.. Settings.rst

.. _settings-label:

================
User Management
================

The initial **Console Owner** for an organization using YubiEnterprise Services is set up by YubiEnterprise Services customer support during onboarding. The initial owner then sets up additional YubiEnterprise Console users for the organization.

.. LAAS-5759

.. NOTE:: Ensure your organization has at least two Console Owners. That is the only role that can perform password and account resets for users who have been locked out. If your organization only has one Console Owner and that person locks themselves out or leaves your organization, you must contact Yubico to set up a new Console Owner, which might delay shipment requests.

Each user in an organization has a single account, the username for which is their email address. Via email, the user is asked to complete the setup of their account by setting a password and registering a YubiKey (the WebAuthn credential). For more details, see :ref:`onboarding-label`.

In the case of a multinational organization shipping YubiKeys to both the EU and the US, two separate organizations will be set up. Even if the same person is the Console Owner for both, there is a separate account for each.

.. _viewing-users-label:

Viewing Users
=============

In the **Console**, click **Settings** > **Users** to open the **Users** page. What you see here depends on your role. You can only access user information through the **Customer** view with either the **Console Owner**, **Console Admin**, or **Console Auditor** role. Only Console Owners can edit or delete users; Admins and Auditors can only view the user information. For distributor and reseller types of organizations, there are also **Distributor** and **Reseller** roles that control permissions for these users. For more information, see :ref:`user-permissions-label`.

.. image:: graphics/settings-tab3.png
   :width: 800

*Customer/Console Owner view of Settings*

The following user information is displayed:

* **Email** - Email address used to log in to the Console.
* **Roles** - The role that the user has in the system, see :ref:`user-permissions-label`.
* **Last login** - Expressed as a period in the past, for example, "2 years ago".
* **State** - The state of the user's account, for example "Active", see :ref:`account-states`.
* **MFA** - Indicates whether the user has enabled multi-factor authentication (tick) or not (x).
* **Password** - Indicates whether the user has set a password (tick) or not (x).
* **Edit / Delete** - Icons for editing or deleting users, only for Console Owners.

.. _add-users-label:

Adding or Deleting Users
========================

.. NOTE:: Adding or deleting users can only be done from the **Customer** view by a Console Owner.

Do the following to *add* a user:

1. On the **Settings** > **Users** page, click **Add new member**. The **Add new member** dialog appears.

   .. image:: graphics/add-new-member.png
      :scale: 75 %

2. Enter the new user's email address and select a role - **YubiEnterprise Console Owner**, **Admin**, or **Auditor**. If your organization is a distributor or reseller, you will also have options to assign **Distributor** or **Reseller** roles to your users. For more information, see :ref:`distributor-role-label` and :ref:`reseller-role-label`.

3. Click **Save**.

For each new user, the system generates the following email inviting the user to register:

.. code-block::

   From: no-reply@yubico.com
   Date: Sep 10, 2020, 12:34 PM -0700
   To:
   Subject: Welcome to YubiEnterprise!

   **Please activate your account**

   Hi,

   Your system administrator has created a YubiEnterprise Delivery account for you.
   To help you get started with YubiEnterprise Delivery Console, please see Yubico's
   `Getting Started `_ video.

   Click the following link to activate your account:

   **Activate your YubiEnterprise account**

   This link expires in 7 days.

   Your username is:

   This is an automatically generated message from Yubico. Replies are not monitored
   or answered.

Do the following to *delete* a user:

1. On the **Settings** > **Users** page, click the trashcan icon on the line for the user you want to delete.

2. Click **Remove user** in the confirmation dialog that appears.

.. _managing-your-account-label:

Managing Your Account
=====================

.. LAAS-5658

To manage your account settings, click on your user icon in the upper right corner and select **Manage credentials** to open the **Account** page.

.. image:: graphics/manage-credentials.png
   :width: 250

.. _account-page-label:

.. image:: graphics/account-page.png
   :width: 800

Managing Login Credentials
--------------------------

To change your password, enter your current password and desired new password in the **Change password** section of the :ref:`Account page `. When done, click **Change password**.

If you forgot your password, a Console Owner needs to :ref:`reset your password`. You will receive an email with a link and instructions for creating a new password.

.. LAAS-5664

.. _org-switch-label:

Switching Organizations
-----------------------

If you have login credentials for more than one organization, you can switch between them from the more options menu in the top left corner. Click the organization name to open the menu, then select the name of the desired organization to open the dashboard for that organization.

.. image:: graphics/org-switch1.png
   :width: 250

.. _webauthn-creds-label:

Adding WebAuthn Credentials
---------------------------

From the **WebAuthn credentials** section in the :ref:`Account page ` you can manage WebAuthn credentials and security keys for your account.

.. image:: graphics/webauthn-cred-add.png
   :width: 500

To register a security key, click **Add** and follow the instructions in the dialog that appears. Registered keys will appear in the list of WebAuthn credentials. To change the name of an existing key, click **Edit**, make your changes, and click **Save**. To remove a key from your account, click **Remove**.

.. _loss-label:

Lost or Reset YubiKey
---------------------

If you lose or reset your YubiKey, you can no longer log in to the Console. If this happens, you must contact a Console Owner for your organization to have your account reset as described in :ref:`account-reset-label`. When you acquire a replacement security key, you can then log in and register that second key.

.. IMPORTANT:: It is strongly recommended to register at least one other YubiKey at the same time as the first one, and to keep your YubiKeys in a safe place. For more information, see `Spare YubiKeys `_.

.. _account-reset-label:

Account Recovery and Password Reset
-----------------------------------

.. NOTE:: Only Console Owners can manage account recovery, do password resets, and change user roles.

Do the following:

1. Go to the **Settings** > **Users** page.

2. Click the pencil icon on the line for the user you want to edit. The **Edit member** page appears.

   .. image:: graphics/user-mgmt3.png
      :width: 800

3. You can make the following changes:

   * **Reset user** - Enable user account recovery, for example in case of a lost YubiKey.
   * **Reset password** - Reset a user's password, sufficient if the user still has their YubiKey.
   * **Change role** - Update a user's role.

4. Click **Save**.

Managing API Tokens
-------------------

An API token is used by an API caller account for authentication when integrating applications with the YubiEnterprise Delivery service. For information on how to generate and manage API tokens, see :ref:`lifecycle-label`.

.. _user-permissions-label:

Roles and Permissions
=====================

In addition to the Console Owner, Console Admin and Console Auditor roles for Customer (account) organization members, there are also Reseller and Distributor roles. These provide access to specific views for distributors and resellers to view their customers' purchase orders and inventories.

.. image:: graphics/viewing-roles1.png
   :width: 200

A Console user can have one or none of the organization member roles, and may have one or both of the Distributor and Reseller roles. All organizations must always have *at least one* Console Owner, and can have one or more users with the Console Admin or Console Auditor roles.

An organization can, for example, be both a *Customer* ordering keys for its own employees and a *Reseller* selling keys to end customers. This scenario requires at least one user with the Console Owner role for the organization, and the Reseller role for one or more users in the organization.

The following sections describe the different roles and their permissions in more detail.

Customer Roles
--------------

The table below describes the permissions for the Console Owner, Console Admin and Console Auditor roles for a Customer (account) organization.

.. table::

   +-------------------------------------------------+-----+-----+-------+
   |Permission                                       |Owner|Admin|Auditor|
   +=================================================+=====+=====+=======+
   |Add/delete organization members                  |yes  |no   |no     |
   +-------------------------------------------------+-----+-----+-------+
   |Change member roles                              |yes  |no   |no     |
   +-------------------------------------------------+-----+-----+-------+
   |Reset member login credentials                   |yes  |no   |no     |
   +-------------------------------------------------+-----+-----+-------+
   |Create/edit shipment requests                    |yes  |yes  |no     |
   +-------------------------------------------------+-----+-----+-------+
   |Correct shipping addresses                       |yes  |yes  |no     |
   +-------------------------------------------------+-----+-----+-------+
   |View shipments/purchase orders/org settings      |yes  |yes  |yes    |
   +-------------------------------------------------+-----+-----+-------+
   |Manage personal login credentials                |yes  |yes  |yes    |
   +-------------------------------------------------+-----+-----+-------+
   |View other roles' details                        |yes  |yes  |yes    |
   +-------------------------------------------------+-----+-----+-------+
   |Generate API token                               |yes  |yes  |no     |
   +-------------------------------------------------+-----+-----+-------+
   |Download CSV files                               |yes  |no   |no     |
   +-------------------------------------------------+-----+-----+-------+

Console Owners, Admins, and Auditors can all view the names, email addresses and assigned roles of organization members displayed on the **Settings** > **Users** page.

.. Note:: Only the end customer can view the Personally Identifiable Information (PII) entered for creating shipment requests. Neither the distributor nor the reseller can view the PII entered by their end customers for creating shipment requests.

.. LAAS-5804

In order to view Personally Identifiable Information (PII), new and existing users must accept the applicable terms and conditions when they log in for the first time after the release of YubiEnterprise Services 2.4.0.

.. LAAS-5196

.. _distributor-role-label:

Distributor Role
----------------

The Distributor role is used by organizations that sell Yubico products to resellers. As a user with the Distributor role, you have access to the :ref:`Distributor view ` where you can monitor end customers' product inventory and activities in your reseller network.

.. Note:: The Distributor role does not provide permission to view or manage user information.

The Distributor view lets you access the **Settings** > **Resellers** page where you can provide access for your resellers to view purchase order information.

.. image:: graphics/distributor-view-settings.png
   :width: 800

To allow your resellers to access purchase order information for end customers, set the **View purchase orders** toggle to "on" for the desired reseller. This setting also enables resellers to allow their :ref:`end customers to access purchase order information `. To *revoke* access to purchase order information, set the toggle to "off".

.. IMPORTANT:: If you disable this access for a reseller, then neither that reseller nor their end customers can see any inventory purchased through this reseller.

As a Console Owner for a distributor organization, you can assign the Distributor role to users from your organization. When adding a user as described in :ref:`add-users-label`, you will see the option for assigning the Distributor role in the **Add new member** dialog.

.. image:: graphics/add-user-distributor.png
   :width: 350

.. LAAS-5200

.. _reseller-role-label:

Reseller Role
-------------

The Reseller role is used by organizations that sell Yubico products to end customers. As a user with the Reseller role, you have access to the :ref:`Reseller view ` where you can monitor end customers' product inventory and purchase orders.

.. Note:: The Reseller role does not provide permission to view or manage user information.

The Reseller view lets you access the **Settings** > **Customers** page where you can provide access for customers to view purchase order information.

.. image:: graphics/reseller-view-settings.png
   :width: 800

To let a customer access purchase order information, set the **View purchase orders** toggle to "on" for the desired customer. To *revoke* access to purchase order information, set the toggle to "off".

.. IMPORTANT:: If you disable this access for a customer, this customer will not be able to see any inventory purchased from you. If a distributor is involved, the distributor must also first :ref:`enable this setting for you as a reseller `, in order for your end customer to see the purchase order information.

As a Console Owner for a reseller organization, you can assign the Reseller role to users from your organization. When adding a user as described in :ref:`add-users-label`, you will see the option for assigning the Reseller role in the **Add new member** dialog.

.. image:: graphics/add-user-reseller.png
   :width: 350

.. _account-states:

User Account States
===================

All Console users have one of the following account states. To view a user's account state, click **Settings** > **Users**, locate the desired user, and view the **State** column.

**Invited**
   The user has been emailed a login link for the system, but they have not yet used it to activate their account. Most users have this state initially.

**Active (demo mode)**
   The user has activated their account, but they have not yet registered a WebAuthn credential such as a YubiKey. Console activity is restricted to the activities described in :ref:`onboarding-label`.

**Active**
   The user has activated their account and registered a WebAuthn credential.

**Account Reset**
   A Console Owner can put a user in this state if the user's account has been compromised. The user state remains "Account Reset" until the user follows the instructions in the Account Reset email sent by the system.

**Deactivated**
   The user has been removed from all organizations, and they can no longer log in to the Console. All associated access tokens have been revoked. Console Owners can add the user to the organization again at a later date.

**Suspended**
   If a user becomes a security concern, disable system access for that user by contacting YubiEnterprise Support to have the user suspended. Any API token the user has is deleted, and their login credentials are temporarily invalidated.

   * If a suspended user tries to log in, they get the "userID/password invalid" message.
   * Only Yubico can suspend a user, and only Yubico can lift such a suspension.
   * Although all access tokens are revoked, the user remains associated with their organization, so that if the suspension is lifted, Console Owners are not required to recreate the affected user.
   * All owners of the suspended user's organization receive an email notifying them that this user is suspended and that they must contact YubiEnterprise Support to have the suspension lifted.

.. _sso-label:

SSO: Single Sign-On
===================

Single sign-on (SSO) is an authentication method that enables users to use a single set of credentials to access multiple applications and services securely. Employers frequently use SSO to safeguard their resources and streamline work processes by enabling employees to access a whole range or subset of applications and platforms without having to log in to each one separately. Most employees of an enterprise have already encountered SSO by logging in to a service provider using the enterprise's Identity Provider (IdP), for example, Azure AD, Google for Workgroups, or Okta.

YubiEnterprise Services supports SSO. For an organization with SSO enabled, users do not have to register. Although they are added the same way as non-SSO-enabled users, instead of remaining in the *Invited* state until they follow the emailed instruction to register a security key, they are *immediately* added to the organization in the *Active* state. They can therefore use the service-provider-initiated login link to log in to the Console. For details, see :ref:`sso-details-label`.

-------------------------------------

To file a support ticket for YubiEnterprise Delivery, click `Support `_.
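As an added example that is not part of this guide or of the YubiEnterprise product, the following Python script audits a user list shaped like the columns of the **Settings** > **Users** page against the points made above: the recommendation to keep at least two Console Owners, users still in *Active (demo mode)* or *Invited*, and accounts in the *Account Reset* or *Suspended* state. The ``ConsoleUser`` record, the finding codes and the sample rows are constructed for illustration; counting only *Active* owners toward the two-owner recommendation is an assumption, since only an owner who can log in can perform a reset, and the ``sso_enabled`` flag reflects the SSO behaviour described above, where *Active* does not imply a registered security key.

```python
from dataclasses import dataclass
from typing import List, Tuple

OWNER = "Console Owner"


@dataclass(frozen=True)
class ConsoleUser:
    """One row of the Settings > Users page (constructed record type)."""
    email: str
    roles: Tuple[str, ...]   # empty for users holding only Distributor/Reseller roles
    state: str               # Invited, Active (demo mode), Active, Account Reset, Deactivated, Suspended
    mfa: bool                # MFA column: True when a WebAuthn credential is registered
    password: bool           # Password column


def audit_users(users: List[ConsoleUser], sso_enabled: bool = False) -> List[Tuple[str, str]]:
    """Return (email, finding) pairs; the organization-level finding uses the email '*'."""
    findings: List[Tuple[str, str]] = []
    # The guide asks for at least two Console Owners, the only role that can reset
    # locked-out users. Assumption: only Active owners count, as they can actually log in.
    active_owners = [u for u in users if OWNER in u.roles and u.state == "Active"]
    if len(active_owners) < 2:
        findings.append(("*", "too_few_owners"))
    for u in users:
        if u.state == "Active (demo mode)":
            findings.append((u.email, "demo_mode"))        # activated, no WebAuthn credential yet
        elif u.state == "Invited":
            findings.append((u.email, "pending_invite"))   # activation link expires after 7 days
        elif u.state in ("Account Reset", "Suspended"):
            findings.append((u.email, "needs_review"))     # confirm the reset/suspension is expected
        elif u.state == "Active" and not u.mfa and not sso_enabled:
            # Without SSO, an Active user should have registered a credential.
            findings.append((u.email, "active_without_mfa"))
    return findings


# Constructed sample rows, not real accounts.
SAMPLE_USERS = [
    ConsoleUser("owner1@example.com", (OWNER,), "Active", True, True),
    ConsoleUser("owner2@example.com", (OWNER,), "Active (demo mode)", False, True),
    ConsoleUser("admin@example.com", ("Console Admin",), "Active", True, True),
    ConsoleUser("auditor@example.com", ("Console Auditor",), "Invited", False, False),
    ConsoleUser("contractor@example.com", ("Console Admin",), "Suspended", False, False),
]

if __name__ == "__main__":
    for email, finding in audit_users(SAMPLE_USERS):
        print(f"{email}: {finding}")
```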