This article shows Privileged Users how to add and manage SSProtect Organization Users.
When you start using SSProtect, your Organization comes pre-configured with a certain number of seats available for users at your discretion. These seats are usable in any way you see fit - if an employee leaves your company, you can reclaim that seat without losing the history or even the information associated with that employee's use.
To understand how these pieces fit together, we must first explain certain resources and their roles.
Accounts, Organizations, and Servers
Your use of SSProtect is uniquely defined by your Account, and you identify yourself to this Account with your Username, which is an email address. Each Account belongs to a single Organization, and each Organization is associated with and unique to a set of Servers.
For more insight, refer to the article, Accounts, Identities, and Roles.
This section's information regarding Server Sets applies both to Internet-managed KODiAC Cloud Service deployments, such as the one managed by DefiniSec, and to corporate-deployed, independently managed in-house systems. The latter is not currently common; the information is offered for completeness and further operational insight.
A Server Set is a collection of cloud Servers. KODiAC Cloud Services have been designed to work with one or more instances of High Availability Server Clusters. These can be hosted in a single Data Center or, by using any number of High Availability technologies, globally distributed. As such, the singular reference to a Server is a logical association that has more to do with the common data set being used than the Servers that are dispatching and controlling communications.
In most cases, this is irrelevant, as most users choose to utilize the DefiniSec-hosted KODiAC Cloud Services solution, which handles :Foundation Client associations to the proper geographically distributed Server Sets (and thus Data Centers) while also managing Global Scope and visibility for sharing and/ or replication to other geographic regions around the globe. This is an advanced topic for Multi-National corporation deployments, and should be revisited once the basic concepts of deployment have been mastered.
As such, in this article we will use the term "Server Set" wherever a singular Server would otherwise be referenced. For details, refer to the article, Trusts, Profiles, and Server Sets.
Email Addresses and Multiple Accounts
A single Server Set manages multiple Organizations, each containing a unique set of Accounts and thus unique set of Usernames. A Username is unique across a single dataset: You must use a different Username for every Account attached to an Organization managed by the same Server Set. As a result, your email address cannot be used with multiple Accounts on the same Server Set.
You can however use a single email address with multiple Accounts so long as they are part of Organizations managed by two different Server Sets. For example, you could register your email address with an Account at work that uses an in-house deployment of SSProtect. Obviously the Server Set would be independent from those managed by DefiniSec on the Internet, thus the datasets would be independent and, as a result, would not be in conflict.
NOTE: We do NOT recommend using the same email address for multiple Accounts, even when possible. This can be problematic when using :Email and trying to determine why a particular incoming message is not accessible - and it almost always boils down to being Logged into the wrong context.
To simplify matters, we have created Profiles to represent the combination of email address, Username, Account, Organization, and Server. This unique combination is more easily referred to by a moniker, i.e., "Work" or "Home". Access Profiles from the Advanced Login display, where you can edit them to rename or even delete them.
In fact, deleting a Profile only serves to remove data from the host computer - Profile configuration is securely stored by KODiAC Cloud Services, and it can be re-provisioned at any time. See the article Remote Profile Deployment for details.
Before you deploy to an individual, consider the environment in which they are working. Check to make certain their host computer meets System Requirements, and be aware of any possible software compatibility issues. Compatibility issues are more likely with consumer products than with corporate business applications. Anti-virus software, VPN software, and other security software can conflict with SSProtect, though they usually do not. For questions, contact Support as noted at the end of this article.
Procedure for Adding a New User
To Provision a New User in your Organization, navigate to the Administer Users menu from the notification tray icon, then choose the Manage submenu item to display User Administration (shown below in Edit Mode):
- Click New
- For Username, enter the user's email address that uniquely defines an Account
- Check Delegate if you want this user to have Administrator privileges
- Check Unsigned Containers to allow Managed Access with unsigned software
- Check Release Protections to allow this user to remove content from Active Protection
- Choose :Recover for this user's files to be stored with KODiAC :Recover
- Choose No 2nd Factor to disable the 2nd-factor software acknowledgement for each operation
- For Acct Quota, choose the amount of space for :Recover operation, if/when applicable
- Choose Save
This will send email to the address you used for the Username providing instructions for the user to acquire and install the software (see Email Notifications for further details on notification). You will receive an email message when this user completes Registration so you can perform Validation.
Validation allows you to make certain that the Account you provisioned wasn't intercepted by an intruder before permitting access to Organization data. After the provisioned user goes through Registration, you will, as noted, receive an email notification indicating that he/she is ready for Validation. Speak to this person and verify that he/she carried out the Registration, then:
- Return to Administer Users
- Choose the target Username from the list of Users
- Click Validate
This will generate a notification email for the end-user to inform them that the Account is ready to be used. Their first subsequent Login transfers the keys necessary for them to access Organization content. No content itself is transferred to them: content must be shared using traditional or existing collaboration software methods and/ or infrastructure, which reflects a core principle of SSProtect, supplementing existing systems while remaining compatible with them.
If you cannot verify that the intended User performed Registration, rather than Validate their presence as a member of the Organization, you can instead choose Dismiss. This will mark the Account for Support, who can subsequently Destroy its configuration, allowing you to retry. You will receive a notification email when this procedure has been executed.
Note however that any concern regarding Registration credential disclosure has to be addressed before repeating the process.
Additional Organization Configuration
This display includes additional facilities for Organization-specific configuration.
Sign-Up Policy allows you to determine whether or not Users can Join your Organization through the Sign-Up process, though this requires Validation and permits Dismissal.
Pwd Policy allows you to enforce restrictions on valid passwords, their duration, and can also be used to force immediate Password Change for every Organization Account on next Login.
Use 2FA Token to configure USB Tokens that can require physical presence assertion for every managed activity, such as accessing content or viewing Reports.
For bulk User Configuration, you can use Import/ Export Users. Contact your DefiniSec Representative for details and insight on how you can use this to integrate with existing Directory services.
SSProtect uses 2FA for every operation, though it doesn't always require end-user acknowledgement (for example when No 2nd Factor is checked - see below). The software 2FA process utilizes RFC 4226 HMAC-based OTPs (HOTP), whose counter is kept on both sides, and in certain circumstances the Client and Server counters can become misaligned. Sync 2Factor allows you to repair this situation so that the target Account holder can continue with normal operation.
In similar fashion, you can use Reset Pwd to help a User who has forgotten their Login credentials, and though not shown here, you can use Reset Enh2FA to repair host-specific Login 2FA configuration details.
Use Save All... to apply changes to multiple Account Edit states. This is typically used after Import Users though you can Edit multiple Accounts at one time, then individually Save or Revert changes for each.
Read-Write Account Attributes
The following attributes can be modified when editing an Organization Account:
Disabled - immediately denies further access to any managed resource or operation
Delegate - elevates Account Privilege to Delegate status
Conversion Policy Options
Int Override - allows Release operation to override Integrity Check failure (after prompting)
Unsigned Apps - permits unsigned applications to be used with Protected Access
Rel Protections - allows the Account holder to Release protections on managed content
Ignore Enh 2FA - bypasses Organization-configured Enhanced Login 2FA
Disable fg2FA - Disables Fine-Grained 2FA prompts (software or hardware) for managed operations
Conversion/ :Recover Quota Options
Split vChain - creates a new, independent Version Chain when a file is renamed (and/ or moved)
:Recover - enables Hybrid or Double Conversion (vs. Optimized), securely storing content
Double - utilizes Double Conversion rather than Hybrid Conversion for managed content
Reserved (Account FlexQuota) - the amount of storage space allocated to the active Account
Bulk Conversion and Catalogs
Disable Bulk - precludes use of Bulk Conversion execution without inhibiting Catalog Details, if available
Enable Cat - Enables Catalogs, presenting related controls and enumeration in Bulk Conversion
The following attributes are displayed for informational reference:
Username - The email address associated with the chosen Account
Organization - The name of the current Organization (that you belong to)
Software ID - A unique, 12-digit ID associated with the chosen Account
Hardware ID - A unique, 12-digit ID associated with a configured hardware 2FA Token
Data Conversion (Encryption/ Decryption):
SHA1 Data - the active Conversion Mode uses SHA1 for data hashing (rather than MD5)
Integrity Protect - the active Conversion Mode enforces Integrity Protection for each item
AES-256 - the active Conversion Mode uses 256-bit AES encryption (rather than 128-bit)
Organization Configuration's Impact to the chosen Account:
Global Share - the Account (Organization) is visible for data sharing outside its Home Region
Admin - When the Userlist selection matches the Administrator, this replaces Delegate
Optional Organization-wide Configuration
Org Enh2FA - Login Enhanced 2FA has been configured and is being enforced
Pwd Policy - An Organization Password Policy has been configured and is being enforced
:Recover Storage Quota and Retention Policy Detail
AcctUsed - The amount of data, in MB, stored for the selected Account
OrgQuota - The maximum amount of :Recover storage space available for the Organization
OrgAvail - Unassigned Organization :Recover storage space that can be assigned to Accounts
Retain Versions - N/A when disabled, else the number of Versions stored for protected content
Users Seated - The number of Licenses being utilized
Users Permitted - The total number of Licenses available to the Organization
ACCESS - whether or not you have the Globally-Exclusive Edit Lock for this Organization
There are 3 different state descriptors below the Userlist:
x User(s) Seated provides the number of actively utilized License Seats for the current set of Users (Accounts) and associated states. The Seated Count includes all Registered and Validated Users that are not Disabled. It also includes any User that has been Provisioned (from this interface by a Privileged User) even before User Registration. Disabled Users do not consume a License Seat, nor do Users that resulted from Sign-Up until (unless) Validated. Finally, Deleted Users maintain their License Seat until Recover Seat has been executed. For details, start with the article, SSProtect Licensing.
x User(s) Permitted provides the total number of License Seats available for Users (Accounts) in the Organization. The difference between the Permitted Count and Seated Count provides the number of Seats available for re-Enabled Users and/ or New Users (through Provisioning and from this interface). Note that a User can perform Sign-Up and request Organization membership (when enabled by Policy) without allocating an active Seat - the Seat is allocated if/ when the associated Account is Validated.
This Account is Operational indicates that the selected User is neither Disabled nor Deleted; for those states, the descriptor changes to This Account is temporarily Disabled and This Account has been Deleted, respectively.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v10.6.1 of the :Foundation Client