Requiring secondary authentication log in
You can require a user to log in using two-factor authentication by enabling the Require Secondary Authentication option in the user record.
To require a user to log in using secondary authentication
-
Setup a secondary authentication provider in Appliance Management > Safeguard Access > Identity and Authentication. For more information, see Adding identity and authentication providers..
-
Configure the SPP user to Require Secondary Authentication. For more information, see Authentication tab (add user)..
-
On the Authentication tab of a user's properties, select the Require Secondary Authentication check box.
-
Choose the Authentication Provider.
-
Depending on the type of authentication provider selected, specify the additional information this user must use when logging into SPP with two-factor authentication.
-
Log in with secondary authentication.
When you log in to SPP as a user which requires secondary authentication, you log in as usual, using the password that is set for the SPP user account. SPP then displays one or more additional login screens. Depending on how the system administrator has configured the secondary authentication provider, you must enter additional credentials for your secondary authentication service provider account, such as a secure password, security token code, or both.
NOTE:The type and configuration of the secondary authentication provider (for example, RSA SecureID, FIDO2, and so on) determines what you must provide for secondary authentication. Check with your system administrator for more information about how to log in to SPP with secondary authentication.
Adding a user to user groups
It is the responsibility of the Security Policy Administrator to add users to user groups to assign to password policies.
To add a user to a user group
- Navigate to User Management > Users.
- In Users, select a user from the object list and open the User Groups tab.
- Click Add from the details toolbar.
- Select one or more groups from the list in theUser Groups dialog and click OK.
If you do not see the user group you are looking for and are a Security Policy Administrator, you can click Create New in the User Groups dialog and add the user group. For more information about creating user groups, see Adding a user group.
Adding a user to entitlements
It is the responsibility of the Security Policy Administrator to add users to entitlements. When you add users to an entitlement, you are specifying which people can request access governed by the entitlement's policies.
To add a user to entitlements
- Navigate to User Management > Users.
- In Users, select a user from the object list and open the Entitlements tab.
- Click Add from the details toolbar.
- Select one or more entitlements from the list in the Entitlements dialog and click OK.
If you do not see the entitlement you are looking for and are a Security Policy Administrator, you can click Create New in the Entitlements dialog. For more information about creating entitlements, see Adding an entitlement.
Activating or deactivating a user account
It is the responsibility of an Authorizer Administrator or User Administrator to activate or deactivate users within SPP. However, this state can only be changed within SPP on users that have their identity source set to the Local provider. This state cannot be modified for directory users. A directory user's state must be modified in the directory and then synchronized with SPP.
Deactivating a user will prevent that user from logging into SPP and end any currently logged in session. However, an administrator cannot deactivate their own user.
SPP can also be configured to automatically deactivate users who have not logged in within a configured time span. Note, this does not apply to directory users. For more information, see Local Login Control.
To activate or deactivate a user account
- Navigate to User Management > Users.
- In Users, select a user from the object list.
- From the toolbar options, select either Activate User or Deactivate User.