Managing user accounts
The Accounts tab allows you to manage a user's accounts.
To perform the task described in this section, you must:
- Either have at least the following administration role:
  - In classic administration mode: "Security object administrator" or "Access administrator".
  - In advanced administration mode, your role must contain one of the following:
    - the rights "Account: Creation/Modification", "Account: Deletion", "Account: Manage parameters", "User role: Creation/Modification", "User role: Deletion".
    - the right "Application: Manage all applications".
- Or be an administrator allowed to manage the application(s) with full control over them.
- In the tree structure of the Directory panel, select the required user.
- Click the Accounts tab.
- The Accounts tab appears.
- Select the account you want to manage and perform the required operation using the available buttons, as explained in the Accounts tab description section below.
Accounts tab description
- Show unregistered account check box
  - Check box selected: the tab displays all the accounts that are not yet registered.
  - Check box cleared: the tab displays only the registered accounts.
- Export button
  Exports the user accounts list to a CSV file.
- Lock/Unlock button
  Locks/unlocks the account. If the account is locked, the user is no longer able to connect to the application.
- Properties button
  Displays the account properties window, which allows you to manage the selected account's SSO data and delegation properties.
  - SSO Data tab
    - Login field
      Account login name.
    - Password field
      Account password. You can type it manually or generate it automatically by clicking the Generate button.
    - Password must change at next logon check box
      If this check box is selected, the user will be prompted to change his/her password when he/she first logs on to this application with this account.
    - Clear password history check box
      If this check box is selected, all previous passwords are deleted. This means that the user will be able to reuse previous passwords.
    - Parameters area
      Displays any additional parameters set for the account, and allows you to set them again.
  - Delegation tab
    This tab displays the list of users to whom the user has delegated his/her account using Enterprise SSO.
  - Ownership tab
    This tab enables you to select users allowed to manage the account. Click one of the following buttons:
IMPORTANT: The account access is managed by an ACL, therefore super administrators of the directory can always access the account.
Managing the User Self Enrollment
You must configure the EAM console so that users can self enroll.
Thanks to the EAM portal, external users can self enroll, which will enable them to authenticate to their Windows session.
The self enrollment system will create a primary account in the corporate directory, within a dedicated OU depending on the domain of their email address.
Assigning Administration Rights
You must assign rights to the following elements:
- Administration rights to the technical account of the E-SSO Controller, sufficient to create users in the directory, such as "create, delete, and manage user accounts" (for more information refer to the One Identity EAM Installation Guide).
- The User administrator administration profile to the SSPR administrator (for more information, see Delegating Administration Roles).
- For AD LDS: rights to the SSPR administrator to manage the user accounts in the welcome nodes of the users who self enroll, by creating an account delegation on the welcome node (for more information, refer to the Microsoft documentation
Configuring the Dedicated Organizational Units
Users who self enroll are identified by the domain of their email address and are created in a dedicated OU in the directory.
The dedicated OU must already be created in the directory. You can create a general OU for the dedicated users or one OU for each domain.
In the EAM console, you must create the following elements, which will be dedicated to these users and applied to the dedicated OU:
You can also apply a dedicated PFCP (see Creating/Modifying Password Format Control Policies).