User security profiles are security objects that define a set of rights and properties that are applied generically for one or more users.
User security profiles apply only to users.
As mentioned in Section Overview, the user object refers to the user, a group of users or an organizational unit that contains users. Thus, user security profiles can be applied to the following LDAP directory objects (listed from highest to lowest priority):
In this section:
Procedures
Creating User Security Profiles
Modifying User Security Profiles
IMPORTANT: If you modify a user security profile already used by users, your modifications apply to all users associated with this security profile.
The user security profile is modified.
To perform the task described in this section, you must have at least the following administration role:
In this section:
User authentication methods area
IMPORTANT:
IMPORTANT: EAM supports one activated authentication mode at a time.
To use these modes, RSA Authentication Manager or the RADIUS plugin must be installed and configured in accordance with the procedures detailed in the One Identity EAM Installation Guide. For more information on how to configure the OTP authentication modes, see OTP Tab.
The Mobile device authentication method, which is fully described in the QRentry User's Guide.
Timeslice
The default time slice is always preselected. Click the button to select a different time slice.
NOTE: Click the button to display and, if necessary, modify the selected time slice, as described in Section Creating/Modifying Time Slices.
Use cache/Cache data validity (h)
Select this option to allow the users associated with this security profile to use a cache on their workstations. This enables them to:
NOTE:
IMPORTANT: You must also select the use cache option in the access point security profile. For more details, see Security Services Tab.
Session duration (in hours)
Length of time a session stays active before re-authentication is required.
NOTE: The value 0 means "infinite": re-authentication is never required.
Allow temporary password access for...
This option sets the validity duration of the temporary password access method. Once that time has elapsed, the user can no longer authenticate using a password.
This value applies when, for a given user, you force a new primary password to enable temporary password access (Predefining a new user's primary password).
This value also applies when a user who resets his/her own password in disconnected mode enters the unblocking code supplied by the helpdesk. The value is displayed in the unblocking code generation window (Managing user Self Service Password Request).
NOTE: For a complete description of temporary password access, see the Authentication Manager Self Service Password Request Administrator's Guide.
Allow on all access points
To authorize the users to log on to access points registered in external domains, see Section Managing representative objects.
IMPORTANT: If you forbid access points to a user and this option is selected, the user will still be able to access those access points. For more information, see Section Assigning/forbidding access points to a user.
Can unlock a workstation
Authorizes the users associated with this security profile to unlock a workstation locked by another user.
Primary password is stored as an SSO account, encrypt by...
You can select this option when the primary password must be used:
If this option is selected, EAM stores the user primary password as an SSO account.
Then, Enterprise SSO uses this SSO account for each application configured to use primary accounts.
NOTE:
This drop-down list allows you to select how the SSO primary accounts are encrypted and decrypted (for PKA authentication, the choice of encryption method has no impact on password recovery through the controller):
IMPORTANT: If the user forgets his/her primary password or loses his/her smart card, the applications configured to use his/her SSO primary account will become obsolete.
User can have only one active Windows session
This check box enables the double-login prevention functionality.
When a user authenticates on a workstation, the workstation on which he/she was previously logged on locks.
For this functionality to work properly:
NOTE: As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (when several servers are replicated) must be taken into account. The Double-Login Prevention feature can only work if the time it takes for the user to move from one workstation to another is longer than the time it takes to replicate data between all directory servers. If replication time is too long, you can configure EAM Controllers to use a list of directories according to their availability.
For more details, see Authentication Manager Session Management Administrator’s Guide.
When a user authenticates on a workstation, the session on which he/she was previously connected remains active.
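The replication caveat above is easy to misjudge without seeing it fail. The following is an added illustration, not EAM code and not a description of how EAM or any directory product actually replicates: a toy model of two directory servers with a fixed replication delay, and the double-login check as the page describes it (read the user's active workstation from the controller's server, lock it if one is recorded, then record the new session). Server names, user name, workstation names and delays are all constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class DirectoryServer:
    """One directory server; maps user -> active workstation (constructed toy model)."""
    name: str
    active_session: dict = field(default_factory=dict)


class ReplicatedDirectory:
    """Toy model of several replicated directory servers.

    A write on one server reaches every other server only after
    `replication_delay` seconds. This is an assumption for illustration.
    """

    def __init__(self, server_names, replication_delay):
        self.servers = {n: DirectoryServer(n) for n in server_names}
        self.replication_delay = replication_delay
        self.pending = []  # (deliver_at, server_name, user, workstation)

    def advance_to(self, now):
        """Apply every replicated write whose delivery time has been reached."""
        still_pending = []
        for deliver_at, server, user, workstation in self.pending:
            if deliver_at <= now:
                self.servers[server].active_session[user] = workstation
            else:
                still_pending.append((deliver_at, server, user, workstation))
        self.pending = still_pending

    def read(self, server, user, now):
        self.advance_to(now)
        return self.servers[server].active_session.get(user)

    def write(self, server, user, workstation, now):
        self.advance_to(now)
        self.servers[server].active_session[user] = workstation
        for other in self.servers:
            if other != server:
                self.pending.append(
                    (now + self.replication_delay, other, user, workstation))


def logon(directory, server, user, workstation, now):
    """Double-login check: look up the user's active workstation on the
    controller's directory server, lock it if one is recorded, then record
    the new session. Returns the locked workstation, or None if nothing
    was found to lock (the failure mode the note warns about)."""
    previous = directory.read(server, user, now)
    directory.write(server, user, workstation, now)
    if previous is not None and previous != workstation:
        return previous
    return None


def simulate_switch(switch_time, replication_delay):
    """alice logs on at WS-A (served by dc1) at t=0, then at WS-B (served by
    dc2) `switch_time` seconds later. Returns the workstation that got locked."""
    directory = ReplicatedDirectory(["dc1", "dc2"], replication_delay)
    logon(directory, "dc1", "alice", "WS-A", now=0)
    return logon(directory, "dc2", "alice", "WS-B", now=switch_time)


def prevention_effective(switch_time, replication_delay):
    """True when the first session was locked, i.e. the write reached dc2 in time."""
    return simulate_switch(switch_time, replication_delay) == "WS-A"


if __name__ == "__main__":
    # Replication (30 s) finishes before the user reaches WS-B (60 s): WS-A is locked.
    print(simulate_switch(60, 30))  # WS-A
    # The user moves (10 s) faster than replication (30 s): dc2 has no record, nothing is locked.
    print(simulate_switch(10, 30))  # None
```

When the user changes workstation faster than the directories replicate, the second controller reads a stale server, finds no active session and locks nothing, so both Windows sessions stay open. This is why the note asks you to compare the user's switch time against the replication time across all directory servers before relying on the feature.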
Allow password authentication until first smartcard enrollment
This check box authorizes the user to authenticate with his password until he enrolls his smart card for the first time (for example, if he has not received it yet). Once he has enrolled his smart card, he can no longer authenticate with his password, unless the Password authentication method is selected.
The user can authenticate with his password.
The user cannot authenticate with his password and must authenticate with his smart card.
Upon first smart card authentication, add user to group
This check box allows you to add a user to a group as soon as he authenticates for the first time with his smart card.
Click on to select the group in which the user will be added after his first smart card authentication.
The button is deactivated.
NOTE: To execute this operation, the EAM controller must have the right to add users to directory groups. For more information, see the One Identity EAM Installation Guide.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.