User Management

The initial Org Owner for YubiEnterprise Services is set up by YubiEnterprise Services customer support.

In the case of a multinational organization shipping YubiKeys to both the EU and the US, two separate organizations will be set up. Even if the same person is the Org Owner for both, there is a separate account for each.

Managing Users

The following capabilities are available to org owners:

  • Invite a user to register for YubiEnterprise Delivery (or re-register if they have lost their YubiKey - i.e., account recovery by resetting the user)
  • Reset a user’s password
  • Change or remove a user’s role (removing the role has the effect of removing all permissions from that user)
  • Remove a user from an org
  • Suspend a user

Roles/Permissions

In addition to the org owner role, there are org admin roles and org auditor roles. Together they make up the org members. The names and email addresses of the org members are displayed on the Users tab of the Settings page. All users can view the role and email address of each org member.

Org members cannot have multiple roles within the same organization.

Admins and auditors do not see the controls for downloading CSV files or adding new members. The permission levels of the different members/roles are set out in the table below.

Org Member/Role Permissions
Permission Owner Admin Auditor
Add / Delete org members yes no no
Change member roles yes no no
Reset member login credentials yes no no
Make / Edit Shipment Requests yes yes no
Correct shipping addresses yes yes no
View Shipments / Purchase Orders / Org settings yes yes yes
Manage personal login credentials yes yes yes
View other roles’ details yes yes yes
Generate API token yes yes no

Downloading Org Member Details Spreadsheet

Org Owners can download a list of all the Org Members and their details in the form of a spreadsheet by clicking Download CSV from the Users tab of the Settings screen.

SSO: Single Sign-On

Single sign-on (SSO) is an authentication method that enables users to use a single set of credentials to access multiple applications and services securely. Employers frequently use SSO to safeguard their resources and streamline work processes by enabling employees to access a whole range or subset of applications and platforms without having to log in to each one separately. Most employees of an enterprise have already encountered SSO by logging in to a service provider using the enterprise’s Identity Provider (IdP), for example, Azure AD, Google for Workgroups, or Okta.

YubiEnterprise Services supports SSO. For an organization with SSO enabled, users do not have to register. Although they are added the same way as non-SSO-enabled users, instead of remaining in the Pending state until they follow the emailed instruction to register a security key, they are immediately added to the organization in the Active state. They can therefore use the service-provider-initiated login link to log in to the Console. For details, see Single Sign-On (SSO).

Managing Your Own Profile

To manage your own login credentials and API tokens, click on the profile icon (the green button with your initials) on the top right of any page. The profile page appears, showing your username and a button for each option.

If you have login credentials for more than one organization, the Authentication field lists those organizations. To change from one organization to another, click on the name of the desired organization.

Managing Login Credentials

Important

There is no going back if you click Manage Login Credentials: you must enter your current password. If you do not know your password, you will be automatically logged out immediately, and you will need to request a new password from your administrator.

To change your own password, click Manage Login Credentials, enter your current password, then your new password and confirm that new password by re-entering it.

Account Recovery and Password Reset

Org owners have the ability to:

  • Enable a user to recover their account, for example when they have lost their YubiKey
  • Reset a member’s password (sufficient if the member still has their YubiKey)
  • Change a member’s role

As an org owner, do any of the above by going to the Edit member page by clicking the Edit icon next to the red trashcan icon to the right of the member’s name.

The commands for these options are illustrated in the following screenshot of the Edit member page:

_images/user-mgmt.png

Org Owner’s View of the Edit member Page

User Account States

All YubiEnterprise Services users have one of the following account states. To locate a user’s account state, go to the Settings tab and click on Users. Locate your desired user, and check the State column to view the user’s account state.

  • Invited
    • The user has been invited to the system, but they have not yet activated their account. Most users have this state initially.
  • Active (demo mode)
    • The user has activated their account, but they have not yet registered a WebAuthn credential (e.g. a YubiKey). Console activity is restricted to the activities described in the Onboarding Workflow.
  • Active
    • The user has activated their account and registered a WebAuthn credential.
  • Account Reset
    • An Org Owner would do this if a user’s account has been compromised. The user state is displayed as “Account Reset” until the user follows the instructions in the Account Reset email the system sends.
  • Deactivated
    • The user has been removed from all orgs, and they can no longer log in to the console. All associated access tokens have been revoked. Org Owners may add the user to the org again at a later date.
  • Suspended

    • All access tokens have been revoked, but the user remains associated with their org. Users in this state are no longer allowed to log in to the console. Contact customer support to suspend a user in order to disable their YED access in response to a security concern. Only Yubico can put a user into this state or move them out of it. Any API token the user has is deleted, and login credentials are reset.

      Putting users into this state does not alter their org mappings; in other words, from the perspective of Yubico, they still exist, so if their access is re-instated, nothing further needs to be done.

      All owners of the user’s org receive an email notifying them that this user is suspended and that these owners must contact customer support for re-activation, since they themselves cannot edit this user at all.

      If a suspended user tries to log in, they get the userID / password invalid message.

Adding or Deleting an Org Member

Org Owners can add an Org Member by clicking Add new member from the Users tab of the Settings screen. The Add new member popup appears. Enter the new user’s email address and role (YubiEnterprise Auditor, YubiEnterprise Admin, Owner):

_images/201857-YE-Console-add-new-member.png

Add new member popup

For each new Org Member added by an Org Owner, the system generates the following email inviting the member to register:

From: no-reply@yubico.com
Date: Sep 10, 2020, 12:34 PM -0700
To: <new-user@example.com>
Subject: Welcome to YubiEnterprise!

**Please activate your account**

Hi,

Your system administrator has created a YubiEnterprise Delivery account for you.

To help you get started with YubiEnterprise Delivery Console, please see
Yubico's `Getting Started <https://www.youtube.com/watch?v=IHw5Qt-r-qM>`_ video.

Click the following link to activate your account:

**Activate your YubiEnterprise account**

This link expires in 7 days.
Your username is: <new-user@example.com>

This is an automatically generated message from Yubico. Replies are not monitored
or answered.

To delete an Org Member, on the Users tab of the Settings screen, the Org Owner clicks the trashcan icon to the right of the member’s role.

Lost or Reset YubiKey

If a user loses or resets their YubiKey, they can no longer log in to YubiEnterprise Delivery. Such a user must contact an org owner for their organization to have their account reset as described in Account Recovery and Password Reset. When the user acquires another security key to register, they can log in and register that second key. To avoid this scenario, it is best to register at least one other YubiKey at the same time as the first one, and to keep the additional YubiKey(s) in a safe place. For more information and instructions, see Spare YubiKeys.

Adding WebAuthn Credentials

To add WebAuthn credentials (register a security key), click your login icon - your initial - on the top right of any screen, then click Manage login credentials. The Account page is displayed:

_images/webauthn-credentials.png

Click Add, and the ensuing dialog prompts you to insert a security key, then asks you if you will allow the YubiEnterprise Delivery site (the Console) to “see” that key. Click Allow. In the screenshot above, the item registered as Authenticator is actually a YubiKey from the 4 Series.

Managing API Tokens

For information on API tokens and the relevant guidelines, see API Onboarding Playbook and API: Best Practices and FAQ respectively.

To file a support ticket with Yubico, click Support.