This article shows Privileged Users how to add and manage SSProtect Organization Users.
When you start using SSProtect, your Organization comes pre-configured with a certain number of Seats available for use at your discretion. These Seats are usable in any way you see fit - if an employee leaves your company, you can reclaim that Seat without losing the history or even the information associated with that employee's use.
Accounts, Organizations, and Servers
Your use of SSProtect is uniquely defined by your Account, and you identify yourself to this Account with your Username, which is an email address. Each Account belongs to a single Organization unless it is an Individual Account that operates without the context of an Organization.
For more insight, refer to the article, Accounts, Identities, and Roles.
Every Organization is associated with and unique to a set of interconnected Server Sets. Server Sets are groups of highly-available servers that instantiate KODiAC Cloud Services, deployed in distinct regional Data Centers and then globally interconnected to one another. DefiniSec operates the global set of public KODiAC Server Sets for common SSProtect use.
You can deploy your own KODiAC (Cloud) Services Server Set(s) without connecting to the public DefiniSec network. In that case, you can use a single email address to identify an Account in both the public DefiniSec system and your own KODiAC deployment.
We do not recommend this approach, since it can be difficult to determine your Server Set context when necessary. Consider a protected email delivered to a peer email address used for Accounts in both systems. Which Account does the recipient use? Since you can only log in to one system at a time, the recipient may have to try both systems, which then requires Refresh Login to access "the other system". This can, and will, lead to unwieldy execution.
For this and related reasons, we strongly encourage you to use one email address for one Account, no matter which system that Account is destined to use (and/or, by convention, use only one of the available systems: either the company-deployed solution or the public DefiniSec system).
Depending on adoption and use tendencies, future releases may be enhanced to better support this type of operation. Submit feedback to your DefiniSec Representative or email our Support team.
For related insight, refer to the article, Trusts, Profiles, and Server Sets.
To simplify matters, we have created Profiles to represent the combination of email address, Username, Account, Organization, and Server Set. This is a unique combination more easily referred to by a moniker such as "Work" or "Home". Modify and/or remove Profiles from the Advanced Login display.
Note that Profile removal only removes data from the host computer - Profile configuration is securely stored by KODiAC Cloud Services, and it can be re-instantiated at any time. See the article Remote Profile Deployment for details.
Before you deploy to an individual, consider the environment in which they are working. Check to make certain their host computer meets System Requirements, and be aware of any possible software compatibility issues. Share questions with Support as noted at the end of this article.
Procedure for Adding a New User
To Provision a New User in your Organization, navigate to the Administer Users menu from the notification tray icon, then choose the Manage submenu item to display User Administration:
The left side of the display includes the list of Organization Users you can select and edit, while the right side of the display provides individual controls that adjust the Account Policy.
To create a New Account, first, from the Userlist on the left side, choose the Account that is configured most like the Account you wish to create, then on the right choose New. A cutout of the Policy controls is shown below; they default to the same configuration as that of the Account you chose before you clicked New:
Adjust the controls to reflect the Account Policy you wish to configure:
- For Username, enter the user's email address that uniquely defines the new Account
- Ignore Package; this future item will affect the way the Registration Email is created/sent on Save
- Check Delegate if you want this User to have Privileged rights for the Organization
- When available, check vChain if you want to activate Split Version Chaining Policy
- Check Int Override to permit Release Protection on items that fail Integrity checks
- Check Unsigned Apps to allow Managed Access using unsigned (managing) software
- Check Rel Protections to allow this User to Release Protection from managed content
- Check Ignore Enh 2FA to bypass Enhanced Login 2FA if/when configured
- Check Auto Soft fg2FA to bypass the need to manually acknowledge software 2FA popups
- Check :Recover (when available) for this User's managed data to be stored in the KODiAC Archive
- For FlexQuota, enter the Reserved amount of space (in MB) for this User's KODiAC Archive
- Check Disable Bulk to disable Bulk Conversion for this User, removing the notification menu item for Non-Privileged Users*
- Check Enable Cat to enable Catalog operation for this User, else related controls are not displayed with Bulk Conversion
- Choose Save
* Catalog controls are part of Bulk Conversion, and thus Catalogs cannot be enabled when Bulk Conversion is disabled. Disabling Bulk Conversion removes the Notification Menu item for Non-Privileged Users, reducing complexity. Privileged Users will still see the Bulk Conversion menu item; however, it will be disabled (gray).
When you click Save, SSProtect delivers a Registration Email message with instructions, a download link for the :Foundation Client, and a temporary password. In the future, the Package options will allow for custom email messages and alternate means for delivering and/or using temporary Account credentials.
Refer to the article Email Notifications for additional information. All Privileged Organization Users receive the same email dispatched to the newly created User (when one is sent). Your team will also receive email when this User completes Registration so you can perform Validation.
Validation allows you to make certain that the Account you provisioned wasn't intercepted by an intruder before enabling operation. This avoids the potential for an attacker to utilize valid SSProtect credentials to decrypt Managed Content from other Organization Users. This of course requires the attacker to acquire managed content from other sources, though if he/she can intercept the Registration request to provision an Account, it's highly likely he/she has already stolen SSProtect'd content (in encrypted form).
Note that this is one of the differentiating aspects of SSProtect: It is theoretically impossible for such an attacker to recover plaintext content without also breaching KODiAC Cloud Services (when using token-based 2FA, else the attacker can impersonate an authorized User). This need to breach both the corporate host/ network and independently-managed cloud services, at the same time, is unique and part of the patented Cloud Cryptographic Offloading scheme realized by SSProtect.
After the provisioned User goes through Registration, you will, as noted, receive an email notification indicating that he/she is ready for Validation. Speak to this person and verify that he/she carried out the Registration, then:
- Return to Administer Users
- Choose the target Username from the list of Users
- Click Validate
This will generate a notification email for the end-user to inform them that the Account is ready to be used. Their first subsequent Login transfers the keys necessary for them to access Organization content, though no content is transferred to them, as it must be shared using traditional or existing collaboration software methods and/or infrastructure. This is a core principle of SSProtect: automatically supplementing existing systems with far-reaching compatibility, "out of the box".
If you cannot verify that the intended User performed Registration, rather than Validate their presence as a member of the Organization, you can instead choose Dismiss. This will mark the Account for Support, who can subsequently Destroy its configuration, allowing you to retry. You will receive a notification email when this procedure has been executed.
Note however that any concern regarding Registration credential disclosure should be thoroughly investigated and addressed before repeating the process.
Additional Organization Configuration
This display includes additional facilities for Organization-specific configuration.
Sign-Up Policy allows you to determine whether or not Users can Join your Organization through the Sign-Up process, though this requires Validation and permits Dismissal.
Pwd Policy allows you to enforce restrictions on valid passwords and their duration, and can also be used to force an immediate Password Change for every Organization Account on next Login.
Use 2FA Token to configure USB Tokens that can require physical presence assertion for every managed activity, such as accessing content or viewing Reports.
For bulk User Configuration, you can use Import/Export Users. Contact your DefiniSec Representative for details and insight on how you can use this to integrate with existing Directory services.
SSProtect uses 2FA for every operation, though it doesn't always require end-user acknowledgement (for example, when Auto Soft fg2FA is checked; see below). The software 2FA process utilizes RFC 4226 HMAC-based OTPs, and in certain circumstances the Client and Server counters can become misaligned. Sync 2Factor allows you to repair this situation so that the target Account holder can continue with normal operation.
In similar fashion, you can use Reset Pwd to help a User who has forgotten their Login credentials, and though not shown here, you can use Reset Enh2FA to repair host-specific Login 2FA configuration details.
Use Save All... to apply changes to multiple Account Edit states. This is typically used after Import Users though you can Edit multiple Accounts at one time, then individually Save or Revert changes for each.
Read-Write Account Attributes
The following attributes can be modified when editing an Organization Account:
Disabled - immediately denies further access to any managed resource or operation
Delegate - elevates Account Privilege to Delegate status
NOTE: These two items cannot be changed when editing your own Account.
Conversion Policy Options
Int Override - allows Release operation to override Integrity Check failure (after prompting)
Unsigned Apps - permits unsigned applications to be used with Protected Access
Rel Protections - allows the Account holder to Release protections on managed content
Ignore Enh 2FA - bypasses Organization-configured Enhanced Login 2FA
Auto Soft fg2FA - When checked, internal, Account-specific software 2FA credentials are dispatched for you automatically when necessary. This disables any configured hardware 2FA token. If unchecked and you have not configured hardware 2FA use, SSProtect will present the Software Simulated 2FA prompt when credentials are needed.
Conversion/:Recover Quota Options
Split vChain - creates a new, independent Version Chain when a file is renamed (and/ or moved)
:Recover - enables Hybrid or Double Conversion (vs. Optimized), securely storing content
Double - utilizes Double Conversion rather than Hybrid Conversion for managed content
Reserved (Account FlexQuota) - the amount of storage space allocated to the active Account
NOTE: Double is by default not available and in that case, not displayed.
Bulk Conversion and Catalogs
Disable Bulk - precludes use of Bulk Conversion execution without inhibiting Catalog Details, if available
Enable Cat - Enables Catalogs, presenting related controls and enumeration in Bulk Conversion
The following attributes are displayed for informational reference:
Username - The email address associated with the chosen Account
Organization - The name of the current Organization (that you belong to)
Software ID - A unique, 12-digit ID associated with the chosen Account
Hardware ID - A unique, 12-digit ID associated with a configured hardware 2FA Token
Data Conversion (Encryption/Decryption):
SHA1 Data - the active Conversion Mode uses SHA1 for data hashing (rather than MD5)
Integrity Protect - the active Conversion Mode enforces Integrity Protection for each item
AES-256 - the active Conversion Mode uses 256-bit AES encryption (rather than 128-bit)
Organization Configuration's Impact to the chosen Account:
Global Share - the Account (Organization) is visible for data sharing outside its Home Region
Admin - When the Userlist selection matches the Administrator, this replaces Delegate
Optional Organization-wide Configuration
Org Enh2FA - Login Enhanced 2FA has been configured and is being enforced
Pwd Policy - An Organization Password Policy has been configured and is being enforced
:Recover Storage Quota and Retention Policy Detail
AcctUsed - The amount of data, in MB, stored for the selected Account
OrgQuota - The maximum amount of :Recover storage space available for the Organization
OrgAvail - Unassigned Organization :Recover storage space that can be assigned to Accounts
Retain Versions - N/A when disabled, else the number of Versions stored for protected content
Users Seated - The number of Licenses being utilized
Users Permitted - The total number of Licenses available to the Organization
ACCESS - whether or not you have the Globally-Exclusive Edit Lock for this Organization
There are 3 different state descriptors below the Userlist:
x User(s) Seated provides the number of actively utilized License Seats for the current set of Users (Accounts) and associated states. The Seated Count includes all Registered and Validated Users that are not Disabled. It also includes any User that has been Provisioned (from this interface by a Privileged User) even before User Registration. Disabled Users do not consume a License Seat, nor do Users that resulted from Sign-Up until (unless) Validated. Finally, Deleted Users maintain their License Seat until Recover Seat has been executed. For details, start with the article, SSProtect Licensing.
x User(s) Permitted provides the total number of License Seats available for Users (Accounts) in the Organization. The difference between the Permitted Count and Seated Count provides the number of Seats available for re-Enabled Users and/or New Users (through Provisioning and from this interface). Note that a User can perform Sign-Up and request Organization membership (when enabled by Policy) without allocating an active Seat - the Seat is allocated if/when the associated Account is Validated.
This Account is Operational indicates that the selected User is not Disabled or Deleted, which would then change to, This Account is temporarily Disabled and This Account has been Deleted, respectively.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v11.0.3 of the :Foundation Client