To manage your account settings, click on your user icon in the upper right corner and select Manage credentials to open the Account page.

Managing Login Credentials

To change your password, enter your current password and desired new password in the Change password section of the Account page. When done, click Change password.

If you forgot your password, a Console Owner needs to reset your password. You will receive an email with a link and instructions for creating a new password.

Switching Organizations

If you have login credentials for more than one organization, you can switch between them from the more options menu in the top left corner. Click the organization name to open the menu, then select the name of the desired organization to open the dashboard for that organization.

Adding WebAuthn Credentials

From the WebAuthn credentials section in the Account page you can manage WebAuthn credentials and security keys for your account.

To register a security key, click Add and follow the instructions in the dialog that appears. Registered keys will appear in the list of WebAuthn credentials.

To change the name of an existing key, click Edit, make your changes, and click Save. To remove a key from your account, click Remove.

Lost or Reset YubiKey

If you lose or reset your YubiKey, you can no longer log in to the Console. If this happens, you must contact a Console Owner for your organization to have your account reset as described in Account Recovery and Password Reset. When you acquire a replacement security key, you can then log in and register that second key.

Important

It is strongly recommended to register at least one other YubiKey at the same time as the first one, and to keep your YubiKeys in a safe place. For more information, see Spare YubiKeys.

Account Recovery and Password Reset

Note

Only Console Owners can manage account recovery, do password resets, and change user roles.

Do the following:

  1. Go to the Settings > Users page.

  2. Click the pencil icon on the line for the user you want to edit. The Edit member page appears.

  3. You can make the following changes:

    • Reset user - Enable user account recovery, for example in case of a lost YubiKey.
    • Reset password - Reset a user’s password, sufficient if the user still has their YubiKey.
    • Change role - Update a user’s role.
  4. Click Save.

Managing API Tokens

An API token is used by an API caller account for authentication when integrating applications with the YubiEnterprise Delivery service. For information on how to generate and manage API tokens, see Managing API Tokens.

Roles and Permissions

In addition to the Console Owner, Console Admin and Console Auditor roles for Customer (account) organization members, there are also Reseller and Distributor roles. These provide access to specific views for distributors and resellers to view their customers’ purchase orders and inventories.

A Console user can have one or none of the organization member roles, and may have one or both of the Distributor and Reseller roles. All organizations must always have at least one Console Owner, and can have one or more users with the Console Admin or Console Auditor roles.

An organization can for example be both a Customer ordering keys for its own employees, and a Reseller selling keys to end customers. This scenario requires at least one user with the Console Owner role for the organization, and the Reseller role for one or more users in the organization.

The following section describes the different roles and their permissions in more detail.

Customer Roles

The table below describes the permissions for the Console Owner, Console Admin and Console Auditor roles for a Customer (account) organization.

Permission                                    Owner  Admin  Auditor
Add/delete organization members               yes    no     no
Change member roles                           yes    no     no
Reset member login credentials                yes    no     no
Create/edit shipment requests                 yes    yes    no
Correct shipping addresses                    yes    yes    no
View shipments/purchase orders/org settings   yes    yes    yes
Manage personal login credentials             yes    yes    yes
View other roles’ details                     yes    yes    yes
Generate API token                            yes    yes    no
Download CSV files                            yes    no     no

Console Owners, Admins, and Auditors can all view the names, email addresses and assigned roles of organization members displayed on the Settings > Users page.

Note

Only the end customer can view the Personally Identifiable Information (PII) entered for creating shipment requests. Neither the distributor nor the reseller can view the PII entered by their end customers for creating shipment requests.

In order to view Personally Identifiable Information (PII), new and existing users must accept the applicable terms and conditions when they log in for the first time after the release of YubiEnterprise Services 2.4.0.

Distributor Role

The Distributor role is used by organizations that sell Yubico products to resellers. As a user with the Distributor role, you have access to the Distributor view where you can monitor end customers’ product inventory and activities in your reseller network.

Note

The Distributor role does not provide permission to view or manage user information.

The Distributor view lets you access the Settings > Resellers page where you can provide access for your resellers to view purchase order information.

To allow your resellers to access purchase order information for end customers, set the View purchase orders toggle to “on” for the desired reseller. This setting also enables resellers to allow their end customers to access purchase order information. To revoke access to purchase order information, set the toggle to “off”.

Important

If you disable this access for a reseller, then neither that reseller nor their end customers can see any inventory purchased through this reseller.

As a Console Owner for a distributor organization, you can assign the Distributor role to users from your organization. When adding a user as described in Adding or Deleting Users, you will see the option for assigning the Distributor role in the Add new member dialog.

Reseller Role

The Reseller role is used by organizations that sell Yubico products to end customers. As a user with the Reseller role, you have access to the Reseller view where you can monitor end customers’ product inventory and purchase orders.

Note

The Reseller role does not provide permission to view or manage user information.

The Reseller view lets you access the Settings > Customers page where you can provide access for customers to view purchase order information.

To let a customer access purchase order information, set the View purchase orders toggle to “on” for the desired customer. To revoke access to purchase order information, set the toggle to “off”.

Important

If you disable this access for a customer, this customer will not be able to see any inventory purchased from you. If a distributor is involved, the distributor must also first enable this setting for you as a reseller, in order for your end customer to see the purchase order information.

As a Console Owner for a reseller organization, you can assign the Reseller role to users from your organization. When adding a user as described in Adding or Deleting Users, you will see the option for assigning the Reseller role in the Add new member dialog.

User Account States

All Console users have one of the following account states. To view a user’s account state, click Settings > Users, locate the desired user, and view the State column.

Invited
The user has been emailed a login link for the system, but they have not yet used it to activate their account. Most users have this state initially.
Active (demo mode)
The user has activated their account, but they have not yet registered a WebAuthn credential such as a YubiKey. Console activity is restricted to the activities described in Onboarding Workflow.
Active
The user has activated their account and registered a WebAuthn credential.
Account Reset
A Console Owner can do this if a user’s account has been compromised. The user state remains as “Account Reset” until the user follows the instructions in the Account Reset email sent by the system.
Deactivated
The user has been removed from all organizations, and they can no longer log in to the Console. All associated access tokens have been revoked. Console Owners can add the user to the organization again at a later date.
Suspended

If a user becomes a security concern, disable system access for that user by contacting YubiEnterprise Support to have the user suspended. Any API token the user has is deleted, and their login credentials are temporarily invalidated.

  • If a suspended user tries to log in, they get the “userID/password invalid” message.
  • Only Yubico can suspend a user and only Yubico can lift such a suspension.
  • Although all access tokens are revoked, the user remains associated with their organization, so that if the suspension is lifted, Console Owners are not required to recreate the affected user.
  • All owners of the suspended user’s organization receive an email notifying them that this user is suspended and they must contact YubiEnterprise Support to have the suspension lifted.
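
The role rules and account states above can be checked mechanically during a periodic access review. The following is an added example, not part of Yubico's documentation or tooling: it flags users holding more than one organization member role, users in a state that needs follow-up, and an organization with fewer than two usable Console Owners. The records are constructed and hand-transcribed from the Settings > Users columns (not a Console export format), and counting only Active owners toward the two-owner recommendation is this example's assumption.

```python
MEMBER_ROLES = {"Console Owner", "Console Admin", "Console Auditor"}
CHANNEL_ROLES = {"Distributor", "Reseller"}

# Account states from this page that call for follow-up in a review.
FOLLOW_UP_STATES = {
    "Invited": "account not activated yet",
    "Active (demo mode)": "no WebAuthn credential registered",
    "Account Reset": "reset email not acted on yet",
    "Suspended": "suspended; only Yubico can lift this",
}

# Constructed sample rows (email, roles, state) typed in from the Users page.
USERS = [
    {"email": "owner1@example.com", "roles": ["Console Owner"], "state": "Active"},
    {"email": "owner2@example.com", "roles": ["Console Owner"], "state": "Invited"},
    {"email": "admin@example.com", "roles": ["Console Admin", "Reseller"],
     "state": "Active (demo mode)"},
    {"email": "mixed@example.com", "roles": ["Console Admin", "Console Auditor"],
     "state": "Active"},
]


def review_users(users):
    """Return (subject, finding) tuples for one organization's user list."""
    findings = []
    active_owners = 0
    for user in users:
        roles = set(user["roles"])
        unknown = roles - MEMBER_ROLES - CHANNEL_ROLES
        if unknown:
            findings.append((user["email"], "unknown role: " + ", ".join(sorted(unknown))))
        # A user may hold one or none of the member roles, never several.
        if len(roles & MEMBER_ROLES) > 1:
            findings.append((user["email"], "more than one organization member role"))
        if user["state"] in FOLLOW_UP_STATES:
            findings.append((user["email"], FOLLOW_UP_STATES[user["state"]]))
        # Assumption: only an Active owner can perform resets for others.
        if "Console Owner" in roles and user["state"] == "Active":
            active_owners += 1
    if active_owners < 2:
        findings.append(("organization",
                         f"only {active_owners} Active Console Owner(s); at least two are recommended"))
    return findings


if __name__ == "__main__":
    for subject, finding in review_users(USERS):
        print(f"{subject}: {finding}")
```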

SSO: Single Sign-On

Single sign-on (SSO) is an authentication method that enables users to use a single set of credentials to access multiple applications and services securely. Employers frequently use SSO to safeguard their resources and streamline work processes by enabling employees to access a whole range or subset of applications and platforms without having to log in to each one separately. Most employees of an enterprise have already encountered SSO by logging in to a service provider using the enterprise’s Identity Provider (IdP), for example, Azure AD, Google for Workgroups, or Okta.

YubiEnterprise Services supports SSO. For an organization with SSO enabled, users do not have to register. Although they are added the same way as non-SSO-enabled users, instead of remaining in the Invited state until they follow the emailed instruction to register a security key, they are immediately added to the organization in the Active state. They can therefore use the service-provider-initiated login link to log in to the Console. For details, see Single Sign-On (SSO).

